'\" t
.\" <!-- Copyright 1998 - 2007 Double Precision, Inc. See COPYING for -->
.\" <!-- distribution information. -->
.\" Title: userdbpw
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 06/20/2015
.\" Manual: Double Precision, Inc.
.\" Source: Double Precision, Inc.
.\" Language: English
.\"
.TH "USERDBPW" "8" "06/20/2015" "Double Precision, Inc." "Double Precision, Inc."
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
userdbpw \- create an encrypted password
.SH "SYNOPSIS"
.HP \w'\fBuserdbpw\fR\fBuserdb\fR\ 'u
\fBuserdbpw\fR [[\-md5] | [\-hmac\-md5] | [\-hmac\-sha1]] |\fBuserdb\fR {\fIname\fR} set {\fIfield\fR}
.SH "DESCRIPTION"
.PP
\fBuserdbpw\fR
enables secure entry of encrypted passwords into
@userdb@\&.
.PP
\fBuserdbpw\fR
reads a single line of text on standard input, encrypts it, and prints the encrypted result to standard output\&.
.PP
If standard input is attached to a terminal device,
\fBuserdbpw\fR
explicitly issues a "Password: " prompt on standard error, and turns off echo while the password is entered\&.
.PP
The
\fB\-md5\fR
option is available on systems that use MD5\-hashed passwords (such as systems that use the current version of the PAM library for authenticating, with MD5 passwords enabled)\&. This option creates an MD5 password hash, instead of using the traditional
\fBcrypt()\fR
function\&.
.PP
\fB\-hmac\-md5\fR
and
\fB\-hmac\-sha1\fR
options are available only if the userdb library is installed by an application that uses a challenge/response authentication mechanism\&.
\fB\-hmac\-md5\fR
creates an intermediate HMAC context using the MD5 hash function\&.
\fB\-hmac\-sha1\fR
uses the SHA1 hash function instead\&. Whether either HMAC function is actually available depends on the actual application that installs the
\fBuserdb\fR
library\&.
.PP
Note that even though the result of HMAC hashing looks like an encrypted password, it\*(Aqs really not\&. HMAC\-based challenge/response authentication mechanisms require the cleartext password to be available as cleartext\&. Computing an intermediate HMAC context does scramble the cleartext password; however, if it is compromised, it WILL be possible for an attacker to successfully authenticate\&. Therefore, applications that use challenge/response authentication will store intermediate HMAC contexts in the "pw" fields in the userdb database, which will be compiled into the
userdbshadow\&.dat
database, which has group and world permissions turned off\&. The userdb library also requires that the cleartext userdb source for the
userdb\&.dat
and
userdbshadow\&.dat
databases is also stored with the group and world permissions turned off\&.
.PP
\fBuserdbpw\fR
is usually used together in a pipe with
\fBuserdb\fR, which reads from standard input\&. For example:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBuserdbpw \-md5 | userdb users/john set systempw\fR
.fi
.if n \{\
.RE
.\}
.PP
or:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBuserdbpw \-hmac\-md5 | userdb users/john set hmac\-md5pw\fR
.fi
.if n \{\
.RE
.\}
.PP
These commands set the
\fBsystempw\fR
field in the record for the user
\fBjohn\fR
in
@userdb@/users
file, and the
\fBhmac\-md5pw\fR
field\&. Don\*(Aqt forget to run
\fBmakeuserdb\fR
for the change to take effect\&.
.PP
The following command does the same thing:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBuserdb users/john set systempw=\fR\fB\fBSECRETPASSWORD\fR\fR
.fi
.if n \{\
.RE
.\}
.PP
However, this command passes the secret password as an argument to the
\fBuserdb\fR
command, which can be viewed by anyone who happens to run
\fBps\fR(1)
at the same time\&. Using
\fBuserdbpw\fR
allows the secret password to be specified in a way that cannot be easily viewed by
\fBps\fR(1)\&.
.SH "SEE ALSO"
.PP
\m[blue]\fB\fBuserdb\fR(8)\fR\m[]\&\s-2\u[1]\d\s+2,
\m[blue]\fB\fBmakeuserdb\fR(8)\fR\m[]\&\s-2\u[2]\d\s+2
.SH "NOTES"
.IP " 1." 4
\fBuserdb\fR(8)
.RS 4
\%[set $man.base.url.for.relative.links]/userdb.html
.RE
.IP " 2." 4
\fBmakeuserdb\fR(8)
.RS 4
\%[set $man.base.url.for.relative.links]/makeuserdb.html
.RE
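The man page's point that an intermediate HMAC context is not an encrypted password, shown in Python as an added illustration that is not code from the userdb library: the RFC 2104 inner and outer MD5 states are derived once from the password, and a challenge/response can then be finished and verified from those two states alone, with the password nowhere in sight. The names (make_contexts, challenge_response, verify) and the in-memory context layout are assumptions for this example, not the on-disk format userdbpw writes.

```python
"""HMAC-MD5 intermediate contexts for challenge/response auth.
Added example; models the idea, not the userdbpw storage format."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Any

BLOCK_SIZE = 64  # MD5 block size in bytes (RFC 2104)


@dataclass
class HmacMd5Context:
    """Assumed model of what -hmac-md5 keeps: the MD5 state after
    absorbing key^ipad (inner) and key^opad (outer). No password."""
    inner: Any
    outer: Any


def make_contexts(password: bytes) -> HmacMd5Context:
    """Derive the two intermediate contexts from the cleartext password."""
    if len(password) > BLOCK_SIZE:  # RFC 2104: hash keys longer than a block
        password = hashlib.md5(password).digest()
    key = password.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return HmacMd5Context(inner, outer)


def challenge_response(ctx: HmacMd5Context, challenge: bytes) -> str:
    """Finish HMAC-MD5 over a server challenge using only the stored
    contexts. This is how a server checks a client's reply, and why a
    leaked context is as good as the password itself."""
    inner = ctx.inner.copy()          # copy so the stored state is reusable
    inner.update(challenge)
    outer = ctx.outer.copy()
    outer.update(inner.digest())
    return outer.hexdigest()


def verify(ctx: HmacMd5Context, challenge: bytes, client_hex: str) -> bool:
    """Constant-time comparison of the client's reply with the expected one."""
    return hmac.compare_digest(challenge_response(ctx, challenge), client_hex)


def matches_reference(password: bytes, challenge: bytes) -> bool:
    """Cross-check the context-only computation against hmac.new()."""
    ctx = make_contexts(password)
    ref = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return challenge_response(ctx, challenge) == ref


if __name__ == "__main__":
    # Constructed sample values, not taken from the man page.
    print(matches_reference(b"correct horse battery staple", b"<1896.697@mx.example>"))
```

Because verify() never touches the password, the stored contexts must be protected exactly as the page describes: in userdbshadow.dat with group and world permissions off.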