<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><title>userdbpw</title><link rel="stylesheet" href="style.css" type="text/css"/><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"/><link rel="start" href="#userdbpw" title="userdbpw"/><link xmlns="" rel="stylesheet" type="text/css" href="manpage.css"/><meta xmlns="" name="MSSmartTagsPreventParsing" content="TRUE"/><link xmlns="" rel="icon" href="icon.gif" type="image/gif"/><!--

Copyright 1998 - 2007 Double Precision, Inc. See COPYING for distribution
information.

--></head><body><div class="refentry" lang="en" xml:lang="en"><a id="userdbpw" shape="rect"> </a><div class="titlepage"/><div class="refnamediv"><h2>Name</h2><p>userdbpw — create an encrypted password</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">userdbpw</code> [[-md5] | [-hmac-md5] | [-hmac-sha1]] | <br clear="none"/><code class="command">userdb</code> {<em class="replaceable"><code>name</code></em>} set {<em class="replaceable"><code>field</code></em>}</p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id282353" shape="rect"> </a><h2>DESCRIPTION</h2><p><span><strong class="command">userdbpw</strong></span> enables secure entry of encrypted
passwords into <code class="filename">@userdb@</code>.</p><p><span><strong class="command">userdbpw</strong></span> reads a single line of text on
standard input, encrypts it, and prints the encrypted result to standard
output.</p><p>If standard input is attached to a terminal device,
<span><strong class="command">userdbpw</strong></span> explicitly issues a "Password: " prompt on
standard error, and turns off echo while the password is entered.</p><p>The <code class="option">-md5</code> option is available on systems that use
MD5-hashed passwords (such as systems that use the current version of the
PAM library for authenticating, with MD5 passwords enabled).
This option creates an MD5 password hash, instead of using the
traditional <code class="function">crypt()</code> function.</p><p>The <code class="option">-hmac-md5</code> and <code class="option">-hmac-sha1</code> options
are available only if the userdb library is installed by an application
that uses a challenge/response authentication mechanism.
<code class="option">-hmac-md5</code> creates an intermediate HMAC context using the
MD5 hash function. <code class="option">-hmac-sha1</code> uses the SHA1 hash function
instead. Whether either HMAC function is actually available depends on the
application that installs the <code class="option">userdb</code> library.</p><p>Note that even though the result of HMAC hashing looks like an encrypted
password, it's really not. HMAC-based challenge/response authentication
mechanisms require the password itself to be available in cleartext.
Computing an intermediate HMAC context does scramble the cleartext password;
however, if it is compromised, it WILL be possible for an attacker to successfully
authenticate. Therefore, applications that use challenge/response
authentication will store intermediate HMAC contexts in the "pw" fields in the
userdb database, which will be compiled into the
<code class="filename">userdbshadow.dat</code>
database, which has group and world permissions turned off. The
userdb library also requires that the cleartext userdb source for the
<code class="filename">userdb.dat</code> and
<code class="filename">userdbshadow.dat</code> databases be stored with the
group and world permissions turned off.</p><p><span><strong class="command">userdbpw</strong></span> is usually used together in a pipe with
<span><strong class="command">userdb</strong></span>, which reads from standard input. For example:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample">
<pre class="programlisting" xml:space="preserve"><span><strong class="command">userdbpw -md5 | userdb users/john set systempw</strong></span></pre>
</div></blockquote></div><p>or:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample">
<pre class="programlisting" xml:space="preserve"><span><strong class="command">userdbpw -hmac-md5 | userdb users/john set hmac-md5pw</strong></span></pre>
</div></blockquote></div><p>These commands set the <code class="option">systempw</code> field and the
<code class="option">hmac-md5pw</code> field, respectively, in the record for
the user <code class="option">john</code> in the <code class="filename">@userdb@/users</code> file. Don't forget to run
<span><strong class="command">makeuserdb</strong></span> for the change to take effect.</p><p>The following command sets the same field in a single step:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample">
<pre class="programlisting" xml:space="preserve"><span><strong class="command">userdb users/john set systempw=<code class="option">SECRETPASSWORD</code></strong></span></pre>
</div></blockquote></div><p>However, this command passes the secret password as an argument to the
<span><strong class="command">userdb</strong></span> command, where it can be viewed by anyone who happens
to run
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
at the same time. Using <span><strong class="command">userdbpw</strong></span> allows the secret password
to be supplied on standard input instead, where it cannot be easily viewed by
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id281936" shape="rect"> </a><h2>SEE ALSO</h2><p>
<a href="userdb.html" target="_top" shape="rect"><span class="citerefentry"><span class="refentrytitle">userdb</span>(8)</span></a>,

<a href="makeuserdb.html" target="_top" shape="rect"><span class="citerefentry"><span class="refentrytitle">makeuserdb</span>(8)</span></a></p></div></div></body></html>
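The "intermediate HMAC context" that the DESCRIPTION above describes, and why the page warns that a compromised context is as good as the cleartext password, as an added Python example; this is illustration code, not code from userdbpw or the userdb library. It assumes HMAC-MD5 as defined in RFC 2104 and a CRAM-MD5 style exchange (RFC 2195) as the challenge/response mechanism; the hashlib object after absorbing the padded key stands in for the raw MD5 state that the real tool serializes, so the on-disk format is not reproduced. The password and challenge are the constructed sample values from RFC 2195. The block also carries the file-mode check the page's permission requirement implies, and an input routine that mirrors the tool's terminal handling (prompt on stderr, echo off, or one line from a pipe).

```python
"""Added illustration (not userdbpw/userdb code): what an intermediate HMAC
context is, why it is password-equivalent, and the file-mode rule that the
userdb library enforces because of that."""
import getpass
import hashlib
import hmac
import os
import stat
import sys

MD5_BLOCK_SIZE = 64  # HMAC pads (or first hashes) the key to the block size, RFC 2104


def hmac_md5_contexts(password: bytes):
    """Derive the two keyed MD5 states (inner, outer) from a password.

    This is the "intermediate HMAC context": the key has been absorbed, but no
    challenge has. userdbpw serializes the raw MD5 state into the userdb "pw"
    field; here the hashlib object stands in for it (an assumption of this
    example, not the on-disk format).
    """
    if len(password) > MD5_BLOCK_SIZE:  # RFC 2104: long keys are hashed first
        password = hashlib.md5(password).digest()
    key = password.ljust(MD5_BLOCK_SIZE, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def server_response(contexts, challenge: bytes) -> str:
    """Finish the HMAC from the stored contexts alone, without the cleartext.

    This is all a challenge/response server needs to verify a client, which is
    exactly why a leaked context lets its holder produce a valid response.
    """
    inner, outer = contexts
    inner = inner.copy()  # copy: the stored state is reused for every login
    inner.update(challenge)
    outer = outer.copy()
    outer.update(inner.digest())
    return outer.hexdigest()


def client_response(password: bytes, challenge: bytes) -> str:
    """What a client computes from the cleartext password (RFC 2104 HMAC-MD5)."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def contexts_are_password_equivalent(password: bytes, challenge: bytes) -> bool:
    """True when the context-only computation matches the cleartext one."""
    return server_response(hmac_md5_contexts(password), challenge) == \
        client_response(password, challenge)


def mode_is_private(mode: int) -> bool:
    """True when no group or world permission bit is set (e.g. mode 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def is_private_file(path: str) -> bool:
    """The check the man page implies for the userdb source and
    userdbshadow.dat: group and world permissions must be turned off."""
    return mode_is_private(os.stat(path).st_mode)


def read_password() -> bytes:
    """Mirror userdbpw's input handling: when stdin is a terminal, prompt on
    stderr with echo off; otherwise read one line from stdin, as in a pipe,
    so the secret never appears on a command line visible to ps(1)."""
    if sys.stdin.isatty():
        text = getpass.getpass("Password: ", stream=sys.stderr)
    else:
        text = sys.stdin.readline().rstrip("\r\n")
    return text.encode()


if __name__ == "__main__":
    # Constructed sample values: the worked example from RFC 2195.
    pw = b"tanstaaftanstaaf"
    chal = b"<1896.697170952@postoffice.reston.mci.net>"
    ctx = hmac_md5_contexts(pw)
    print("client (cleartext):", client_response(pw, chal))
    print("server (context)  :", server_response(ctx, chal))
    print("equivalent        :", contexts_are_password_equivalent(pw, chal))
    for path in sys.argv[1:]:  # e.g. the userdb source and userdbshadow.dat
        print(path, "private" if is_private_file(path) else "GROUP/WORLD ACCESSIBLE")
```

Run it with the paths of the userdb source file and userdbshadow.dat as arguments to confirm they carry no group or world bits. The point the two `*_response` functions make is the one the page states in prose: the server never needs the cleartext, only the contexts, so the contexts deserve exactly the protection the cleartext would, which is why they go into userdbshadow.dat rather than the world-readable userdb.dat.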