[hcoop/debian/courier-authlib.git] / userdb / userdbpw.html.in

<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><title>userdbpw</title><link rel="stylesheet" href="style.css" type="text/css"/><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"/><link rel="start" href="#userdbpw" title="userdbpw"/><link xmlns="" rel="stylesheet" type="text/css" href="manpage.css"/><meta xmlns="" name="MSSmartTagsPreventParsing" content="TRUE"/><link xmlns="" rel="icon" href="icon.gif" type="image/gif"/><!--

Copyright 1998 - 2007 Double Precision, Inc.  See COPYING for distribution
information.

--></head><body><div class="refentry" lang="en" xml:lang="en"><a id="userdbpw" shape="rect"> </a><div class="titlepage"/><div class="refnamediv"><h2>Name</h2><p>userdbpw — create an encrypted password</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">userdbpw</code>  [[-md5] |  [-hmac-md5] |  [-hmac-sha1]]  | <br clear="none"/><code class="command">userdb</code>  {<em class="replaceable"><code>name</code></em>}  set  {<em class="replaceable"><code>field</code></em>}</p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id282353" shape="rect"> </a><h2>DESCRIPTION</h2><p><span><strong class="command">userdbpw</strong></span> enables secure entry of encrypted
passwords into <code class="filename">@userdb@</code>.</p><p><span><strong class="command">userdbpw</strong></span> reads a single line of text on
standard input, encrypts it, and prints the encrypted result to standard
output.</p><p>If standard input is attached to a terminal device,
<span><strong class="command">userdbpw</strong></span> explicitly issues a "Password: " prompt on
standard error, and turns off echo while the password is entered.</p><p>The <code class="option">-md5</code> option is available on systems that use
MD5-hashed passwords (such as systems that use the current version of the
PAM library for authenticating, with MD5 passwords enabled).
This option creates an MD5 password hash, instead of using the
traditional <code class="function">crypt()</code> function.</p><p><code class="option">-hmac-md5</code> and <code class="option">-hmac-sha1</code> options
are available only if the userdb library is installed by an application
that uses a challenge/response authentication mechanism.
<code class="option">-hmac-md5</code> creates an intermediate HMAC context using the
MD5 hash function. <code class="option">-hmac-sha1</code> uses the SHA1 hash function
instead. Whether either HMAC function is actually available depends on the
actual application that installs the <code class="option">userdb</code> library.</p><p>Note that even though the result of HMAC hashing looks like an encrypted
password, it's really not.  HMAC-based challenge/response authentication
mechanisms require the cleartext password to be available as cleartext.
Computing an intermediate HMAC context does scramble the cleartext password,
however if its compromised, it WILL be possible for an attacker to succesfully
authenticate.  Therefore, applications that use challenge/response
authentication will store intermediate HMAC contexts in the "pw" fields in the
userdb database, which will be compiled into the
<code class="filename">userdbshadow.dat</code>
database, which has group and world permissions turned off. The
userdb library also requires that the cleartext userdb source for the
<code class="filename">userdb.dat</code> and
<code class="filename">userdbshadow.dat</code> databases is also stored with the
group and world permissions turned off.</p><p><span><strong class="command">userdbpw</strong></span> is usually used together in a pipe with
<span><strong class="command">userdb</strong></span>, which reads from standard input. For example:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span><strong class="command">userdbpw -md5 | userdb users/john set systempw</strong></span></pre></div></blockquote></div><p>or:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span><strong class="command">userdbpw -hmac-md5 | userdb users/john set hmac-md5pw</strong></span></pre></div></blockquote></div><p>These commands set the <code class="option">systempw</code> field in the record for
the user <code class="option">john</code> in <code class="filename">@userdb@/users</code> file, and the
<code class="option">hmac-md5pw</code> field. Don't forget to run
<span><strong class="command">makeuserdb</strong></span> for the change to take effect.</p><p>The following command does the same thing:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span><strong class="command">userdb users/john set systempw=<code class="option">SECRETPASSWORD</code></strong></span></pre></div></blockquote></div><p>However, this command passes the secret password as an argument to the
<span><strong class="command">userdb</strong></span> command, which can be viewed by anyone who happens
to run
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
at the same time. Using <span><strong class="command">userdbpw</strong></span> allows the secret password
to be specified in a way that cannot be easily viewed by
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id281936" shape="rect"> </a><h2>SEE ALSO</h2><p>
<a href="userdb.html" target="_top" shape="rect"><span class="citerefentry"><span class="refentrytitle">userdb</span>(8)</span></a>,
 
<a href="makeuserdb.html" target="_top" shape="rect"><span class="citerefentry"><span class="refentrytitle">makeuserdb</span>(8)</span></a></p></div></div></body></html>
Commit	Line	Data
d9898ee8	1	<?xml version="1.0"?>
	2	<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><title>userdbpw</title><link rel="stylesheet" href="style.css" type="text/css"/><meta name="generator" content="DocBook XSL Stylesheets V1.72.0"/><link rel="start" href="#userdbpw" title="userdbpw"/><link xmlns="" rel="stylesheet" type="text/css" href="manpage.css"/><meta xmlns="" name="MSSmartTagsPreventParsing" content="TRUE"/><link xmlns="" rel="icon" href="icon.gif" type="image/gif"/><!--
	3
	4	Copyright 1998 - 2007 Double Precision, Inc. See COPYING for distribution
	5	information.
	6
	7	--></head><body><div class="refentry" lang="en" xml:lang="en"><a id="userdbpw" shape="rect"> </a><div class="titlepage"/><div class="refnamediv"><h2>Name</h2><p>userdbpw — create an encrypted password</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">userdbpw</code> [[-md5] \| [-hmac-md5] \| [-hmac-sha1]] \| <br clear="none"/><code class="command">userdb</code> {<em class="replaceable"><code>name</code></em>} set {<em class="replaceable"><code>field</code></em>}</p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id282353" shape="rect"> </a><h2>DESCRIPTION</h2><p><span><strong class="command">userdbpw</strong></span> enables secure entry of encrypted
	8	passwords into <code class="filename">@userdb@</code>.</p><p><span><strong class="command">userdbpw</strong></span> reads a single line of text on
	9	standard input, encrypts it, and prints the encrypted result to standard
	10	output.</p><p>If standard input is attached to a terminal device,
	11	<span><strong class="command">userdbpw</strong></span> explicitly issues a "Password: " prompt on
	12	standard error, and turns off echo while the password is entered.</p><p>The <code class="option">-md5</code> option is available on systems that use
	13	MD5-hashed passwords (such as systems that use the current version of the
	14	PAM library for authenticating, with MD5 passwords enabled).
	15	This option creates an MD5 password hash, instead of using the
	16	traditional <code class="function">crypt()</code> function.</p><p><code class="option">-hmac-md5</code> and <code class="option">-hmac-sha1</code> options
	17	are available only if the userdb library is installed by an application
	18	that uses a challenge/response authentication mechanism.
	19	<code class="option">-hmac-md5</code> creates an intermediate HMAC context using the
	20	MD5 hash function. <code class="option">-hmac-sha1</code> uses the SHA1 hash function
	21	instead. Whether either HMAC function is actually available depends on the
	22	actual application that installs the <code class="option">userdb</code> library.</p><p>Note that even though the result of HMAC hashing looks like an encrypted
	23	password, it's really not. HMAC-based challenge/response authentication
	24	mechanisms require the cleartext password to be available as cleartext.
	25	Computing an intermediate HMAC context does scramble the cleartext password,
	26	however if its compromised, it WILL be possible for an attacker to succesfully
	27	authenticate. Therefore, applications that use challenge/response
	28	authentication will store intermediate HMAC contexts in the "pw" fields in the
	29	userdb database, which will be compiled into the
	30	<code class="filename">userdbshadow.dat</code>
	31	database, which has group and world permissions turned off. The
	32	userdb library also requires that the cleartext userdb source for the
	33	<code class="filename">userdb.dat</code> and
	34	<code class="filename">userdbshadow.dat</code> databases is also stored with the
	35	group and world permissions turned off.</p><p><span><strong class="command">userdbpw</strong></span> is usually used together in a pipe with
	36	<span><strong class="command">userdb</strong></span>, which reads from standard input. For example:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span><strong class="command">userdbpw -md5 \| userdb users/john set systempw</strong></span></pre></div></blockquote></div><p>or:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span><strong class="command">userdbpw -hmac-md5 \| userdb users/john set hmac-md5pw</strong></span></pre></div></blockquote></div><p>These commands set the <code class="option">systempw</code> field in the record for
	37	the user <code class="option">john</code> in <code class="filename">@userdb@/users</code> file, and the
	38	<code class="option">hmac-md5pw</code> field. Don't forget to run
	39	<span><strong class="command">makeuserdb</strong></span> for the change to take effect.</p><p>The following command does the same thing:</p><div class="blockquote"><blockquote class="blockquote"><div class="informalexample"><pre class="programlisting" xml:space="preserve"><span><strong class="command">userdb users/john set systempw=<code class="option">SECRETPASSWORD</code></strong></span></pre></div></blockquote></div><p>However, this command passes the secret password as an argument to the
	40	<span><strong class="command">userdb</strong></span> command, which can be viewed by anyone who happens
	41	to run
	42	<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
	43	at the same time. Using <span><strong class="command">userdbpw</strong></span> allows the secret password
	44	to be specified in a way that cannot be easily viewed by
	45	<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id281936" shape="rect"> </a><h2>SEE ALSO</h2><p>
	46	<a href="userdb.html" target="_top" shape="rect"><span class="citerefentry"><span class="refentrytitle">userdb</span>(8)</span></a>,
	47
	48	<a href="makeuserdb.html" target="_top" shape="rect"><span class="citerefentry"><span class="refentrytitle">makeuserdb</span>(8)</span></a></p></div></div></body></html>