[hcoop/debian/courier-authlib.git] / userdb / userdbpw.8.in

'\" t
.\"  <!-- Copyright 1998 - 2007 Double Precision, Inc.  See COPYING for -->
.\"  <!-- distribution information. -->
.\"     Title: userdbpw
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: 08/25/2013
.\"    Manual: Double Precision, Inc.
.\"    Source: Double Precision, Inc.
.\"  Language: English
.\"
.TH "USERDBPW" "8" "08/25/2013" "Double Precision, Inc." "Double Precision, Inc."
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
userdbpw \- create an encrypted password
.SH "SYNOPSIS"
.HP \w'\fBuserdbpw\fR\fBuserdb\fR\ 'u
\fBuserdbpw\fR [[\-md5] | [\-hmac\-md5] | [\-hmac\-sha1]] |\fBuserdb\fR {\fIname\fR} set {\fIfield\fR}
.SH "DESCRIPTION"
.PP
\fBuserdbpw\fR
enables secure entry of encrypted passwords into
@userdb@\&.
.PP
\fBuserdbpw\fR
reads a single line of text on standard input, encrypts it, and prints the encrypted result to standard output\&.
.PP
If standard input is attached to a terminal device,
\fBuserdbpw\fR
explicitly issues a "Password: " prompt on standard error, and turns off echo while the password is entered\&.
.PP
The
\fB\-md5\fR
option is available on systems that use MD5\-hashed passwords (such as systems that use the current version of the PAM library for authenticating, with MD5 passwords enabled)\&. This option creates an MD5 password hash, instead of using the traditional
\fBcrypt()\fR
function\&.
.PP
\fB\-hmac\-md5\fR
and
\fB\-hmac\-sha1\fR
options are available only if the userdb library is installed by an application that uses a challenge/response authentication mechanism\&.
\fB\-hmac\-md5\fR
creates an intermediate HMAC context using the MD5 hash function\&.
\fB\-hmac\-sha1\fR
uses the SHA1 hash function instead\&. Whether either HMAC function is actually available depends on the actual application that installs the
\fBuserdb\fR
library\&.
.PP
Note that even though the result of HMAC hashing looks like an encrypted password, it\*(Aqs really not\&. HMAC\-based challenge/response authentication mechanisms require the cleartext password to be available as cleartext\&. Computing an intermediate HMAC context does scramble the cleartext password, however if its compromised, it WILL be possible for an attacker to succesfully authenticate\&. Therefore, applications that use challenge/response authentication will store intermediate HMAC contexts in the "pw" fields in the userdb database, which will be compiled into the
userdbshadow\&.dat
database, which has group and world permissions turned off\&. The userdb library also requires that the cleartext userdb source for the
userdb\&.dat
and
userdbshadow\&.dat
databases is also stored with the group and world permissions turned off\&.
.PP
\fBuserdbpw\fR
is usually used together in a pipe with
\fBuserdb\fR, which reads from standard input\&. For example:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBuserdbpw \-md5 | userdb users/john set systempw\fR
.fi
.if n \{\
.RE
.\}
.PP
or:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBuserdbpw \-hmac\-md5 | userdb users/john set hmac\-md5pw\fR
.fi
.if n \{\
.RE
.\}
.PP
These commands set the
\fBsystempw\fR
field in the record for the user
\fBjohn\fR
in
@userdb@/users
file, and the
\fBhmac\-md5pw\fR
field\&. Don\*(Aqt forget to run
\fBmakeuserdb\fR
for the change to take effect\&.
.PP
The following command does the same thing:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBuserdb users/john set systempw=\fR\fB\fBSECRETPASSWORD\fR\fR
.fi
.if n \{\
.RE
.\}
.PP
However, this command passes the secret password as an argument to the
\fBuserdb\fR
command, which can be viewed by anyone who happens to run
\fBps\fR(1)
at the same time\&. Using
\fBuserdbpw\fR
allows the secret password to be specified in a way that cannot be easily viewed by
\fBps\fR(1)\&.
.SH "SEE ALSO"
.PP
\m[blue]\fB\fBuserdb\fR(8)\fR\m[]\&\s-2\u[1]\d\s+2,
\m[blue]\fB\fBmakeuserdb\fR(8)\fR\m[]\&\s-2\u[2]\d\s+2
.SH "NOTES"
.IP " 1." 4
\fBuserdb\fR(8)
.RS 4
\%[set $man.base.url.for.relative.links]/userdb.html
.RE
.IP " 2." 4
\fBmakeuserdb\fR(8)
.RS 4
\%[set $man.base.url.for.relative.links]/makeuserdb.html
.RE
Commit	Line	Data
b0322a85	1	'\" t
d9898ee8	2	.\" <!-- Copyright 1998 - 2007 Double Precision, Inc. See COPYING for -->
	3	.\" <!-- distribution information. -->
	4	.\" Title: userdbpw
b0322a85 CE	5	.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
	6	.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
	7	.\" Date: 08/25/2013
d9898ee8	8	.\" Manual: Double Precision, Inc.
d9898ee8	9	.\" Source: Double Precision, Inc.
b0322a85	10	.\" Language: English
d9898ee8	11	.\"
b0322a85 CE	12	.TH "USERDBPW" "8" "08/25/2013" "Double Precision, Inc." "Double Precision, Inc."
	13	.\" -----------------------------------------------------------------
	14	.\" * Define some portability stuff
	15	.\" -----------------------------------------------------------------
	16	.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	17	.\" http://bugs.debian.org/507673
	18	.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
	19	.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	20	.ie \n(.g .ds Aq \(aq
	21	.el .ds Aq '
	22	.\" -----------------------------------------------------------------
	23	.\" * set default formatting
	24	.\" -----------------------------------------------------------------
d9898ee8	25	.\" disable hyphenation
	26	.nh
	27	.\" disable justification (adjust text to left margin only)
	28	.ad l
b0322a85 CE	29	.\" -----------------------------------------------------------------
	30	.\" * MAIN CONTENT STARTS HERE *
	31	.\" -----------------------------------------------------------------
d9898ee8	32	.SH "NAME"
b0322a85	33	userdbpw \- create an encrypted password
d9898ee8	34	.SH "SYNOPSIS"
b0322a85	35	.HP \w'\fBuserdbpw\fR\fBuserdb\fR\ 'u
d9898ee8	36	\fBuserdbpw\fR [[\-md5] \| [\-hmac\-md5] \| [\-hmac\-sha1]] \|\fBuserdb\fR {\fIname\fR} set {\fIfield\fR}
	37	.SH "DESCRIPTION"
	38	.PP
	39	\fBuserdbpw\fR
	40	enables secure entry of encrypted passwords into
b0322a85	41	@userdb@\&.
d9898ee8	42	.PP
d9898ee8	43	\fBuserdbpw\fR
b0322a85	44	reads a single line of text on standard input, encrypts it, and prints the encrypted result to standard output\&.
d9898ee8	45	.PP
	46	If standard input is attached to a terminal device,
	47	\fBuserdbpw\fR
b0322a85	48	explicitly issues a "Password: " prompt on standard error, and turns off echo while the password is entered\&.
d9898ee8	49	.PP
	50	The
	51	\fB\-md5\fR
b0322a85	52	option is available on systems that use MD5\-hashed passwords (such as systems that use the current version of the PAM library for authenticating, with MD5 passwords enabled)\&. This option creates an MD5 password hash, instead of using the traditional
d9898ee8	53	\fBcrypt()\fR
b0322a85	54	function\&.
d9898ee8	55	.PP
	56	\fB\-hmac\-md5\fR
	57	and
	58	\fB\-hmac\-sha1\fR
b0322a85	59	options are available only if the userdb library is installed by an application that uses a challenge/response authentication mechanism\&.
d9898ee8	60	\fB\-hmac\-md5\fR
b0322a85	61	creates an intermediate HMAC context using the MD5 hash function\&.
d9898ee8	62	\fB\-hmac\-sha1\fR
b0322a85	63	uses the SHA1 hash function instead\&. Whether either HMAC function is actually available depends on the actual application that installs the
d9898ee8	64	\fBuserdb\fR
b0322a85	65	library\&.
d9898ee8	66	.PP
b0322a85 CE	67	Note that even though the result of HMAC hashing looks like an encrypted password, it\*(Aqs really not\&. HMAC\-based challenge/response authentication mechanisms require the cleartext password to be available as cleartext\&. Computing an intermediate HMAC context does scramble the cleartext password, however if its compromised, it WILL be possible for an attacker to succesfully authenticate\&. Therefore, applications that use challenge/response authentication will store intermediate HMAC contexts in the "pw" fields in the userdb database, which will be compiled into the
	68	userdbshadow\&.dat
	69	database, which has group and world permissions turned off\&. The userdb library also requires that the cleartext userdb source for the
	70	userdb\&.dat
d9898ee8	71	and
b0322a85 CE	72	userdbshadow\&.dat
b0322a85 CE	73	databases is also stored with the group and world permissions turned off\&.
d9898ee8	74	.PP
	75	\fBuserdbpw\fR
	76	is usually used together in a pipe with
b0322a85	77	\fBuserdb\fR, which reads from standard input\&. For example:
d9898ee8	78	.sp
b0322a85	79	.if n \{\
d9898ee8	80	.RS 4
b0322a85	81	.\}
d9898ee8	82	.nf
	83	\fBuserdbpw \-md5 \| userdb users/john set systempw\fR
	84	.fi
b0322a85	85	.if n \{\
d9898ee8	86	.RE
b0322a85	87	.\}
d9898ee8	88	.PP
	89	or:
	90	.sp
b0322a85	91	.if n \{\
d9898ee8	92	.RS 4
b0322a85	93	.\}
d9898ee8	94	.nf
	95	\fBuserdbpw \-hmac\-md5 \| userdb users/john set hmac\-md5pw\fR
	96	.fi
b0322a85	97	.if n \{\
d9898ee8	98	.RE
b0322a85	99	.\}
d9898ee8	100	.PP
	101	These commands set the
	102	\fBsystempw\fR
	103	field in the record for the user
	104	\fBjohn\fR
	105	in
b0322a85	106	@userdb@/users
d9898ee8	107	file, and the
d9898ee8	108	\fBhmac\-md5pw\fR
b0322a85	109	field\&. Don\*(Aqt forget to run
d9898ee8	110	\fBmakeuserdb\fR
b0322a85	111	for the change to take effect\&.
d9898ee8	112	.PP
	113	The following command does the same thing:
	114	.sp
b0322a85	115	.if n \{\
d9898ee8	116	.RS 4
b0322a85	117	.\}
d9898ee8	118	.nf
	119	\fBuserdb users/john set systempw=\fR\fB\fBSECRETPASSWORD\fR\fR
	120	.fi
b0322a85	121	.if n \{\
d9898ee8	122	.RE
b0322a85	123	.\}
d9898ee8	124	.PP
	125	However, this command passes the secret password as an argument to the
	126	\fBuserdb\fR
	127	command, which can be viewed by anyone who happens to run
	128	\fBps\fR(1)
b0322a85	129	at the same time\&. Using
d9898ee8	130	\fBuserdbpw\fR
d9898ee8	131	allows the secret password to be specified in a way that cannot be easily viewed by
b0322a85	132	\fBps\fR(1)\&.
d9898ee8	133	.SH "SEE ALSO"
d9898ee8	134	.PP
b0322a85 CE	135	\m[blue]\fB\fBuserdb\fR(8)\fR\m[]\&\s-2\u[1]\d\s+2,
b0322a85 CE	136	\m[blue]\fB\fBmakeuserdb\fR(8)\fR\m[]\&\s-2\u[2]\d\s+2
8d138742	137	.SH "NOTES"
d9898ee8	138	.IP " 1." 4
	139	\fBuserdb\fR(8)
	140	.RS 4
b0322a85	141	\%[set $man.base.url.for.relative.links]/userdb.html
d9898ee8	142	.RE
	143	.IP " 2." 4
	144	\fBmakeuserdb\fR(8)
	145	.RS 4
b0322a85	146	\%[set $man.base.url.for.relative.links]/makeuserdb.html
d9898ee8	147	.RE