|DACSPASSWD(1)||DACS Commands Manual||DACSPASSWD(1)|
NAME¶dacspasswd - manage DACS accounts
[-pf file] [-simple]
[op-spec] [--] [username]
DESCRIPTION¶This program is part of the DACS suite.
The dacspasswd command manages accounts that are used by the local_passwd_authenticate and local_simple_authenticate, authentication modules. This utility serves a similar purpose for these authentication modules that Apache's htpasswd(1) command does for its mod_auth_basic and mod_authn_dbm modules.
Apart from their use by local_passwd_authenticate and local_simple_authenticate, these accounts are completely separate from any other accounts and passwords.
Only lowercase usernames are permitted for these accounts.
The command allows arbitrary data to be associated with each account. This "private" data is opaque to DACS and is not used by DACS. Custom, account-specific information can be stored, retrieved, and deleted. Data that is not printable text must be encoded. The information is automatically deleted when its account is removed. Using this feature, account administration programs might be developed to store:
Or instead, a pointer to any of this sort of information might be stored. There is no size limit for the data, but if relatively large amounts of data are being stored for a large number of accounts, the storage type should be chosen with care to ensure reasonable performance.
Passwords are accessed using the DACS virtual filestore through the passwds or simple item types. Each record in the file is keyed on the username. The information associated with each key consists of several fields separated by a "|" character, and includes a digest algorithm identifier, salt, the computed digest, and optional application data.
Use dacsauth(1) to validate (test) a password.
The password digest algorithm used depends on the PASSWORD_DIGEST directive in effect. The PASSWORD_SALT_PREFIX directive is also used.
Apart from using an authentication method stronger than one based on passwords, current best practice is to use a key derivation function like scrypt rather than a cryptographic digest for the PASSWORD_DIGEST. While in general doing so will provide additional protection if an attacker obtains the password file, it will not help if users are allowed to choose weak passwords.
Plaintext passwords are not stored by dacspasswd. This makes it more difficult for an attacker that gains access to the password file to discover plaintext passwords, but also means that forgotten passwords cannot be recovered (except by exhaustive search, which ought to be impractical).
The salted hash of the password is stored, assuming salting has not been disabled, rather than the hash of the password itself. This makes a stolen password file more difficult for an attacker to use (see rainbow tables).
Only a DACS administrator should be able to successfully run this program from the command line. Because DACS keys and configuration files, including the file used to store passwords, must be restricted to an administrator, this will normally be the case, but a careful administrator will set file permissions to deny access to all other users. An ordinary user is able to change his own password using the dacs_passwd(8) web service.
Even if the password file is stored as a plain text file, it is probably best to modify it only through this program or dacs_passwd. Corrupting a password file entry may prevent signing on to the corresponding account or even all accounts that require the password file.
It is good administrative practice to store accounts with passwords separately from those without.
This program is also available as a DACS web service, dacs_passwd(8).
OPTIONS¶By default, the program will prompt for a new password if one is required by the selected operation.
The dacspasswd command recognizes these command line flags:
A password given on the command line may be visible to other users on the same system.
Return an exit status of 0 if an account for username exists and is enabled, or 1 if it does not exist or is disabled.
Return an exit status of 0 if an account for username exists, or 1 if it does not exist.
Return an exit status of 0 if an account for username exists and has private data, or 1 if it does not exist or does not have private data. If an entry's private data is the empty string, it is considered to have private data.
Return an exit status of 0 if an account for username exists and is disabled, or 1 if it does not exist or is enabled.
Since only the administrator is allowed to use this command, no restrictions are imposed on the length or quality of the passwords that the administrator supplies; a warning message will be emitted, however, if the password is considered to be weak based on the PASSWORD_CONSTRAINTS directive that is configured.
EXAMPLES¶To list all of the accounts configured for the jurisdiction named EXAMPLE:
% dacspasswd -uj EXAMPLE -list auggie bobo* booboo jj
Note that the account for username bobo has been disabled.
To re-enable bobo's account:
% dacspasswd -uj EXAMPLE -ena bobo
To test if bobo's account is enabled:
% dacspasswd -uj EXAMPLE -test ena bobo % echo $status 0
To test if there are accounts for usernames booboo and bob:
% dacspasswd -uj EXAMPLE -test exists booboo % echo $status 0 % dacspasswd -uj EXAMPLE -test exists bob % echo $status 1
To reset the password for username bobo interactively:
% dacspasswd -uj EXAMPLE -set bobo New password for bobo? Re-type new password for bobo?
Note that the password text is not displayed.
To reset the password for username bobo using the program's standard input:
% echo $newpasswd | dacspasswd -uj EXAMPLE -set -pf - bobo
To create a new, disabled account for username bob and store the private data "On vacation":
% dacspasswd -uj EXAMPLE -add -pf ./pwfile -dis -pds "On vacation" bob
The password is read from the file ./pwfile.
To get the private data for username bob:
% set x=`dacspasswd -uj EXAMPLE -pdg bob` % echo "$x" On vacation
To regenerate the current password file:
% dacspasswd -uj EXAMPLE -q -vfs "[newpasswds]dacs-kwv-fs:/usr/local/dacs/tmp/newpasswd?field_sep=:" -regen
DIAGNOSTICS¶The program exits 0 if everything was fine, and non-zero otherwise. A "false" outcome from the -test operation is reflected by an exit status of 1. An error condition is indicated by an exit status of 2.
BUGS¶That password information is not represented externally as an XML document tends to haunt your humble narrator. The password file format is subject to change.
SEE ALSO¶dacs_passwd(8), dacsauth(1), dacs_authenticate(8), dacs_admin(8), dacs.conf(5)
AUTHOR¶Distributed Systems Software (www.dss.ca)
COPYING¶Copyright © 2003-2017 Distributed Systems Software. See the LICENSE file that accompanies the distribution for licensing information.
- rainbow tables