DACSPASSWD(1) | DACS Commands Manual | DACSPASSWD(1) |
NAME
dacspasswd - manage DACS accounts
SYNOPSIS
dacspasswd [dacsoptions[1]] [-p password] [-pf file] [-simple] [-vfs vfs_uri] [op-spec] [--] [username]
DESCRIPTION
This program is part of the DACS suite. The dacspasswd command manages accounts that are used by the local_passwd_authenticate[2] and local_simple_authenticate[3] authentication modules. This utility serves a similar purpose for these authentication modules that Apache's htpasswd(1)[4] command does for its mod_auth[5] and mod_auth_dbm[6] modules (or mod_auth_basic[7] and mod_authn_dbm[8]). Apart from their use by local_passwd_authenticate and local_simple_authenticate, these accounts are completely separate from any other accounts and passwords.
An application can associate private data of its own choosing with each account. Examples of the kind of information that might be kept there include:
•the last time a password was changed;
•hashes of previous password values (so that they are not reused);
•a note that the account's password must be changed;
•a password reminder question and answer;
•information for mutual authentication, such as a small image provided by the user that is displayed at login time;
•an encrypted representation of the password for recovery purposes (when absolutely necessary);
•several security questions (with answers), one of which might be selected at random and presented to the user at login time; or
•user preferences.
Or instead, a pointer to any of this sort of information might be stored. There
is no size limit for the data, but if relatively large amounts of data are
being stored for a large number of accounts, the storage type should be chosen
with care to ensure reasonable performance.
Passwords are accessed using the DACS virtual filestore through the
passwds or simple item types. Each record in the file is keyed on the
username. The information associated with each key consists of several fields
separated by a "|" character, and includes a digest algorithm
identifier, salt, the computed digest, and optional application data.
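The record shape described above, worked through in code. This is an added example written for this page, not DACS code: the field order (username|algorithm|salt|digest|appdata), the hashing rule (hex of H(salt || password)) and the use of a trailing "*" on the stored key for a disabled account are all assumptions made here so the example runs; DACS's own layout and hashing are governed by its PASSWORD_DIGEST and PASSWORD_SALT_PREFIX configuration and are not reproduced. verify_password does offline what a script does when it hands the digest string printed by -get, together with a candidate password, to password(): a disabled account never matches, and the comparison is constant-time.

```python
"""Parse, create and verify records of the shape dacspasswd(1) describes:
one record per username, "|"-separated fields holding a digest algorithm
identifier, a salt, the computed digest and optional application data.

Added example for this manual page, not DACS code.  Assumed here (not
taken from the page): field order username|algorithm|salt|digest|appdata,
digest = hex(H(salt || password)), and a trailing "*" on the stored key
for a disabled account, mirroring what -list prints."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

FIELD_SEP = "|"


class PasswdError(Exception):
    pass


def make_digest(algorithm: str, salt: str, password: str) -> str:
    """Assumed hashing rule: hex(H(salt || password)) for a hashlib algorithm id."""
    if algorithm not in hashlib.algorithms_available:
        raise PasswdError(f"unsupported digest algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def format_record(username: str, algorithm: str, password: str,
                  appdata: Optional[str] = None, disabled: bool = False,
                  salt: Optional[str] = None) -> str:
    """Build one record line; a fresh random salt is drawn unless one is given."""
    if not username or FIELD_SEP in username or "*" in username:
        raise PasswdError(f"invalid username: {username!r}")
    salt = salt if salt is not None else secrets.token_hex(8)
    if FIELD_SEP in algorithm or FIELD_SEP in salt:
        raise PasswdError("separator character in a fixed field")
    fields = [username + ("*" if disabled else ""), algorithm, salt,
              make_digest(algorithm, salt, password)]
    if appdata is not None:
        fields.append(appdata)          # last field, so it may itself contain "|"
    return FIELD_SEP.join(fields)


def parse_record(line: str) -> dict:
    # Split at most four times so that application data may contain "|".
    parts = line.rstrip("\n").split(FIELD_SEP, 4)
    if len(parts) < 4 or not parts[0]:
        raise PasswdError(f"malformed record: {line!r}")
    key, algorithm, salt, digest = parts[:4]
    return {"username": key.rstrip("*"), "disabled": key.endswith("*"),
            "algorithm": algorithm, "salt": salt, "digest": digest,
            "appdata": parts[4] if len(parts) == 5 else None}


def load_passwd(text: str) -> Dict[str, dict]:
    """Parse a whole file; records are keyed on the username, which must be unique."""
    records: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["username"] in records:
            raise PasswdError(f"duplicate entry: {rec['username']}")
        records[rec["username"]] = rec
    return records


def verify_password(rec: dict, password: str) -> bool:
    """Disabled accounts never authenticate; digests are compared in constant time."""
    if rec["disabled"]:
        return False
    expected = make_digest(rec["algorithm"], rec["salt"], password)
    return hmac.compare_digest(expected, rec["digest"])


# Constructed sample file.  Fixed salts for the first two entries keep the
# content reproducible; jj shows the default random salt.
SAMPLE_PASSWD = "\n".join([
    format_record("auggie", "sha256", "correct horse", salt="5d41402abc4b2a76"),
    format_record("bobo", "sha256", "staple", appdata="On vacation|back in August",
                  disabled=True, salt="0123456789abcdef"),
    format_record("jj", "sha512", "battery"),
]) + "\n"

if __name__ == "__main__":
    accounts = load_passwd(SAMPLE_PASSWD)
    for name, rec in accounts.items():
        mark = "*" if rec["disabled"] else ""
        print(f"{name}{mark}: {rec['algorithm']} appdata={rec['appdata']!r}")
    print("auggie/correct horse:", verify_password(accounts["auggie"], "correct horse"))
    print("bobo/staple (disabled):", verify_password(accounts["bobo"], "staple"))
```

The plain salted hash mirrors what the page describes (algorithm identifier, salt, digest); a design started from scratch today would put a deliberately slow key derivation function in place of make_digest.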
OPTIONS
By default, the program will prompt for a new password if one is required by the selected operation. The dacspasswd command recognizes these command line flags:
-p password
Specify the password.
Security
A password given on the command line may be visible to other users on the same system (for example, in the output of ps(1)) and may be recorded in shell history. Prefer -pf, which reads the password from a file or from the standard input.
-pdd
Delete the private data associated with
username.
-pdg
Get the private data associated with username and
print it to the standard output.
-pds string
Set (or replace) string as private data associated
with username.
-pdsf file
Set (or replace) the private data associated with
username, reading it from file. If file is "-",
then the data is read from the standard input. This flag and -pf cannot
both be used to read from the standard input.
-pf file
Read the password to use from file. If file
is "-", then the password is read from the standard input without
prompting. This flag and -pdsf cannot both be used to read from the
standard input.
-simple
Use the simple item type expected by
local_simple_authenticate instead of the default. The program will not
prompt for passwords because these accounts do not use them.
-vfs vfs_uri
Add vfs_uri as a VFS[13] configuration
directive. By specifying the item type passwds, a location for the password
file can be given, overriding any configuration file value. This is
particularly useful in conjunction with dacsauth(1)[14].
op-spec
The following operations are recognized. The -enable, -disable, -pdd, -pds, and -pdsf operations are the only ones that can be combined with another operation (for example, you can disable an account and set its private data at the same time).
-a, -add
Add username to the password file. The entry must not already exist. By default, the user will be prompted for the password, which must be retyped for confirmation. This is the default operation.
-d, -del, -delete
Delete username from the password file.
-dis, -disable
Disable the account for username so that authentication modules will not accept any password. If used with -a, -s, or -u, the account will also be disabled. The username may subsequently be enabled.
-en, -ena, -enable
Re-enable the account for username, which is currently disabled. The authentication modules will once again accept the password. If used with -a, -s, or -u, the account will also be enabled.
-g, -get
Get the digest string for username and print it to the standard output. A script can validate a password by passing this digest string to password()[15] along with the password obtained from the user.
-l, -list
List username if it appears in the password file. If no username is provided, list all usernames. A disabled account is indicated by a '*' (which is not a valid character in a username).
-s, -set
Set or reset the password for username, which must already exist in the password file. The enabled/disabled status is preserved unless overridden by a flag.
-test testop
Test an entry for one of several attributes and report the outcome through the program's exit status. The testop is one of the following keywords or abbreviated keywords:
•enabled, ena, en
Return an exit status of 0 if an account for username exists and is enabled, or 1 if it does not exist or is disabled.
•exists, ex
Return an exit status of 0 if an account for username exists, or 1 if it does not exist.
•data
Return an exit status of 0 if an account for username exists and has private data, or 1 if it does not exist or does not have private data. If an entry's private data is the empty string, it is considered to have private data.
•disabled, dis
Return an exit status of 0 if an account for username exists and is disabled, or 1 if it does not exist or is enabled.
-u, -up, -update
Add username to the password file or update an existing entry for username. By default, the user will be prompted for the password, which must be retyped for confirmation. If the entry exists, the enabled/disabled status is preserved unless overridden by a flag.
--
This flag signals the end of the flag arguments; a username may follow, possibly beginning with a "-" character.
Since only the administrator is allowed to use this command, no restrictions are
imposed on the length or quality of the passwords that the administrator
supplies; a warning message will be emitted, however, if the password is
considered to be weak based on the PASSWORD_CONSTRAINTS[16] directive
that is configured.
EXAMPLES
The examples below use csh syntax; $status holds the exit status of the last command.
To list all of the accounts configured for the jurisdiction named EXAMPLE (bobo is disabled):

    % dacspasswd -uj EXAMPLE -list
    auggie
    bobo*
    booboo
    jj

To re-enable bobo and confirm the result through the exit status:

    % dacspasswd -uj EXAMPLE -ena bobo
    % dacspasswd -uj EXAMPLE -test ena bobo
    % echo $status
    0

To test whether accounts exist:

    % dacspasswd -uj EXAMPLE -test exists booboo
    % echo $status
    0
    % dacspasswd -uj EXAMPLE -test exists bob
    % echo $status
    1

To change bobo's password interactively:

    % dacspasswd -uj EXAMPLE -set bobo
    New password for bobo?
    Re-type new password for bobo?

To set the password from a variable without prompting, passing it on the standard input rather than on the command line:

    % echo $newpasswd | dacspasswd -uj EXAMPLE -set -pf - bobo

To add a new account that starts out disabled, reading the password from a file and attaching private data:

    % dacspasswd -uj EXAMPLE -add -pf ./pwfile -dis -pds "On vacation" bob

To retrieve that private data:

    % set x=`dacspasswd -uj EXAMPLE -pdg bob`
    % echo "$x"
    On vacation
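The same operations driven from a script. This is an added example written for this page, not DACS code, and it relies only on what the page documents: the password is read from the standard input with "-pf -" rather than given via -p, "--" precedes the username so that a name beginning with "-" is not mistaken for a flag, -dis and -pds may be combined with -add, "-pdsf -" cannot share the standard input with "-pf -", -list marks a disabled account with "*", and (per DIAGNOSTICS) the exit status is 0 for success or a true -test, 1 for a false -test, and 2 for an error. The run argument is an assumed injection hook that accepts any subprocess.run-compatible callable so the wrapper can be exercised without DACS installed.

```python
"""Drive dacspasswd(1) from a script without putting the password on the
command line.  Added example for this manual page, not part of DACS.
The `run` parameter is an assumed injection hook: any callable with the
signature of subprocess.run may be substituted for testing."""
import subprocess
from typing import Callable, List, Optional, Sequence, Tuple


class DacspasswdError(RuntimeError):
    """dacspasswd reported an error (exit status 2, or non-zero outside -test)."""


class Dacspasswd:
    def __init__(self, jurisdiction: str, vfs_uri: Optional[str] = None,
                 binary: str = "dacspasswd", run: Callable = subprocess.run):
        self.base = [binary, "-uj", jurisdiction]
        if vfs_uri:
            self.base += ["-vfs", vfs_uri]   # e.g. an ad hoc passwds location
        self.run = run

    def _exec(self, flags: Sequence[str], username: Optional[str],
              stdin: Optional[str] = None, false_ok: bool = False):
        argv = self.base + list(flags)
        if username is not None:
            argv += ["--", username]         # "--" ends flag parsing: a username may start with "-"
        proc = self.run(argv, input=stdin, capture_output=True, text=True)
        if proc.returncode == 0 or (false_ok and proc.returncode == 1):
            return proc
        raise DacspasswdError(f"{argv[0]} exited {proc.returncode}: {proc.stderr.strip()}")

    def test(self, testop: str, username: str) -> bool:
        """-test testop: exit 0 -> True, 1 -> False, anything else -> DacspasswdError."""
        return self._exec(["-test", testop], username, false_ok=True).returncode == 0

    def add(self, username: str, password: str,
            private_data: Optional[str] = None, disabled: bool = False) -> None:
        flags = ["-add", "-pf", "-"]         # password via stdin, as in the manual's echo example
        if disabled:
            flags.append("-dis")             # -dis may be combined with -add
        if private_data is not None:
            flags += ["-pds", private_data]  # -pds, not "-pdsf -": stdin is already used by -pf -
        self._exec(flags, username, stdin=password + "\n")

    def set_password(self, username: str, password: str) -> None:
        self._exec(["-set", "-pf", "-"], username, stdin=password + "\n")

    def get_private_data(self, username: str) -> str:
        return self._exec(["-pdg"], username).stdout.rstrip("\n")

    def list_accounts(self) -> List[Tuple[str, bool]]:
        """-list with no username: (name, disabled) pairs; a trailing '*' marks a disabled account."""
        names = self._exec(["-list"], None).stdout.split()
        return [(n.rstrip("*"), n.endswith("*")) for n in names]


if __name__ == "__main__":
    import sys
    dp = Dacspasswd(sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE")
    for name, disabled in dp.list_accounts():
        print(name + (" (disabled)" if disabled else ""))
```

Because -pf - consumes the standard input, private data is passed with -pds rather than -pdsf -; the password never appears in the process's argument list, so other users on the system cannot read it from ps(1).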
DIAGNOSTICS
The program exits 0 if everything was fine, and non-zero otherwise. A "false" outcome from the -test operation is reflected by an exit status of 1. An error condition is indicated by an exit status of 2.
BUGS
That password information is not represented externally as an XML document tends to haunt your humble narrator. The format is subject to change.
SEE ALSO
dacs_passwd(8)[12], dacsauth(1)[14], dacs_authenticate(8)[17], dacs_admin(8)[18], dacs.conf(5)[19]
AUTHOR
Distributed Systems Software (www.dss.ca[20])
COPYING
Copyright 2003-2012 Distributed Systems Software. See the LICENSE[21] file that accompanies the distribution for licensing information.
NOTES
1. dacsoptions
2. local_passwd_authenticate
3. local_simple_authenticate
4. htpasswd(1)
5. mod_auth
6. mod_auth_dbm
7. mod_auth_basic
8. mod_authn_dbm
9. PASSWORD_DIGEST
10. PASSWORD_SALT_PREFIX
11. rainbow tables
12. dacs_passwd(8)
13. VFS
14. dacsauth(1)
15. password()
16. PASSWORD_CONSTRAINTS
17. dacs_authenticate(8)
18. dacs_admin(8)
19. dacs.conf(5)
20. www.dss.ca
21. LICENSE
07/17/2013 | DACS 1.4.28b |