table of contents
DACS_PASSWD(8) | DACS Web Services Manual | DACS_PASSWD(8) |
NAME¶
dacs_passwd - manage private DACS passwordsSYNOPSIS¶
dacs_passwd
[ dacsoptions[1]]
DESCRIPTION¶
This program is part of the DACS suite. The dacs_passwd web service is used to manage usernames and passwords recognized by local_passwd_authenticate[2], a DACS authentication module. This utility serves a similar purpose for local_passwd_authenticate that Apache's htpasswd(1)[3] command does for its mod_auth[4] and mod_auth_dbm[5] modules. These accounts and passwords are used only by local_passwd_authenticate and are completely separate from any other accounts and passwords.OPTIONS¶
Web Service Arguments¶
In addition to the standard CGI arguments[8], dacs_passwd understands the following CGI arguments: OPERATIONThe following operations are supported:
ACCOUNT
•ADD
Like SET but add or replace an entry for USERNAME.
•DELETE
Delete the account for USERNAME.
•DISABLE
Disable the account for USERNAME.
•ENABLE
Enable the account for USERNAME.
•LIST
List USERNAME, if it exists, otherwise all usernames. A disabled account
is indicated by a '*' (which is not a valid character in a username).
•SET
Sets or resets a DACS password for USERNAME to
NEW_PASSWORD. The CONFIRM_NEW_PASSWORD argument must also be
given and be identical to NEW_PASSWORD. Unless the operation is
performed by a DACS administrator (i.e., an ADMIN_IDENTITY[9])
or disabled by the PASSWORD_OPS_NEED_PASSWORD[10] directive, the
current password for USERNAME must be given as PASSWORD.
Security
For users other than a DACS administrator, a password must meet certain
requirements on its length and the character set from which it is comprised.
Note that these requirements are only significant at the time a password is
set or changed; existing passwords are unaffected by changes to the
configuration directives. Please refer to the PASSWORD_CONSTRAINTS[11]
directive.
Users should be made aware of security issues related to passwords, including
better techniques for selecting passwords and keeping them private.
How to choose better passwords
Users might consider adopting a method such as the one described in this
proposal[12]. It suggests that users construct site-specific
passwords from three components:
The PIN, is memorized by the user. The other two components may be written down
but must be kept in a relatively secure location (such as in the user's wallet
or in a desk drawer). The user forms his or her passwords by combining these
three components in any order that is easy to remember.
For the site www.example.net, a user might select the password
"examRB8s#i8", where "exam" is derived from the site's
domain name (component 2), "RB8s" is a random string used with this
password only (component 3), and "#i8" is the user's secret PIN
(component 1). Because it is probably difficult to remember, the user might
create a note with "examRB8s" written on it (components 2 and 3),
but not the PIN.
For the site dacs.dss.ca, the same user might select the password
"dssceIM#i8".
Since most people are not very good at it, the site-specific random string (and,
ideally, the PIN as well) should be chosen using a good-quality random
generator, such as the random()[13] function:
In addition to being difficult to guess because of their random components and
reasonably large character set, these passwords are different for each site;
should one password be compromised, the others are not immediately available
to an attacker. Similarly, the written strings cannot be immediately exploited
if they are stolen or copied. The strength of the method can be increased by
making the PIN longer, or chosen from a larger space of characters.
1.a short, random string (a secret PIN) that
will be common to all of the user's passwords;
2.a string derived from a site's domain name
using some simple and easy-to-remember procedure (e.g., using the first four
letters or consonents); and
3.a short, site-specific random string
(this component is different for each of a user's passwords).
% dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')" "y2FJ"
Either PASSWD (the default) or SIMPLE, case
insensitively, to select between the item types passwds and simple,
respectively. The requested item type must be configured (see
dacs.conf(5)[14]).
USERNAME
The DACS username of interest.
FORMAT
By default, output is emitted in HTML. Several
varieties of XML output can be selected, however, using the FORMAT
argument (please refer to dacs(1)[15] and
dacs_passwd.dtd[16]).
DIAGNOSTICS¶
The program exits 0 if everything was fine, 1 if an error occurred.SEE ALSO¶
dacspasswd(1)[6], dacs.conf(5)[17]AUTHOR¶
Distributed Systems Software ( www.dss.ca[18])COPYING¶
Copyright2003-2012 Distributed Systems Software. See the LICENSE[19] file that accompanies the distribution for licensing information.NOTES¶
- 1.
- dacsoptions
- 2.
- local_passwd_authenticate
- 3.
- htpasswd(1)
- 4.
- mod_auth
- 5.
- mod_auth_dbm
- 8.
- standard CGI arguments
- 9.
- ADMIN_IDENTITY
- 10.
- PASSWORD_OPS_NEED_PASSWORD
- 11.
- PASSWORD_CONSTRAINTS
- 12.
- this proposal
- 13.
- random()
- 14.
- dacs.conf(5)
- 15.
- dacs(1)
- 16.
- dacs_passwd.dtd
- 17.
- dacs.conf(5)
- 18.
- www.dss.ca
- 19.
- LICENSE
10/22/2012 | DACS 1.4.27b |