unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (Debian-3.1)
Page:
Section:
Apropos / Subsearch:
optional field

USERDBPW(8)                                                        USERDBPW(8)



NAME
       userdbpw - create an encrypted password

SYNOPSIS
       userdbpw [ -md5 | -hmac-md5 | -hmac-sha1 ] |userdb name set field


DESCRIPTION
       userdbpw   enables   secure   entry   of   encrypted   passwords   into
       /etc/courier/userdb.

       userdbpw reads a single line of text on standard  input,  encrypts  it,
       and prints the encrypted result to standard output.

       If standard input is attached to a terminal device, userdbpw explicitly
       issues a "Password: " prompt on standard  error,  and  turns  off  echo
       while the password is entered.

       The  -md5  option is available on systems that use MD5-hashed passwords
       (such as systems that use the current version of the  PAM  library  for
       authenticating,  with  MD5  passwords enabled).  This option creates an
       MD5 password hash, instead of using the traditional crypt() function.

       -hmac-md5 and -hmac-sha1 options  are  available  only  if  the  userdb
       library  is  installed by an application that uses a challenge/response
       authentication mechanism.  -hmac-md5 creates an intermediate HMAC  con-
       text  using  the MD5 hash function. -hmac-sha1 uses the SHA1 hash func-
       tion instead.  Whether  either  HMAC  function  is  actually  available
       depends on the actual application that installs the userdb library.

       Note  that  even  though  the  result  of  HMAC  hashing  looks like an
       encrypted password, it's  really  not.   HMAC-based  challenge/response
       authentication  mechanisms  require the cleartext password to be avail-
       able as cleartext.  Computing an intermediate HMAC context does  scram-
       ble the cleartext password, however if its compromised, it WILL be pos-
       sible for an attacker to succesfully authenticate.  Therefore, applica-
       tions  that use challenge/response authentication will store intermedi-
       ate HMAC contexts in the "pw" fields in the userdb database, which will
       be  compiled  into  the  userdbshadow.dat database, which has group and
       world permissions turned off. The userdb library also requires that the
       cleartext  userdb  source for the userdb.dat and userdbshadow.dat data-
       bases is also stored with the group and world permissions turned off.

       userdbpw is usually used together in a pipe with  userdb,  which  reads
       from standard input. For example:


              userdbpw -md5 | userdb users/john set systempw

       or:


              userdbpw -hmac-md5 | userdb users/john set hmac-md5pw

       These  commands  set the systempw field in the record for the user john
       in /etc/courier/userdb/users file, and the hmac-md5pw field. Don't for-
       get to run makeuserdb for the change to take effect.

       The following command does the same thing:


              userdb users/john set systempw=SECRETPASSWORD

       However,  this command passes the secret password as an argument to the
       userdb command, which can be viewed by anyone who happens to run  ps(1)
       at the same time. Using userdbpw allows the secret password to be spec-
       ified in a way that cannot be easily viewed by ps(1).

SEE ALSO
       userdb(8), makeuserdb(8)



Double Precision, Inc.          27 August 2004                     USERDBPW(8)