userdbpw - create an encrypted password
userdbpw [ -md5 | -hmac-md5 | -hmac-sha1 ] |userdb name set field
userdbpw enables secure entry of encrypted passwords into
userdbpw reads a single line of text on standard input, encrypts it,
and prints the encrypted result to standard output.
If standard input is attached to a terminal device, userdbpw explicitly
issues a "Password: " prompt on standard error, and turns off echo
while the password is entered.
The -md5 option is available on systems that use MD5-hashed passwords
(such as systems that use the current version of the PAM library for
authenticating, with MD5 passwords enabled). This option creates an
MD5 password hash, instead of using the traditional crypt() function.
-hmac-md5 and -hmac-sha1 options are available only if the userdb
library is installed by an application that uses a challenge/response
authentication mechanism. -hmac-md5 creates an intermediate HMAC con-
text using the MD5 hash function. -hmac-sha1 uses the SHA1 hash func-
tion instead. Whether either HMAC function is actually available
depends on the actual application that installs the userdb library.
Note that even though the result of HMAC hashing looks like an
encrypted password, it's really not. HMAC-based challenge/response
authentication mechanisms require the cleartext password to be avail-
able as cleartext. Computing an intermediate HMAC context does scram-
ble the cleartext password, however if its compromised, it WILL be pos-
sible for an attacker to succesfully authenticate. Therefore, applica-
tions that use challenge/response authentication will store intermedi-
ate HMAC contexts in the "pw" fields in the userdb database, which will
be compiled into the userdbshadow.dat database, which has group and
world permissions turned off. The userdb library also requires that the
cleartext userdb source for the userdb.dat and userdbshadow.dat data-
bases is also stored with the group and world permissions turned off.
userdbpw is usually used together in a pipe with userdb, which reads
from standard input. For example:
userdbpw -md5 | userdb users/john set systempw
userdbpw -hmac-md5 | userdb users/john set hmac-md5pw
These commands set the systempw field in the record for the user john
in /etc/courier/userdb/users file, and the hmac-md5pw field. Don't for-
get to run makeuserdb for the change to take effect.
The following command does the same thing:
userdb users/john set systempw=SECRETPASSWORD
However, this command passes the secret password as an argument to the
userdb command, which can be viewed by anyone who happens to run ps(1)
at the same time. Using userdbpw allows the secret password to be spec-
ified in a way that cannot be easily viewed by ps(1).
Double Precision, Inc. 27 August 2004 USERDBPW(8)