| Courier-Authlib | | | Home | | | Release notes | | | Installation | | | Documentation |
userdbpw — create an encrypted password
userdbpw [[-md5] |
[-hmac-md5] | [-hmac-sha1]] |
userdb {name} set {field}
userdbpw
enables secure entry of encrypted passwords into /usr/local/etc/authlib/userdb.
userdbpw reads a single line of text on standard input, encrypts it, and prints the encrypted result to standard output.
If standard input is attached to a terminal device, userdbpw explicitly issues a "Password: " prompt on standard error, and turns off echo while the password is entered.
The -md5 option is available
on systems that use MD5-hashed passwords (such as systems
that use the current version of the PAM library for
authenticating, with MD5 passwords enabled). This option
creates an MD5 password hash, instead of using the
traditional crypt()
function.
-hmac-md5 and -hmac-sha1 options are available only if the
userdb library is installed by an application that uses a
challenge/response authentication mechanism. -hmac-md5 creates an intermediate HMAC
context using the MD5 hash function. -hmac-sha1 uses the SHA1 hash function
instead. Whether either HMAC function is actually available
depends on the actual application that installs the
userdb library.
Note that even though the result of HMAC hashing looks
like an encrypted password, it's really not. HMAC-based
challenge/response authentication mechanisms require the
cleartext password to be available as cleartext. Computing an
intermediate HMAC context does scramble the cleartext
password, however if its compromised, it WILL be possible for
an attacker to succesfully authenticate. Therefore,
applications that use challenge/response authentication will
store intermediate HMAC contexts in the "pw" fields in the
userdb database, which will be compiled into the userdbshadow.dat database, which has group
and world permissions turned off. The userdb library also
requires that the cleartext userdb source for the
userdb.dat and userdbshadow.dat databases is also stored
with the group and world permissions turned off.
userdbpw is usually used together in a pipe with userdb, which reads from standard input. For example:
userdbpw -md5 | userdb users/john set systempw
or:
userdbpw -hmac-md5 | userdb users/john set hmac-md5pw
These commands set the systempw field in the record for the user
john in /usr/local/etc/authlib/userdb/users file,
and the hmac-md5pw field. Don't
forget to run makeuserdb for the change
to take effect.
The following command does the same thing:
userdb users/john set systempw=SECRETPASSWORD
However, this command passes the secret password as an argument to the userdb command, which can be viewed by anyone who happens to run ps(1) at the same time. Using userdbpw allows the secret password to be specified in a way that cannot be easily viewed by ps(1).