Provided by: dacs_1.4.28b-3ubuntu1_amd64 bug

NAME

       dacs_passwd - manage private DACS passwords

SYNOPSIS

       dacs_passwd [dacsoptions[1]]

DESCRIPTION

       This program is part of the DACS suite.

       The dacs_passwd web service is used to manage usernames and passwords recognized by
       local_passwd_authenticate[2], a DACS authentication module. This utility serves a similar
       purpose for local_passwd_authenticate that Apache's htpasswd(1)[3] command does for its
       mod_auth[4] and mod_auth_dbm[5] modules. These accounts and passwords are used only by
       local_passwd_authenticate and are completely separate from any other accounts and
       passwords.

           Note
           Much of the functionality of this program is also available as a DACS utility,
           dacspasswd(1)[6], which operates on the same password files. Because dacs_admin(8)[7]
           provides the same functionality and more, dacs_passwd may be removed in a future
           release.

           Security
           The default DACS ACL restricts use of this web service to a DACS administrator and to
           users who are setting the password for their own DACS account at the receiving
           jurisdiction. Administrators should ensure that the ACL for dacs_passwd is correct for
           their environment.

OPTIONS

   Web Service Arguments
       In addition to the standard CGI arguments[8], dacs_passwd understands the following CGI
       arguments:

       OPERATION
           The following operations are supported:

           •   ADD

               Like SET but add or replace an entry for USERNAME.

           •   DELETE

               Delete the account for USERNAME.

           •   DISABLE

               Disable the account for USERNAME.

           •   ENABLE

               Enable the account for USERNAME.

           •   LIST

               List USERNAME, if it exists, otherwise all usernames. A disabled account is
               indicated by a '*' (which is not a valid character in a username).

           •   SET

               Sets or resets a DACS password for USERNAME to NEW_PASSWORD. The
               CONFIRM_NEW_PASSWORD argument must also be given and be identical to NEW_PASSWORD.
               Unless the operation is performed by a DACS administrator (i.e., an
               ADMIN_IDENTITY[9]) or disabled by the PASSWORD_OPS_NEED_PASSWORD[10] directive,
               the current password for USERNAME must be given as PASSWORD.

                   Security
                   For users other than a DACS administrator, a password must meet certain
                   requirements on its length and the character set from which it is comprised.
                   Note that these requirements are only significant at the time a password is
                   set or changed; existing passwords are unaffected by changes to the
                   configuration directives. Please refer to the PASSWORD_CONSTRAINTS[11]
                   directive.

                   Users should be made aware of security issues related to passwords, including
                   better techniques for selecting passwords and keeping them private.

                   How to choose better passwords
                   Users might consider adopting a method such as the one described in this
                   proposal[12]. It suggests that users construct site-specific passwords from
                   three components:

                    1. PIN-1, a short, random string that is common to all of the user's
                       passwords, kept secret, and not likely to be in any dictionary;

                    2. SITE, a string that is derived from the site's domain name using some
                       simple and easy-to-remember procedure (e.g., using the first four letters
                       or consonents); and

                    3. PIN-2, a short, site-specific random string (this component is different
                       for each of a user's passwords, and is something not likely to be in any
                       dictionary).

                   PIN-1 is memorized by the user. The other two components may be written down
                   but must be kept in a relatively secure location (such as in the user's wallet
                   or in a desk drawer). The user forms his or her passwords by combining these
                   three components in any order that is easy to remember.

                   For the site www.example.net, a user might select the password "examRB8s#i8",
                   where "exam" (component 2, SITE) is derived from the site's domain name,
                   "RB8s" is a random string used with this password only (component 3, PIN-2),
                   and "#i8" is the user's secret PIN (component 1, PIN-1). Because it is
                   probably difficult to remember, the user might create a note with "examRB8s"
                   written on it (SITE and PIN-2), but not PIN-1.

                   For the site dacs.dss.ca, the same user might select the password
                   "dssceIM#i8".

                   Since most people are not very good at it, the random strings should be chosen
                   using a good-quality random generator, such as the random()[13] function:

                       % dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')"
                       "y2FJ"

                   In addition to being difficult to guess because of their random components and
                   reasonably large character set, these passwords are different for each site;
                   should one password be compromised, the others are not immediately available
                   to an attacker. Similarly, the written strings cannot be immediately exploited
                   if they are stolen or copied. The strength of the method can be increased by
                   making either or both PIN components longer, or chosen from a larger space of
                   characters.

       ACCOUNT
           Either PASSWD (the default) or SIMPLE, case insensitively, to select between the item
           types passwds and simple, respectively. The requested item type must be configured
           (see dacs.conf(5)[14]).

       USERNAME
           The DACS username of interest.

       FORMAT
           By default, output is emitted in HTML. Several varieties of XML output can be
           selected, however, using the FORMAT argument (please refer to dacs(1)[15] and
           dacs_passwd.dtd[16]).

DIAGNOSTICS

       The program exits 0 if everything was fine, 1 if an error occurred.

SEE ALSO

       dacspasswd(1)[6], dacs.conf(5)[17]

AUTHOR

       Distributed Systems Software (www.dss.ca[18])

COPYING

       Copyright2003-2013 Distributed Systems Software. See the LICENSE[19] file that accompanies
       the distribution for licensing information.

NOTES

        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. local_passwd_authenticate
           http://dacs.dss.ca/man/dacs_authenticate.8.html#local_passwd_authenticate

        3. htpasswd(1)
           http://httpd.apache.org/docs/2.2/programs/htpasswd.html

        4. mod_auth
           http://httpd.apache.org/docs-2.2/mod/mod_auth.html

        5. mod_auth_dbm
           http://httpd.apache.org/docs-2.2/mod/mod_auth_dbm.html

        6. dacspasswd(1)
           http://dacs.dss.ca/man/dacspasswd.1.html

        7. dacs_admin(8)
           http://dacs.dss.ca/man/dacs_admin.8.html

        8. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

        9. ADMIN_IDENTITY
           http://dacs.dss.ca/man/dacs.conf.5.html#ADMIN_IDENTITY

       10. PASSWORD_OPS_NEED_PASSWORD
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_OPS_NEED_PASSWORD

       11. PASSWORD_CONSTRAINTS
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_CONSTRAINTS

       12. this proposal
           http://www.f-secure.com/weblog/archives/00001691.html

       13. random()
           http://dacs.dss.ca/man/dacs.exprs.5.html#random

       14. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html#VFS

       15. dacs(1)
           http://dacs.dss.ca/man/dacs.1.html

       16. dacs_passwd.dtd
           http://dacs.dss.ca/man/../dtd-xsd/dacs_passwd.dtd

       17. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html

       18. www.dss.ca
           http://www.dss.ca

       19. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE