Provided by: dacs_1.4.28b-3ubuntu2_i386


       dacs_passwd - manage private DACS passwords


       dacs_passwd [dacsoptions[1]]


       This program is part of the DACS suite.

       The dacs_passwd web service is used to manage usernames and passwords
       recognized by local_passwd_authenticate[2], a DACS authentication
       module. This utility serves a similar purpose for
       local_passwd_authenticate that Apache's htpasswd(1)[3] command does for
       its mod_auth[4] and mod_auth_dbm[5] modules. These accounts and
       passwords are used only by local_passwd_authenticate and are completely
       separate from any other accounts and passwords.

           Much of the functionality of this program is also available as a
           DACS utility, dacspasswd(1)[6], which operates on the same password
           files. Because dacs_admin(8)[7] provides the same functionality and
           more, dacs_passwd may be removed in a future release.

           The default DACS ACL restricts use of this web service to a DACS
           administrator and to users who are setting the password for their
           own DACS account at the receiving jurisdiction. Administrators
           should ensure that the ACL for dacs_passwd is correct for their


   Web Service Arguments
       In addition to the standard CGI arguments[8], dacs_passwd understands
       the following CGI arguments:

           The following operations are supported:

           ·   ADD

               Like SET but add or replace an entry for USERNAME.

           ·   DELETE

               Delete the account for USERNAME.

           ·   DISABLE

               Disable the account for USERNAME.

           ·   ENABLE

               Enable the account for USERNAME.

           ·   LIST

               List USERNAME, if it exists, otherwise all usernames. A
               disabled account is indicated by a '*' (which is not a valid
               character in a username).

           ·   SET

               Sets or resets a DACS password for USERNAME to NEW_PASSWORD.
               The CONFIRM_NEW_PASSWORD argument must also be given and be
               identical to NEW_PASSWORD. Unless the operation is performed by
               a DACS administrator (i.e., an ADMIN_IDENTITY[9]) or this
               requirement is disabled by the PASSWORD_OPS_NEED_PASSWORD[10]
               directive, the current password for USERNAME must be given as
               PASSWORD.

                   For users other than a DACS administrator, a password must
                   meet certain requirements on its length and the character
                   set from which it is comprised. Note that these
                   requirements are only significant at the time a password is
                   set or changed; existing passwords are unaffected by
                   changes to the configuration directives. Please refer to
                   the PASSWORD_CONSTRAINTS[11] directive.

                   Users should be made aware of security issues related to
                   passwords, including better techniques for selecting
                   passwords and keeping them private.

                   How to choose better passwords
                   Users might consider adopting a method such as the one
                   described in this proposal[12]. It suggests that users
                   construct site-specific passwords from three components:

                    1. PIN-1, a short, random string that is common to all of
                       the user's passwords, kept secret, and not likely to be
                       in any dictionary;

                    2. SITE, a string that is derived from the site's domain
                       name using some simple and easy-to-remember procedure
                       (e.g., using the first four letters or consonants); and

                    3. PIN-2, a short, site-specific random string (this
                       component is different for each of a user's passwords,
                       and is something not likely to be in any dictionary).

                   PIN-1 is memorized by the user. The other two components
                   may be written down but must be kept in a relatively secure
                   location (such as in the user's wallet or in a desk
                   drawer). The user forms his or her passwords by combining
                   these three components in any order that is easy to

                   For the site, a user might select the
                   password "examRB8s#i8", where "exam" (component 2, SITE) is
                   derived from the site's domain name, "RB8s" is a random
                   string used with this password only (component 3, PIN-2),
                   and "#i8" is the user's secret PIN (component 1, PIN-1).
                   Because it is probably difficult to remember, the user
                   might create a note with "examRB8s" written on it (SITE and
                   PIN-2), but not PIN-1.

                   For the site, the same user might select the
                   password "dssceIM#i8".

                   Since most people are not very good at it, the random
                   strings should be chosen using a good-quality random
                   generator, such as the random()[13] function:

                       % dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')"

                   In addition to being difficult to guess because of their
                   random components and reasonably large character set, these
                   passwords are different for each site; should one password
                   be compromised, the others are not immediately available to
                   an attacker. Similarly, the written strings cannot be
                   immediately exploited if they are stolen or copied. The
                   strength of the method can be increased by making either or
                   both PIN components longer, or chosen from a larger space
                   of characters.
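
                   The scheme above as an added Python example (not part of
                   DACS or of the original page): it derives SITE, draws the
                   PIN components from the OS CSPRNG over the character set
                   used in the dacsexpr command, and computes how many bits an
                   attacker must still guess, including when the written note
                   is stolen. The function names and the sample domain
                   example.com are assumptions made for illustration.

```python
import math
import secrets

# Character set from the page's dacsexpr example: a-zA-Z0-9,./;@#
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789,./;@#")

def random_component(length, alphabet=ALPHABET):
    """Draw each character uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def site_component(domain, rule="letters", length=4):
    """Derive SITE from a domain: its first letters or first consonants."""
    letters = [c for c in domain.lower() if c.isascii() and c.isalpha()]
    if rule == "consonants":
        letters = [c for c in letters if c not in "aeiou"]
    elif rule != "letters":
        raise ValueError("rule must be 'letters' or 'consonants'")
    return "".join(letters[:length])

def build_password(domain, pin1, pin2, rule="letters"):
    """Combine in the order of the page's example: SITE + PIN-2 + PIN-1."""
    return site_component(domain, rule) + pin2 + pin1

def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of `length` characters chosen uniformly from `alphabet`."""
    return length * math.log2(len(set(alphabet)))

def remaining_entropy(pin1_len, pin2_len, note_exposed=False):
    """Bits an attacker must still guess.

    SITE is derivable from the domain, so it adds nothing. If the written
    note (SITE and PIN-2) is stolen, only the memorized PIN-1 remains.
    """
    unknown = pin1_len if note_exposed else pin1_len + pin2_len
    return entropy_bits(unknown)

if __name__ == "__main__":
    pin1 = random_component(3)   # memorized, shared by all passwords
    pin2 = random_component(4)   # per site, may be written down
    # example.com is a constructed sample domain
    print(build_password("example.com", pin1, pin2))
    for p1 in (3, 5, 8):
        print(p1, round(remaining_entropy(p1, 4), 1),
              round(remaining_entropy(p1, 4, note_exposed=True), 1))
```

                   With a three-character PIN-1, a stolen note leaves only
                   about 18 bits to guess, which is why lengthening PIN-1 is
                   the more effective of the two ways to strengthen the
                   method.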

           Either PASSWD (the default) or SIMPLE, case insensitively, to
           select between the item types passwds and simple, respectively. The
           requested item type must be configured (see dacs.conf(5)[14]).

           The DACS username of interest.

           By default, output is emitted in HTML. Several varieties of XML
           output can be selected, however, using the FORMAT argument (please
           refer to dacs(1)[15] and dacs_passwd.dtd[16]).


       The program exits 0 if everything was fine, 1 if an error occurred.


       dacspasswd(1)[6], dacs.conf(5)[17]


       Distributed Systems Software ([18])


       Copyright 2003-2013 Distributed Systems Software. See the LICENSE[19]
       file that accompanies the distribution for licensing information.


        1. dacsoptions

        2. local_passwd_authenticate

        3. htpasswd(1)

        4. mod_auth

        5. mod_auth_dbm

        6. dacspasswd(1)

        7. dacs_admin(8)

        8. standard CGI arguments




       12. this proposal

       13. random()

       14. dacs.conf(5)

       15. dacs(1)

       16. dacs_passwd.dtd

       17. dacs.conf(5)


       19. LICENSE