Provided by: dacs_1.4.38a-2build1_amd64

NAME

       dacspasswd - manage DACS accounts

SYNOPSIS

       dacspasswd [dacsoptions[1]] [-p password] [-pf file] [-simple] [-vfs vfs_uri]
                  [op-spec] [--] [username]

DESCRIPTION

       This program is part of the DACS suite.

       The dacspasswd command manages accounts that are used by the local_passwd_authenticate[2]
       and local_simple_authenticate[3] authentication modules. This utility serves the same
       purpose for these authentication modules as Apache's htpasswd(1)[4] command does for its
       mod_auth_basic[5] and mod_authn_dbm[6] modules.

       Apart from their use by local_passwd_authenticate and local_simple_authenticate, these
       accounts are completely separate from any other accounts and passwords.

           Note
           Only lowercase usernames are permitted for these accounts.

       The command allows arbitrary data to be associated with each account. This "private" data
       is opaque to DACS and is not used by DACS. Custom, account-specific information can be
       stored, retrieved, and deleted. Data that is not printable text must be encoded. The
       information is automatically deleted when its account is removed. Using this feature,
       account administration programs might be developed to store:

       •   the last time a password was changed;

       •   hashes of previous password values (so that they are not reused);

       •   a note that the account's password must be changed;

       •   a password reminder question and answer;

       •   information for mutual authentication, such as a small image provided by the user that
           is displayed at login time;

       •   an encrypted representation of the password for recovery purposes (when absolutely
           necessary);

       •   several security questions (with answers), one of which might be selected at random
           and presented to the user at login time; or

       •   user preferences.

       Or instead, a pointer to any of this sort of information might be stored. There is no size
       limit for the data, but if relatively large amounts of data are being stored for a large
       number of accounts, the storage type should be chosen with care to ensure reasonable
       performance.

       Passwords are accessed using the DACS virtual filestore through the passwds or simple item
       types. Each record in the file is keyed on the username. The information associated with
       each key consists of several fields separated by a "|" character, and includes a digest
       algorithm identifier, salt, the computed digest, and optional application data.

       Use dacsauth(1)[7] to validate (test) a password.

           Security
           The password digest algorithm used depends on the PASSWORD_DIGEST[8] directive in
           effect. The PASSWORD_SALT_PREFIX[9] directive is also used.

           Apart from using an authentication method stronger than one based on passwords,
           current best practice is to use a key derivation function like scrypt rather than a
           cryptographic digest for the PASSWORD_DIGEST[8]. While in general doing so will
           provide additional protection if an attacker obtains the password file, it will not
           help if users are allowed to choose weak passwords.

           Plaintext passwords are not stored by dacspasswd. This makes it more difficult for an
           attacker that gains access to the password file to discover plaintext passwords, but
           also means that forgotten passwords cannot be recovered (except by exhaustive search,
           which ought to be impractical).

           The salted hash of the password is stored, assuming salting has not been disabled,
           rather than the hash of the password itself. This makes a stolen password file more
           difficult for an attacker to use (see rainbow tables[10]).

           Only a DACS administrator should be able to successfully run this program from the
           command line. Because DACS keys and configuration files, including the file used to
           store passwords, must be restricted to an administrator, this will normally be the
           case, but a careful administrator will set file permissions to deny access to all
           other users. An ordinary user is able to change his own password using the
           dacs_passwd(8)[11] web service.

           Tip
           Even if the password file is stored as a plain text file, it is probably best to
           modify it only through this program or dacs_passwd. Corrupting a password file entry
           may prevent signing on to the corresponding account or even all accounts that require
           the password file.

           It is good administrative practice to store accounts with passwords separately from
           those without.

       This program is also available as a DACS web service, dacs_passwd(8)[11].

OPTIONS

       By default, the program will prompt for a new password if one is required by the selected
       operation.

       The dacspasswd command recognizes these command line flags:

       -p password
           Specify the password.

               Security
               A password given on the command line may be visible to other users on the same
               system.

       -pdd
           Delete the private data associated with username.

       -pdg
           Get the private data associated with username and print it to the standard output.

       -pds string
           Set (or replace) string as private data associated with username.

       -pdsf file
           Set (or replace) the private data associated with username, reading it from file. If
           file is "-", then the data is read from the standard input. This flag and -pf cannot
           both be used to read from the standard input.

       -pf file
           Read the password to use from file. If file is "-", then the password is read from the
           standard input without prompting. This flag and -pdsf cannot both be used to read from
           the standard input.

       -simple
           Use the simple item type expected by local_simple_authenticate instead of the default.
           The program will not prompt for passwords because these accounts do not use them.

       -vfs vfs_uri
           Add vfs_uri as a VFS[12] configuration directive. By specifying the item type passwds,
           a location for the password file can be given, overriding any configuration file
           value. This is particularly useful in conjunction with dacsauth(1)[7].

       op-spec
           The following operations are recognized. The -enable, -disable, -pdd, -pds, and -pdsf
           are the only operations that can be combined with another operation (for example, you
           can disable an account and set its private data at the same time).

           -a
           -add
               Add username to the password file. The entry must not already exist. By default,
               the user will be prompted for the password, which must be retyped for
               confirmation. This is the default operation.

           -d
           -del
           -delete
               Delete username from the password file.

           -dis
           -disable
               Disable the account for username so that authentication modules will not accept
               any password. If used with -a, -s, or -u, the account will also be disabled. The
               username may subsequently be enabled.

           -en
           -ena
           -enable
               Re-enable the account for username, which is currently disabled. The
               authentication modules will once again accept the password. If used with -a, -s,
               or -u, the account will also be enabled.

           -g
           -get
               Get the digest string for username and print it to the standard output. A script
               can validate a password by passing this digest string to password()[13] along with
               the password obtained from the user.

           -l
           -list
           -long
           -longlist
               List username if it appears in the password file. If no username is provided, list
               all usernames. A disabled account is indicated by a '*' (which is not a valid
               character in a username). The -long and -longlist variants display additional
               detail about each entry, such as the digest algorithm used.

           -s
           -set
               Set or reset the password for username, which must already exist in the password
               file. The enabled/disabled status is preserved unless overridden by a flag.

           -regen
           -regenerate
               Read the current password file (item type passwds) and copy it to the item type
               newpasswds. This will normally create an exact copy, but if there are applicable
               formatting changes, they are automatically applied to the input; that is, if the
               format of the input file is older than the format preferred by the current version
               of DACS, it will be updated in the output file to the extent possible. The output
               file should be carefully examined and tested before being used.

           -test test-op
               Test an entry for one of several attributes and report the outcome through the
               program's exit status. The test-op is one of the following keywords or abbreviated
               keywords:

               •   enabled, ena, en

                   Return an exit status of 0 if an account for username exists and is enabled,
                   or 1 if it does not exist or is disabled.

               •   exists, ex

                   Return an exit status of 0 if an account for username exists, or 1 if it does
                   not exist.

               •   data

                   Return an exit status of 0 if an account for username exists and has private
                   data, or 1 if it does not exist or does not have private data. If an entry's
                   private data is the empty string, it is considered to have private data.

               •   disabled, dis

                   Return an exit status of 0 if an account for username exists and is disabled,
                   or 1 if it does not exist or is enabled.

           -u
           -up
           -update
               Add username to the password file or update an existing entry for username. By
               default, the user will be prompted for the password, which must be retyped for
               confirmation. If the entry exists, the enabled/disabled status is preserved unless
               overridden by a flag.

       --
           This flag signals the end of the flag arguments; a username may follow, possibly
           beginning with a "-" character.

       Since only the administrator is allowed to use this command, no restrictions are imposed
       on the length or quality of the passwords that the administrator supplies; a warning
       message will be emitted, however, if the password is considered to be weak based on the
       PASSWORD_CONSTRAINTS[14] directive that is configured.

EXAMPLES

       To list all of the accounts configured for the jurisdiction named EXAMPLE:

           % dacspasswd -uj EXAMPLE -list
           auggie
           bobo*
           booboo
           jj

       Note that the account for username bobo has been disabled.

       To re-enable bobo's account:

           % dacspasswd -uj EXAMPLE -ena bobo

       To test if bobo's account is enabled:

           % dacspasswd -uj EXAMPLE -test ena bobo
           % echo $status
           0

       To test if there are accounts for usernames booboo and bob:

           % dacspasswd -uj EXAMPLE -test exists booboo
           % echo $status
           0
           % dacspasswd -uj EXAMPLE -test exists bob
           % echo $status
           1

       To reset the password for username bobo interactively:

           % dacspasswd -uj EXAMPLE -set bobo
           New password for bobo?
           Re-type new password for bobo?

       Note that the password text is not displayed.

       To reset the password for username bobo using the program's standard input:

           % echo $newpasswd | dacspasswd -uj EXAMPLE -set -pf - bobo

       To create a new, disabled account for username bob and store the private data "On
       vacation":

           % dacspasswd -uj EXAMPLE -add -pf ./pwfile -dis -pds "On vacation" bob

       The password is read from the file ./pwfile.

       To get the private data for username bob:

           % set x=`dacspasswd -uj EXAMPLE -pdg bob`
           % echo "$x"
           On vacation

       To regenerate the current password file:

           % dacspasswd -uj EXAMPLE -q -vfs "[newpasswds]dacs-kwv-fs:/usr/local/dacs/tmp/newpasswd?field_sep=:" -regen

DIAGNOSTICS

       The program exits 0 if everything was fine, and non-zero otherwise. A "false" outcome from
       the -test operation is reflected by an exit status of 1. An error condition is indicated
       by an exit status of 2.
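       The following script is an added example and is not part of DACS. It puts together the
       -list output (trailing '*' marks a disabled account), the -test and -pdg operations, and the
       0/1/2 exit status convention above to audit one jurisdiction's accounts for stale passwords.
       It assumes an administrator convention, not a DACS feature, of storing "pwchanged=<epoch
       seconds>" as each account's private data (-pds) whenever its password is set, as suggested
       under DESCRIPTION; the DACSPASSWD variable lets the real command be replaced by a stub.

```shell
#!/bin/sh
# Added example, not part of DACS: audit one jurisdiction's accounts, assuming the
# administrator convention (not a DACS feature) of storing "pwchanged=<epoch>"
# as private data (-pds) whenever a password is set. DACSPASSWD may name a stub.
DACSPASSWD=${DACSPASSWD:-dacspasswd}
JURISDICTION=${JURISDICTION:-EXAMPLE}
MAX_AGE_DAYS=${MAX_AGE_DAYS:-90}

# Run "dacspasswd -test": exit 0 is true, 1 is false, 2 is an error (see
# DIAGNOSTICS). An error is reported, never misread as "false".
dacs_test() {  # usage: dacs_test <test-op> <username>; prints yes|no
    status=0
    "$DACSPASSWD" -uj "$JURISDICTION" -test "$1" "$2" || status=$?
    case $status in
        0) echo yes ;;
        1) echo no ;;
        *) echo "dacspasswd -test $1 $2 failed (exit $status)" >&2; return 2 ;;
    esac
}

# Classify one account's private data relative to now (epoch seconds).
# Prints: nodata | age=<days> | age=unknown
password_age() {  # usage: password_age <username> <now>
    has=$(dacs_test data "$1") || return 2
    [ "$has" = yes ] || { echo nodata; return 0; }
    data=$("$DACSPASSWD" -uj "$JURISDICTION" -pdg "$1")
    case $data in
        pwchanged=[0-9]*) echo "age=$(( ($2 - ${data#pwchanged=}) / 86400 ))" ;;
        *)                echo age=unknown ;;
    esac
}

# Parse "dacspasswd -list": a trailing '*' marks a disabled account, and '*'
# cannot occur in a username, so stripping it is unambiguous.
# Prints one line per account: <user> enabled|disabled <age> ok|STALE
audit_jurisdiction() {  # usage: audit_jurisdiction [now-epoch]
    now=${1:-$(date +%s)}
    "$DACSPASSWD" -uj "$JURISDICTION" -list | while IFS= read -r entry; do
        case $entry in
            *\*) user=${entry%\*}; state=disabled ;;
            *)   user=$entry;      state=enabled ;;
        esac
        age=$(password_age "$user" "$now") || exit 2
        verdict=ok
        if [ "${age#age=}" != "$age" ] && [ "${age#age=}" != unknown ] &&
           [ "${age#age=}" -gt "$MAX_AGE_DAYS" ]; then verdict=STALE; fi
        printf '%s %s %s %s\n' "$user" "$state" "$age" "$verdict"
    done
}
```

       Run it as `JURISDICTION=EXAMPLE sh audit.sh` with `audit_jurisdiction` as the last line; accounts
       whose "pwchanged" value is older than MAX_AGE_DAYS are flagged STALE, and any exit status of 2
       from dacspasswd aborts the audit instead of being counted as "false".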

BUGS

       That password information is not represented externally as an XML document tends to haunt
       your humble narrator. The password file format is subject to change.

SEE ALSO

       dacs_passwd(8)[11], dacsauth(1)[7], dacs_authenticate(8)[15], dacs_admin(8)[16],
       dacs.conf(5)[17]

AUTHOR

       Distributed Systems Software (www.dss.ca[18])

COPYING

       Copyright 2003-2016 Distributed Systems Software. See the LICENSE[19] file that accompanies
       the distribution for licensing information.

NOTES

        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. local_passwd_authenticate
           http://dacs.dss.ca/man/dacs_authenticate.8.html#local_passwd_authenticate

        3. local_simple_authenticate
           http://dacs.dss.ca/man/dacs_authenticate.8.html#local_simple_authenticate

        4. htpasswd(1)
           http://httpd.apache.org/docs/2.2/programs/htpasswd.html

        5. mod_auth_basic
           http://httpd.apache.org/docs-2.4/mod/mod_auth_basic.html

        6. mod_authn_dbm
           http://httpd.apache.org/docs-2.4/mod/mod_authn_dbm.html

        7. dacsauth(1)
           http://dacs.dss.ca/man/dacsauth.1.html

        8. PASSWORD_DIGEST
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_DIGEST

        9. PASSWORD_SALT_PREFIX
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_SALT_PREFIX

       10. rainbow tables
           http://en.wikipedia.org/wiki/Rainbow_table

       11. dacs_passwd(8)
           http://dacs.dss.ca/man/dacs_passwd.8.html

       12. VFS
           http://dacs.dss.ca/man/dacs.conf.5.html#VFS

       13. password()
           http://dacs.dss.ca/man/dacs.exprs.5.html#password

       14. PASSWORD_CONSTRAINTS
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_CONSTRAINTS

       15. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html

       16. dacs_admin(8)
           http://dacs.dss.ca/man/dacs_admin.8.html

       17. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html

       18. www.dss.ca
           http://www.dss.ca

       19. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE