bionic (8) dacs_passwd.8.gz

Provided by: dacs_1.4.38a-2build1_amd64 bug

NAME

       dacs_passwd - manage private DACS passwords

SYNOPSIS

       dacs_passwd [dacsoptions[1]]

DESCRIPTION

       This program is part of the DACS suite.

       The dacs_passwd web service is used to manage usernames and passwords recognized by
       local_passwd_authenticate[2], a DACS authentication module. This utility serves a similar purpose for
       local_passwd_authenticate that Apache's htpasswd(1)[3] command does for its mod_auth[4] and
       mod_auth_dbm[5] modules. These accounts and passwords are used only by local_passwd_authenticate and are
       completely separate from any other accounts and passwords.

           Note
           Much of the functionality of this program is also available as a DACS utility, dacspasswd(1)[6],
           which operates on the same password files. Because dacs_admin(8)[7] provides the same functionality
           and more, dacs_passwd may be removed in a future release.

           Security
           This web service enforces several requirements over and above those specified by its access control
           rule. The USERNAME argument must be syntactically valid and lowercase. The user must already be
           authenticated. To change his password, a (non-admin) user must enter his current password.

           The default DACS ACL restricts use of this web service to a DACS administrator and to users who are
           setting the password for their own DACS account at the receiving jurisdiction. Administrators should
           ensure that the ACL for dacs_passwd is correct for their environment.

OPTIONS

   Web Service Arguments
       In addition to the standard CGI arguments[8], dacs_passwd understands the following CGI arguments:

       OPERATION
           The following operations are supported:

           •   ADD

               Like SET but add or replace an entry for USERNAME.

           •   DELETE

               Delete the account for USERNAME.

           •   DISABLE

               Disable the account for USERNAME.

           •   ENABLE

               Enable the account for USERNAME.

           •   LIST

               List USERNAME, if it exists, otherwise all usernames. A disabled account is indicated by a '*'
               (which is not a valid character in a username).

           •   SET

               Sets or resets a DACS password for USERNAME to NEW_PASSWORD. The CONFIRM_NEW_PASSWORD argument
               must also be given and be identical to NEW_PASSWORD. Unless the operation is performed by a DACS
               administrator (i.e., an ADMIN_IDENTITY[9]) or disabled by the PASSWORD_OPS_NEED_PASSWORD[10]
               directive, the current password for USERNAME must be given as PASSWORD.

                   Security
                   For users other than a DACS administrator, a password must meet certain requirements on its
                   length and the character set from which it is comprised. Note that these requirements are
                   only significant at the time a password is set or changed; existing passwords are unaffected
                   by changes to the configuration directives. Please refer to the PASSWORD_CONSTRAINTS[11]
                   directive.

                   Users should be made aware of security issues related to passwords, including better
                   techniques for selecting passwords and keeping them private.

                   How to choose better passwords
                   Most users can benefit from adopting a method for password selection similar to the one
                   described in this proposal[12]. It suggests that users construct site-specific passwords from
                   three separate components:

                    1. PIN-1, a short, random string that is common to all of the user's passwords, kept secret,
                       and unlikely to be in any dictionary;

                    2. SITE, a string that is derived from a site's name (or domain name) using some simple and
                       easy-to-remember procedure (e.g., using an obvious abbreviation or prefix, or the first
                       four letters or consonents, perhaps mixing upper and lower case); and

                    3. PIN-2, a short, site-specific random string that is different for each of the user's
                       passwords, and not likely to be in any dictionary.

                   PIN-1 is memorized by the user. The other two components may be written down but must be kept
                   in a relatively secure location (such as in the user's wallet or in a locked desk drawer).

                   The user forms passwords by combining these three components in any order that is easy to
                   remember, like:

                       SITE PIN-2 PIN-1

                   Following that ordering, for the site www.example.net, a user might select the password
                   "exampleRB8s#i8", where "example" (component 2, SITE) is derived from the site's domain name,
                   "RB8s" is a random string used with this password only (component 3, PIN-2), and "#i8" is the
                   user's secret PIN (component 1, PIN-1). Because it is probably difficult to remember, the
                   user might create a note with "www.example.net RB8s" written on it but not PIN-1.

                   For httpd.apache.org, the same user might select the password "httpd33ABB#i8".

                   For the site dacs.dss.ca, the user might select the password "dacsceIM#i8".

                   Note that because the characters comprising PIN-1 must be acceptable in all sites' passwords,
                   and some sites accept a rather limited character set for their passwords, it may be necessary
                   to restrict PIN-1 to the alphanumeric alphabet. The other two components can be chosen from
                   whatever password characters are permitted by the particular site. As some sites
                   unfortunately allow only relatively short passwords, it is preferable to shorten SITE rather
                   than either of the other two components.

                   Provided the basic rules are followed, a user can strengthen the method by making minor
                   changes. As a simple example, one or more separating characters, also from a restricted
                   character set, might be added before and after the middle component:

                       SITE Z PIN-2 Z PIN-1

                   In this example, a 'Z' is used as a separating character.

                   Since most people are not very good at it, the random strings should be chosen using a
                   good-quality random generator, such as the random()[13] function:

                       % dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')"
                       "y2FJ"

                   Or, on FreeBSD or macOS:

                       % jot -r -c 20 33 126 | rs -g 0 4
                       ib2Y
                       25$z
                       vI9Z
                       ^KpZ
                       51b7

                   In addition to being difficult to guess because of their random components and reasonably
                   large character set, these passwords are different for each site; should one password be
                   compromised, the others are not immediately available to an attacker. Similarly, the written
                   strings cannot be immediately exploited if they are stolen or copied. The strength of the
                   method can be increased by making either or both PIN components longer, chosen from a larger
                   space of characters, or by inserting one or more characters between components. Software is
                   available to help evaluate password strength (e.g., How Big is Your Haystack?[14]), but avoid
                   giving out the actual password you intend to use.

       ACCOUNT
           Either PASSWD (the default) or SIMPLE, case insensitively, to select between the item types passwds
           and simple, respectively. The requested item type must be configured (see dacs.conf(5)[15]).

       USERNAME
           The DACS username of interest.

       FORMAT
           By default, output is emitted in HTML. Several varieties of XML output can be selected, however,
           using the FORMAT argument (please refer to dacs(1)[16] and dacs_passwd.dtd[17]).

DIAGNOSTICS

       The program exits 0 if everything was fine, 1 if an error occurred.

SEE ALSO

       dacspasswd(1)[6], dacs_admin(8)[7], dacs.conf(5)[18]

AUTHOR

       Distributed Systems Software (www.dss.ca[19])

COPYING

       Copyright2003-2016 Distributed Systems Software. See the LICENSE[20] file that accompanies the
       distribution for licensing information.

NOTES

        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. local_passwd_authenticate
           http://dacs.dss.ca/man/dacs_authenticate.8.html#local_passwd_authenticate

        3. htpasswd(1)
           http://httpd.apache.org/docs/2.2/programs/htpasswd.html

        4. mod_auth
           http://httpd.apache.org/docs-2.2/mod/mod_auth.html

        5. mod_auth_dbm
           http://httpd.apache.org/docs-2.2/mod/mod_auth_dbm.html

        6. dacspasswd(1)
           http://dacs.dss.ca/man/dacspasswd.1.html

        7. dacs_admin(8)
           http://dacs.dss.ca/man/dacs_admin.8.html

        8. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

        9. ADMIN_IDENTITY
           http://dacs.dss.ca/man/dacs.conf.5.html#ADMIN_IDENTITY

       10. PASSWORD_OPS_NEED_PASSWORD
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_OPS_NEED_PASSWORD

       11. PASSWORD_CONSTRAINTS
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_CONSTRAINTS

       12. this proposal
           http://www.f-secure.com/weblog/archives/00001691.html

       13. random()
           http://dacs.dss.ca/man/dacs.exprs.5.html#random

       14. How Big is Your Haystack?
           https://www.grc.com/haystack.htm

       15. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html#VFS

       16. dacs(1)
           http://dacs.dss.ca/man/dacs.1.html

       17. dacs_passwd.dtd
           http://dacs.dss.ca/man/../dtd-xsd/dacs_passwd.dtd

       18. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html

       19. www.dss.ca
           http://www.dss.ca

       20. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE