Provided by: dacs_1.4.38a-2build1_amd64 
NAME
dacs_passwd - manage private DACS passwords
SYNOPSIS
dacs_passwd [dacsoptions[1]]
DESCRIPTION
This program is part of the DACS suite.
The dacs_passwd web service is used to manage usernames and passwords recognized by
local_passwd_authenticate[2], a DACS authentication module. This utility serves a similar
purpose for local_passwd_authenticate that Apache's htpasswd(1)[3] command does for its
mod_auth[4] and mod_auth_dbm[5] modules. These accounts and passwords are used only by
local_passwd_authenticate and are completely separate from any other accounts and
passwords.
Note
Much of the functionality of this program is also available as a DACS utility,
dacspasswd(1)[6], which operates on the same password files. Because dacs_admin(8)[7]
provides the same functionality and more, dacs_passwd may be removed in a future
release.
Security
This web service enforces several requirements over and above those specified by its
access control rule. The USERNAME argument must be syntactically valid and lowercase.
The user must already be authenticated. To change his password, a (non-admin) user
must enter his current password.
The default DACS ACL restricts use of this web service to a DACS administrator and to
users who are setting the password for their own DACS account at the receiving
jurisdiction. Administrators should ensure that the ACL for dacs_passwd is correct for
their environment.
OPTIONS
Web Service Arguments
In addition to the standard CGI arguments[8], dacs_passwd understands the following CGI
arguments:
OPERATION
The following operations are supported:
• ADD
Like SET but add or replace an entry for USERNAME.
• DELETE
Delete the account for USERNAME.
• DISABLE
Disable the account for USERNAME.
• ENABLE
Enable the account for USERNAME.
• LIST
List USERNAME, if it exists, otherwise all usernames. A disabled account is
indicated by a '*' (which is not a valid character in a username).
• SET
Sets or resets a DACS password for USERNAME to NEW_PASSWORD. The
CONFIRM_NEW_PASSWORD argument must also be given and be identical to NEW_PASSWORD.
Unless the operation is performed by a DACS administrator (i.e., an
ADMIN_IDENTITY[9]) or disabled by the PASSWORD_OPS_NEED_PASSWORD[10] directive,
the current password for USERNAME must be given as PASSWORD.
Security
For users other than a DACS administrator, a password must meet certain
requirements on its length and the character set from which it is comprised.
Note that these requirements are only significant at the time a password is
set or changed; existing passwords are unaffected by changes to the
configuration directives. Please refer to the PASSWORD_CONSTRAINTS[11]
directive.
Users should be made aware of security issues related to passwords, including
better techniques for selecting passwords and keeping them private.
How to choose better passwords
Most users can benefit from adopting a method for password selection similar
to the one described in this proposal[12]. It suggests that users construct
site-specific passwords from three separate components:
1. PIN-1, a short, random string that is common to all of the user's
passwords, kept secret, and unlikely to be in any dictionary;
2. SITE, a string that is derived from a site's name (or domain name) using
some simple and easy-to-remember procedure (e.g., using an obvious
abbreviation or prefix, or the first four letters or consonents, perhaps
mixing upper and lower case); and
3. PIN-2, a short, site-specific random string that is different for each of
the user's passwords, and not likely to be in any dictionary.
PIN-1 is memorized by the user. The other two components may be written down
but must be kept in a relatively secure location (such as in the user's wallet
or in a locked desk drawer).
The user forms passwords by combining these three components in any order that
is easy to remember, like:
SITE PIN-2 PIN-1
Following that ordering, for the site www.example.net, a user might select the
password "exampleRB8s#i8", where "example" (component 2, SITE) is derived from
the site's domain name, "RB8s" is a random string used with this password only
(component 3, PIN-2), and "#i8" is the user's secret PIN (component 1, PIN-1).
Because it is probably difficult to remember, the user might create a note
with "www.example.net RB8s" written on it but not PIN-1.
For httpd.apache.org, the same user might select the password "httpd33ABB#i8".
For the site dacs.dss.ca, the user might select the password "dacsceIM#i8".
Note that because the characters comprising PIN-1 must be acceptable in all
sites' passwords, and some sites accept a rather limited character set for
their passwords, it may be necessary to restrict PIN-1 to the alphanumeric
alphabet. The other two components can be chosen from whatever password
characters are permitted by the particular site. As some sites unfortunately
allow only relatively short passwords, it is preferable to shorten SITE rather
than either of the other two components.
Provided the basic rules are followed, a user can strengthen the method by
making minor changes. As a simple example, one or more separating characters,
also from a restricted character set, might be added before and after the
middle component:
SITE Z PIN-2 Z PIN-1
In this example, a 'Z' is used as a separating character.
Since most people are not very good at it, the random strings should be chosen
using a good-quality random generator, such as the random()[13] function:
% dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')"
"y2FJ"
Or, on FreeBSD or macOS:
% jot -r -c 20 33 126 | rs -g 0 4
ib2Y
25$z
vI9Z
^KpZ
51b7
In addition to being difficult to guess because of their random components and
reasonably large character set, these passwords are different for each site;
should one password be compromised, the others are not immediately available
to an attacker. Similarly, the written strings cannot be immediately exploited
if they are stolen or copied. The strength of the method can be increased by
making either or both PIN components longer, chosen from a larger space of
characters, or by inserting one or more characters between components.
Software is available to help evaluate password strength (e.g., How Big is
Your Haystack?[14]), but avoid giving out the actual password you intend to
use.
ACCOUNT
Either PASSWD (the default) or SIMPLE, case insensitively, to select between the item
types passwds and simple, respectively. The requested item type must be configured
(see dacs.conf(5)[15]).
USERNAME
The DACS username of interest.
FORMAT
By default, output is emitted in HTML. Several varieties of XML output can be
selected, however, using the FORMAT argument (please refer to dacs(1)[16] and
dacs_passwd.dtd[17]).
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
SEE ALSO
dacspasswd(1)[6], dacs_admin(8)[7], dacs.conf(5)[18]
AUTHOR
Distributed Systems Software (www.dss.ca[19])
COPYING
Copyright2003-2016 Distributed Systems Software. See the LICENSE[20] file that accompanies
the distribution for licensing information.
NOTES
1. dacsoptions
http://dacs.dss.ca/man/dacs.1.html#dacsoptions
2. local_passwd_authenticate
http://dacs.dss.ca/man/dacs_authenticate.8.html#local_passwd_authenticate
3. htpasswd(1)
http://httpd.apache.org/docs/2.2/programs/htpasswd.html
4. mod_auth
http://httpd.apache.org/docs-2.2/mod/mod_auth.html
5. mod_auth_dbm
http://httpd.apache.org/docs-2.2/mod/mod_auth_dbm.html
6. dacspasswd(1)
http://dacs.dss.ca/man/dacspasswd.1.html
7. dacs_admin(8)
http://dacs.dss.ca/man/dacs_admin.8.html
8. standard CGI arguments
http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args
9. ADMIN_IDENTITY
http://dacs.dss.ca/man/dacs.conf.5.html#ADMIN_IDENTITY
10. PASSWORD_OPS_NEED_PASSWORD
http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_OPS_NEED_PASSWORD
11. PASSWORD_CONSTRAINTS
http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_CONSTRAINTS
12. this proposal
http://www.f-secure.com/weblog/archives/00001691.html
13. random()
http://dacs.dss.ca/man/dacs.exprs.5.html#random
14. How Big is Your Haystack?
https://www.grc.com/haystack.htm
15. dacs.conf(5)
http://dacs.dss.ca/man/dacs.conf.5.html#VFS
16. dacs(1)
http://dacs.dss.ca/man/dacs.1.html
17. dacs_passwd.dtd
http://dacs.dss.ca/man/../dtd-xsd/dacs_passwd.dtd
18. dacs.conf(5)
http://dacs.dss.ca/man/dacs.conf.5.html
19. www.dss.ca
http://www.dss.ca
20. LICENSE
http://dacs.dss.ca/man/../misc/LICENSE