Provided by: courier-authlib-userdb_0.71.4-1_amd64 bug


       userdbpw - create an encrypted password


       userdbpw [[-md5] | [-hmac-md5] | [-hmac-sha1]] |userdb {name} set {field}


       userdbpw enables secure entry of encrypted passwords into /etc/courier/userdb.

       userdbpw reads a single line of text on standard input, encrypts it, and prints the
       encrypted result to standard output.

       If standard input is attached to a terminal device, userdbpw explicitly issues a
       "Password: " prompt on standard error, and turns off echo while the password is entered.

       The -md5 option is available on systems that use MD5-hashed passwords (such as systems
       that use the current version of the PAM library for authenticating, with MD5 passwords
       enabled). This option creates an MD5 password hash, instead of using the traditional
       crypt() function.

       -hmac-md5 and -hmac-sha1 options are available only if the userdb library is installed by
       an application that uses a challenge/response authentication mechanism.  -hmac-md5 creates
       an intermediate HMAC context using the MD5 hash function.  -hmac-sha1 uses the SHA1 hash
       function instead. Whether either HMAC function is actually available depends on the actual
       application that installs the userdb library.

       Note that even though the result of HMAC hashing looks like an encrypted password, it's
       really not. HMAC-based challenge/response authentication mechanisms require the cleartext
       password to be available as cleartext. Computing an intermediate HMAC context does
       scramble the cleartext password, however if its compromised, it WILL be possible for an
       attacker to succesfully authenticate. Therefore, applications that use challenge/response
       authentication will store intermediate HMAC contexts in the "pw" fields in the userdb
       database, which will be compiled into the userdbshadow.dat database, which has group and
       world permissions turned off. The userdb library also requires that the cleartext userdb
       source for the userdb.dat and userdbshadow.dat databases is also stored with the group and
       world permissions turned off.

       userdbpw is usually used together in a pipe with userdb, which reads from standard input.
       For example:

           userdbpw -md5 | userdb users/john set systempw


           userdbpw -hmac-md5 | userdb users/john set hmac-md5pw

       These commands set the systempw field in the record for the user john in
       /etc/courier/userdb/users file, and the hmac-md5pw field. Don't forget to run makeuserdb
       for the change to take effect.

       The following command does the same thing:

           userdb users/john set systempw=SECRETPASSWORD

       However, this command passes the secret password as an argument to the userdb command,
       which can be viewed by anyone who happens to run ps(1) at the same time. Using userdbpw
       allows the secret password to be specified in a way that cannot be easily viewed by ps(1).


       userdb(8)[1], makeuserdb(8)[2]


        1. userdb(8)
           [set $man.base.url.for.relative.links]/userdb.html

        2. makeuserdb(8)
           [set $man.base.url.for.relative.links]/makeuserdb.html