from small one page howto to huge articles all in one place
 

search text in:





Poll
Which linux distribution do you use?







poll results

Last additions:
using iotop to find disk usage hogs

using iotop to find disk usage hogs

words:

887

views:

99310

userrating:

average rating: 1.7 (84 votes) (1=very good 6=terrible)


May 25th. 2007:
Words

486

Views

214455

why adblockers are bad


Workaround and fixes for the current Core Dump Handling vulnerability affected kernels

Workaround and fixes for the current Core Dump Handling vulnerability affected kernels

words:

161

views:

95505

userrating:

average rating: 1.3 (28 votes) (1=very good 6=terrible)


April, 26th. 2006:

Druckversion
You are here: manpages





USERDBPW

Section: Double Precision, Inc. (8)
Updated: 08/25/2013
Index Return to Main Contents
 

NAME

userdbpw - create an encrypted password  

SYNOPSIS

userdbpw [[-md5] | [-hmac-md5] | [-hmac-sha1]] |userdb {name} set {field}
 

DESCRIPTION

userdbpw

enables secure entry of encrypted passwords into /etc/courier/authlib/userdb.

userdbpw reads a single line of text on standard input, encrypts it, and prints the encrypted result to standard output.

If standard input is attached to a terminal device, userdbpw explicitly issues a "Password: " prompt on standard error, and turns off echo while the password is entered.

The -md5 option is available on systems that use MD5-hashed passwords (such as systems that use the current version of the PAM library for authenticating, with MD5 passwords enabled). This option creates an MD5 password hash, instead of using the traditional crypt() function.

-hmac-md5 and -hmac-sha1 options are available only if the userdb library is installed by an application that uses a challenge/response authentication mechanism. -hmac-md5 creates an intermediate HMAC context using the MD5 hash function. -hmac-sha1 uses the SHA1 hash function instead. Whether either HMAC function is actually available depends on the actual application that installs the userdb library.

Note that even though the result of HMAC hashing looks like an encrypted password, it's really not. HMAC-based challenge/response authentication mechanisms require the cleartext password to be available as cleartext. Computing an intermediate HMAC context does scramble the cleartext password, however if its compromised, it WILL be possible for an attacker to succesfully authenticate. Therefore, applications that use challenge/response authentication will store intermediate HMAC contexts in the "pw" fields in the userdb database, which will be compiled into the userdbshadow.dat database, which has group and world permissions turned off. The userdb library also requires that the cleartext userdb source for the userdb.dat and userdbshadow.dat databases is also stored with the group and world permissions turned off.

userdbpw is usually used together in a pipe with userdb, which reads from standard input. For example:

userdbpw -md5 | userdb users/john set systempw

or:

userdbpw -hmac-md5 | userdb users/john set hmac-md5pw

These commands set the systempw field in the record for the user john in /etc/courier/authlib/userdb/users file, and the hmac-md5pw field. Don't forget to run makeuserdb for the change to take effect.

The following command does the same thing:

userdb users/john set systempw=SECRETPASSWORD

However, this command passes the secret password as an argument to the userdb command, which can be viewed by anyone who happens to run ps(1) at the same time. Using userdbpw allows the secret password to be specified in a way that cannot be easily viewed by ps(1).  

SEE ALSO

m[blue]userdb(8)m[][1], m[blue]makeuserdb(8)m[][2]  

NOTES

1.
userdb(8)
[set $man.base.url.for.relative.links]/userdb.html
2.
makeuserdb(8)
[set $man.base.url.for.relative.links]/makeuserdb.html


 

Index

NAME
SYNOPSIS
DESCRIPTION
SEE ALSO
NOTES


Please read "Why adblockers are bad".



Other free services
toURL.org
Shorten long
URLs to short
links like
http://tourl.org/2
tourl.org
.
Reverse DNS lookup
Find out which hostname(s)
resolve to a
given IP or other hostnames for the server
www.reversednslookup.org
rdf newsfeed | rss newsfeed | Atom newsfeed
- Powered by LeopardCMS - Running on Gentoo -
Copyright 2004-2017 Sascha Nitsch Unternehmensberatung UG(haftungsbeschränkt)
Valid XHTML1.1 : Valid CSS : buttonmaker
- Level Triple-A Conformance to Web Content Accessibility Guidelines 1.0 -
- Copyright and legal notices -
Time to create this page: 4.0 ms