userdbpw(8) [debian man page]

USERDBPW(8)						      Double Precision, Inc.						       USERDBPW(8)

NAME
       userdbpw - create an encrypted password

SYNOPSIS
       userdbpw [[-md5] | [-hmac-md5] | [-hmac-sha1]] | userdb {name} set {field}

DESCRIPTION
       userdbpw enables secure entry of encrypted passwords into /etc/courier/userdb.
       userdbpw reads a single line of text on standard input, encrypts it, and prints
       the encrypted result to standard output. If standard input is attached to a
       terminal device, userdbpw explicitly issues a "Password: " prompt on standard
       error, and turns off echo while the password is entered.

       The -md5 option is available on systems that use MD5-hashed passwords (such as
       systems that use the current version of the PAM library for authenticating,
       with MD5 passwords enabled). This option creates an MD5 password hash, instead
       of using the traditional crypt() function.

       The -hmac-md5 and -hmac-sha1 options are available only if the userdb library
       is installed by an application that uses a challenge/response authentication
       mechanism. -hmac-md5 creates an intermediate HMAC context using the MD5 hash
       function. -hmac-sha1 uses the SHA1 hash function instead. Whether either HMAC
       function is actually available depends on the actual application that installs
       the userdb library.

       Note that even though the result of HMAC hashing looks like an encrypted
       password, it's really not. HMAC-based challenge/response authentication
       mechanisms require the cleartext password to be available as cleartext.
       Computing an intermediate HMAC context does scramble the cleartext password;
       however, if it is compromised, it WILL be possible for an attacker to
       successfully authenticate. Therefore, applications that use challenge/response
       authentication will store intermediate HMAC contexts in the "pw" fields in the
       userdb database, which will be compiled into the userdbshadow.dat database,
       which has group and world permissions turned off. The userdb library also
       requires that the cleartext userdb source for the userdb.dat and
       userdbshadow.dat databases is also stored with the group and world permissions
       turned off.

       userdbpw is usually used together in a pipe with userdb, which reads from
       standard input. For example:

           userdbpw -md5 | userdb users/john set systempw

       or:

           userdbpw -hmac-md5 | userdb users/john set hmac-md5pw

       These commands set the systempw field, and the hmac-md5pw field, in the record
       for the user john in the /etc/courier/userdb/users file. Don't forget to run
       makeuserdb for the change to take effect.

       The following command does the same thing:

           userdb users/john set systempw=SECRETPASSWORD

       However, this command passes the secret password as an argument to the userdb
       command, which can be viewed by anyone who happens to run ps(1) at the same
       time. Using userdbpw allows the secret password to be specified in a way that
       cannot be easily viewed by ps(1).

SEE ALSO
       userdb(8)[1], makeuserdb(8)[2]

NOTES
        1. userdb(8)
           userdb.html
        2. makeuserdb(8)
           makeuserdb.html

Double Precision, Inc.                        08/23/2008                          USERDBPW(8)


USERDB(8)						      Double Precision, Inc.							 USERDB(8)

NAME
       userdb - manipulate /etc/courier/userdb

SYNOPSIS
       userdb {addr} set {field=value...}
       userdb {addr} unset {field...}
       userdb {addr} del
       userdb {path/addr} [set | unset | del] ...
       userdb -f {file} {addr} [set | unset | del] ...
       userdb -show {path}
       userdb -show {path} {addr}
       userdb -show -f {file}
       userdb -show -f {file} {addr}

DESCRIPTION
       userdb is a convenient script to individually manipulate entries in
       /etc/courier/userdb. See makeuserdb(8)[1] for a description of its contents.
       /etc/courier/userdb can always be edited using any text editor, but userdb is a
       convenient way to modify this file from another script.

       /etc/courier/userdb can also be a subdirectory, instead of a file. Specify
       foo/bar/addr to manipulate addr in the file /etc/courier/userdb/foo/bar. You
       can also use the -f flag: -f /etc/courier/userdb/foo/bar is equivalent. Use
       whatever form makes the most sense to you.

       /etc/courier/userdb must not have any group or world permissions. That's
       because its contents may include system passwords (depending upon the
       application which uses this virtual user account database).

       Each line in /etc/courier/userdb takes the following form:

       addr specifies a unique virtual address. It is followed by a single tab
       character, then a list of field=value pairs, separated by vertical bar (|)
       characters. See makeuserdb(8)[1] for field definitions.

       A text editor can be used to add blank lines or comments in
       /etc/courier/userdb. Any blank lines or comments are ignored by the userdb
       script.

       The names of the actual fields, and their contents, are defined entirely by
       applications that use the /etc/courier/userdb database; the userdb command
       just adds or removes arbitrary fields. For example:

           userdb default/info set mail=/home/mail/info

       This command accesses the address "info" in /etc/courier/userdb/default.

       If the second argument to userdb is "set", the remaining arguments are taken
       as field=value pairs, which are added to the record for addr. If there is no
       record for addr, a new record will be appended to the file. If addr exists,
       any existing values of any specified fields are removed.

       If =value is missing, userdb stops and prompts for it. This is useful if
       you're setting a password field, where you do not want to specify the
       password on the command line, which can be seen by the ps(1) command. If
       userdb is being executed by a script, the value can be provided on standard
       input.

       Use "unset" to delete fields from an existing record. Use "del" to delete all
       fields in the existing record, plus the record itself.

DISPLAYING /etc/courier/userdb
       If the first argument to userdb is -show, userdb displays the contents of
       /etc/courier/userdb. If /etc/courier/userdb is a subdirectory, path must refer
       to a specific file in /etc/courier/userdb. The -f option can be used instead
       of path in order to specify an arbitrary file.

       If addr is not specified, userdb produces a list, on standard output,
       containing all addresses found in the file, one per line. If addr is
       specified, userdb produces a list, on standard output, of all the fields in
       /etc/courier/userdb for this addr.

REBUILDING /etc/courier/userdb.dat
       The actual virtual account/address database is /etc/courier/userdb.dat. This
       is a binary database file. /etc/courier/userdb is the plain text version.
       After running userdb, execute the makeuserdb(8)[1] command to rebuild
       /etc/courier/userdb.dat for the changes to take effect.

BUGS
       addr must be unique. If /etc/courier/userdb is a subdirectory, it's possible
       to create the same addr in different files in the subdirectory. This is an
       error that is not currently detected by userdb; however, the subsequent
       makeuserdb(8)[1] command will fail with an error message.

FILES
       /etc/courier/userdb
              plain text file, or directory of plain text files

       .lock.filename
              lock file for filename

       .tmp.filename
              temporary file used to create new contents of filename

SEE ALSO
       makeuserdb(8)[1], userdbpw(8)[2]

NOTES
        1. makeuserdb(8)
           makeuserdb.html
        2. userdbpw(8)
           userdbpw.html

Double Precision, Inc.                        08/23/2008                            USERDB(8)
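The following POSIX sh script is an added example and is not part of the Courier man pages or of the userdb tools themselves. It works on the plain-text format described above (addr, one tab, then field=value pairs joined by "|", with blank and "#" lines ignored) and covers the two checks a defender would want from both pages: the requirement that the userdb source and its directory carry no group or world permission bits, and the duplicate-addr-across-files condition that the BUGS section says userdb does not detect. The function names (userdb_show, userdb_dup_addrs, userdb_perm_check, make_sample_userdb) and the sample records are constructed for this illustration; the script only reads text files it creates itself under a temporary directory and never touches userdb.dat.

```shell
#!/bin/sh
# Added example, not Courier's code: audit helpers for the plain-text userdb
# format (addr<TAB>field=value|field=value). Names and data are constructed.

# Create a constructed userdb directory under a temp path so the example runs
# offline. One addr is deliberately duplicated across two files and one file
# is deliberately group/world readable, to exercise the checks below.
make_sample_userdb() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    printf 'john\tuid=1000|gid=1000|home=/home/john|systempw=$1$constructedhash\n' > "$d/users"
    printf '# comment lines and blank lines are ignored\n\n' >> "$d/users"
    printf 'mary\tuid=1001|gid=1001|home=/home/mary\n' >> "$d/users"
    printf 'info\tmail=/home/mail/info\n' > "$d/default"
    printf 'john\tuid=2000|gid=2000\n' > "$d/staff"   # same addr, different file
    chmod 600 "$d/users" "$d/default"
    chmod 644 "$d/staff"                              # wrong: readable by others
    printf '%s\n' "$d"
}

# Equivalent of "userdb -show -f FILE ADDR": print the fields of one record,
# one per line.  Usage: userdb_show FILE ADDR
userdb_show() {
    awk -F'\t' -v addr="$2" '
        /^#/ || NF < 2 { next }            # skip comments and blank lines
        $1 == addr { n = split($2, f, "|"); for (i = 1; i <= n; i++) print f[i] }
    ' "$1"
}

# List every addr that appears in more than one file of a userdb directory
# (the case the BUGS section says userdb itself does not detect). Prints
# "addr first-file second-file" per duplicate. Dotfiles such as .lock.* and
# .tmp.* are not matched by the glob.  Usage: userdb_dup_addrs DIR
userdb_dup_addrs() {
    awk -F'\t' '
        /^#/ || NF < 2 { next }
        ($1 in seen) { print $1, seen[$1], FILENAME; next }
        { seen[$1] = FILENAME }
    ' "$1"/*
}

# Report the directory and any file in it that has group or world permission
# bits set (both man pages require these to be off because the files may hold
# password material). Parses the mode string from ls -ld for portability.
# Usage: userdb_perm_check DIR   (exit 0 if clean, 1 otherwise)
userdb_perm_check() {
    rc=0
    for f in "$1" "$1"/*; do
        bits=$(ls -ld "$f" | cut -c5-10)       # group and other triplets
        case $bits in
            ------) ;;
            *) printf '%s has group/world bits: %s\n' "$f" "$bits"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration on the constructed data.
sample=$(make_sample_userdb)
echo "fields for john in $sample/users:"; userdb_show "$sample/users" john
echo "duplicate addrs:";                  userdb_dup_addrs "$sample"
userdb_perm_check "$sample" || echo "permission problems found"
rm -rf "$sample"
```

Run against a real installation by pointing the functions at /etc/courier/userdb (as root, since the directory must be mode 700); userdb_dup_addrs in particular catches the duplicate before makeuserdb fails on it.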