Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

userdbpw(8) [centos man page]

USERDBPW(8)						      Double Precision, Inc.						       USERDBPW(8)

userdbpw - create an encrypted password SYNOPSIS
userdbpw [[-md5] | [-hmac-md5] | [-hmac-sha1]] |userdb {name} set {field} DESCRIPTION
userdbpw enables secure entry of encrypted passwords into /etc/courier/userdb. userdbpw reads a single line of text on standard input, encrypts it, and prints the encrypted result to standard output. If standard input is attached to a terminal device, userdbpw explicitly issues a "Password: " prompt on standard error, and turns off echo while the password is entered. The -md5 option is available on systems that use MD5-hashed passwords (such as systems that use the current version of the PAM library for authenticating, with MD5 passwords enabled). This option creates an MD5 password hash, instead of using the traditional crypt() function. -hmac-md5 and -hmac-sha1 options are available only if the userdb library is installed by an application that uses a challenge/response authentication mechanism. -hmac-md5 creates an intermediate HMAC context using the MD5 hash function. -hmac-sha1 uses the SHA1 hash function instead. Whether either HMAC function is actually available depends on the actual application that installs the userdb library. Note that even though the result of HMAC hashing looks like an encrypted password, it's really not. HMAC-based challenge/response authentication mechanisms require the cleartext password to be available as cleartext. Computing an intermediate HMAC context does scramble the cleartext password, however if its compromised, it WILL be possible for an attacker to succesfully authenticate. Therefore, applications that use challenge/response authentication will store intermediate HMAC contexts in the "pw" fields in the userdb database, which will be compiled into the userdbshadow.dat database, which has group and world permissions turned off. The userdb library also requires that the cleartext userdb source for the userdb.dat and userdbshadow.dat databases is also stored with the group and world permissions turned off. userdbpw is usually used together in a pipe with userdb, which reads from standard input. For example: userdbpw -md5 | userdb users/john set systempw or: userdbpw -hmac-md5 | userdb users/john set hmac-md5pw These commands set the systempw field in the record for the user john in /etc/courier/userdb/users file, and the hmac-md5pw field. Don't forget to run makeuserdb for the change to take effect. The following command does the same thing: userdb users/john set systempw=SECRETPASSWORD However, this command passes the secret password as an argument to the userdb command, which can be viewed by anyone who happens to run ps(1) at the same time. Using userdbpw allows the secret password to be specified in a way that cannot be easily viewed by ps(1). SEE ALSO
userdb(8)[1], makeuserdb(8)[2] NOTES
1. userdb(8) userdb.html 2. makeuserdb(8) makeuserdb.html Double Precision, Inc. 08/23/2008 USERDBPW(8)

Check Out this Related Man Page

USERDB(8)						      Double Precision, Inc.							 USERDB(8)

userdb - manipulate /etc/courier/userdb SYNOPSIS
userdb {addr} set {field=value...} userdb {addr} unset {field...} userdb {addr} del userdb {path/addr} [set | unset | del] ... userdb -f {file} {adr} [set | unset | del] ... userdb -show {path} userdb -show {path} {addr} userdb -show -f {file} userdb -show -f {file} {addr} DESCRIPTION
userdb is a convenient script to individually manipulate entries in /etc/courier/userdb. See makeuserdb(8)[1] for a description of its contents. /etc/courier/userdb can always be edited using any text editor, but userdb is a convenient way to modify this file from another script. /etc/courier/userdb can also be a subdirectory, instead of a file. Specify foo/bar/addr to manipulate addr in the file /etc/courier/userdb/foo/bar. You can also use the -f flag: -f /etc/courier/userdb/foo/bar is equivalent. Use whatever form makes the most sense to you. /etc/courier/userdb must not have any group or world permissions. That's because its contents may include system passwords (depending upon the application which uses this virtual user account database). Each line in /etc/courier/userdb takes following form: addr specifies a unique virtual address. It is followed by a single tab character, then a list of field=value pairs, separated by vertical slash characters. See makeuserdb(8)[1] for field definitions. A text editor can be used to add blank lines or comments in /etc/courier/userdb. Any blank lines or comments are ignored by the userdb script. The names of the actual fields, and their contents, are defined entirely by applications that use the /etc/courier/userdb database, the userdb command just adds or removes arbitrary fields. For example: userdb default/info set mail=/home/mail/info This command accesses the address "info" in /etc/courier/userdb/default. If the second argument to userdb is "set", the remaining arguments are taken as field=value pairs, which are added to the record for addr. If there is no record for addr, a new record will be appended to the file. If addr exists, any existing values of any specified fields are removed. If =value is missing, userdb stops and prompts for it. This is useful if you're setting a password field, where you do not want to specify the password on the command line, which can be seen by the ps(1) command. If userdb is being executed by a script, the value can be provided on standard input. Use "unset" to delete fields from an existing record. Use "del" to delete all fields in the existing record, plus the record itself. DISPLAYING /etc/courier/userdb If the first argument to userdb is -show, userdb displays the contents of /etc/courier/userdb. If /etc/courier/userdb is a subdirectory, path must refer to a specific file in /etc/courier/userdb. The -f option can be used instead of path in order to specify an arbitrary file. If addr is not specified, userdb produces a list, on standard output, containing all addresses found in the file, on per line. If addr is specified, userdb produces a list, on standard output, of all the fields in /etc/courier/userdb for this addr. REBUILDING /etc/courier/userdb.dat The actual virtual account/address database is /etc/courier/userdb.dat. This is a binary database file. /etc/courier/userdb is the plain text version. After running userdb, execute the makeuserdb(8)[1] command to rebuild /etc/courier/userdb.dat for the changes to take effect. BUGS
addr must be unique. If /etc/courier/userdb is a subdirectory, it's possible to create the same addr in different files in the subdirectory. This is an error that is not currently detected by userdb, however the subsequent makeuserdb(8)[1] command will fail with an error message. FILES
/etc/courier/userdb - plain text file, or directory of plain text files .lock.filename - lock file for filename .tmp.filename - temporary file used to create new contents of filename SEE ALSO
makeuserdb(8)[1], userdbpw(8)[2] NOTES
1. makeuserdb(8) makeuserdb.html 2. userdbpw(8) userdbpw.html Double Precision, Inc. 08/23/2008 USERDB(8)
Man Page