Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

dacs_passwd(8) [debian man page]

DACS_PASSWD(8)						     DACS Web Services Manual						    DACS_PASSWD(8)

NAME

       dacs_passwd - manage private DACS passwords

SYNOPSIS

       dacs_passwd [dacsoptions[1]]

DESCRIPTION

       This program is part of the DACS suite.

       The dacs_passwd web service is used to manage usernames and passwords recognized by local_passwd_authenticate[2], a DACS authentication
       module. This utility serves a similar purpose for local_passwd_authenticate that Apache's htpasswd(1)[3] command does for its mod_auth[4]
       and mod_auth_dbm[5] modules. These accounts and passwords are used only by local_passwd_authenticate and are completely separate from any
       other accounts and passwords.

	   Note
	   Much of the functionality of this program is also available as a DACS utility, dacspasswd(1)[6], which operates on the same password
	   files. Because dacs_admin(8)[7] provides the same functionality and more, dacs_passwd may be removed in a future release.

	   Security
	   The default DACS ACL restricts use of this web service to a DACS administrator and to users who are setting the password for their own
	   DACS account at the receiving jurisdiction. Administrators should ensure that the ACL for dacs_passwd is correct for their environment.

OPTIONS

   Web Service Arguments
       In addition to the standard CGI arguments[8], dacs_passwd understands the following CGI arguments:

       OPERATION
	   The following operations are supported:

	   o   ADD

	       Like SET but add or replace an entry for USERNAME.

	   o   DELETE

	       Delete the account for USERNAME.

	   o   DISABLE

	       Disable the account for USERNAME.

	   o   ENABLE

	       Enable the account for USERNAME.

	   o   LIST

	       List USERNAME, if it exists, otherwise all usernames. A disabled account is indicated by a '*' (which is not a valid character in a
	       username).

	   o   SET

	       Sets or resets a DACS password for USERNAME to NEW_PASSWORD. The CONFIRM_NEW_PASSWORD argument must also be given and be identical
	       to NEW_PASSWORD. Unless the operation is performed by a DACS administrator (i.e., an ADMIN_IDENTITY[9]) or disabled by the
	       PASSWORD_OPS_NEED_PASSWORD[10] directive, the current password for USERNAME must be given as PASSWORD.

		   Security
		   For users other than a DACS administrator, a password must meet certain requirements on its length and the character set from
		   which it is comprised. Note that these requirements are only significant at the time a password is set or changed; existing
		   passwords are unaffected by changes to the configuration directives. Please refer to the PASSWORD_CONSTRAINTS[11] directive.

		   Users should be made aware of security issues related to passwords, including better techniques for selecting passwords and
		   keeping them private.

		   How to choose better passwords
		   Users might consider adopting a method such as the one described in this proposal[12]. It suggests that users construct
		   site-specific passwords from three components:

		    1. a short, random string (a secret PIN) that will be common to all of the user's passwords;

		    2. a string derived from a site's domain name using some simple and easy-to-remember procedure (e.g., using the first four
		       letters or consonents); and

		    3. a short, site-specific random string (this component is different for each of a user's passwords).

		   The PIN, is memorized by the user. The other two components may be written down but must be kept in a relatively secure
		   location (such as in the user's wallet or in a desk drawer). The user forms his or her passwords by combining these three
		   components in any order that is easy to remember.

		   For the site www.example.net, a user might select the password "examRB8s#i8", where "exam" is derived from the site's domain
		   name (component 2), "RB8s" is a random string used with this password only (component 3), and "#i8" is the user's secret PIN
		   (component 1). Because it is probably difficult to remember, the user might create a note with "examRB8s" written on it
		   (components 2 and 3), but not the PIN.

		   For the site dacs.dss.ca, the same user might select the password "dssceIM#i8".

		   Since most people are not very good at it, the site-specific random string (and, ideally, the PIN as well) should be chosen
		   using a good-quality random generator, such as the random()[13] function:

		       % dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')"
		       "y2FJ"

		   In addition to being difficult to guess because of their random components and reasonably large character set, these passwords
		   are different for each site; should one password be compromised, the others are not immediately available to an attacker.
		   Similarly, the written strings cannot be immediately exploited if they are stolen or copied. The strength of the method can be
		   increased by making the PIN longer, or chosen from a larger space of characters.

       ACCOUNT
	   Either PASSWD (the default) or SIMPLE, case insensitively, to select between the item types passwds and simple, respectively. The
	   requested item type must be configured (see dacs.conf(5)[14]).

       USERNAME
	   The DACS username of interest.

       FORMAT
	   By default, output is emitted in HTML. Several varieties of XML output can be selected, however, using the FORMAT argument (please
	   refer to dacs(1)[15] and dacs_passwd.dtd[16]).

DIAGNOSTICS

       The program exits 0 if everything was fine, 1 if an error occurred.

SEE ALSO

       dacspasswd(1)[6], dacs.conf(5)[17]

AUTHOR

       Distributed Systems Software (www.dss.ca[18])

COPYING

       Copyright2003-2012 Distributed Systems Software. See the LICENSE[19] file that accompanies the distribution for licensing information.

NOTES

	1. dacsoptions
	   http://dacs.dss.ca/man/dacs.1.html#dacsoptions

	2. local_passwd_authenticate
	   http://dacs.dss.ca/man/dacs_authenticate.8.html#local_passwd_authenticate

	3. htpasswd(1)
	   http://httpd.apache.org/docs/2.2/programs/htpasswd.html

	4. mod_auth
	   http://httpd.apache.org/docs-2.2/mod/mod_auth.html

	5. mod_auth_dbm
	   http://httpd.apache.org/docs-2.2/mod/mod_auth_dbm.html

	6. dacspasswd(1)
	   http://dacs.dss.ca/man/dacspasswd.1.html

	7. dacs_admin(8)
	   http://dacs.dss.ca/man/dacs_admin.8.html

	8. standard CGI arguments
	   http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

	9. ADMIN_IDENTITY
	   http://dacs.dss.ca/man/dacs.conf.5.html#ADMIN_IDENTITY

       10. PASSWORD_OPS_NEED_PASSWORD
	   http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_OPS_NEED_PASSWORD

       11. PASSWORD_CONSTRAINTS
	   http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_CONSTRAINTS

       12. this proposal
	   http://www.f-secure.com/weblog/archives/00001691.html

       13. random()
	   http://dacs.dss.ca/man/dacs.exprs.5.html#random

       14. dacs.conf(5)
	   http://dacs.dss.ca/man/dacs.conf.5.html#VFS

       15. dacs(1)
	   http://dacs.dss.ca/man/dacs.1.html

       16. dacs_passwd.dtd
	   http://dacs.dss.ca/man/../dtd-xsd/dacs_passwd.dtd

       17. dacs.conf(5)
	   http://dacs.dss.ca/man/dacs.conf.5.html

       18. www.dss.ca
	   http://www.dss.ca

       19. LICENSE
	   http://dacs.dss.ca/man/../misc/LICENSE

DACS 1.4.27b							    10/22/2012							    DACS_PASSWD(8)
Man Page