DACS_PASSWD(8)              DACS Web Services Manual              DACS_PASSWD(8)



NAME
       dacs_passwd - manage private DACS passwords

SYNOPSIS
       dacs_passwd [dacsoptions[1]]

DESCRIPTION
       This program is part of the DACS suite.

       The dacs_passwd web service is used to manage usernames and passwords
       recognized by local_passwd_authenticate[2], a DACS authentication module.
       This utility serves a similar purpose for local_passwd_authenticate that
       Apache's htpasswd(1)[3] command does for its mod_authn_file[4] and
       mod_authn_dbm[5] modules. These accounts and passwords are used only by
       local_passwd_authenticate and are completely separate from any other
       accounts and passwords.

           Note
           Much of the functionality of this program is also available as a DACS
           utility, dacspasswd(1)[6], which operates on the same password files.
           Because dacs_admin(8)[7] provides the same functionality and more,
           dacs_passwd may be removed in a future release.

           Security
           This web service enforces several requirements over and above those
           specified by its access control rule. The USERNAME argument must be
           syntactically valid and lowercase. The user must already be
           authenticated. To change his password, a (non-admin) user must enter
           his current password.

           The default DACS ACL restricts use of this web service to a DACS
           administrator and to users who are setting the password for their own
           DACS account at the receiving jurisdiction. Administrators should
           ensure that the ACL for dacs_passwd is correct for their environment.

OPTIONS
   Web Service Arguments
       In addition to the standard CGI arguments[8], dacs_passwd understands the
       following CGI arguments:

       OPERATION
           The following operations are supported:

           •   ADD

               Like SET but add or replace an entry for USERNAME.

           •   DELETE

               Delete the account for USERNAME.

           •   DISABLE

               Disable the account for USERNAME.

           •   ENABLE

               Enable the account for USERNAME.

           •   LIST

               List USERNAME, if it exists, otherwise all usernames. A disabled
               account is indicated by a '*' (which is not a valid character in
               a username).

           •   SET

               Sets or resets a DACS password for USERNAME to NEW_PASSWORD. The
               CONFIRM_NEW_PASSWORD argument must also be given and be identical
               to NEW_PASSWORD. Unless the operation is performed by a DACS
               administrator (i.e., an ADMIN_IDENTITY[9]) or disabled by the
               PASSWORD_OPS_NEED_PASSWORD[10] directive, the current password
               for USERNAME must be given as PASSWORD.

                   Security
                    For users other than a DACS administrator, a password must
                    meet certain requirements on its length and the character set
                    of which it is composed. Note that these requirements are
                    only significant at the time a password is set or changed;
                    existing passwords are unaffected by changes to the
                    configuration directives. Please refer to the
                    PASSWORD_CONSTRAINTS[11] directive.

                   Users should be made aware of security issues related to
                   passwords, including better techniques for selecting
                   passwords and keeping them private.

                   How to choose better passwords
                   Most users can benefit from adopting a method for password
                   selection similar to the one described in this proposal[12].
                   It suggests that users construct site-specific passwords from
                   three separate components:

                    1. PIN-1, a short, random string that is common to all of
                       the user's passwords, kept secret, and unlikely to be in
                       any dictionary;

                     2. SITE, a string that is derived from a site's name (or
                        domain name) using some simple and easy-to-remember
                        procedure (e.g., using an obvious abbreviation or prefix,
                        or the first four letters or consonants, perhaps mixing
                        upper and lower case); and

                    3. PIN-2, a short, site-specific random string that is
                       different for each of the user's passwords, and not
                       likely to be in any dictionary.

                   PIN-1 is memorized by the user. The other two components may
                   be written down but must be kept in a relatively secure
                   location (such as in the user's wallet or in a locked desk
                   drawer).

                   The user forms passwords by combining these three components
                   in any order that is easy to remember, like:

                       SITE PIN-2 PIN-1

                   Following that ordering, for the site www.example.net, a user
                   might select the password "exampleRB8s#i8", where "example"
                   (component 2, SITE) is derived from the site's domain name,
                   "RB8s" is a random string used with this password only
                   (component 3, PIN-2), and "#i8" is the user's secret PIN
                   (component 1, PIN-1). Because it is probably difficult to
                   remember, the user might create a note with "www.example.net
                   RB8s" written on it but not PIN-1.

                   For httpd.apache.org, the same user might select the password
                   "httpd33ABB#i8".

                   For the site dacs.dss.ca, the user might select the password
                   "dacsceIM#i8".

                   Note that because the characters comprising PIN-1 must be
                   acceptable in all sites' passwords, and some sites accept a
                   rather limited character set for their passwords, it may be
                   necessary to restrict PIN-1 to the alphanumeric alphabet. The
                   other two components can be chosen from whatever password
                   characters are permitted by the particular site. As some
                   sites unfortunately allow only relatively short passwords, it
                   is preferable to shorten SITE rather than either of the other
                   two components.

                   Provided the basic rules are followed, a user can strengthen
                   the method by making minor changes. As a simple example, one
                   or more separating characters, also from a restricted
                   character set, might be added before and after the middle
                   component:

                       SITE Z PIN-2 Z PIN-1

                   In this example, a 'Z' is used as a separating character.

                   Since most people are not very good at it, the random strings
                   should be chosen using a good-quality random generator, such
                   as the random()[13] function:

                       % dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')"
                       "y2FJ"

                   Or, on FreeBSD or macOS:

                       % jot -r -c 20 33 126 | rs -g 0 4
                       ib2Y
                       25$z
                       vI9Z
                       ^KpZ
                       51b7

                   In addition to being difficult to guess because of their
                   random components and reasonably large character set, these
                   passwords are different for each site; should one password be
                   compromised, the others are not immediately available to an
                   attacker. Similarly, the written strings cannot be
                   immediately exploited if they are stolen or copied. The
                   strength of the method can be increased by making either or
                   both PIN components longer, chosen from a larger space of
                   characters, or by inserting one or more characters between
                   components. Software is available to help evaluate password
                   strength (e.g., How Big is Your Haystack?[14]), but avoid
                   giving out the actual password you intend to use.
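
                    The three-component method above, worked through in Python
                    as an added example (this is not part of DACS or of this
                    manual). It assumes one particular SITE rule, the first
                    label of the host name with a leading "www" dropped, which
                    reproduces the page's "example", "httpd" and "dacs"
                    choices; the random components come from the OS CSPRNG in
                    the role random() plays above.

```python
import secrets

# The character set of the page's dacsexpr example, 'a-zA-Z0-9,./;@#',
# spelled out (constructed for this example).
PIN2_ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "0123456789,./;@#")
ALNUM = PIN2_ALPHABET[:62]   # the alphabet every site accepts; suggested for PIN-1


def site_component(hostname: str) -> str:
    """Derive SITE from a host name: its first label, ignoring a leading 'www'.

    One simple, easy-to-remember procedure (an assumption of this example).
    """
    labels = [lab for lab in hostname.lower().split(".") if lab]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if not labels:
        raise ValueError("hostname has no usable label")
    return labels[0]


def random_component(length: int, alphabet: str = PIN2_ALPHABET) -> str:
    """A random string drawn from the OS CSPRNG, not from the user's imagination."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pin1_is_portable(pin1: str) -> bool:
    """True if PIN-1 is purely alphanumeric, so every site will accept it."""
    return bool(pin1) and all(c in ALNUM for c in pin1)


def compose(site: str, pin2: str, pin1: str, sep: str = "") -> str:
    """SITE PIN-2 PIN-1 ordering; a non-empty sep gives SITE Z PIN-2 Z PIN-1."""
    return f"{site}{sep}{pin2}{sep}{pin1}"


def new_site_password(hostname: str, pin1: str, pin2_len: int = 4, sep: str = ""):
    """Return (password, note). The note is the part that may be written down;
    it deliberately omits PIN-1, like the page's "www.example.net RB8s" note."""
    pin2 = random_component(pin2_len)
    return compose(site_component(hostname), pin2, pin1, sep), f"{hostname} {pin2}"


if __name__ == "__main__":
    pw, note = new_site_password("www.example.net", "i8x")
    print(pw, "|", note)
```

                    Run with a fixed PIN-2 and PIN-1, compose() yields exactly
                    the page's sample passwords; the generated note never
                    contains PIN-1.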


       ACCOUNT
           Either PASSWD (the default) or SIMPLE, case insensitively, to select
           between the item types passwds and simple, respectively. The
           requested item type must be configured (see dacs.conf(5)[15]).

       USERNAME
           The DACS username of interest.

       FORMAT
           By default, output is emitted in HTML. Several varieties of XML
           output can be selected, however, using the FORMAT argument (please
           refer to dacs(1)[16] and dacs_passwd.dtd[17]).

DIAGNOSTICS
       The program exits 0 if everything was fine, 1 if an error occurred.

SEE ALSO
       dacspasswd(1)[6], dacs_admin(8)[7], dacs.conf(5)[18]

AUTHOR
       Distributed Systems Software (www.dss.ca[19])

COPYING
       Copyright © 2003-2017 Distributed Systems Software. See the LICENSE[20]
       file that accompanies the distribution for licensing information.

NOTES
        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. local_passwd_authenticate
           http://dacs.dss.ca/man/dacs_authenticate.8.html#local_passwd_authenticate

        3. htpasswd(1)
           http://httpd.apache.org/docs/2.4/programs/htpasswd.html

        4. mod_authn_file
           http://httpd.apache.org/docs/2.4/mod/mod_authn_file.html

        5. mod_authn_dbm
           http://httpd.apache.org/docs/2.4/mod/mod_authn_dbm.html

        6. dacspasswd(1)
           http://dacs.dss.ca/man/dacspasswd.1.html

        7. dacs_admin(8)
           http://dacs.dss.ca/man/dacs_admin.8.html

        8. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

        9. ADMIN_IDENTITY
           http://dacs.dss.ca/man/dacs.conf.5.html#ADMIN_IDENTITY

       10. PASSWORD_OPS_NEED_PASSWORD
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_OPS_NEED_PASSWORD

       11. PASSWORD_CONSTRAINTS
           http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_CONSTRAINTS

       12. this proposal
           http://www.f-secure.com/weblog/archives/00001691.html

       13. random()
           http://dacs.dss.ca/man/dacs.exprs.5.html#random

       14. How Big is Your Haystack?
           https://www.grc.com/haystack.htm

       15. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html#VFS

       16. dacs(1)
           http://dacs.dss.ca/man/dacs.1.html

       17. dacs_passwd.dtd
           http://dacs.dss.ca/man/../dtd-xsd/dacs_passwd.dtd

       18. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html

       19. www.dss.ca
           http://www.dss.ca

       20. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE



DACS 1.4.40                        02/19/2019                     DACS_PASSWD(8)