DACSPASSWD(1)                 DACS Commands Manual                 DACSPASSWD(1)

NAME
       dacspasswd - manage DACS accounts

SYNOPSIS
       dacspasswd [dacsoptions[1]] [-p password] [-pf file] [-simple]
                  [-vfs vfs_uri]
                  [op-spec] [--] [username]

DESCRIPTION
       This program is part of the DACS suite.

       The dacspasswd command manages the accounts used by the
       local_passwd_authenticate[2] and local_simple_authenticate[3]
       authentication modules. It serves the same purpose for these
       authentication modules that Apache's htpasswd(1)[4] command serves for
       its mod_auth_basic[5] and mod_authn_dbm[6] modules.

       Apart from their use by local_passwd_authenticate and
       local_simple_authenticate, these accounts are completely separate from
       any other accounts and passwords.

           Only lowercase usernames are permitted for these accounts.

       The command allows arbitrary data to be associated with each account.
       This "private" data is opaque to DACS and is not used by DACS. Custom,
       account-specific information can be stored, retrieved, and deleted. Data
       that is not printable text must be encoded. The information is
       automatically deleted when its account is removed. Using this feature,
       account administration programs might be developed to store:

       •   the last time a password was changed;

       •   hashes of previous password values (so that they are not reused);

       •   a note that the account's password must be changed;

       •   a password reminder question and answer;

       •   information for mutual authentication, such as a small image provided
           by the user that is displayed at login time;

       •   an encrypted representation of the password for recovery purposes
           (when absolutely necessary);

       •   several security questions (with answers), one of which might be
           selected at random and presented to the user at login time; or

       •   user preferences.

       Or instead, a pointer to any of this sort of information might be stored.
       There is no size limit for the data, but if relatively large amounts of
       data are being stored for a large number of accounts, the storage type
       should be chosen with care to ensure reasonable performance.
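       The following is an added example, not code from DACS: an
       administration helper that keeps the "last time a password was changed"
       and "hashes of previous password values" items from the list above as an
       account's private data. The record is JSON wrapped in base64, since
       private data must be printable text, and previous passwords are stored
       only as salted scrypt hashes so the record itself reveals nothing
       usable. It assumes dacspasswd is on PATH, that the jurisdiction is
       selected with -uj, and that -pdg prints an empty string and exits 0 for
       an account that has no private data yet; the runner parameter exists so
       the logic can be exercised without the real binary.

```python
"""Password-history bookkeeping in dacspasswd private data (added example)."""
import base64
import hashlib
import hmac
import json
import os
import subprocess
import time

HISTORY_DEPTH = 5                              # previous passwords remembered
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # scrypt cost parameters


def scrypt_entry(password, salt=None):
    """Salted scrypt hash of a password as a JSON-friendly dict."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": base64.b64encode(salt).decode("ascii"),
            "hash": base64.b64encode(digest).decode("ascii")}


def was_used_before(password, record):
    """True if the password matches any hash remembered in the record."""
    for entry in record.get("history", []):
        salt = base64.b64decode(entry["salt"])
        candidate = base64.b64decode(scrypt_entry(password, salt)["hash"])
        if hmac.compare_digest(candidate, base64.b64decode(entry["hash"])):
            return True
    return False


def encode_record(record):
    """JSON -> base64 text, printable and safe to store as private data."""
    raw = json.dumps(record, sort_keys=True).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_record(text):
    """Inverse of encode_record; an empty string means 'no record yet'."""
    text = text.strip()
    if not text:
        return {"history": [], "changed_at": None}
    return json.loads(base64.b64decode(text))


def run_dacspasswd(args, stdin_text, runner=subprocess.run):
    """Invoke dacspasswd; exit status 0 is success, anything else an error."""
    proc = runner(["dacspasswd"] + args, input=stdin_text,
                  capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("dacspasswd %s failed (exit %d): %s"
                           % (args, proc.returncode, proc.stderr.strip()))
    return proc.stdout


def load_record(jurisdiction, username, runner=subprocess.run):
    """Fetch and decode the account's private data (assumes -pdg prints it)."""
    out = run_dacspasswd(["-uj", jurisdiction, "-pdg", username], None, runner)
    return decode_record(out)


def rotate_password(jurisdiction, username, new_password, now=None,
                    runner=subprocess.run):
    """Set a new password for an existing account, refusing recent reuse."""
    record = load_record(jurisdiction, username, runner)
    if was_used_before(new_password, record):
        raise ValueError("password for %s was used recently" % username)
    # Two invocations: -pf - and -pdsf - cannot both read standard input,
    # and neither the password nor the history belongs on the command line
    # where other users of the system could see it.
    run_dacspasswd(["-uj", jurisdiction, "-set", "-pf", "-", username],
                   new_password + "\n", runner)
    history = [scrypt_entry(new_password)] + record.get("history", [])
    record = {"history": history[:HISTORY_DEPTH],
              "changed_at": int(now if now is not None else time.time())}
    run_dacspasswd(["-uj", jurisdiction, "-pdsf", "-", username],
                   encode_record(record), runner)
    return record
```

       A call such as rotate_password("EXAMPLE", "bobo", new_password) performs
       the two dacspasswd invocations and returns the record that was stored;
       the history check uses scrypt deliberately, in line with the advice on
       PASSWORD_DIGEST above, so an attacker who obtains the private data gains
       no shortcut to the old passwords.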

       Passwords are accessed using the DACS virtual filestore through the
       passwds or simple item types. Each record in the file is keyed on the
       username. The information associated with each key consists of several
       fields separated by a "|" character, and includes a digest algorithm
       identifier, salt, the computed digest, and optional application data.

       Use dacsauth(1)[7] to validate (test) a password.

           The password digest algorithm used depends on the PASSWORD_DIGEST[8]
           directive in effect. The PASSWORD_SALT_PREFIX[9] directive is also

           Apart from using an authentication method stronger than one based on
           passwords, current best practice is to use a key derivation function
           like scrypt rather than a cryptographic digest for the
           PASSWORD_DIGEST[8]. While in general doing so will provide additional
           protection if an attacker obtains the password file, it will not help
           if users are allowed to choose weak passwords.

           Plaintext passwords are not stored by dacspasswd. This makes it more
           difficult for an attacker that gains access to the password file to
           discover plaintext passwords, but also means that forgotten passwords
           cannot be recovered (except by exhaustive search, which ought to be

           The salted hash of the password is stored, assuming salting has not
           been disabled, rather than the hash of the password itself. This
           makes a stolen password file more difficult for an attacker to use
           (see rainbow tables[10]).

           Only a DACS administrator should be able to successfully run this
           program from the command line. Because DACS keys and configuration
           files, including the file used to store passwords, must be restricted
           to an administrator, this will normally be the case, but a careful
           administrator will set file permissions to deny access to all other
           users. An ordinary user is able to change his own password using the
           dacs_passwd(8)[11] web service.

           Even if the password file is stored as a plain text file, it is
           probably best to modify it only through this program or dacs_passwd.
           Corrupting a password file entry may prevent signing on to the
           corresponding account or even all accounts that require the password

           It is good administrative practice to store accounts with passwords
           separately from those without.

       This program is also available as a DACS web service, dacs_passwd(8)[11].

OPTIONS
       By default, the program will prompt for a new password if one is required
       by the selected operation.

       The dacspasswd command recognizes these command line flags:

       -p password
           Specify the password.

               A password given on the command line may be visible to other
               users on the same system.

       -pdd
           Delete the private data associated with username.

       -pdg
           Get the private data associated with username and print it to the
           standard output.

       -pds string
           Set (or replace) string as private data associated with username.

       -pdsf file
           Set (or replace) the private data associated with username, reading
           it from file. If file is "-", then the data is read from the standard
           input. This flag and -pf cannot both be used to read from the
           standard input.

       -pf file
           Read the password to use from file. If file is "-", then the password
           is read from the standard input without prompting. This flag and
           -pdsf cannot both be used to read from the standard input.

       -simple
           Use the simple item type expected by local_simple_authenticate
           instead of the default. The program will not prompt for passwords
           because these accounts do not use them.

       -vfs vfs_uri
           Add vfs_uri as a VFS[12] configuration directive. By specifying the
           item type passwds, a location for the password file can be given,
           overriding any configuration file value. This is particularly useful
           in conjunction with dacsauth(1)[7].

           The following operations are recognized. The -enable, -disable, -pdd,
           -pds, and -pdsf operations are the only ones that can be combined with
           another operation (for example, you can disable an account and set
           its private data at the same time).

           -a, -add
               Add username to the password file. The entry must not already
               exist. By default, the user will be prompted for the password,
               which must be retyped for confirmation. This is the default

               Delete username from the password file.

           -dis, -disable
               Disable the account for username so that authentication modules
               will not accept any password. If used with -a, -s, or -u, the
               account will also be disabled. The username may subsequently be

           -ena, -enable
               Re-enable the account for username, which is currently disabled.
               The authentication modules will once again accept the password.
               If used with -a, -s, or -u, the account will also be enabled.

               Get the digest string for username and print it to the standard
               output. A script can validate a password by passing this digest
               string to password()[13] along with the password obtained from
               the user.

           -list
               List username if it appears in the password file. If no username
               is provided, list all usernames. A disabled account is indicated
               by a '*' (which is not a valid character in a username). The
               -long and -longlist variants display additional detail about each
               entry, such as the digest algorithm used.

           -s, -set
               Set or reset the password for username, which must already exist
               in the password file. The enabled/disabled status is preserved
               unless overridden by a flag.

           -regen
               Read the current password file (item type passwds) and copy it to
               the item type newpasswds. This will normally create an exact
               copy, but if there are applicable formatting changes, they are
               automatically applied to the input; that is, if the format of the
               input file is older than the format preferred by the current
               version of DACS, it will be updated in the output file to the
               extent possible. The output file should be carefully examined and
               tested before being used.

           -test test-op
               Test an entry for one of several attributes and report the
               outcome through the program's exit status. The test-op is one of
               the following keywords or abbreviated keywords:

               •   enabled, ena, en

                   Return an exit status of 0 if an account for username exists
                   and is enabled, or 1 if it does not exist or is disabled.

               •   exists, ex

                   Return an exit status of 0 if an account for username exists,
                   or 1 if it does not exist.

               •   data

                   Return an exit status of 0 if an account for username exists
                   and has private data, or 1 if it does not exist or does not
                   have private data. If an entry's private data is the empty
                   string, it is considered to have private data.

               •   disabled, dis

                   Return an exit status of 0 if an account for username exists
                   and is disabled, or 1 if it does not exist or is enabled.

           -u
               Add username to the password file or update an existing entry for
               username. By default, the user will be prompted for the password,
               which must be retyped for confirmation. If the entry exists, the
               enabled/disabled status is preserved unless overridden by a flag.

       --
           This flag signals the end of the flag arguments; a username may
           follow, possibly beginning with a "-" character.

       Since only the administrator is allowed to use this command, no
       restrictions are imposed on the length or quality of the passwords that
       the administrator supplies; a warning message will be emitted, however,
       if the password is considered to be weak based on the
       PASSWORD_CONSTRAINTS[14] directive that is configured.

EXAMPLES
       To list all of the accounts configured for the jurisdiction named
       EXAMPLE:

           % dacspasswd -uj EXAMPLE -list

       Note that the account for username bobo has been disabled.

       To re-enable bobo's account:

           % dacspasswd -uj EXAMPLE -ena bobo

       To test if bobo's account is enabled:

           % dacspasswd -uj EXAMPLE -test ena bobo
           % echo $status

       To test if there are accounts for usernames booboo and bob:

           % dacspasswd -uj EXAMPLE -test exists booboo
           % echo $status
           % dacspasswd -uj EXAMPLE -test exists bob
           % echo $status

       To reset the password for username bobo interactively:

           % dacspasswd -uj EXAMPLE -set bobo
           New password for bobo?
           Re-type new password for bobo?

       Note that the password text is not displayed.

       To reset the password for username bobo using the program's standard
       input:

           % echo $newpasswd | dacspasswd -uj EXAMPLE -set -pf - bobo

       To create a new, disabled account for username bob and store the private
       data "On vacation":

           % dacspasswd -uj EXAMPLE -add -pf ./pwfile -dis -pds "On vacation" bob

       The password is read from the file ./pwfile.

       To get the private data for username bob:

           % set x=`dacspasswd -uj EXAMPLE -pdg bob`
           % echo "$x"
           On vacation

       To regenerate the current password file:

           % dacspasswd -uj EXAMPLE -q -vfs "[newpasswds]dacs-kwv-fs:/usr/local/dacs/tmp/newpasswd?field_sep=:" -regen

DIAGNOSTICS
       The program exits 0 if everything was fine, and non-zero otherwise. A
       "false" outcome from the -test operation is reflected by an exit status
       of 1. An error condition is indicated by an exit status of 2.

BUGS
       That password information is not represented externally as an XML
       document tends to haunt your humble narrator. The password file format is
       subject to change.

SEE ALSO
       dacs_passwd(8)[11], dacsauth(1)[7], dacs_authenticate(8)[15],
       dacs_admin(8)[16], dacs.conf(5)[17]

AUTHOR
       Distributed Systems Software (www.dss.ca[18])

COPYING
       Copyright © 2003-2017 Distributed Systems Software. See the LICENSE[19]
       file that accompanies the distribution for licensing information.

NOTES
        1. dacsoptions

        2. local_passwd_authenticate

        3. local_simple_authenticate

        4. htpasswd(1)

        5. mod_auth_basic

        6. mod_authn_dbm

        7. dacsauth(1)

        8. PASSWORD_DIGEST

        9. PASSWORD_SALT_PREFIX

       10. rainbow tables

       11. dacs_passwd(8)

       12. VFS

       13. password()

       14. PASSWORD_CONSTRAINTS

       15. dacs_authenticate(8)

       16. dacs_admin(8)

       17. dacs.conf(5)

       18. www.dss.ca

       19. LICENSE

DACS 1.4.40                        08/23/2020                      DACSPASSWD(1)