
FreeBSD Manual Pages


USERDBPW(8)		    Double Precision, Inc.		   USERDBPW(8)

NAME
       userdbpw - create an encrypted password

SYNOPSIS
       userdbpw [[-md5] | [-hmac-md5] | [-hmac-sha1]] | userdb {name} set

DESCRIPTION
       userdbpw enables secure entry of encrypted passwords into

       userdbpw reads a single line of text on standard input, "encrypts" it
       (in the traditional Unix sense: the result is a one-way hash from which
       the password cannot be recovered), and prints the result to standard
       output.

       If standard input is attached to	a terminal device, userdbpw explicitly
       issues a	"Password: " prompt on standard	error, and turns off echo
       while the password is entered.

       The -md5 option is available on systems that use MD5-hashed passwords
       (such as systems that use the current version of the PAM library for
       authentication, with MD5 passwords enabled). This option creates an MD5
       password hash instead of using the traditional crypt() function. Use
       it only where the system's own password checking understands MD5
       hashes; otherwise the stored hash will never match. Where it is
       available it is the better choice: traditional DES-based crypt() uses
       only the first eight characters of the password and a 12-bit salt.

       The -hmac-md5 and -hmac-sha1 options are available only if the userdb
       library is installed by an application that uses a challenge/response
       authentication mechanism. -hmac-md5 creates an intermediate HMAC
       context using the MD5 hash function; -hmac-sha1 uses the SHA1 hash
       function instead. Whether either HMAC function is actually available
       depends on the application that installs the userdb library.

       Note that even though the result of HMAC hashing looks like an
       encrypted password, it is not one. HMAC-based challenge/response
       authentication mechanisms require the server to know the cleartext
       password, or something equivalent to it. Computing an intermediate
       HMAC context does scramble the cleartext password, but the context is
       password-equivalent: anyone who obtains it can compute a valid response
       to any challenge, and WILL be able to authenticate successfully without
       ever learning the password itself. Therefore, applications that use
       challenge/response authentication store intermediate HMAC contexts in
       the "pw" fields of the userdb database, which are compiled into the
       userdbshadow.dat database, which has group and world permissions
       turned off. The userdb library also requires that the cleartext userdb
       source for the userdb.dat and userdbshadow.dat databases be stored
       with group and world permissions turned off. Treat the source file,
       userdbshadow.dat and any backups of them as secrets.
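       The following is an added example, not code from Courier or the userdb
       library, showing why an "intermediate HMAC context" is password-
       equivalent for challenge/response authentication. MD5 is reimplemented
       so that its internal state can be captured after absorbing key XOR ipad
       and key XOR opad (the two saved contexts), and a CRAM-MD5 style response
       (HMAC-MD5 over the server's challenge) is then finished from those
       saved states alone and compared with what a client holding the real
       password computes. The password, the challenge and the hex layout of
       the serialised contexts are constructed for the demo; they are not
       Courier's on-disk hmac-md5pw format. The -hmac-sha1 variant works the
       same way with SHA1's state in place of MD5's.

```python
"""Why a stored HMAC context lets an attacker authenticate without the password.

Added example (not Courier/userdb code). MD5 is reimplemented so the state after
one block of key^ipad / key^opad can be saved and resumed later.
"""
import hashlib
import hmac
import math
import struct

BLOCK = 64
MASK = 0xFFFFFFFF
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_compress(state, block):
    """One MD5 compression of a 64-byte block; returns the new 4-word state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def md5_finish(state, tail, total_len):
    """Resume MD5 from a saved state: absorb `tail`, pad, append the length in
    bits of everything hashed so far (`total_len` bytes) and return the digest."""
    msg = tail + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        state = md5_compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def hmac_md5_contexts(password):
    """The "intermediate HMAC context": MD5 state after one block of key^ipad
    (inner) and of key^opad (outer). The server keeps these, not the password."""
    if len(password) > BLOCK:
        password = hashlib.md5(password).digest()   # RFC 2104: long keys are hashed first
    key = password.ljust(BLOCK, b"\x00")
    inner = md5_compress(INIT, bytes(k ^ 0x36 for k in key))
    outer = md5_compress(INIT, bytes(k ^ 0x5C for k in key))
    return inner, outer


def contexts_hex(inner, outer):
    """Serialise both states as 64 hex chars. Layout is an assumption for this
    demo, not necessarily Courier's hmac-md5pw field format."""
    return (struct.pack("<4I", *inner) + struct.pack("<4I", *outer)).hex()


def response_from_contexts(inner, outer, challenge):
    """HMAC-MD5(password, challenge) computed WITHOUT the password: continue the
    inner hash over the challenge, then the outer hash over the inner digest."""
    inner_digest = md5_finish(inner, challenge, BLOCK + len(challenge))
    return md5_finish(outer, inner_digest, BLOCK + 16).hex()


def response_from_password(password, challenge):
    """Reference: what a client that holds the cleartext password sends (RFC 2195)."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


if __name__ == "__main__":
    password = b"correct horse battery"                  # constructed demo password
    challenge = b"<1896.697170952@postoffice.example>"   # constructed server challenge
    inner, outer = hmac_md5_contexts(password)
    print("stored contexts (what userdbshadow.dat holds):", contexts_hex(inner, outer))
    print("client, has password :", response_from_password(password, challenge))
    print("attacker, has contexts:", response_from_contexts(inner, outer, challenge))
```

       The two responses are identical for every challenge, which is the whole
       point of the warning above: the saved contexts are as good as the
       password for this mechanism, and the only thing the attacker cannot do
       with them is reuse the same password elsewhere.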

       userdbpw is usually used in a pipeline with userdb, which reads the
       value from standard input. For example:

	   userdbpw -md5 | userdb users/john set systempw


	   userdbpw -hmac-md5 |	userdb users/john set hmac-md5pw

       The first command sets the systempw field in the record for the user
       john in the /usr/local/etc/userdb/users file; the second sets the
       hmac-md5pw field in the same record. Don't forget to run makeuserdb
       for the change to take effect.

       The following command does the same thing as the first example:

	   userdb users/john set systempw=SECRETPASSWORD

       However, this command passes the secret password as an argument to the
       userdb command, where anyone who happens to run ps(1) at the same time
       can read it (and, when typed interactively, it is usually recorded in
       the shell's history file as well). Using userdbpw lets the secret
       password be entered in a way that cannot be easily viewed by ps(1).
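       The library's requirement that the userdb source and the compiled
       userdb.dat / userdbshadow.dat carry no group or world permissions is
       easy to break with a stray umask or a careless backup, so here is an
       added audit script (not part of userdb) that reports any entry with
       such bits set. The directory and database paths are parameters; the
       demo() fixture builds a throwaway tree with one correct and one
       over-permissive file of each kind, all constructed for the example.

```python
"""Audit userdb source and compiled database permissions (added example)."""
import os
import shutil
import stat
import tempfile

GROUP_WORLD = 0o077   # any of these bits set: group or others can read/write/search


def insecure_entries(userdb_dir, compiled_dbs):
    """Return [(path, octal_mode)] for the userdb source directory, every file
    under it, and each compiled database path, where group or world bits are set.
    Missing compiled databases (makeuserdb not run yet) are skipped."""
    candidates = list(compiled_dbs)
    for root, _dirs, files in os.walk(userdb_dir):
        candidates.append(root)
        candidates.extend(os.path.join(root, f) for f in files)
    bad = []
    for path in candidates:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)   # strip file-type bits, keep rwx/suid bits
        if mode & GROUP_WORLD:
            bad.append((path, oct(mode)))
    return bad


def demo():
    """Constructed fixture: builds a temporary userdb layout, audits it and
    returns the basenames of the offending entries."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "userdb")
    os.mkdir(src, 0o700)
    os.chmod(src, 0o700)

    def put(path, mode):
        with open(path, "w") as fh:
            fh.write("placeholder\n")   # contents are irrelevant to the audit
        os.chmod(path, mode)

    put(os.path.join(src, "users"), 0o600)            # correct
    put(os.path.join(src, "users.old"), 0o644)        # leaked editor/backup copy
    put(os.path.join(base, "userdb.dat"), 0o600)      # correct
    put(os.path.join(base, "userdbshadow.dat"), 0o644)  # exposes the "pw" fields
    try:
        bad = insecure_entries(src, [os.path.join(base, "userdb.dat"),
                                     os.path.join(base, "userdbshadow.dat")])
    finally:
        shutil.rmtree(base)
    return sorted(os.path.basename(p) for p, _ in bad)


if __name__ == "__main__":
    for path, mode in insecure_entries("/usr/local/etc/userdb",
                                       ["/usr/local/etc/userdb.dat",
                                        "/usr/local/etc/userdbshadow.dat"]):
        print("group/world accessible:", path, mode)
```

       Run it after every makeuserdb and as part of routine host checks; on a
       correctly configured system it prints nothing.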

SEE ALSO
       userdb(8), makeuserdb(8)

Double Precision, Inc.		  09/08/2017			   USERDBPW(8)

