Manage private dacs passwords
dacs_passwd [\m[blue]dacsoptions\m[]\s-2\u[1]\d\s+2]
This program is part of the DACS suite.
The dacs_passwd web service is used to manage usernames and passwords recognized by \m[blue]local_passwd_authenticate\m[]\s-2\u[2]\d\s+2, a DACS authentication module. This utility serves a similar purpose for local_passwd_authenticate that Apache's \m[blue]htpasswd(1)\m[]\s-2\u[3]\d\s+2 command does for its \m[blue]mod_auth\m[]\s-2\u[4]\d\s+2 and \m[blue]mod_auth_dbm\m[]\s-2\u[5]\d\s+2 modules. These accounts and passwords are used only by local_passwd_authenticate and are completely separate from any other accounts and passwords.
Note
Much of the functionality of this program is also available as a DACS utility, \m[blue]dacspasswd(1)\m[]\s-2\u[6]\d\s+2, which operates on the same password files. Because \m[blue]dacs_admin(8)\m[]\s-2\u[7]\d\s+2 provides the same functionality and more, dacs_passwd may be removed in a future release.
Security
The default DACS ACL restricts use of this web service to a DACS administrator and to users who are setting the password for their own DACS account at the receiving jurisdiction. Administrators should ensure that the ACL for dacs_passwd is correct for their environment.
In addition to the \m[blue]standard CGI arguments\m[]\s-2\u[8]\d\s+2, dacs_passwd understands the following CGI arguments:
OPERATION
The following operations are supported:
ADD
Like SET but add or replace an entry for USERNAME.
DELETE
Delete the account for USERNAME.
DISABLE
Disable the account for USERNAME.
ENABLE
Enable the account for USERNAME.
LIST
List USERNAME, if it exists, otherwise all usernames. A disabled account is indicated by a '*' (which is not a valid character in a username).
SET
Sets or resets a DACS password for USERNAME to NEW_PASSWORD. The CONFIRM_NEW_PASSWORD argument must also be given and be identical to NEW_PASSWORD. Unless the operation is performed by a DACS administrator (i.e., an \m[blue]ADMIN_IDENTITY\m[]\s-2\u[9]\d\s+2) or disabled by the \m[blue]PASSWORD_OPS_NEED_PASSWORD\m[]\s-2\u[10]\d\s+2 directive, the current password for USERNAME must be given as PASSWORD.
Security
For users other than a DACS administrator, a password must meet certain requirements on its length and the character set from which it is comprised. Note that these requirements are only significant at the time a password is set or changed; existing passwords are unaffected by changes to the configuration directives. Please refer to the \m[blue]PASSWORD_CONSTRAINTS\m[]\s-2\u[11]\d\s+2 directive.
Users should be made aware of security issues related to passwords, including better techniques for selecting passwords and keeping them private.
How to choose better passwords
Users might consider adopting a method such as the one described in \m[blue]this proposal\m[]\s-2\u[12]\d\s+2. It suggests that users construct site-specific passwords from three components:
PIN-1, a short, random string that is common to all of the user's passwords, kept secret, and not likely to be in any dictionary;
SITE, a string that is derived from the site's domain name using some simple and easy-to-remember procedure (e.g., using the first four letters or consonents); and
PIN-2, a short, site-specific random string (this component is different for each of a user's passwords, and is something not likely to be in any dictionary).
PIN-1 is memorized by the user. The other two components may be written down but must be kept in a relatively secure location (such as in the user's wallet or in a desk drawer). The user forms his or her passwords by combining these three components in any order that is easy to remember.
For the site www.example.net, a user might select the password "examRB8s#i8", where "exam" (component 2, SITE) is derived from the site's domain name, "RB8s" is a random string used with this password only (component 3, PIN-2), and "#i8" is the user's secret PIN (component 1, PIN-1). Because it is probably difficult to remember, the user might create a note with "examRB8s" written on it (SITE and PIN-2), but not PIN-1.
For the site dacs.dss.ca, the same user might select the password "dssceIM#i8".
Since most people are not very good at it, the random strings should be chosen using a good-quality random generator, such as the \m[blue]random()\m[]\s-2\u[13]\d\s+2 function:
% dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')" "y2FJ"
In addition to being difficult to guess because of their random components and reasonably large character set, these passwords are different for each site; should one password be compromised, the others are not immediately available to an attacker. Similarly, the written strings cannot be immediately exploited if they are stolen or copied. The strength of the method can be increased by making either or both PIN components longer, or chosen from a larger space of characters.
ACCOUNT
Either PASSWD (the default) or SIMPLE, case insensitively, to select between the item types passwds and simple, respectively. The requested item type must be configured (see \m[blue]dacs.conf(5)\m[]\s-2\u[14]\d\s+2).
USERNAME
The DACS username of interest.
FORMAT
By default, output is emitted in HTML. Several varieties of XML output can be selected, however, using the FORMAT argument (please refer to \m[blue]dacs(1)\m[]\s-2\u[15]\d\s+2 and \m[blue]dacs_passwd.dtd\m[]\s-2\u[16]\d\s+2).
The program exits 0 if everything was fine, 1 if an error occurred.
\m[blue]dacspasswd(1)\m[]\s-2\u[6]\d\s+2, \m[blue]dacs.conf(5)\m[]\s-2\u[17]\d\s+2
Distributed Systems Software (\m[blue]www.dss.ca\m[]\s-2\u[18]\d\s+2)
Copyright2003-2013 Distributed Systems Software. See the \m[blue]LICENSE\m[]\s-2\u[19]\d\s+2 file that accompanies the distribution for licensing information.
dacsoptions
http://dacs.dss.ca/man/dacs.1.html#dacsoptions
local_passwd_authenticate
http://dacs.dss.ca/man/dacs_authenticate.8.html#local_passwd_authenticate
http://httpd.apache.org/docs/2.2/programs/htpasswd.html
mod_auth
http://httpd.apache.org/docs-2.2/mod/mod_auth.html
mod_auth_dbm
http://httpd.apache.org/docs-2.2/mod/mod_auth_dbm.html
http://dacs.dss.ca/man/dacspasswd.1.html
http://dacs.dss.ca/man/dacs_admin.8.html
standard CGI arguments
http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args
ADMIN_IDENTITY
http://dacs.dss.ca/man/dacs.conf.5.html#ADMIN_IDENTITY
PASSWORD_OPS_NEED_PASSWORD
http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_OPS_NEED_PASSWORD
PASSWORD_CONSTRAINTS
http://dacs.dss.ca/man/dacs.conf.5.html#PASSWORD_CONSTRAINTS
this proposal
http://www.f-secure.com/weblog/archives/00001691.html
random()
http://dacs.dss.ca/man/dacs.exprs.5.html#random
dacs.conf(5)
http://dacs.dss.ca/man/dacs.conf.5.html#VFS
http://dacs.dss.ca/man/dacs.1.html
dacs_passwd.dtd
http://dacs.dss.ca/man/../dtd-xsd/dacs_passwd.dtd
dacs.conf(5)
http://dacs.dss.ca/man/dacs.conf.5.html
www.dss.ca
http://www.dss.ca
LICENSE
http://dacs.dss.ca/man/../misc/LICENSE