PMDF System Manager's Guide
Previous Contents Index

password

Set password for remote authentication, e.g., POP client (APOP), IMAP client (CRAM), or mailbox filter authentication.

Syntax

pmdf password [password]

Command Qualifiers Defaults
-create -create
-delete -create
-service=keyword -service=DEFAULT
-show -create
-test -create
-user=username See text

restrictions

On UNIX, all operations other than setting one's own password require privileges.

prompts

New password: password

Parameters

password

The password to set. Note that APOP passwords are case sensitive.

Description

The pmdf password utility is used to create and modify PMDF password database entries. This database may be used by POP clients issuing the APOP command, by IMAP or POP clients using the CRAM-MD5 authentication mechanism, or possibly by users authenticating themselves to modify their personal mailbox filters.

Note that in general, just which source of password authentication information is used---whether the PMDF password database, or some other source---is controlled by the PMDF security configuration file; see Chapter 14. That is, a connection comes in (POP, IMAP, or mailbox filtering) and is mapped to a security rule set; the security rule set in the PMDF security configuration then controls where and how authentication is performed for that connection.

For instance, the DEFAULT security rule set in PMDF's implicit security configuration (which applies if no security configuration file exists) checks first for a PMDF popstore profile password, next for a PMDF password database entry, and finally falls through to checking for a system password entry.

Note that APOP and CRAM-MD5 passwords cannot be stored in the system password file. Therefore, in order to support use of the POP protocol's APOP command or AUTH command with CRAM-MD5, or the IMAP protocol's authenticate command with CRAM-MD5, the user must have a password entry stored in an authentication source other than (or in addition to) the system password file. The PMDF password database can be that additional authentication source.

Thus for instance, for a POP or IMAP connection handled by the DEFAULT security rule set, a user must either be a PMDF Message Store or PMDF popstore user (in which case their PMDF user profile password is normally 1 sufficient for remote authentication), or if they are a legacy UNIX message store (Berkeley mailbox) user then they must have a PMDF password database entry in addition to their system password file entry.

For mailbox filter connections handled by the DEFAULT security rule set of PMDF's implicit security configuration, authentication will be performed preferentially against the PMDF user profile, if the user has a PMDF user profile entry, if not then against the PMDF password database, if the user has an entry in it, and finally, only if the user has neither sort of entry, against the system password file.

The above discussion regards whether the PMDF password database will actually be used as the source of authentication information. When the PMDF password database is used as the source of authentication information, then an additional issue can arise, namely which of a user's possibly multiple entries will be checked for the authentication. That is, a user can have multiple entries in the PMDF password database, one for each allowed -service value. The sort of connection (assuming that the PMDF password database is even checked) will control which -service entry is preferentially checked. Note that the sort of -service entry checked has nothing to do with the PMDF security configuration (which instead controlled whether or not the PMDF password database was queried at all); the sort of -service entry checked when the PMDF password database is queried has entirely to do with which component of PMDF is doing the querying (what sort of connection this regards).

Queries by the POP server will first check a user's -service=POP entry, but if such an entry does not exist will fall through to the user's -service=DEFAULT entry. Queries by the IMAP server will first check a user's -service=IMAP entry, but if such an entry does not exist will fall through to the user's -service=DEFAULT entry.

Queries for mailbox filtering will check which channel a user matches. For a user matching a msgstore channel, the mailbox filter query will preferentially use the user's -service=IMAP entry, but if such an entry does not exist will fall through to the user's -service=DEFAULT entry. For a user matching a popstore channel, the mailbox filter query will preferentially use the user's -service=POP entry, but if such an entry does not exist will fall through to the user's -service=DEFAULT entry. For a user matching the local channel, the mailbox filter query will use the user's -service=DEFAULT entry.

Most sites and users will not want to use -service specific password database entries. Then each user has one entry, their -service=DEFAULT entry, used whenever the PMDF password database is queried.

But for sites and users who do want to use -service specific password database entries, while the above description of -service specific probes may sound complicated, the goal is simply to query the "natural" password entry for each case.

Command Qualifiers

-create

Create a PMDF password database entry. This qualifier is the default.

-delete

Delete a user/password entry pair from the PMDF password database.

-service=keyword

Specify for what service a particular password method and password value apply. The default service keyword is DEFAULT; POP3 and IMAP are other possible keywords.

-show

Show a user/service/password-method entry in the PMDF password database. Note that this commmand does not show the password value.

-test

Compare a specified password against a password stored in the PMDF password database.

-user=username

Set or show a password entry in the PMDF password database for the specified user. To show all users' entries specify the asterisk as a value.

EXAMPLES

To add a user jsmith with password secret to the database, use the UNIX command 


# pmdf password -user=jsmith secret
The user jsmith may change his own password, with prompting so that the password is not printed on the screen, using the UNIX command 


% pmdf password
Password:

To list all usernames that have an entry in the PMDF password database, use the following command: 


# pmdf password -show -user="*"

Error messages


cannot open password file

The PMDF password database does not exist, or could not be opened. 


no world privilege

Must be superuser or in the pmdf_world group in order to specify an entry for a user other than oneself.

Note

1 The PMDF Message Store and PMDF popstore, however, have a PWD_ELSEWHERE flag to say that passwords are stored elsewhere; if this is set, even a PMDF Message Store or PMDF popstore user might use a PMDF password database entry.

Previous Next Contents Index