The dbpasswd utility may be used to create database password files and/or change
database passwords. It provides a convenient and secure way to change
database user passwords and to avoid using clear text passwords.
Database password files may be used to authenticate with the database server
(for example, using the EQ_DBUSER environment variable). The dbpasswd utility
adds the option to use protected password files and to impose additional
restrictions on their use, such as expiration period, operating system user or host system.
It provides a convenient and secure option to avoid using clear text passwords
and to manage database passwords.
Password files specify the database user name and password and are referenced
by either the EQ_DBUSER environment variable or by the database password.
Eloquence versions before B.08.20 required a clear text password in
the password file, which could be secured by file system permissions.
The dbpasswd utility adds the option to use protected password files, which store
an encrypted password and allow imposing additional restrictions on their use,
such as expiration period, operating system user or host system.
usage: dbpasswd [options] [user]
options:
  -help          - show usage (this list)
  -f fname       - create password file
  -r opt[,...]   - restrict password file (comma separated list)
     user[=name]   - restrict to OS user
     exp[=#[dhms]] - specify expiration period
     ino           - restrict copying password file
     sys           - restrict to current system
  -c             - change database user password
  -v             - verify password against database server
  -t fname       - test password file
  -h host        - host name or address (and service)
  -s service     - service name or port number
  -d flags       - debug flags
  -P             - use stdin to read password
The dbpasswd utility may be used to change the database password, verify
the database password and/or create a password file.
If the database user name is not present on the command line it is read
from stdin. By default the user password must be entered interactively
and is not echoed.
The option -f creates a protected password file.
The database password is stored in encrypted form along with optional
restrictions on the use of the password file.
The option -r may be used to specify a comma separated list of password
file restrictions.
Any restrictions are verified when the password is subsequently used to connect
to the database server. This functionality is implemented in the database client
library and works across all Eloquence utilities and applications.
The option -c changes the database password. The old and new
passwords must be entered interactively.
The option -v may be used to verify the user password against the database server.
This is useful to ensure the password file is valid. The option -v is implied when
changing a password.
If the option -c or -v is present, dbpasswd connects to the database server.
The -h and/or -s options may be used to specify the database server host and service.
When they are not present, the default is used (the EQ_DBSERVER environment variable may be
used to specify the default).
The option -P enables dbpasswd to read the user password from stdin. It is intended
to allow using a subset of dbpasswd functionality in scripting.
The option -P may not be used when changing the database password.
For example:
$ dbpasswd -f $HOME/.dbpasswd -r exp=1h,user -v $USER
This creates the password file .dbpasswd in the user home directory.
The password file expires after one hour and is limited to the
current OS user.
The examples below demonstrate the use of a password file with the dbinfo
utility to authorize database access.
$ export EQ_DBUSER=file:$HOME/.dbpasswd
$ dbinfo sample
$ dbinfo -u file:$HOME/.dbpasswd sample
Both examples are equivalent and have the same effect. The second example
specifies the password file directly while the first example uses the
EQ_DBUSER variable to specify the default database credentials.
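
As an added example (not part of the Eloquence documentation or code), the shell functions below wrap the -f, -r, -v, -P and -t options described above for scripted use: the -r list is checked against the forms in the usage text before dbpasswd is called, and the password is passed on stdin. It assumes that dbpasswd reports failure through a non-zero exit status and that -t can be run on its own; the function names, return codes and the restriction policy are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Eloquence code. Assumes dbpasswd exits non-zero on failure.

# valid_restrictions LIST: every comma-separated item must match a form from
# the usage text: user[=name], exp[=#[dhms]], ino, sys.
valid_restrictions() {
    old_ifs=$IFS; IFS=,
    set -f; set -- $1; set +f      # split on commas without globbing
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1
    for item in "$@"; do
        case $item in
            user|user=?*|exp|ino|sys) ;;
            exp=*)
                num=${item#exp=}
                case $num in *[dhms]) num=${num%?} ;; esac   # drop unit
                case $num in ''|*[!0-9]*) return 1 ;; esac   # digits only
                ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# meets_policy LIST: constructed site policy (an assumption, not an Eloquence
# rule): an explicit expiry plus a binding to an OS user or the current system.
meets_policy() {
    valid_restrictions "$1" || return 1
    case ",$1," in *,exp=*) ;; *) return 1 ;; esac
    case ",$1," in *,user,*|*,user=*|*,sys,*) ;; *) return 1 ;; esac
}

# create_pwfile FILE LIST DBUSER: the database password is read from stdin.
create_pwfile() {
    meets_policy "$2" || { echo "restrictions rejected: $2" >&2; return 2; }
    (
        umask 077    # owner-only file mode, in addition to -r restrictions
        # -P takes the password from stdin, keeping it out of argv and history
        dbpasswd -f "$1" -r "$2" -v -P "$3"
    ) || return 3
    # -t tests the new file; discard it if the test fails
    dbpasswd -t "$1" </dev/null || { rm -f "$1"; return 4; }
}
```

A call such as create_pwfile "$HOME/.dbpasswd" exp=1h,user "$USER", with stdin redirected from wherever the script obtains the password, produces a file that can then be referenced through EQ_DBUSER as shown above.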