

dbpasswd utility and protected password files

 
The dbpasswd utility may be used to create database password files and/or change database passwords. It provides a convenient and secure way to change database user passwords and to avoid using clear text passwords.

Database password files may be used to authenticate with the database server (for example, using the EQ_DBUSER environment variable). The dbpasswd utility adds the option to use protected password files and to impose additional restrictions on their use, such as expiration period, operating system user or host system. It provides a convenient and secure option to avoid using clear text passwords and to manage database passwords.

Password files specify the database user name and password and are referenced by either the EQ_DBUSER environment variable or by the database password. Eloquence versions before B.08.20 required a clear text password in the password file, which could be secured by the file system permissions.

The dbpasswd utility adds the option to use protected password files, which store an encrypted password and allow additional restrictions to be imposed on their use, such as expiration period, operating system user or host system.

usage: dbpasswd [options] [user]

options:
 -help         - show usage (this list)
 -f fname      - create password file
 -r opt[,...]  - restrict password file (comma separated list)
                  user[=name]    - restrict to OS user
                  exp[=#[dhms]]  - specify expiration period
                  ino            - restrict copying password file
                  sys            - restrict to current system
 -c            - change database user password
 -v            - verify password against database server
 -t fname      - test password file
 -h host       - host name or address (and service)
 -s service    - service name or port number
 -d flags      - debug flags
 -P            - use stdin to read password

The dbpasswd utility may be used to change the database password, verify the database password and/or create a password file.

If the database user name is not present on the command line it is read from stdin. By default the user password must be entered interactively and is not echoed.

The option -f creates a protected password file. The database password is stored in encrypted form along with optional restrictions on the use of the password file.

The option -r may be used to specify a comma separated list of password file restrictions.

  • The restriction "user" limits use of the password file to the current OS user.

  • The restriction "user=name" restricts use of the password file to the named OS user.

  • The restriction "exp" specifies a default expiration period of 24 hours.

  • The restriction "exp=NX" specifies the expiration period where N indicates a numeric value and X the optional unit. The following units are supported:

    • "d" ("days") - 24 hours, 86400 seconds
    • "h" ("hours") - hours, 3600 seconds
    • "m" ("minutes") - minutes, 60 seconds
    • "s" ("seconds") - seconds

    For example, "exp=24h" specifies the password file to expire in 24 hours.

  • The restriction "ino" specifies the password file may not be copied (this option is not available on Windows). When using the "ino" restriction please keep in mind this will also invalidate any password file restored from a backup. When restoring a backup the password file must be re-created.

  • The restriction "sys" limits use of the password file to the current system. When using the "sys" restriction please keep in mind this will invalidate any password files restored from a backup to a different system. When restoring a backup to a different system the password file must be re-created.

Any restrictions are verified when the password is subsequently used to connect to the database server. This functionality is implemented in the database client library and works across all Eloquence utilities and applications.

The option -c changes the database password. The old and new passwords must be entered interactively.

The option -v may be used to verify the user password against the database server. This is useful to ensure the password file is valid. The option -v is implied when changing a password.

If the option -c or -v is present, dbpasswd connects to the database server. The -h and/or -s options may be used to specify the database server host and service. When they are not present the default is used (the EQ_DBSERVER environment variable may be used to specify the default).

The option -P enables dbpasswd to read the user password from stdin. It is intended to allow using a subset of dbpasswd functionality in scripting. The option -P may not be used when changing the database password.

For example:

$ dbpasswd -f $HOME/.dbpasswd -r exp=1h,user -v $USER

This creates the password file .dbpasswd in the user home directory. The password file expires after one hour and is limited to the current OS user.
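
A script that creates password files can check the -r list against the restriction syntax described above before it calls dbpasswd. The shell functions below are an added example, not part of Eloquence; the names exp_seconds, lint_restrictions and make_pwfile and the policy they enforce (file bound to an OS user, expiring within a maximum lifetime) are assumptions. A value without a unit is rejected because this page does not state which unit applies when it is omitted.

```shell
#!/bin/sh
# Added example, not part of the Eloquence distribution.

# exp_seconds ITEM: print the lifetime in seconds of one "exp" restriction.
exp_seconds() {
    case "$1" in
        exp) echo 86400; return 0 ;;   # bare "exp": documented 24 hour default
        exp=*) v=${1#exp=} ;;
        *) return 1 ;;
    esac
    n=${v%[dhms]}      # numeric part
    u=${v#"$n"}        # unit letter, empty when omitted
    case "$n" in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading 0
    case "$u" in
        d) echo $((n * 86400)) ;;
        h) echo $((n * 3600)) ;;
        m) echo $((n * 60)) ;;
        s) echo "$n" ;;
        *) return 1 ;;   # assumption: insist on an explicit unit in scripts
    esac
}

# lint_restrictions LIST MAX_SECONDS: succeed only if every item is listed in
# the usage text and the assumed site policy holds (bound to an OS user,
# expiring within MAX_SECONDS).
lint_restrictions() {
    max=$2; has_user=0; secs=''
    rest=$1,
    while [ -n "$rest" ]; do
        item=${rest%%,*}; rest=${rest#*,}
        case "$item" in
            user|user=?*) has_user=1 ;;
            ino|sys) ;;
            exp|exp=*) secs=$(exp_seconds "$item") ||
                { echo "bad expiration: $item"; return 1; } ;;
            *) echo "unknown restriction: $item"; return 1 ;;
        esac
    done
    [ "$has_user" -eq 1 ] || { echo "not bound to an OS user"; return 1; }
    [ -n "$secs" ] || { echo "no expiration period"; return 1; }
    { [ "$secs" -gt 0 ] && [ "$secs" -le "$max" ]; } ||
        { echo "lifetime ${secs}s outside 1..${max}s"; return 1; }
    echo ok
}

# make_pwfile FILE LIST DBUSER: lint first, then create and verify the file.
make_pwfile() {
    lint_restrictions "$2" 86400 >&2 || return 1
    ( umask 077; dbpasswd -f "$1" -r "$2" -v "$3" )
}
```

The umask in make_pwfile keeps the file system permissions tight in addition to the restrictions stored in the password file itself.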

The examples below demonstrate the use of a password file with the dbinfo utility to authorize the database access.

$ export EQ_DBUSER=file:$HOME/.dbpasswd
$ dbinfo sample
  
$ dbinfo -u file:$HOME/.dbpasswd sample

Both examples are equivalent and have the same effect. The second example specifies the password file directly while the first example uses the EQ_DBUSER variable to specify the default database credentials.


 
 
 
Revision: 2012-10-31
  Copyright © 1995-2024 Marxmeier Software AG