GNATS password management

GNATS password management

[Yngve Svendsen]

Below is an outline of the two password-management tools I'd like to see 
implemented for GNATS 4. gnats-pwconv is intended for upgraders from 
version 3 to version 4, while gnats-pw partially mimics the functionality 
of Apache's htpasswd tool.

What do you all think?

Yngve Svendsen




gnats-pwconv
gnats-pwconv [-mp] infile outfile
gnats-pwconv -n[mp] infile

Converts the plaintext passwords in the GNATS 3 password file infile and 
writes the resulting complete version 4 password file to outfile. 
Infile=outfile should be disallowed.

-m, --md5	Use MD5 encryption, i.e. convert passwords to MD5 and add $1$ prefix
-n, --nocreate	Don't create file; display results on stdout.
-d, --crypt	Force CRYPT encryption of the passwords (default).
-p, --plaintext	Do not encrypt the passwords (plaintext). Prefixes existing 
passwords with $0$
-t, --test	Tests which encryption methods are supported by the system
-h --help
-V --version



gnats-pw
gnats-pw [-cmdps] passwordfile username accesslevel
gnats-pw -n[mdps] username accesslevel

Prompts for a password (twice), then inserts or edits the corresponding 
entry in the specified passwordfile. If the -n option is given, the 
resulting passwordfile entry is written to stdout instead.

-c, --create	Create a new file.
-n, --noupdate	Don't update file; display results on stdout.
-m, --md5	Force MD5 encryption of the password, i.e. convert the password 
to MD5 and add $1$ prefix
-d, --crypt	Force CRYPT encryption of the password (default).
-p, --plaintext	Do not encrypt the password (plaintext). Prefixes the 
entered password with $0$
-h, --help
-V, --version

Re: GNATS password management

[Milan Zamazal]

>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:

    YS> Below is an outline of the two password-management tools I'd
    YS> like to see implemented for GNATS 4.

Thanks.

    YS> gnats-pwconv
    YS> gnats-pwconv [-mp] infile outfile
    YS> gnats-pwconv -n[mp] infile

[...]

    YS> -n, --nocreate	Don't create file; display results on stdout.

This option looks useless to me here.

    YS> gnats-pw
    YS> gnats-pw [-cmdps] passwordfile username accesslevel
    YS> gnats-pw -n[mdps] username accesslevel

I'd call it `gnats-passwd'.

I'm not sure I like specifying `passwordfile' this way (I know htpasswd
does it so).  I'd prefer having an `-f / --file' option instead, thus
making the argument optional, possibly combined with `-d / --database'
for specifying a particular database.  I think it's easier to handle for
GNATS admins -- they don't have to think about the exact names and
locations of the access files.

Using `-d' for database would cause a collision with:

    YS> -d, --crypt	Force CRYPT encryption of the password (default).

but maybe someone can find a better single letter for the --crypt
option.

Regards,

Milan Zamazal

-- 
I think any law that restricts independent use of brainpower is suspect.
                                               -- Kent Pitman in comp.lang.lisp

Re: GNATS password management

[Yngve Svendsen]

At 23:36 27.06.2001 +0200, Milan Zamazal wrote:
>    YS> -n, --nocreate  Don't create file; display results on stdout.
>
>This option looks useless to me here.

The rationale for this option is that people might then use it in more 
general contexts when they need to calculate an MD5 hash of a password for 
use in other applications than GNATS.

>    YS> gnats-pw
>     YS> gnats-pw [-cmdps] passwordfile username accesslevel
>     YS> gnats-pw -n[mdps] username accesslevel
>
>I'd call it `gnats-passwd'.

Yes, if that isn't too long?

>I'm not sure I like specifying `passwordfile' this way (I know htpasswd
>does it so).  I'd prefer having an `-f / --file' option instead, thus
>making the argument optional, possibly combined with `-d / --database'
>for specifying a particular database.  I think it's easier to handle for
>GNATS admins -- they don't have to think about the exact names and
>locations of the access files.

Yes, that would probably be the best way to do it.

>Using `-d' for database would cause a collision with:
>
>     YS> -d, --crypt     Force CRYPT encryption of the password (default).
>
>but maybe someone can find a better single letter for the --crypt
>option.

We could use -C, --create for "create new file", and -c, --crypt for "force 
DES encryption".

- Yngve

Re: GNATS password management

[Milan Zamazal]

>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:

    YS> At 23:36 27.06.2001 +0200, Milan Zamazal wrote:
    YS> -n, --nocreate Don't create file; display results on stdout.
    >>  This option looks useless to me here.

    YS> The rationale for this option is that people might then use it
    YS> in more general contexts when they need to calculate an MD5 hash
    YS> of a password for use in other applications than GNATS.

But it's implied (unlike in the case of gnats-passwd) by omitting the
output file on the command line.

    >>  I'd call it `gnats-passwd'.

    YS> Yes, if that isn't too long?

It's not, with modern shell features like completion and aliases
intelligibility is preferred.

    YS> We could use -C, --create for "create new file", and -c, --crypt
    YS> for "force DES encryption".

That looks well to me.

Regards,

Milan Zamazal

-- 
Free software is about freedom, not about free beer.  If you care only about
the latter, you'll end up with no freedom and no free beer.

Re: GNATS password management

[Yngve Svendsen]

At 10:33 29.06.2001 +0200, Milan Zamazal wrote:
> >>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:
>
>    YS> At 23:36 27.06.2001 +0200, Milan Zamazal wrote:
>     YS> -n, --nocreate Don't create file; display results on stdout.
>
>But it's implied (unlike in the case of gnats-passwd) by omitting the
>output file on the command line.
>
>     >>  I'd call it `gnats-passwd'.
>
>     YS> Yes, if that isn't too long?
>
>It's not, with modern shell features like completion and aliases
>intelligibility is preferred.

OK. I think we agree, then? No -n option, and `gnats-passwd' it is.

- Yngve

Re: GNATS password management

[Milan Zamazal]

>>>>> "YS" == Yngve Svendsen <yngve.svendsen@clustra.com> writes:

    YS> OK. I think we agree, then? No -n option, and `gnats-passwd' it
    YS> is.

OK.

I'll try to write the program unless anyone else volunteers.

Regards,

Milan Zamazal

-- 
When you're in a fight with an idiot, it's difficult for other people to tell
which one the idiot is.                       -- Bruce Perens in debian-devel