XSPASSWD(1) BSD General Commands Manual XSPASSWD(1)NAMExspasswd — Manager for WWW authentication passwords
SYNOPSISxspasswd [-b | -d] [-l | -u] [-r] [-f filename] [username]
DESCRIPTION
‘xspasswd’ is a program that lets you manage the usercode/password data‐
base for the authentication feature of the xs-httpd webserver.
Authentication works very simply: if a file called .xsauth is present in
the directory in which a file is going to be retrieved, then the remote
user will be asked for a usercode and password before the file is allowed
to be retrieved. This program manages the .xsauth file. Using the -f
flag an alternative filename can be used; however these files are not
automatically recognised by the server as authentication files.
The program accepts the mutually exclusive arguments -l to lock an
account and -u to unlock an account. Locked accounts may not be changed
using the web-interface (see below). By default all accounts are
unlocked.
The other options are also mutually exclusive: -b to store passwords for
basic authentication (the old method, where passwords will be stored
encrypted, but sent over the wire in plain text) and -d to store pass‐
words for use with digest authentication (where more sensitive informa‐
tion is stored on disk, but only the checksum of user and password data
is sent over the wire). However in this case password hashes are also
stored to be able to handle basic authentication fallback in case the
client doesn't understand digest authentication.
For optimal security it is suggested local data is never made accessible
to other users of the system and that authentication details and sensi‐
tive content are transferred over a secure channel (i.e. using https).
In this case digest authentication does not add any additional security.
Use the -r option to remove a user from the authentication file. Note
that the options that control the account type will be ignored when -r is
given. That is: the named account will be removed even if these options
(locked, digest, ..) do not match.
EXAMPLES
Change your current directory to the directory that you wish to protect
with usercodes and passwords. Note that subdirectories of that subdirec‐
tory will also be protected. Then, type ‘xspasswd’. The program will
ask you for a username (unless you already supplied this as an argument
on the command line). Next, the program asks for a password for that
username.The program will ask you to re-enter the password after you have
given it. When you have done this, the program will update (or create)
the .xsauth file.
By running the program again, you can add as many usercodes and passwords
as you wish. You can also use this program to change passwords. Just type
an existing username when the program prompts you for a username. You do
not have to enter the old password. Be aware that the locked status and
digest hash may be lost if you don't specify -l and -d when changing a
password, since the options default to -u and -b.
DIAGNOSTICS
The xspasswd utility exits 0 on success, and >0 if an error occurs.
SEE ALSOhttpd(1), xschpass(1), xsauth(5)
The project homepage: http://www.xs-httpd.org/
STANDARDS
HTTP Authentication: Basic and Digest Access Authentication, RFC 2617,
June 1999.
xs-httpd/3.5 March 26, 1996 xs-httpd/3.5
