530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <refpurpose>obfuscate a clear text password</refpurpose>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek </refnamediv>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <cmdsynopsis>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <arg choice='plain'><replaceable>[PASSWORD]</replaceable></arg>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek </cmdsynopsis>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek </refsynopsisdiv>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <command>sss_obfuscate</command> converts a given password into a
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek human-unreadable format and places it into the appropriate domain
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek section of the SSSD config file.
82bfb315f3dbacf4a6dbfc483cf1eb87f30c015cGowrishankar Rajaiyan The cleartext password is read from standard input or entered interactively.
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek The obfuscated password is put into the <quote>ldap_default_authtok</quote>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek parameter of a given SSSD domain and the
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <quote>ldap_default_authtok_type</quote> parameter is set to
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <citerefentry>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek </citerefentry>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek for more details on these parameters.
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek Please note that obfuscating the password provides <emphasis>no
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek real security benefit</emphasis> as it is still possible for an
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek attacker to reverse-engineer the password. Using better
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek authentication mechanisms such as client-side certificates or GSSAPI
a20fff2d9a99e75b475b12bf212de4d608c166bdMichal Zidek <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help_py.xml" />
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <varlistentry>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek The password to obfuscate will be read from standard
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek </varlistentry>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <varlistentry>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek The SSSD domain to use the password in. The
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek </varlistentry>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek <varlistentry>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek Read the config file specified by the positional
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek Default: <filename>/etc/sssd/sssd.conf</filename>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek </varlistentry>
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek </variablelist>
544525ee1fc54d744c08465066e2b4a521f78224Stephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
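An added example, not part of the SSSD sources: a Python audit that lists the SSSD domains storing an LDAP bind credential in the config file and reports an obfuscated value as a stored secret, in line with the note that obfuscation gives no real security benefit. The sample config, the domain names and the helper names audit_conf and audit_file are constructed for illustration; it assumes the sssd-ldap token types password (the default) and obfuscated_password.

```python
import configparser
import os
import stat

# Constructed sample config: domain names and token values are made up.
SAMPLE_CONF = """\
[sssd]
domains = corp, lab, krb

[domain/corp]
id_provider = ldap
ldap_default_bind_dn = cn=proxy,dc=example,dc=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = CONSTRUCTED-OBFUSCATED-BLOB

[domain/lab]
id_provider = ldap
ldap_default_bind_dn = cn=proxy,dc=example,dc=com
ldap_default_authtok = constructed-cleartext

[domain/krb]
id_provider = ldap
ldap_sasl_mech = GSSAPI
"""

def audit_conf(text, mode=0o600):
    """Return (where, kind) findings for bind credentials stored in the config."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        if not section.startswith("domain/") or "ldap_default_authtok" not in opts:
            continue
        # sssd-ldap defaults the token type to "password" when it is unset.
        tok_type = opts.get("ldap_default_authtok_type", "password").strip()
        # Obfuscation is reversible, so it is reported as a stored secret too.
        kind = "obfuscated" if tok_type == "obfuscated_password" else "cleartext"
        findings.append((section, kind))
    # A stored secret in a group- or world-accessible file is a second finding.
    if findings and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("file", "loose-permissions"))
    return findings

def audit_file(path="/etc/sssd/sssd.conf"):
    """Audit a real config file together with its on-disk permission bits."""
    with open(path) as fh:
        return audit_conf(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    for where, kind in audit_conf(SAMPLE_CONF, mode=0o644):
        print(where, kind)
```

Domains that authenticate with GSSAPI and store no ldap_default_authtok produce no finding.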