From d8c2ca930673da858d63f2dea9526c259a2dd936 Mon Sep 17 00:00:00 2001 From: Vivien Kraus Date: Fri, 30 Jul 2021 21:10:21 +0200 Subject: Load the encrypted password from a file This is more secure, because you can restrict the password file to be only readable by the service user. --- doc/disfluid.texi | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/disfluid.texi b/doc/disfluid.texi index bebc61b..d2558b4 100644 --- a/doc/disfluid.texi +++ b/doc/disfluid.texi @@ -190,8 +190,11 @@ because a malicious user could set the identity header. The identity provider can only handle one user. If you want to handle multiple users, it is highly advised to use a different host name for each user, in case the server is accessed from a web browser. You can -set the identity of the user with @samp{--subject}, and the user’s -password with @samp{--encrypted-password}. +set the identity of the user with @samp{--subject}, and write the +user’s password in a file. Pass the file name with +@samp{--encrypted-password-file}. You can pass the encrypted password +directly with @samp{--encrypted-password}, but the encrypted password +will be public. The encrypted password format is defined by the crypt function in the C library. For glibc, it looks like this: -- cgit v1.2.3
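Review bot: The added text in the `@@ -190,8 +190,11 @@` hunk of doc/disfluid.texi tells the reader to "write the user's password in a file" but never says to restrict that file's permissions, which is the whole rationale given in the commit message ("you can restrict the password file to be only readable by the service user"). Without that sentence the documented procedure does not by itself deliver the stated benefit. Suggest adding, after the `@samp{--encrypted-password-file}` sentence, a line saying that the file should be readable only by the service user. The closing clause "but the encrypted password will be public" is also vague: say to whom it becomes visible and by what means, so the reader can judge the risk of using `@samp{--encrypted-password}`. Finally, since the next paragraph describes the crypt format, it would help to state that the file must contain the encrypted (crypt-format) password rather than the plain one, and whether a trailing newline in the file is accepted.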