PASSLOCK(8) System Manager's Manual PASSLOCK(8)

passlock - manage and verify passwords

passlock-check [-v] [-s ms] -h pattern -p pattern cmd [...] 3<user-pass-string

passlock-set [-v] -p pattern user <passphrase

passlock-debug

The passlock toolset manages passwords using libsodium, and provides a password backend for various daemons.

-v
    Display the version.
-p path
    Specifies the file to use as password storage.
-s sleep
    Wait for sleep seconds if the password check fails.

passlock-set sets the path specified by -p pattern to a libsodium(3) hash of the password read from stdin.

passlock-check is a checkpassword replacement: it executes cmd [arg...] only if the authentication string read from file descriptor 3 matches the password stored at the path specified by -p pattern. The string read follows this format (the realm is ignored): “user\0password\0realm”

passlock-debug simply logs the information sent to it to standard error and fails to log the user in. This might reveal the password.

In the pattern arguments, every percent sign together with the character following it is replaced according to that character:

%d
    The domain part of an email address.
%l
    The local part of an email address.
%u
    The whole username.
%%
    A literal percent sign, used to escape the percent if needed.
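The fd 3 exchange and the percent-pattern expansion described above, as an added Python example that is not part of passlock: the names expand_pattern, parse_auth_string, read_auth_from_fd and demo_fd3_exchange are chosen here, the sample user and password are constructed, and the rejection of path separators in the user name is a defensive choice of this example rather than a behaviour the manual describes.

```python
import os

# Added example: % expansion and the "user\0password\0realm" string on fd 3.

def expand_pattern(pattern, user):
    """Replace %d, %l, %u and %% in pattern as the manual describes."""
    local, _, domain = user.partition("@")
    # Choice of this example: a user name that contains a path separator or
    # a dot-only component must not steer the expanded path elsewhere.
    for part in (local, domain):
        if "/" in part or part in (".", ".."):
            raise ValueError("refusing user name that changes the path")
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "%" and i + 1 < len(pattern):
            key = pattern[i + 1]
            repl = {"d": domain, "l": local, "u": user, "%": "%"}
            if key not in repl:
                raise ValueError(f"unknown escape %{key}")
            out.append(repl[key])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)

def parse_auth_string(data):
    """Split the checkpassword string; the realm (third field) is ignored."""
    fields = data.split(b"\0")
    if len(fields) < 3:
        raise ValueError("expected user\\0password\\0realm")
    return fields[0].decode(), fields[1].decode()

def read_auth_from_fd(fd=3):
    """Read the whole authentication string from fd (3 by convention)."""
    chunks = []
    with os.fdopen(fd, "rb") as f:
        for chunk in iter(lambda: f.read(4096), b""):
            chunks.append(chunk)
    return parse_auth_string(b"".join(chunks))

def demo_fd3_exchange():
    """Constructed exchange: the writer sends user, password and a timestamp
    realm; the reader parses it and expands a -p style path for that user."""
    r, w = os.pipe()
    os.write(w, b"alice@example.org\0s3cret\0" + b"1594080000\0")
    os.close(w)
    user, password = read_auth_from_fd(r)
    return user, password, expand_pattern("/var/mail/%d/%l/pass", user)
```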

The passlock utility exits 0 on success, and >0 if an error occurs.

$ authd passlock-check -p /etc/pass/%u protected-daemon -args
$ printf '%s\0' "$user" "$pass" "$(date +%s)" \
  | passlock-check -h /var/mail/%d/%l/Maildir -p /var/mail/%d/%l/pass 3>&0 \
      echo success

https://cr.yp.to/checkpwd.html

Josuah Demangeon <man@josuah.net>

July 7, 2020 OpenBSD 6.9