<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />

    <refmeta>
        <refentrytitle>sss_obfuscate</refentrytitle>
        <manvolnum>8</manvolnum>
    </refmeta>

    <refnamediv id='name'>
        <refname>sss_obfuscate</refname>
        <refpurpose>obfuscate a clear text password</refpurpose>
    </refnamediv>

    <refsynopsisdiv id='synopsis'>
        <cmdsynopsis>
            <command>sss_obfuscate</command>
            <arg choice='opt'>
                <replaceable>options</replaceable>
            </arg>
            <arg choice='plain'><replaceable>[PASSWORD]</replaceable></arg>
        </cmdsynopsis>
    </refsynopsisdiv>

    <refsect1 id='description'>
        <title>DESCRIPTION</title>
        <para>
            <command>sss_obfuscate</command> converts a given password into
            human-unreadable format and places it into appropriate domain
            section of the SSSD config file.
        </para>
        <para>
            The cleartext password is read from standard input or entered interactively.
            The obfuscated password is put into <quote>ldap_default_authtok</quote>
            parameter of a given SSSD domain and the
            <quote>ldap_default_authtok_type</quote> parameter is set to
            <quote>obfuscated_password</quote>. Refer to
            <citerefentry>
                <refentrytitle>sssd-ldap</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry>
            for more details on these parameters.
        </para>
        <para>
            Please note that obfuscating the password provides <emphasis>no
            real security benefit</emphasis> as it is still possible for an
            attacker to reverse-engineer the password back. Using better
            authentication mechanisms such as client side certificates or GSSAPI
            is <emphasis>strongly</emphasis> advised.
        </para>
    </refsect1>

    <refsect1 id='options'>
        <title>OPTIONS</title>
        <variablelist remap='IP'>
            <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
            <varlistentry>
                <term>
                    <option>-s</option>,<option>--stdin</option>
                </term>
                <listitem>
                    <para>
                        The password to obfuscate will be read from standard
                        input.
                    </para>
                </listitem>
            </varlistentry>
            <varlistentry>
                <term>
                    <option>-d</option>,<option>--domain</option>
                    <replaceable>DOMAIN</replaceable>
                </term>
                <listitem>
                    <para>
                        The SSSD domain to use the password in. The
                        default name is <quote>default</quote>.
                    </para>
                </listitem>
            </varlistentry>
            <varlistentry>
                <term>
                    <option>-f</option>,<option>--file</option>
                    <replaceable>FILE</replaceable>
                </term>
                <listitem>
                    <para>
                        Read the config file specified by the positional
                        parameter.
                    </para>
                    <para>
                        Default: <filename>/etc/sssd/sssd.conf</filename>
                    </para>
                </listitem>
            </varlistentry>
        </variablelist>
    </refsect1>

    <refsect1 id='see_also'>
        <title>SEE ALSO</title>
        <para>
            <citerefentry>
                <refentrytitle>sssd-ldap</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry>
        </para>
    </refsect1>
</refentry>
</reference>