Manual Reference Pages  - XSPASSWD (1)


xspasswd - Manager for WWW authentication passwords


See Also


xspasswd [-b-| -d ] [-l-| -u ] [-r] [-f filename] [username]


xspasswd’ is a program that lets you manage the usercode/password database for the authentication feature of the xs-httpd webserver.

Authentication works very simply: if a file called .xsauth is present in the directory in which a file is going to be retrieved, then the remote user will be asked for a usercode and password before the file is allowed to be retrieved. This program manages the .xsauth file. Using the -f flag an alternative filename can be used; however these files are not automatically recognised by the server as authentication files.

The program accepts the mutually exclusive arguments -l to lock an account and -u to unlock an account. Locked accounts may not be changed using the web-interface (see below). By default all accounts are unlocked.

The other options are also mutually exclusive: -b to store passwords for basic authentication (the old method, where passwords will be stored encrypted, but sent over the wire in plain text) and -d to store passwords for use with digest authentication (where more sensitive information is stored on disk, but only the checksum of user and password data is sent over the wire). However in this case password hashes are also stored to be able to handle basic authentication fallback in case the client doesn’t understand digest authentication.

For optimal security it is suggested local data is never made accessible to other users of the system and that authentication details and sensitive content are transferred over a secure channel (i.e. using https). In this case digest authentication does not add any additional security.

Use the -r option to remove a user from the authentication file. Note that the options that control the account type will be ignored when -r is given. That is: the named account will be removed even if these options (locked, digest, ..) do not match.


Change your current directory to the directory that you wish to protect with usercodes and passwords. Note that subdirectories of that subdirectory will also be protected. Then, type xspasswd’. The program will ask you for a username (unless you already supplied this as an argument on the command line). Next, the program asks for a password for that username.The program will ask you to re-enter the password after you have given it. When you have done this, the program will update (or create) the .xsauth file.

By running the program again, you can add as many usercodes and passwords as you wish. You can also use this program to change passwords. Just type an existing username when the program prompts you for a username. You do not have to enter the old password. Be aware that the locked status and digest hash may be lost if you don’t specify -l and -d when changing a password, since the options default to -u and -b .


.Ex -std xspasswd


httpd(1), xschpass(1), xsauth(5)

The project homepage:


.Rs HTTP Authentication: Basic and Digest Access Authentication

March 26, 1996 XSPASSWD (1) xs-httpd/3.5