Configure the password files

Available Password file formats

• Plain
• Base64MD5

Plain

The plain file has the following format:

# Plain password authentication file.
# default name : passwd
# Format <username>:<password>

As the contents of the file are plain text and the password is taken to be everything to the right of the ':'(colon). The password cannot contain a ':' colon, but this can be used to delimit the password.

Lines starting with a '#' are treated as comments.

Base64MD5

The Base64MD5 file uses the following format:

# Base64MD5 password authentication file
# default name : qpid.passwd
# Format <username>:<Base64 Encoded MD5 hash of the users password>

As with the Plain format the line is delimited by a ':'(colon). The password field contains the MD5 Hash of the users password encoded in Base64.

To create entries for the file there is a qpid-passwd tool that will generate the required lines for the file. Eventually it is planned for this tool to emulate the functionality of htpasswd for qpid passwd files.

Dynamic changes to password files.

The Plain password file is re-read from disk on every login. So changes to the file will take immediate effect to a running broker. However, the Base64MD5 format is only read once on start up.

To make changes dynamically there are two options, both require administrator access via the Management Console.

1. You can replace the file and use the console to reload its contents.
2. The management console provides an interface to create, delete and amend the users. These changes are written back to the active password file.

How password files and PrincipalDatases relate to authentication mechanisms

For each type of password file a PrincipalDatabase exists that parses the contents. These PrincipalDatabases load various SASL mechanism based on their supportability. e.g. the Base64MD5 file format can't support Plain authentication as the plain password is not available.

For details of SASL support see Qpid Interoperability Documentation