High Performance OPC UA Server SDK  1.7.1.383
UA Password Manager

The tool uapasswd is a command line program which can be used to manage passwords for user authentication. People who know the UNIX passwd command or SAMBA's smbpasswd command should feel familiar.

This tool also serves as an example on how to manage the SDK's passwd file when using the "internal" authentication backend. See also authentication for more information.

The source code of uapasswd can be found in src/tools/uapasswd.

Command Line Options

Like all good command line tools it has a built-in help which can be used to find out about the available options.

Usage: ./uapasswd -u username [-c configfile] [-f passwdfile] [-a algorithm] [-r] [-n] [-D] [-h]
-c: config file to load
-u: name of user to add, if already exists a new password is set
-f: file to write changes to, default is 'passwd'
-a: algorithm used to store password either 'cleartext', 'sha256' (default) or 'sha512'
-r: reset the passwdfile, all existing users are removed
-n: write the new user entry to stdout instead of file
-D: delete the user instead of adding
-h: print this help and exit
-V: print version information

General

The SDK provides example files for users, groups and passwords to use with the DemoServer and ServerExamples. When making a product do not use these files but create your own.

The passwords are not stored in readable form but as salted hashes; however, it is still possible to run brute-force attacks against these hashes to recover the passwords. Therefore the password file should only be readable by the server process and no other user.

By default the tool loads the same settings.conf file as used by all our example servers. If you want to use a different configuration file you can do so using the option -c.

Creating a new User Password

To create or update a user's password invoke the command as shown in this example.

$> ./uapasswd -u joe
Changing password for user 'joe'.
New password:
Retype new password:
Successfully wrote file 'passwd'

The tool will prompt you for the new password twice as usual to avoid typing mistakes. It also performs password checks to ensure that secure passwords are chosen.

By default passwords must

  • have a minimum length of 8 characters
  • contain upper and lower case characters
  • contain digits
  • contain special characters

When built with BUILD_WITH_CRACKLIB=on it will perform additional checks using cracklib to make the password robust against dictionary attacks. See https://github.com/cracklib/cracklib for more information on cracklib.

You can change these settings in src/tools/uapasswd/config.h.

Security Algorithm

The passwd file format supports different algorithms so that it is extensible and backwards-compatible. At the time of writing a salted SHA256 or SHA512 hash is used, which is then converted to a hex string and stored in the plain text file.

It also supports cleartext passwords, but this is mainly useful for testing and should not be used in production. For this reason the default algorithm, if not specified, is SHA256.
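As an added example (not the SDK's own code), the password checks listed under "Creating a new User Password" and the salted SHA256/SHA512 hex hashing described above, in Python. The entry layout user:algorithm:salt_hex:digest_hex and the 16-byte salt are assumptions for illustration only, not the SDK's actual passwd file format.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8  # default minimum length from the uapasswd policy


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper case character")
    if not any(c.islower() for c in password):
        problems.append("no lower case character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def make_entry(username: str, password: str, algorithm: str = "sha256", salt: bytes = None) -> str:
    """Build one passwd line: salted SHA-2 digest stored as a hex string.

    The layout 'user:algorithm:salt_hex:digest_hex' is assumed for illustration only.
    """
    if algorithm not in ("sha256", "sha512"):
        raise ValueError("unsupported algorithm: " + algorithm)
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per entry, so equal passwords hash differently
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return "%s:%s:%s:%s" % (username, algorithm, salt.hex(), digest)


def verify_entry(entry: str, password: str) -> bool:
    """Recompute the digest from the stored salt and compare it in constant time."""
    _user, algorithm, salt_hex, digest = entry.strip().split(":")
    expected = hashlib.new(algorithm, bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    candidate = "Tr0ub4dor&3"  # constructed sample password
    print("policy violations:", check_password_policy(candidate))
    line = make_entry("joe", candidate)
    print(line)
    print("verify:", verify_entry(line, candidate))
```

A single salted SHA-2 round is cheap to compute, so anyone who obtains the file can test guesses quickly; that is why the file permissions described under General matter.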

Deleting a Password

To remove an entry from the file use the following command.

$> ./uapasswd -D -u joe

Resetting the File

With the option -r the tool creates a fresh file. All existing entries are lost.

$> ./uapasswd -u joe -r
Changing password for user 'joe'.
New password:
Retype new password:
Successfully wrote file 'passwd'