File: condor_check_password.rst

*condor_check_password*
=======================

Examine HTCondor key files, looking for keys that prior versions of HTCondor
will not fully read.

:index:`condor_check_password<single: condor_check_password; HTCondor commands>`
:index:`condor_check_password command`

Synopsis
--------

**condor_check_password** <**-h** | **-\-help**>

**condor_check_password** [**-\-truncate**] [*key*]

Description
-----------

Versions of HTCondor before 8.9.12 contained a bug in the code
used to read the pool password (hence the name of the tool): in some
cases the read would be truncated before the end of the file.  Because the
same code is used to read IDTOKENS signing keys, this bug affects the
IDTOKENS authorization method, as well.

There was no backwards-compatible fix: versions 8.9.12 and later may
read the same file differently than earlier versions, meaning that
tokens issued before 8.9.12 may not be recognized by later versions.

This tool detects key files which will not be fully read by earlier versions
of HTCondor.  IDTOKENS generated by such a key will not be accepted by
later versions (which read the whole key file).  If you choose to
truncate these files on disk, later versions of HTCondor will read only
the same bits as earlier versions, allowing them to accept tokens
issued by earlier versions, at the cost of weakening your pool's
resistance to brute-force attacks.
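
The following sketch is an added illustration, not HTCondor code: it models the mismatch between the two readers and the effect of truncating a key. It assumes, purely for illustration, that the old reader stopped at the first NUL byte (this page does not state the cause), uses plain HMAC-SHA256 as a stand-in for token signing, and ignores any on-disk encoding of the key file; all function names and the sample key are constructed.

```python
import hashlib
import hmac

def legacy_read(key: bytes) -> bytes:
    """Model of the pre-8.9.12 reader. ASSUMPTION: it stops at the first NUL byte."""
    return key.split(b"\x00", 1)[0]

def current_read(key: bytes) -> bytes:
    """Model of the 8.9.12+ reader: the whole file is the key."""
    return key

def sign(key: bytes, claims: bytes) -> bytes:
    """Stand-in for token signing (plain HMAC-SHA256, not the real IDTOKENS format)."""
    return hmac.new(key, claims, hashlib.sha256).digest()

def verify(key: bytes, claims: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, claims), tag)

def check_key(key: bytes) -> dict:
    """Report whether the modelled old reader would have seen the whole key."""
    seen = legacy_read(key)
    return {"ok": seen == key, "bytes_on_disk": len(key),
            "bytes_legacy_reads": len(seen)}

def truncate(key: bytes) -> bytes:
    """What a truncate step would leave on disk: only the bytes the old reader used."""
    return legacy_read(key)

# Constructed sample key: 15 bytes with a NUL at offset 5.
SAMPLE_KEY = bytes.fromhex("9f3a6c21d4" + "00" + "7be25581c0aa13f4e6")
CLAIMS = b'{"sub": "alice@pool.example"}'  # constructed token payload

def demo():
    report = check_key(SAMPLE_KEY)
    # Token issued by an old daemon, which signed with the truncated key.
    old_token = sign(legacy_read(SAMPLE_KEY), CLAIMS)
    # A newer daemon reads the full file, so the old token fails to verify.
    accepted_before = verify(current_read(SAMPLE_KEY), CLAIMS, old_token)
    # After truncation both readers agree, but the key is much shorter.
    short_key = truncate(SAMPLE_KEY)
    accepted_after = verify(current_read(short_key), CLAIMS, old_token)
    return report, accepted_before, accepted_after, check_key(short_key)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

In this model the truncated key keeps 5 of its original 15 bytes, which is the brute-force trade-off described above.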

By default, this tool checks all the key files that will be
found by the current HTCondor configuration; you may specify a
specific *key* or *key*\ s to check, instead.

Options
-------

    **-h**, **-\-help**
        Print a usage reminder.

    **-\-truncate**
        When a potentially insecure key is encountered, truncate it to
        match the behavior prior to version 8.9.12.

Exit Status
-----------

Exits with code 0 if there were no signing keys to check or if all of
the checked keys were OK.  Exits with code 1 if at least one checked
key was not OK.  Exits non-zero if a problem was encountered
along the way.