
passwd(1)


NAME

passwd — change login password and associated attributes

SYNOPSIS

passwd [name]

passwd -r files [-F file] [name]

passwd -r files [-e [shell]] [-gh] [name]

passwd -r files -s [-a]

passwd -r files -s [name]

passwd -r files [-d|-l] [-f] [-n min] [-w warn] [-x max] name

passwd -r nis [-e [shell]] [-gh] [name]

passwd -r nisplus [-e [shell]] [-gh] [-D domain] [name]

passwd -r nisplus -s [-a]

passwd -r nisplus -s [-D domain] [name]

passwd -r nisplus [-l] [-f] [-n min] [-w warn] [-x max] [-D domain] name

passwd -r dce [-e [shell]] [-gh] [name]

DESCRIPTION

The passwd command modifies the password as well as the attributes associated with the login name. If name is omitted, it defaults to the invoking user's login name, which is determined using getlogin(3C).

The default password file is /etc/passwd. The -F option can be used to choose an alternate password file, where read and write permissions are required. This option is only available using the files repository.

Ordinary users can only change passwords corresponding to their login name. If an old password has been established, it is requested from the user. If valid, a new password is obtained. Once the new password is entered, it is determined if the old password has "aged" sufficiently. If password aging is not sufficient, the new password is rejected and passwd terminates (see passwd(4)).

If password aging and construction requirements are met, the password is re-entered to ensure consistency. If the new copy differs, passwd repeats the new password prompting cycle three times.

A superuser, whose effective user ID is zero (see id(1) and su(1)), is allowed to change any password and is not forced to comply with password aging. Superusers are not prompted for old passwords unless they are attempting to change the superuser's password in a trusted system. In addition, on untrusted systems, superusers are not forced to comply with password construction requirements. Null passwords can be created by entering a carriage return in response to the prompt for a new password.

The DCE repository (-r dce) is only available if Integrated Login has been configured; see auth.adm(1M). If Integrated Login has been configured, other considerations apply. A user with appropriate DCE privileges is capable of modifying a user's password, shell, gecos, or home directory; this does not depend upon superuser privileges.

If the repository is not specified, i.e. passwd [name], the password is changed in all existing repositories configured in /etc/nsswitch.conf. If password options are used, and no repository is specified, the default repository is files.

Options

The following options are recognized:

-D domain

Use the passwd.org_dir in the specified domain. This option is for nisplus repositories only. If not specified, the default domain is used.

-e shell

Modify the default shell for the user's login name in the password file. If the shell is not provided, the user will be prompted to enter the default login shell.

-F name

Choose an alternative password file, where read and write permissions are required. This option is available for the files repository only.

-g

Change the gecos information in the password file, which is used by the finger command. The user is prompted for each subfield: name, location, work phone, and home phone.

-h

Modify the default home directory in the password file. Only superuser is allowed to exercise this option.

-r repository

Specify the repository to which the operation is to be applied. Supported repositories include files, nis, nisplus, and dce. If repository is not specified, the default is files.

-s name

Display password attributes associated with the specified name. Superuser privilege is required if the files repository is specified. For nisplus, there are no restrictions.

-s [-a]

Display password attributes for all users in the password file. The -a option must be used in conjunction with the -s option when no name is specified. For nisplus, this will display entries in the NIS+ passwd table in the local domain. For files, this is restricted to superuser.

Privileged User Options

A superuser can modify password aging characteristics associated with the user name using the following options:

-d

Allow the user to log in without a password by deleting the current password.

-f

Force user to change password upon next login by expiring the current password.

-l

Lock user account.

-n min

Determine the minimum number of days, min, that must transpire before the user can change the password.

-w warn

Specify the number of days, warn, prior to the password expiring when the user will be notified that the password needs to be changed. This option is only enabled when the system has been converted to a trusted, secure system. Refer to the Managing Systems and Workgroups manual for how to convert your HP-UX to a trusted, secure system.

-x max

Determine the maximum number of days, max, a password can remain unchanged. The user must enter another password after that number of days has transpired, known as the password expiration time.

The min and max arguments are each represented in units of days. These arguments will be rounded up to the nearest week on a nontrusted HP-UX system. If the system is then converted to a trusted system, the number of days will be based on those weeks. If only one of the two arguments is supplied and the other has not previously been set, the other is set to zero.

Password Construction Requirements

Passwords must be constructed to meet the following requirements:

  • A password must have at least six characters. Only the first eight characters are significant in an untrusted system.

  • Characters must be from the 7-bit US-ASCII character set; letters must be from the English alphabet.

  • A password must contain at least two letters and at least one numeric or special character.

  • A password must differ from the user's login name and any reverse or circular shift of that login name. For comparison purposes, an uppercase letter and its corresponding lowercase equivalent are treated as identical.

  • A new password must differ from the old one by at least three characters (one character for a non-superuser's password when it is changed by the superuser on a trusted system). For comparison purposes, an uppercase letter and its corresponding lowercase equivalent are treated as identical.
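The construction rules above are easy to misread (the login-name rule covers reverses and every circular shift, and both comparisons are case-insensitive), so the following added example screens a candidate against them offline. It is not HP-UX code; the rule codes, function names and the decision to run every comparison on the eight significant characters of an untrusted system are this example's own assumptions. The min_diff parameter defaults to the three-character rule; pass 1 for the trusted-system superuser case described above.

```python
"""Audit a candidate password against the passwd(1) construction rules.

Added example, not HP-UX code: a reimplementation of the documented rules so a
candidate can be screened before it is offered to passwd. Rule codes, function
names and the untrusted-system prefix handling are this example's assumptions.
"""

MIN_LEN = 6
SIGNIFICANT_LEN = 8   # untrusted systems only keep the first eight characters


def circular_shifts(s):
    """Every rotation of s, including s itself."""
    return {s[i:] + s[:i] for i in range(len(s))}


def login_variants(login):
    """Lower-cased login name, its reverse, and all circular shifts of both."""
    name = login.lower()
    return circular_shifts(name) | circular_shifts(name[::-1])


def differing_positions(a, b):
    """Case-insensitive count of positions where a and b differ; positions past
    the end of the shorter string count as differences."""
    a, b = a.lower(), b.lower()
    longest = max(len(a), len(b))
    return sum(1 for i in range(longest)
               if i >= len(a) or i >= len(b) or a[i] != b[i])


def check_password(candidate, login, old_password=None, trusted=False, min_diff=3):
    """Return the violated rules in page order; an empty list means acceptable.

    On an untrusted system only the first eight characters are significant, so
    (assumption of this example) composition, login-name and old-password
    comparisons are made on that prefix. min_diff is 3 by default; the page
    allows 1 when the superuser changes a non-superuser's password on a
    trusted system.
    """
    problems = []
    pw = candidate if trusted else candidate[:SIGNIFICANT_LEN]

    if len(candidate) < MIN_LEN:
        problems.append("too_short")

    if any(ord(ch) > 0x7F for ch in candidate):
        problems.append("non_ascii")

    # At least two letters and at least one numeric or special character.
    letters = sum(1 for ch in pw if ch.isascii() and ch.isalpha())
    others = sum(1 for ch in pw if ch.isascii() and not ch.isalpha())
    if letters < 2 or others < 1:
        problems.append("composition")

    if pw.lower() in login_variants(login):
        problems.append("login_name")

    if old_password is not None:
        old = old_password if trusted else old_password[:SIGNIFICANT_LEN]
        if differing_positions(pw, old) < min_diff:
            problems.append("too_similar")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    for cand, login, old in [("Secret9!", "alice", "winter42"),
                             ("nitram", "martin", None),
                             ("abcdefgh1", "bob", None)]:
        print(cand, check_password(cand, login, old) or "ok")
```

Note the untrusted-system case in the last sample: "abcdefgh1" is rejected because the only digit sits in the ninth, non-significant position, which is exactly the weakness the eight-character limit introduces.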

If the above restrictions are met, the /etc/nsswitch.conf file specifies the repositories for which the password must be modified. The following configurations are supported:

  • passwd: files

  • passwd: files nisplus

  • passwd: files nis

  • passwd: compat (--> files nis)

  • passwd: compat (--> files nisplus)

  • passwd_compat: nisplus

Smart Card Login

If the user account is configured to use a Smart Card, the user password is stored in the card. This password has characteristics identical to a normal password stored on the system.

The password is retrieved automatically from the Smart Card when a valid PIN is entered. Therefore, it is not necessary to know the password, only the PIN.

Since passwd can be used with a Smart Card account, the Smart Card must be inserted into the Smart Card reader. The user is prompted for a PIN instead of a password during authentication.

Enter PIN:

If the system retrieves a valid old password from the card, a new password is requested (twice). If the new password meets all requirements, the system automatically overwrites the old password stored on the card with the new password.

Therefore, the new dialog resembles:

Enter PIN:
New password:
Re-enter new password:

A Smart Card account can be shared among users. If one user modifies the password, other users must use the scsync command to write the new password onto their cards.

The scpin command is used to change the Smart Card PIN.

SECURITY FEATURES

This section applies only to trusted systems. It describes additional capabilities and restrictions.

When passwd is invoked on a trusted system, the existing password is requested (if one is present). This initiates the password solicitation dialog which depends upon the type of password generation that has been enabled on the account. There are four possible options for password generation:

Random syllables

A pronounceable password made up of meaningless syllables.

Random characters

An unpronounceable password made up of random characters from the character set.

Random letters

An unpronounceable password made up of random letters from the alphabet.

User-supplied

A user-supplied password, subject to length and triviality restrictions.

Passwords can be greater than eight characters. The system administrator can specify the password length guidelines for the system-generated options (random syllables, random characters, and random letters). The actual maximum password length depends upon several parameters set by the system administrator in the authentication database. System warnings are displayed if password lengths are either too long or too short.

The system requires a minimum time to elapse before a password can be changed. This prevents reuse of an old password within an undesirable period of time.

A password expires after a period of time known as the expiration time. System warnings are displayed as expiration time approaches.

A password dies after a time period known as the password lifetime. After the lifetime passes, the account is locked until it is re-enabled by a system administrator. Once unlocked, the user is forced to change the password before account use.

The system administrator can enable accounts without passwords. If a user account is allowed to function without a password, the user can choose a null password by typing a carriage-return when prompted for a new password.

Password History

The system administrator can enable the password history feature to discourage users from reusing previously used passwords. To enable it, the system administrator should create the file security under the directory /etc/default (or open it if it already exists) and append one line of the form PASSWORD_HISTORY_DEPTH=number. The line contains three keywords: PASSWORD_HISTORY_DEPTH, =, and a decimal number giving the desired depth of the password history check. If the number is 2, the user's new password is checked against the two previously used passwords: the current password and the one used before it. A password history depth of 2 therefore prevents users from alternating between two passwords. The maximum supported depth is 10 and the minimum is 1; a configured depth greater than 10 is treated as 10, and a depth less than 1 is treated as 1.

The password history depth configuration applies system-wide and is supported on trusted systems for users in the files repository only. The feature does not support users in the NIS or NISPLUS repositories. Once enabled, all users on the system are subject to the same check. If the configuration file /etc/default/security does not exist, if it exists but the required line is missing, or if the line exists but any of the three required keywords is missing, the password history check is automatically disabled. When the feature is disabled, the history check depth is set to 1 and a password change remains subject to all other rules for a new password, including a comparison with the current password.
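The parsing and clamping rules just described have several edge cases (missing file, missing keyword, out-of-range depth, disabled-but-still-depth-1), so the following added example reproduces them and pairs them with a reuse check over a hashed history. It is not HP-UX code: the regular expression, the tolerance for surrounding whitespace, and the salted PBKDF2 history store are this example's own choices, since the page does not describe how the trusted-system database records previous passwords.

```python
"""Password-history configuration and reuse check for passwd(1).

Added example, not HP-UX code. history_depth() reproduces the documented
parsing rules for /etc/default/security; the hashed history store and the
PBKDF2 parameters are this example's own choices.
"""
import hashlib
import hmac
import os
import re

DEPTH_MIN, DEPTH_MAX = 1, 10
DISABLED_DEPTH = 1          # feature off: only the current password is compared
PBKDF2_ROUNDS = 50_000      # example choice, not an HP-UX parameter

# The three keywords the page names: the variable, '=', and a decimal number.
# Surrounding whitespace is tolerated (assumption of this example).
_DEPTH_LINE = re.compile(r"^\s*PASSWORD_HISTORY_DEPTH\s*=\s*(\d+)\s*$")


def history_depth(security_text):
    """Return (enabled, depth) for the given contents of /etc/default/security.

    A missing file is passed as the empty string. The last well-formed line
    wins; out-of-range values are clamped to 1..10 as the page specifies, and
    a missing or malformed line disables the feature with depth 1.
    """
    depth = None
    for line in security_text.splitlines():
        m = _DEPTH_LINE.match(line)
        if m:
            depth = int(m.group(1))
    if depth is None:
        return False, DISABLED_DEPTH
    return True, min(DEPTH_MAX, max(DEPTH_MIN, depth))


def hash_entry(password, salt=None):
    """Salted PBKDF2-SHA256 digest of a password, returned as (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_reused(candidate, history, depth):
    """True if candidate equals any of the `depth` most recent history entries.

    history holds (salt, digest) pairs, newest first; entry 0 is the current
    password, so depth 2 covers it and its predecessor, as the page describes.
    """
    for salt, digest in history[:depth]:
        _, probe = hash_entry(candidate, salt)
        if hmac.compare_digest(probe, digest):
            return True
    return False


def record_change(history, new_password):
    """Prepend the new password's entry and keep at most DEPTH_MAX entries."""
    return [hash_entry(new_password)] + history[:DEPTH_MAX - 1]


if __name__ == "__main__":
    # Constructed configuration and password history, not taken from the page.
    enabled, depth = history_depth("PASSWORD_HISTORY_DEPTH=2\n")
    history = record_change(record_change([], "autumn17!"), "winter42#")
    print(enabled, depth, password_reused("autumn17!", history, depth))   # True 2 True
    print(password_reused("autumn17!", history, 1))                       # False
```

The second print shows the disabled case from the text: with depth 1 only the current password ("winter42#") is compared, so alternating back to "autumn17!" is no longer caught.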

EXTERNAL INFLUENCES

International Code Set Support

Characters from single-byte character code sets are supported in passwords.

EXAMPLES

Change the password expiration date of user to 42 days in the files repository:

passwd -r files -x 42 user

Modify the minimum time between password changes of user1 to 7 days in the nisplus repository:

passwd -r nisplus -n 7 user1

Force user2 to establish a new password on the next login which will expire in 70 days and prohibit the user from changing the password until 7 days have transpired:

passwd -r files -f -x 70 -n 7 user2

DEPENDENCIES

Pluggable Authentication Modules (PAM)

PAM is an Open Group standard for user authentication, password modification, and account validation. In particular, pam_chauthtok() is invoked to perform all functions related to passwd. This includes establishing and changing a password, using passwd options, and displaying error messages.

WARNING

Avoid password characters which have special meaning to the tty driver, such as # (erase) and @ (kill). You may not be able to log in with these characters.

FILES

/etc/passwd

Standard password file used by HP-UX.

/tcb/files/auth/*/*

Protected password database used when system is converted to trusted system.

SEE ALSO

chfn(1), id(1), login(1), su(1), crypt(3C), getlogin(3C), passwd(4), auth(5), auth.adm(1M), auth.dce(5).

Managing Systems and Workgroups

Pluggable Authentication Modules (PAM)

pam_chauthtok(3), pam(3), pam.conf(4), pam_user.conf(4).

HP-UX Smart Card Login

scpin(1), scsync(1).

STANDARDS CONFORMANCE

passwd: SVID2, SVID3, XPG2

© Hewlett-Packard Development Company, L.P.