HP-UX Reference Volume 3 of 5

passwd(4)


NAME

passwd — password file, pwd.h

DESCRIPTION

passwd contains the following information for each user:

  • login name

  • encrypted password

  • numerical user ID

  • numerical group ID

  • reserved field, which can be used for identification

  • initial working directory

  • program to use as shell

This is an ASCII file. Each field within each user's entry is separated from the next by a colon. Each user is separated from the next by a newline. This file resides in the /etc directory. It can and does have general read permission and can be used, for example, to map numerical user IDs to names. If the password field is null and the system has not been converted to a trusted system, no password is demanded.

If the shell field is null, /usr/bin/sh is used.

The encrypted password consists of 13 characters chosen from a 64-character set of "digits" described below, except when the password is null, in which case the encrypted password is also null. Login can be prevented by entering in the password field a character that is not part of the set of digits (such as *).

The characters used to represent "digits" are . for 0, / for 1, 0 through 9 for 2 through 11, A through Z for 12 through 37, and a through z for 38 through 63.

Password aging is put in effect for a particular user if his encrypted password in the password file is followed by a comma and a nonnull string of characters from the above alphabet. (Such a string must be introduced in the first instance by a superuser.) This string defines the "age" needed to implement password aging.

The first character of the age, M, denotes the maximum number of weeks for which a password is valid. A user who attempts to login after his password has expired is forced to supply a new one. The next character, m, denotes the minimum period in weeks that must expire before the password can be changed. The remaining characters define the week (counted from the beginning of 1970) when the password was last changed (a null string is equivalent to zero). M and m have numerical values in the range 0 through 63 that correspond to the 64-character set of "digits" shown above. If m = M = 0 (derived from the string . or ..), the user is forced to change his password next time he logs in (and the "age" disappears from his entry in the password file). If m > M (signified, for example, by the string ./), then only a superuser (not the user) can change the password. Not allowing the user to ever change the password is discouraged, especially on a trusted system.
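The decoding of the password field and its aging suffix, as an added example in C (not code from the HP-UX manual or from pwd.h). It maps the 64-character alphabet to values, classifies the encrypted part as null, locked, or a well-formed 13-character string, and derives M, m, and the last-changed week from the suffix, applying the m = M = 0 and m > M rules described above. The one assumption beyond the text is that the week characters are read least significant first, the a64l(3C) convention; the function and type names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Value 0..63 of one character from the 64-character "digit" alphabet,
 * or -1 when the character is not part of it. */
static int a64_digit(int c)
{
    if (c == '.') return 0;
    if (c == '/') return 1;
    if (c >= '0' && c <= '9') return c - '0' + 2;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 12;
    if (c >= 'a' && c <= 'z') return c - 'a' + 38;
    return -1;
}

/* State of the encrypted password itself (the part before any comma). */
enum pw_state { PW_EMPTY, PW_LOCKED, PW_VALID };

static enum pw_state classify_password(const char *field)
{
    const char *comma = strchr(field, ',');
    size_t len = comma ? (size_t)(comma - field) : strlen(field);
    if (len == 0) return PW_EMPTY;      /* null password: none is demanded */
    if (len != 13) return PW_LOCKED;    /* cannot be a 13-character encrypted password */
    for (size_t i = 0; i < len; i++)
        if (a64_digit((unsigned char)field[i]) < 0)
            return PW_LOCKED;           /* e.g. "*": login prevented */
    return PW_VALID;
}

enum age_policy { AGE_NONE, AGE_NORMAL, AGE_FORCE_CHANGE, AGE_ROOT_ONLY, AGE_INVALID };

struct pw_age {
    int  max_weeks;     /* M: weeks the password stays valid */
    int  min_weeks;     /* m: weeks that must pass before it may be changed */
    long last_changed;  /* week of the last change, counted from the start of 1970 */
    enum age_policy policy;
};

/* Decode the ",age" suffix. Assumption (example's own): the week characters
 * are read least significant first, as a64l(3C) does. */
static int parse_age(const char *field, struct pw_age *out)
{
    const char *comma = strchr(field, ',');
    memset(out, 0, sizeof *out);
    if (!comma || comma[1] == '\0') { out->policy = AGE_NONE; return 0; }

    const char *age = comma + 1;
    int M = a64_digit((unsigned char)age[0]);
    int m = age[1] ? a64_digit((unsigned char)age[1]) : 0;   /* "." alone: m = 0 */
    if (M < 0 || m < 0) { out->policy = AGE_INVALID; return -1; }

    const char *rest = age + 1;
    if (*rest) rest++;                                        /* skip the m character */
    long weeks = 0;
    int shift = 0;
    for (; *rest; rest++, shift += 6) {
        int d = a64_digit((unsigned char)*rest);
        if (d < 0) { out->policy = AGE_INVALID; return -1; }
        weeks |= (long)d << shift;
    }

    out->max_weeks = M;
    out->min_weeks = m;
    out->last_changed = weeks;
    if (M == 0 && m == 0) out->policy = AGE_FORCE_CHANGE; /* "." or "..": change at next login */
    else if (m > M)       out->policy = AGE_ROOT_ONLY;    /* e.g. "./": only the superuser may change it */
    else                  out->policy = AGE_NORMAL;
    return 0;
}

/* Expired when more than M weeks have passed since the last change. */
static int password_expired(const struct pw_age *a, long now_week)
{
    return a->policy == AGE_NORMAL && now_week - a->last_changed > a->max_weeks;
}

int main(void)
{
    /* Constructed sample fields; the hashes are the manual's example values. */
    static const char *const samples[] = {
        "", "*", "3Km/o4Cyq84Xc", "3Km/o4Cyq84Xc,A2x", "r4hRJr4GJ4CqE,.", "r4hRJr4GJ4CqE,./"
    };
    static const char *const names[] = { "none", "normal", "force-change", "root-only", "invalid" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct pw_age a;
        parse_age(samples[i], &a);
        printf("%-20s pw=%d age=%s M=%d m=%d week=%ld\n", samples[i],
               classify_password(samples[i]), names[a.policy],
               a.max_weeks, a.min_weeks, a.last_changed);
    }
    return 0;
}
```

A locked entry and an aged entry are distinguished by different parts of the field: any non-alphabet character or wrong length before the comma prevents login outright, while the suffix after the comma only controls when and by whom the password may be changed.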

Trusted systems support password aging and password generation. For more information on converting to trusted system and on password, see Managing Systems and Workgroups and sam(1M).

getpwent(3C) designates values to the fields in the following structure declared in <pwd.h>:

    struct passwd {
        char  *pw_name;
        char  *pw_passwd;
        uid_t  pw_uid;
        gid_t  pw_gid;
        char  *pw_age;
        char  *pw_comment;
        char  *pw_gecos;
        char  *pw_dir;
        char  *pw_shell;
        aid_t  pw_audid;
        int    pw_audflg;
    };

It is suggested that the range 0-99 not be used for user and group IDs (pw_uid and pw_gid in the above structure) so that IDs that might be assigned for system software do not conflict.

The user's full name, office location, extension, and home phone stored in the pw_gecos field of the passwd structure can be set by use of the chfn command (see chfn(1)) and is used by the finger(1) command. These two commands assume the information in this field is in the order listed above. A portion of the user's real name can be represented in the pw_gecos field by an & character, which some utilities (including finger) expand by substituting the login name for it and shifting the first letter of the login name to uppercase.

SECURITY FEATURES

On trusted systems, the encrypted password for each user is stored in the file /tcb/files/auth/c/user_name (where c is the first letter in user_name). Password information files are not accessible to the public. The encrypted password can be longer than 13 characters. For example, the password file for user david is stored in /tcb/files/auth/d/david. In addition to the password, the user profile in /tcb/files/auth/c/user_name also contains:

  • numerical audit ID

  • numerical audit flag

Like /etc/passwd, this file is an ASCII file. Fields within each user's entry are separated by colons. Refer to authcap(4) and prpwd(4) for details. The passwords contained in /tcb/files/auth/c/* take precedence over those contained in the encrypted password field of /etc/passwd. User authentication is done using the encrypted passwords in this file. The password aging mechanism described in passwd(1), under the section called SECURITY FEATURES, applies to this password.

NETWORKING FEATURES

NIS

The passwd file can have entries that begin with a plus (+) or minus (-) sign in the first column. Such lines are used to access the Network Information System network database. A line beginning with a plus (+) is used to incorporate entries from the Network Information System. There are three styles of + entries:

+

Insert the entire contents of the Network Information System password file at that point;

+name

Insert the entry (if any) for name from the Network Information System at that point

+@name

Insert the entries for all members of the network group name at that point.

If a + entry has a nonnull password, directory, gecos, or shell field, they override what is contained in the Network Information System. The numerical user ID and group ID fields cannot be overridden.

The passwd file can also have lines beginning with a minus (-), which disallow entries from the Network Information System. There are two styles of - entries:

-name

Disallow any subsequent entries (if any) for name.

-@name

Disallow any subsequent entries for all members of the network group name.

WARNINGS

User ID (uid) 17 is reserved for the Pascal Language operating system. User ID (uid) 18 is reserved for the BASIC Language operating system. These are operating systems for Series 300 and 400 computers that can coexist with HP-UX on the same disk. Using these uids for other purposes may inhibit file transfer and sharing.

The login shell for the root user (uid 0) must be /sbin/sh. Other shells such as sh, ksh, and csh are all located under the /usr directory which may not be mounted during earlier stages of the bootup process. Changing the login shell of the root user to a value other than /sbin/sh may result in a non-functional system.

The information kept in the pw_gecos field may conflict with unsupported or future uses of this field. Use of the pw_gecos field for keeping user identification information has not been formalized within any of the industry standards. The current use of this field is derived from its use within the Berkeley Software Distribution. Future standards may define this field for other purposes.

The following fields have character limitations as noted:

  • Login name field can be no longer than 8 characters;

  • Initial working directory field can be no longer than 63 characters;

  • Program field can be no longer than 44 characters.

  • Results are unpredictable if these fields are longer than the limits specified above.

The following fields have numerical limitations as noted:

  • The user ID is an integer value between -2 and UID_MAX inclusive.

  • The group ID is an integer value between 0 and UID_MAX inclusive.

  • If either of these values is out of range, the getpwent(3C) functions reset the ID value to (UID_MAX).

EXAMPLES

NIS Example

Here is a sample /etc/passwd file:

    root:3Km/o4Cyq84Xc:0:10:System Administrator:/:/sbin/sh
    joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh
    +john:
    -bob:
    +@documentation:no-login:
    -@marketing:
    +:::Guest

In this example, there are specific entries for users root and joe, in case the Network Information System is out of order.

  • User john's password entry in the Network Information System is incorporated without change.

  • Any subsequent entries for user bob are ignored.

  • The password field for anyone in the netgroup documentation is disabled.

  • Users in netgroup marketing are not returned by getpwent(3C) and thus are not allowed to log in.

  • Anyone else can log in with their usual password, shell, and home directory, but with a pw_gecos field of Guest.
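A lookup routine that walks a local passwd file in order and applies the +, +name, +@name, -name and -@name rules against a constructed NIS map and constructed netgroups, as an added C example (not HP-UX library code; the data and the names lookup, nis_map, netgroups and pwresult are the example's own). The local file follows the sample above, except that the final + line is written out to all seven fields so that Guest sits in the pw_gecos position, and the NIS hashes are placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the NIS password map (hashes are placeholders). */
struct nis_pw { const char *name, *passwd; int uid, gid; const char *gecos, *dir, *shell; };
static const struct nis_pw nis_map[] = {
    { "john",  "XXXXXXXXXXXXX", 201, 50, "John Doe",  "/home/john",  "/usr/bin/sh"  },
    { "bob",   "XXXXXXXXXXXXX", 202, 50, "Bob Roe",   "/home/bob",   "/usr/bin/sh"  },
    { "alice", "XXXXXXXXXXXXX", 203, 60, "Alice Poe", "/home/alice", "/usr/bin/ksh" },
    { "carol", "XXXXXXXXXXXXX", 204, 60, "Carol Moe", "/home/carol", "/usr/bin/sh"  },
    { "dave",  "XXXXXXXXXXXXX", 205, 70, "Dave Foe",  "/home/dave",  "/usr/bin/sh"  },
};
/* Constructed netgroups. */
struct netgroup { const char *name; const char *members[4]; };
static const struct netgroup netgroups[] = {
    { "documentation", { "alice", NULL } },
    { "marketing",     { "carol", NULL } },
};
/* Constructed local /etc/passwd, following the manual's NIS example but with the
 * final "+" line spelled out to all seven fields so "Guest" lands in pw_gecos. */
static const char *const local_passwd[] = {
    "root:3Km/o4Cyq84Xc:0:10:System Administrator:/:/sbin/sh",
    "joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh",
    "+john:",
    "-bob:",
    "+@documentation:no-login:",
    "-@marketing:",
    "+::::Guest::",
};

struct pwresult { char name[9], passwd[64], gecos[64], dir[64], shell[45]; int uid, gid; };
enum lookup_status { PW_NOT_FOUND, PW_FOUND, PW_DISALLOWED };

static const struct nis_pw *nis_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof nis_map / sizeof nis_map[0]; i++)
        if (strcmp(nis_map[i].name, name) == 0) return &nis_map[i];
    return NULL;
}

static int in_netgroup(const char *group, const char *name)
{
    for (size_t i = 0; i < sizeof netgroups / sizeof netgroups[0]; i++)
        if (strcmp(netgroups[i].name, group) == 0)
            for (const char *const *m = netgroups[i].members; *m; m++)
                if (strcmp(*m, name) == 0) return 1;
    return 0;
}

/* Split a colon-separated line in place into 7 fields; missing fields become "". */
static void split_fields(char *line, const char *f[7])
{
    int i = 0;
    f[0] = line;
    for (char *p = line; *p && i < 6; p++)
        if (*p == ':') { *p = '\0'; f[++i] = p + 1; }
    while (++i < 7) f[i] = "";
}

#define SET(dst, src) snprintf((dst), sizeof (dst), "%s", (src))

/* Walk the local file in order and apply the +/- rules for one login name. */
static enum lookup_status lookup(const char *name, struct pwresult *out)
{
    char buf[256];
    const char *f[7];
    for (size_t i = 0; i < sizeof local_passwd / sizeof local_passwd[0]; i++) {
        snprintf(buf, sizeof buf, "%s", local_passwd[i]);
        split_fields(buf, f);
        const char *key = f[0];
        if (key[0] == '-') {
            /* -name / -@name: any subsequent entries for these users are ignored */
            if (key[1] == '@' ? in_netgroup(key + 2, name) : strcmp(key + 1, name) == 0)
                return PW_DISALLOWED;
        } else if (key[0] == '+') {
            int applies = key[1] == '\0' ? 1
                        : key[1] == '@'  ? in_netgroup(key + 2, name)
                        : strcmp(key + 1, name) == 0;
            const struct nis_pw *n = applies ? nis_lookup(name) : NULL;
            if (!n) continue;                 /* "(if any)": no NIS entry, keep scanning */
            SET(out->name, n->name);
            out->uid = n->uid;                /* uid and gid can never be overridden */
            out->gid = n->gid;
            SET(out->passwd, f[1][0] ? f[1] : n->passwd);   /* nonnull local fields win */
            SET(out->gecos,  f[4][0] ? f[4] : n->gecos);
            SET(out->dir,    f[5][0] ? f[5] : n->dir);
            SET(out->shell,  f[6][0] ? f[6] : n->shell);
            return PW_FOUND;
        } else if (strcmp(key, name) == 0) {  /* ordinary local entry */
            SET(out->name, f[0]); SET(out->passwd, f[1]);
            out->uid = atoi(f[2]); out->gid = atoi(f[3]);
            SET(out->gecos, f[4]); SET(out->dir, f[5]); SET(out->shell, f[6]);
            return PW_FOUND;
        }
    }
    return PW_NOT_FOUND;
}

int main(void)
{
    const char *who[] = { "joe", "john", "bob", "alice", "carol", "dave", "zed" };
    for (size_t i = 0; i < sizeof who / sizeof who[0]; i++) {
        struct pwresult r;
        enum lookup_status s = lookup(who[i], &r);
        if (s == PW_FOUND)
            printf("%-6s uid=%d gid=%d pw=%s gecos=%s shell=%s\n",
                   r.name, r.uid, r.gid, r.passwd, r.gecos, r.shell);
        else
            printf("%-6s %s\n", who[i], s == PW_DISALLOWED ? "disallowed" : "not found");
    }
    return 0;
}
```

Two details are worth checking in any real configuration: the uid and gid always come from the NIS entry, never from the local + line, and the netgroup's password override (no-login here) disables login only because it is not a valid 13-character string from the alphabet, so a + line whose password field happens to be well-formed would instead replace the NIS password.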

NIS Warnings

The plus (+) and minus (-) features are NIS functionality; therefore, if NIS is not installed, they do not work. Also, these features work only with /etc/passwd, but not with a system that has been converted to a trusted system. When the system has been converted to a trusted system, the encrypted passwords can be accessed only from the protected password database, /tcb/files/auth/*/*. Any user entry in the Network Information System database also must have an entry in the protected password database.

The uid of -2 is reserved for remote root access by means of NFS. The pw_name usually given to this uid is nobody. Since uids are stored as signed values, the following define is included in <pwd.h> to match the user nobody.

    #define UID_NOBODY (-2)

FILES

/tcb/files/auth/*/*

Protected password database used when system is converted to trusted system.

/etc/passwd

Standard password file used by HP-UX.

STANDARDS CONFORMANCE

passwd: SVID2, SVID3, XPG2

© Hewlett-Packard Development Company, L.P.