passwd.1 (2010 09)

passwd(1) passwd(1)
hpux.security.password, shell
        Allows a user to use the -e option (or chsh) to change the default
        shell of any non-root user.
hpux.security.password, warndate
        Allows a user to use the -w option to specify, for non-root users,
        the number of days prior to a password's expiration that the user
        will be notified.
Smart Card Login
If the user account is configured to use a Smart Card, the user password is stored in the card. This
password has characteristics identical to a normal password stored on the system.
The Smart Card must be inserted into the Smart Card reader. The user is prompted for a PIN instead of
a password during authentication.
Enter PIN:
The password is retrieved automatically from the Smart Card when a valid PIN is entered. Therefore, it
is not necessary to know the password, only the PIN.
If the system retrieves a valid old password from the card, a new password is requested (twice). If the
new password meets all requirements, the system automatically overwrites the old password stored on
the card with the new password.
Therefore, the new dialog resembles:
Enter PIN:
New password:
Re-enter new password:
A Smart Card account can be shared among users. If one user modifies the password, other users must
use the scsync command to write the new password onto their cards.
The scpin command is used to change the Smart Card PIN.
SECURITY FEATURES
This section applies only to trusted systems. It describes additional capabilities and restrictions.
When passwd is invoked on a trusted system, the existing password is requested (if one is present). This
initiates the password solicitation dialog, which depends on the type of password generation (format
policy) that has been enabled on the account running the passwd command. There are four possible
options for password generation:
Random syllables    A pronounceable password made up of meaningless syllables.
Random characters   An unpronounceable password made up of random characters from the
                    character set.
Random letters      An unpronounceable password made up of random letters from the
                    alphabet.
User-supplied       A user-supplied password, subject to length and triviality restrictions.
Passwords can be greater than eight characters, but it is recommended that they be less than 40
characters. System warnings are displayed if password lengths are either too long or too short. The system
administrator can specify a maximum password length guideline for the system-generated options
(random syllables, random characters, and random letters). The actual maximum password length depends
upon several parameters in the authentication database and in the algorithm.
The system requires a minimum time to elapse before a password can be changed. This prevents reuse of
an old password within an undesirable period of time.
A password expires after a period of time known as the expiration time. System warnings are displayed
as expiration time approaches.
A password dies after a time period known as the password lifetime. After the lifetime passes, the
account is locked until it is re-enabled by a system administrator. Once unlocked, the user is forced to
change the password before account use.
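The three timers above (minimum time, expiration time, password lifetime) can be read as a small state
check, shown here as an added example that is not part of the HP-UX manual or its tools. The function
names, the seconds-based units, the "0 means not enforced" convention and the warning-days parameter are
assumptions of this example.

```shell
# Added example: the three aging timers described above as a state check.
# Names and sample values are constructed, not HP-UX fields or defaults.
# Assumption: times are in seconds and a timer value of 0 means "not enforced".
DAY=86400

# pw_state NOW LAST_CHANGE MIN_TIME EXP_TIME LIFETIME WARN_DAYS
# Prints: dead | expired | warn:<days_left> | too-soon | ok
pw_state() {
    now=$1 last=$2 min=$3 exp=$4 life=$5 warn_days=$6
    age=$((now - last))
    # A last-change time in the future (clock skew, bad record) is an error.
    if [ "$age" -lt 0 ]; then
        echo "error:last-change-in-future"; return 1
    fi
    # Lifetime passed: the account stays locked until an administrator re-enables it.
    if [ "$life" -gt 0 ] && [ "$age" -ge "$life" ]; then
        echo dead; return 0
    fi
    # Expiration time passed, lifetime not yet reached.
    if [ "$exp" -gt 0 ] && [ "$age" -ge "$exp" ]; then
        echo expired; return 0
    fi
    # Inside the warning window before expiration; report whole days left.
    if [ "$exp" -gt 0 ] && [ "$warn_days" -gt 0 ]; then
        left=$((exp - age))
        if [ "$left" -le $((warn_days * DAY)) ]; then
            echo "warn:$(( (left + DAY - 1) / DAY ))"; return 0
        fi
    fi
    # Minimum time not yet elapsed: a change request would be refused.
    if [ "$min" -gt 0 ] && [ "$age" -lt "$min" ]; then
        echo too-soon; return 0
    fi
    echo ok
}

# pw_policy_check MIN_TIME EXP_TIME LIFETIME
# Flags timer combinations under which a user could never change in time.
pw_policy_check() {
    min=$1 exp=$2 life=$3
    if [ "$exp" -gt 0 ] && [ "$min" -ge "$exp" ]; then echo "min>=exp"; return 1; fi
    if [ "$life" -gt 0 ] && [ "$exp" -gt "$life" ]; then echo "exp>life"; return 1; fi
    echo consistent
}
```
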
The system administrator can enable accounts without passwords. If a user account is allowed to
function without a password, the user can choose a null password by typing a carriage-return when prompted
for a new password.
Hewlett-Packard Company    HP-UX 11i Version 3: September 2010