passwd.4 (2010 09)
passwd(4)                                                              passwd(4)
The first character of the age, M, denotes the maximum number of weeks for which a password is valid. A
user who attempts to log in after his password has expired is forced to supply a new one. The next
character, m, denotes the minimum period in weeks that must expire before the password can be changed.
The remaining two characters define the week when the password was last changed (a null string is
equivalent to zero). M and m have numerical values in the range 0 through 63 that correspond to the
64-character set of "digits" shown above.

If m = M = 0 (derived from the string . or ..), the user is forced to change his password the next time he
logs in (and the "age" disappears from his entry in the password file). If m > M (signified, for example,
by the string ./), then only a superuser (not the user) can change the password. Not allowing the user to
ever change the password is discouraged.
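As an added example (not code from the HP-UX manual page), the following Python decodes the age string described above and classifies the account according to these rules. It assumes the 64-character digit set is the crypt(3)/a64l(3) ordering ./0-9A-Za-z (values 0 through 63), that the age follows the encrypted password after a comma (the System V convention), and that the two-character week is a base-64 number with its least significant digit first, as a64l(3) encodes it; the page shown here does not state that digit order, so it is an assumption. The sample field in the block is constructed.

```python
# Added example (not from the HP-UX manual page): decode the password "age"
# field and report what it means for the account.
from dataclasses import dataclass
from typing import Optional, Tuple

# The 64-character "digit" set the manual page refers to, in the crypt(3)/a64l(3)
# ordering ./0-9A-Za-z (values 0..63).  Assumed here; the page shows it earlier.
AGE_DIGITS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def digit_value(ch: str) -> int:
    """Map one age digit to its numeric value 0..63."""
    value = AGE_DIGITS.find(ch)
    if value < 0:
        raise ValueError(f"not an age digit: {ch!r}")
    return value


def split_password_field(field: str) -> Tuple[str, str]:
    """Split the second /etc/passwd field into (encrypted password, age).

    Assumption: the age follows the encrypted password after a comma, the
    System V convention used by HP-UX.  No comma means no aging."""
    if "," in field:
        pw, age = field.split(",", 1)
        return pw, age
    return field, ""


@dataclass
class PasswordAge:
    max_weeks: int         # M: weeks for which the password stays valid
    min_weeks: int         # m: weeks that must pass before it may be changed
    last_change_week: int  # week in which the password was last changed


def parse_age(age: str) -> Optional[PasswordAge]:
    """Decode an age string; an empty age means no aging (None).

    Missing trailing characters count as zero ("a null string is equivalent
    to zero"), so "." and ".." both decode to M = m = 0."""
    if age == "":
        return None
    if len(age) > 4:
        raise ValueError(f"age field too long: {age!r}")
    digits = [digit_value(c) for c in age] + [0] * (4 - len(age))
    M, m, low, high = digits
    # Assumption: the two-character week is a base-64 number with the least
    # significant digit first, as a64l(3) encodes it.
    return PasswordAge(max_weeks=M, min_weeks=m, last_change_week=high * 64 + low)


def aging_status(age: str, current_week: int) -> str:
    """Classify the account according to the rules in the manual page."""
    a = parse_age(age)
    if a is None:
        return "no-aging"
    if a.max_weeks == 0 and a.min_weeks == 0:
        return "must-change-at-next-login"      # the string "." or ".."
    if a.min_weeks > a.max_weeks:
        return "superuser-only"                 # e.g. the string "./"
    elapsed = current_week - a.last_change_week
    if elapsed > a.max_weeks:
        return "expired"                        # forced to supply a new one at login
    if elapsed < a.min_weeks:
        return "too-soon-to-change"
    return "ok"


if __name__ == "__main__":
    # Constructed sample field: placeholder hash "x", age "C/3." -> M=14, m=1,
    # last changed in week 5.
    pw, age = split_password_field("x,C/3.")
    print(pw, parse_age(age), aging_status(age, current_week=10))
```

Note that the M = m = 0 check comes before the expiry arithmetic: a "." age is a forced change regardless of the week, and "./" (m = 1, M = 0) is superuser-only rather than expired.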
SECURITY FEATURES
This section applies only to trusted systems. Note that HP-UX 11i Version 3 is the last release to support
trusted systems functionality.

On a trusted system the password field always contains * by default. Password and aging information are
instead part of the Protected Password Database.
On trusted systems, the encrypted password for each user is stored in the file /tcb/files/auth/c/user_name
(where c is the first letter in user_name). Password information files are not accessible to the public.
The encrypted password can be longer than 13 characters. For example, the password file for user david is
stored in /tcb/files/auth/d/david. In addition to the password, the user profiles in /tcb/files/auth/*/*
also have many other fields, including:
• numerical audit ID
• numerical audit flag
Like /etc/passwd, this file is an ASCII file. Fields within each user's entry are separated by colons.
Refer to authcap(4) and prpwd(4) for details. The passwords contained in /tcb/files/auth/*/* take
precedence over those contained in the encrypted password field of /etc/passwd. User authentication is
done using the encrypted passwords in this file. For a description of the password aging mechanism, see
the SECURITY FEATURES section of passwd(1).

For more information about passwords and converting to a trusted system, see HP-UX System
Administrator's Guide and sam(1M).
NETWORKING FEATURES
NIS
The passwd file can have entries that begin with a plus (+) or minus (-) sign in the first column. Such
lines are used to access the Network Information System database. A line beginning with a plus (+) is
used to incorporate entries from the Network Information System. There are three styles of + entries:

+        Insert the entire contents of the Network Information System password file at that point;
+name    Insert the entry (if any) for name from the Network Information System at that point;
+@name   Insert the entries for all members of the network group name at that point.

If a + entry has a non-null password, directory, gecos, or shell field, those fields override what is
contained in the Network Information System. The numerical user ID and group ID fields cannot be
overridden.

The passwd file can also have lines beginning with a minus (-), which disallow entries from the Network
Information System. There are two styles of - entries:

-name    Disallow any subsequent entries (if any) for name.
-@name   Disallow any subsequent entries for all members of the network group name.
NIS Warnings
The plus (+) and minus (-) features are NIS functionality; therefore, if NIS is not installed, they do not
work. Also, these features work only with /etc/passwd.

The uid of -2 is reserved for remote root access by means of NFS. The user name usually given to this uid
is nobody. Since uids are stored as signed values, the following define is included in <pwd.h> to match
the user nobody.

UID_NOBODY (-2)
Hewlett-Packard Company                   - 2 -                   HP-UX 11i Version 3: September 2010