HP-UX Reference (11i v1 00/12) - 4 File Formats (vol 8)

prpwd(4)
NAME
prpwd - protected password authentication database files used for trusted systems
SYNOPSIS
/tcb/files/auth/...
DESCRIPTION
An authentication profile is maintained for each user on the system. A user profile is kept in a protected
password database file that is accessible only to the System Administrator. The protected password
database files contain, among other things, the encrypted password for the user account. On a trusted
system, the passwords are hidden from normal users.
The protected password database files do not obviate the need for the /etc/passwd and the /etc/group files.
Users must be defined in the /etc/passwd file in order to use the system. The protected password database
file for a user contains the user name and user id to provide a correlation to the user’s /etc/passwd entry.
These must match or the user account will be treated as invalid.
Protected password database files are maintained in the /tcb/files/auth hierarchy. This directory contains
other directories each named with a single letter from the alphabet. User authentication profiles are stored
in these directories based on the first letter of the user account name. This enables an efficient search
operation to locate the file for a specific user name. For instance, the authentication profile for the root
account is located in the /tcb/files/auth/r directory and can be accessed by opening the file
/tcb/files/auth/r/root.
Fields defined in a file are user specific values. These values override the system default values. Trusted
programs check first for the existence of user specific parameters before using a system default value.
A protected password database file contains keyword field identifiers and, depending on the field type, a
value for that field (certain field types do not require an explicit value). The exact syntax for field
specifications is described in authcap(4). Field specification is consistent for all system authentication
databases. The keyword field identifiers supported by the protected password database file and their
associated function are given in the following descriptions:
u_name      This is the user name for the account, which must match the name of the file and
            the user name from the corresponding /etc/passwd entry.
u_id        This is the user id for the account, which must match the user id field of the
            corresponding /etc/passwd entry.
u_pwd       This field contains the encrypted password for the account if the account has a
            password.
u_owner     This field contains the owner of the account.
u_bootauth  If this field exists and contains a value greater than zero (typically 1), and the
            boot authenticate flag is set in the system default file, then this user has
            authority to boot the system. If the boot authenticate flag is not set in the
            system default file, then this field is not used.
u_audid     This field contains the audit ID for the user.
u_auditflag This field contains the audit flag for the user.
u_minchg    This field specifies the minimum password change time in seconds. If non-zero, the
            password cannot be changed until the specified number of seconds since the last
            successful password change have passed, unless the person changing the password
            is authorized to override this constraint.
u_maxlen    This field specifies the maximum length of the user account password and should
            be less than the system-wide maximum value defined by the <prot.h> constant
            AUTH_MAX_PASSWD_LENGTH.
u_exp       This field is a time_t value that specifies when the account password will expire.
            When a password expires, system authentication programs will request that the
            password be changed when the user logs into the system. If the password lifetime
            expires before the password is changed, the account will be locked.
u_life      This field is a time_t value that specifies the lifetime of a password. If this
            time is reached, the account will be locked and can only be unlocked by an
            authorized system administrator.
u_succhg    This field is a time_t value that indicates the time of the last successful
            password change. This field should only be set by programs that can be used to
            change the account password.
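As an added example (not part of the HP-UX manual or its tools), a small Python parser and audit for one protected password profile entry, checking the consistency rules described above. It assumes the termcap-style authcap(4) syntax (name=string, name#number, a bare keyword for a true boolean, keyword@ for false, chkent terminating the entry), treats u_exp and u_life as seconds counted from u_succhg, and uses an assumed value for AUTH_MAX_PASSWD_LENGTH; the sample entry is constructed.

```python
# Placeholder for the <prot.h> constant AUTH_MAX_PASSWD_LENGTH (assumed value).
AUTH_MAX_PASSWD_LENGTH = 40

def parse_prpwd(entry):
    """Parse one authcap(4)-style entry: name:field=str:field#num:boolfield:...:chkent:"""
    fields = {}
    for tok in entry.strip().split(":")[1:]:   # first token is the entry name
        if not tok or tok == "chkent":          # chkent terminates the entry
            continue
        if "=" in tok:                          # string field (checked first: values may contain '#')
            key, val = tok.split("=", 1)
            fields[key] = val
        elif "#" in tok:                        # numeric field
            key, val = tok.split("#", 1)
            fields[key] = int(val)
        elif tok.endswith("@"):                 # boolean explicitly false
            fields[tok[:-1]] = False
        else:                                   # bare keyword: boolean true
            fields[tok] = True
    return fields

def audit_prpwd(entry, filename, passwd_name, passwd_uid, now):
    """Check a profile against the prpwd(4) consistency rules; return a list of problems.
    An empty list means the profile matches /etc/passwd and the password is still valid.
    u_exp and u_life are treated as seconds counted from u_succhg (assumption)."""
    f = parse_prpwd(entry)
    problems = []
    if f.get("u_name") != filename:
        problems.append("u_name does not match profile file name")
    if f.get("u_name") != passwd_name or f.get("u_id") != passwd_uid:
        problems.append("u_name/u_id do not match the /etc/passwd entry; account invalid")
    if f.get("u_maxlen", 0) > AUTH_MAX_PASSWD_LENGTH:
        problems.append("u_maxlen exceeds AUTH_MAX_PASSWD_LENGTH")
    succhg = f.get("u_succhg", 0)
    if f.get("u_life") and now >= succhg + f["u_life"]:
        problems.append("password lifetime exceeded: account locked")
    elif f.get("u_exp") and now >= succhg + f["u_exp"]:
        problems.append("password expired: change required at next login")
    return problems

def password_change_allowed(entry, now, authorized=False):
    """u_minchg: refuse a change until the minimum interval since u_succhg has passed."""
    f = parse_prpwd(entry)
    return authorized or now >= f.get("u_succhg", 0) + f.get("u_minchg", 0)

# Constructed sample profile for user "alice" (not a real /tcb/files/auth/a/alice).
SAMPLE = ("alice:u_name=alice:u_id#501:u_pwd=*:u_minchg#86400:u_maxlen#16:"
          "u_exp#2592000:u_life#5184000:u_succhg#1000000000:chkent:")
```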
HP-UX Release 11i: December 2000