HP-UX Reference (11i v1 05/09) - 4 File Formats (vol 8)
passwd(4) passwd(4)
remaining two characters define the week when the password was last changed (a null string is equivalent
to zero). M and m have numerical values in the range 0 through 63 that correspond to the 64-character set
of "digits" shown above.

If m = M = 0 (derived from the string . or ..), the user is forced to change his password next time he logs
in (and the "age" disappears from his entry in the password file). If m > M (signified, for example, by the
string ./), then only a superuser (not the user) can change the password. Not allowing the user to ever
change the password is discouraged.
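The following is an added example, not text or code from the HP-UX manual: it decodes the aging suffix of a passwd(4) password field ("encrypted,MmWW") and reports which of the three cases above applies. It assumes the 64-character "digit" set referred to above is the usual a64l alphabet (. / 0-9 A-Z a-z, valued 0 through 63 in that order) and that the two week characters form a base-64 number with the low-order character first; the sample fields are constructed and the hash text is a placeholder.

```python
# Added example (not from the HP-UX manual): decode the password-aging suffix
# of a passwd(4) entry and report the policy the manual page describes.

# The 64-character "digit" set, in the order the manual refers to (assumed to
# be the usual a64l alphabet: '.' = 0, '/' = 1, '0'-'9' = 2-11,
# 'A'-'Z' = 12-37, 'a'-'z' = 38-63).
AGING_DIGITS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def digit_value(ch):
    """Numeric value (0..63) of one aging 'digit'."""
    return AGING_DIGITS.index(ch)


def decode_aging(password_field):
    """Return a dict describing the aging data in 'encrypted,MmWW'.

    Returns None when the field carries no aging information (no comma).
    Missing characters count as zero, as the manual states for a null string.
    """
    if "," not in password_field:
        return None
    encrypted, aging = password_field.split(",", 1)
    if len(aging) > 4 or any(c not in AGING_DIGITS for c in aging):
        raise ValueError("malformed aging field: %r" % aging)
    max_weeks = digit_value(aging[0]) if len(aging) > 0 else 0   # M
    min_weeks = digit_value(aging[1]) if len(aging) > 1 else 0   # m
    week_chars = aging[2:4]
    # Assumption: the two week characters are a base-64 number, low-order
    # character first (a64l convention); a null string is week 0.
    last_change_week = sum(digit_value(c) * 64 ** i
                           for i, c in enumerate(week_chars))

    if max_weeks == 0 and min_weeks == 0:
        policy = "must change at next login"
    elif min_weeks > max_weeks:
        policy = "only the superuser can change"   # discouraged by the manual
    else:
        policy = ("user may change after %d week(s); must change after %d week(s)"
                  % (min_weeks, max_weeks))

    return {
        "encrypted": encrypted,
        "max_weeks": max_weeks,
        "min_weeks": min_weeks,
        "last_change_week": last_change_week,
        "policy": policy,
    }


if __name__ == "__main__":
    # Constructed sample fields; HASHPLACEHOLDER stands in for an encrypted password.
    for field in ("HASHPLACEHOLDER,..", "HASHPLACEHOLDER,./",
                  "HASHPLACEHOLDER,A2Bq", "HASHPLACEHOLDER"):
        print(field, "->", decode_aging(field))
```

Running the block shows the ".." case (forced change), the "./" case (superuser only, because m = 1 > M = 0) and an ordinary "A2Bq" field, which decodes to M = 12 weeks, m = 4 weeks and last-change week 3469 under the assumed byte order.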
SECURITY FEATURES
This section applies only to trusted systems. On a trusted system the password field always contains * by
default. Password and aging information are instead part of the Protected Password Database.

On trusted systems, the encrypted password for each user is stored in the file /tcb/files/auth/c/user_name
(where c is the first letter in user_name). Password information files are not accessible to the public.
The encrypted password can be longer than 13 characters. For example, the password file for user david is
stored in /tcb/files/auth/d/david. In addition to the password, the user profiles in /tcb/files/auth/*/*
also have many other fields, including:

• numerical audit ID
• numerical audit flag

Like /etc/passwd, this file is an ASCII file. Fields within each user's entry are separated by colons.
Refer to authcap(4) and prpwd(4) for details. The passwords contained in /tcb/files/auth/*/* take
precedence over those contained in the encrypted password field of /etc/passwd. User authentication is
done using the encrypted passwords in this file. For a description of the password aging mechanism, see
the SECURITY FEATURES section of passwd(1).

For more information about passwords and converting to a trusted system, see Managing Systems and
Workgroups and sam(1M).
NETWORKING FEATURES
NIS
The passwd file can have entries that begin with a plus (+) or minus (-) sign in the first column. Such
lines are used to access the Network Information System database. A line beginning with a plus (+) is used
to incorporate entries from the Network Information System. There are three styles of + entries:

+ Insert the entire contents of the Network Information System password file at that point.
+name Insert the entry (if any) for name from the Network Information System at that point.
+@name Insert the entries for all members of the network group name at that point.

If a + entry has a non-null password, directory, gecos, or shell field, they override what is contained in the
Network Information System. The numerical user ID and group ID fields cannot be overridden.

The passwd file can also have lines beginning with a minus (-), which disallow entries from the Network
Information System. There are two styles of - entries:

-name Disallow any subsequent entries (if any) for name.
-@name Disallow any subsequent entries for all members of the network group name.
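The following is an added example, not text or code from the HP-UX manual: it resolves the effective user list of a passwd file that uses the +, +name, +@name, -name and -@name entries described above, applying the override rule (non-null password, gecos, directory and shell fields of a + entry win; uid and gid always come from NIS). The NIS passwd map and netgroup map are constructed stand-ins, and two points the text leaves open are assumptions made here: a minus entry suppresses only NIS-derived entries that are inserted later in the file, and when a name is produced twice the first occurrence wins (matching a first-match lookup).

```python
# Added example (not from the HP-UX manual): resolve the effective entries of a
# passwd(4) file that contains NIS '+' and '-' lines.

# Constructed stand-in for the NIS passwd map (name -> passwd line).
NIS_PASSWD = {
    "alice": "alice:NISHASH1:1001:100:Alice:/home/alice:/usr/bin/ksh",
    "bob":   "bob:NISHASH2:1002:100:Bob:/home/bob:/usr/bin/sh",
    "carol": "carol:NISHASH3:1003:200:Carol:/home/carol:/usr/bin/csh",
}
# Constructed stand-in for the NIS netgroup map (group -> member user names).
NETGROUPS = {"ops": ["bob", "carol"]}

FIELDS = ("name", "password", "uid", "gid", "gecos", "dir", "shell")
# Fields a '+' entry may override; uid and gid are deliberately excluded.
OVERRIDABLE = ("password", "gecos", "dir", "shell")


def split_entry(line):
    """Split a colon-separated passwd line into a dict, padding missing fields."""
    parts = line.split(":")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts[:len(FIELDS)]))


def merge(nis_line, override):
    """Apply the non-null overridable fields of a '+' entry to a NIS entry."""
    entry = split_entry(nis_line)
    for field in OVERRIDABLE:
        if override[field]:
            entry[field] = override[field]
    return entry            # uid and gid stay as NIS supplied them


def names_for(key, nis_passwd, netgroups):
    """Expand the name part of a '+'/'-' entry: '', 'name' or '@netgroup'."""
    if key == "":
        return list(nis_passwd)
    if key.startswith("@"):
        return netgroups.get(key[1:], [])
    return [key]


def resolve(local_lines, nis_passwd=NIS_PASSWD, netgroups=NETGROUPS):
    """Return the effective entries (list of dicts) in file order."""
    result, seen, disallowed = [], set(), set()

    def add(entry):
        # Assumption: first occurrence of a name wins, as in a first-match lookup.
        if entry["name"] in disallowed or entry["name"] in seen:
            return
        seen.add(entry["name"])
        result.append(entry)

    for raw in local_lines:
        line = raw.strip()
        if not line:
            continue
        if line[0] == "-":
            # Assumption: '-' suppresses NIS entries inserted later in the file.
            key = line.split(":")[0][1:]
            disallowed.update(names_for(key, nis_passwd, netgroups))
        elif line[0] == "+":
            override = split_entry(line)
            key = override["name"][1:]
            for name in names_for(key, nis_passwd, netgroups):
                if name in nis_passwd:
                    add(merge(nis_passwd[name], override))
        else:
            add(split_entry(line))
    return result


if __name__ == "__main__":
    # Constructed local passwd file: a local root, a disallow for carol, a
    # per-user override for bob, the ops netgroup, then everything else.
    sample = [
        "root:LOCALHASH:0:3::/:/sbin/sh",
        "-carol",
        "+bob:::::/export/bob:/usr/bin/ksh",
        "+@ops",
        "+::::::",
    ]
    for e in resolve(sample):
        print(":".join(e[f] for f in FIELDS))
```

With the sample file, root comes from the local line, bob is taken from NIS with the directory and shell overridden but uid 1002 kept, carol is dropped because the -carol line precedes both +@ops and the full +, and alice arrives through the final + line.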
NIS Warnings
The plus (+) and minus (-) features are NIS functionality; therefore, if NIS is not installed, they do not
work. Also, these features work only with /etc/passwd, but not with a system that has been converted
to a trusted system. When the system has been converted to a trusted system, the encrypted passwords
can be accessed only from the protected password database, /tcb/files/auth/*/*. Any user entry
in the Network Information System database also must have an entry in the protected password database.

The uid of −2 is reserved for remote root access by means of NFS. The user name usually given to this uid
is nobody. Since uids are stored as signed values, the following define is included in <pwd.h> to match
the user nobody:

UID_NOBODY (-2)
WARNINGS
The login shell for the root user (uid 0) must be /sbin/sh to guarantee the system can always boot.
Other shells such as sh, ksh, and csh are all located under the /usr directory which may not be mounted
HP-UX 11i Version 1: September 2005 − 2 − Hewlett-Packard Company Section 4−−201