HP-UX Reference (11i v2 07/12) - 1 User Commands N-Z (vol 2)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

121

122

123

124

125

126

127

128

129

130

passwd(1) passwd(1)

Password Aging

The following description applies to all repositories except nis, which does not support password aging.

The system requires a minimum time to elapse before a password can be changed. This prevents reuse of

an old password within too brief a period of time. System warnings are displayed as the expiration time

approaches.

A password is no longer usable after a time period known as the password lifetime. After the lifetime

passes, the account is locked until it is re-enabled by a system administrator. Once unlocked, the user is

forced to change the password before using the account.

The

-n min and -x max arguments are each represented in units of days. These arguments are

rounded up to the nearest week on a standard system. If only one of the two arguments is supplied and the

other argument does not exist, then the number of days is set to zero.

Default values may be set in the /etc/default/security

ﬁle for the -n min, -x max, and -w

warn

options. See security(4). The attributes to select password aging defaults are:

PASSWORD_MINDAYS

PASSWORD_MAXDAYS

PASSWORD_WARNDAYS

Password Construction Requirements

Passwords must be constructed to meet the following requirements:

• On an untrusted system, only the ﬁrst eight characters of a password are signiﬁcant.

• On an untrusted system, passwords of non-root users must have at least six characters. On a trusted

system, passwords of all users must have at least six characters. This restriction on the password

length can be increased to a value larger than six. Refer to the security(4) manual page for detailed

information on conﬁgurable attributes that affect the behavior of this command. The attribute to

select the minimum password length is

MIN_PASSWORD_LENGTH

• Characters must be from the 7-bit US-ASCII character set; letters from the English alphabet.

• A password must contain at least two letters and at least one numeric or special character.

• A password must differ from the user’s login name and any reverse or circular shift of that login

name. For comparison purposes, an uppercase letter and its corresponding lowercase equivalent are

treated as identical.

• A new password must differ from the old one by at least three characters (one character for non super

user if changed by the super user in a trusted system).

Repository Conﬁguration

The

/etc/nsswitch.conf

ﬁle speciﬁes the repositories for which the password must be modiﬁed. The

following conﬁgurations are supported:

• passwd: ﬁles

• passwd: ﬁles nisplus

• passwd: ﬁles nis

• passwd: compat (--> ﬁles nis)

• passwd: compat (--> ﬁles nisplus)

• passwd_compat: nisplus

Authorizations

When the Role-Based Access Control product (RBAC) version B.11.23.04 (or later) is installed, users with

speciﬁc authorizations can be granted access to some of the

passwd options that normally require

privileged user access when the ﬁles or NIS repositories are used. Refer to rbac(5) for more information on

the Role-Based Access Control product. Following is a list of the required authorizations for running

passwd with particular options:

hpux.security.password, change

Allows a user modify the password of any non-root user.

128 Hewlett-Packard Company − 3 − HP-UX 11i Version 2: December 2007 Update