HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

passwd(4) passwd(4)
remaining two characters define the week when the password was last changed (a null string is equivalent
to zero). M and m have numerical values in the range 0 through 63 that correspond to the 64-character set
of "digits" shown above.

If m = M = 0 (derived from the string . or ..), the user is forced to change his password next time he logs
in (and the "age" disappears from his entry in the password file). If m > M (signified, for example, by the
string ./), then only a superuser (not the user) can change the password. Not allowing the user to ever
change the password is discouraged.
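The aging rules above are easy to misread when auditing a password file by hand, so here is a decoder for the part of the encrypted-password field after the comma. It is an added example written for this page, not HP-UX code. It assumes the 64-character "digit" set referred to above is the crypt(3) alphabet ./0-9A-Za-z in that order (. = 0, / = 1, 0-9 = 2..11, A-Z = 12..37, a-z = 38..63) and that the two week characters are read least-significant character first, as a64l(3) reads them; the sample fields are constructed.

```python
"""Decode the password-aging suffix that passwd(4) describes.

Added example for this man page; it is not HP-UX code.  Assumptions:
the 64-character digit set is ./0-9A-Za-z in that order, and the two
week characters are read least-significant character first (a64l(3)).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DIGITS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
EPOCH = date(1970, 1, 1)  # weeks are counted from the beginning of 1970


def digit_value(ch: str) -> int:
    """Map one aging character to 0..63; anything else is a corrupt field."""
    value = DIGITS.find(ch)
    if value < 0:
        raise ValueError(f"not an aging digit: {ch!r}")
    return value


@dataclass(frozen=True)
class Aging:
    max_weeks: int              # M: maximum weeks the password stays valid
    min_weeks: int              # m: minimum weeks before it may be changed
    last_change_week: int       # weeks since 1970-01-01 of the last change
    must_change_at_login: bool  # m = M = 0: forced change at next login
    superuser_only: bool        # m > M: only a superuser can change it

    @property
    def last_change(self) -> date:
        return EPOCH + timedelta(weeks=self.last_change_week)


def decode_aging(password_field: str) -> Optional[Aging]:
    """Decode the part after the comma in the encrypted-password field.

    Returns None when the field carries no aging information (no comma),
    which is also what a trusted system's '*' placeholder yields.
    """
    if "," not in password_field:
        return None
    age = password_field.split(",", 1)[1]
    if len(age) > 4:
        raise ValueError("aging string is at most four characters")
    # Missing characters count as zero: "." means M=0, m=0, week 0.
    values = [digit_value(c) for c in age] + [0] * (4 - len(age))
    max_weeks, min_weeks, week_lo, week_hi = values
    return Aging(
        max_weeks=max_weeks,
        min_weeks=min_weeks,
        last_change_week=week_lo + 64 * week_hi,
        must_change_at_login=(max_weeks == 0 and min_weeks == 0),
        superuser_only=(min_weeks > max_weeks),
    )


def describe(password_field: str) -> str:
    """One-line summary suitable for an audit script over /etc/passwd."""
    aging = decode_aging(password_field)
    if aging is None:
        return "no aging"
    if aging.must_change_at_login:
        return "change forced at next login"
    if aging.superuser_only:
        return "locked: only a superuser can change it (discouraged)"
    return (f"max {aging.max_weeks}w, min {aging.min_weeks}w, "
            f"last changed week {aging.last_change_week} "
            f"({aging.last_change.isoformat()})")


if __name__ == "__main__":
    # Constructed sample fields: a 13-character hash plus the aging suffix.
    for field in ("abJnggxhB/yWI", "abJnggxhB/yWI,..",
                  "abJnggxhB/yWI,./", "abJnggxhB/yWI,A/3W"):
        print(f"{field:22} -> {describe(field)}")
```

Running the module over every second field of /etc/passwd flags the two states the text singles out: entries whose owner is forced to change at next login, and entries that only a superuser can change.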
SECURITY FEATURES
This section applies only to trusted systems. Note that HP-UX 11i Version 3 is the last release to support
trusted systems functionality.
On a trusted system the password field always contains * by default. Password and aging information are
instead part of the Protected Password Database.
On trusted systems, the encrypted password for each user is stored in the file /tcb/files/auth/c/user_name
(where c is the first letter in user_name). Password information files are not accessible to the public.
The encrypted password can be longer than 13 characters. For example, the password file for user david is
stored in /tcb/files/auth/d/david. In addition to the password, the user profiles in /tcb/files/auth/*/*
also have many other fields, including:

     numerical audit ID
     numerical audit flag

Like /etc/passwd, this file is an ASCII file. Fields within each user’s entry are separated by colons.
Refer to authcap(4) and prpwd(4) for details. The passwords contained in /tcb/files/auth/*/* take
precedence over those contained in the encrypted password field of /etc/passwd. User authentication is
done using the encrypted passwords in this file. For a description of the password aging mechanism, see
the SECURITY FEATURES section of passwd(1).
For more information about passwords and converting to a trusted system, see HP-UX System
Administrator’s Guide and sam(1M).
NETWORKING FEATURES
NIS
The passwd file can have entries that begin with a plus (+) or minus (-) sign in the first column. Such
lines are used to access the Network Information System database. A line beginning with a plus (+) is used
to incorporate entries from the Network Information System. There are three styles of + entries:

     +        Insert the entire contents of the Network Information System password file at that point;
     +name    Insert the entry (if any) for name from the Network Information System at that point;
     +@name   Insert the entries for all members of the network group name at that point.

If a + entry has a non-null password, directory, gecos, or shell field, those fields override what is
contained in the Network Information System. The numerical user ID and group ID fields cannot be overridden.

The passwd file can also have lines beginning with a minus (-), which disallow entries from the Network
Information System. There are two styles of - entries:

     -name    Disallow any subsequent entries (if any) for name;
     -@name   Disallow any subsequent entries for all members of the network group name.
NIS Warnings
The plus (+) and minus (-) features are NIS functionality; therefore, if NIS is not installed, they do not
work. Also, these features work only with /etc/passwd.
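Because the order of + and - lines decides which NIS entry a name lookup finally sees, the merge rules above are worth exercising on a sample file. The following resolver is an added example written for this page, not HP-UX or NIS code. The NIS password map and the netgroup membership are constructed in-line in place of what ypcat(1) would return, netgroups are reduced to sets of user names, and lines with fewer than seven fields are accepted only for + and - entries.

```python
"""Resolve the effective password entries of an /etc/passwd that uses the
NIS + and - lines described in passwd(4).

Added example for this man page, not HP-UX or NIS code.  The NIS map and
netgroups below are constructed sample data.
"""
from typing import Dict, Iterable, List, Optional, Set

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")
OVERRIDABLE = ("passwd", "gecos", "dir", "shell")  # uid and gid are not

Entry = Dict[str, str]


def parse_entry(line: str) -> Entry:
    """Split one passwd line into its seven colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if parts[0][:1] in ("+", "-"):
        parts += [""] * (7 - len(parts))  # tolerate bare "+" or "-name"
    if len(parts) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    return dict(zip(FIELDS, parts))


def apply_override(nis: Entry, plus: Entry) -> Entry:
    """Non-null password, gecos, dir and shell fields of the + line win;
    the numerical uid and gid always come from NIS."""
    merged = dict(nis)
    for field in OVERRIDABLE:
        if plus[field]:
            merged[field] = plus[field]
    return merged


def merge_passwd(local_lines: Iterable[str], nis_map: Dict[str, Entry],
                 netgroups: Dict[str, Set[str]]) -> List[Entry]:
    """Walk /etc/passwd top to bottom, expanding + lines from the NIS map
    and honouring - lines for everything that follows them.  Duplicates are
    kept in order so that a name lookup returns the first match."""
    result: List[Entry] = []
    disallowed: Set[str] = set()

    def emit(entry: Entry) -> None:
        if entry["name"] not in disallowed:
            result.append(entry)

    def expand(names: Iterable[str], plus: Entry) -> None:
        for name in names:
            if name in nis_map:  # "+name" inserts the entry only if it exists
                emit(apply_override(nis_map[name], plus))

    for line in local_lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_entry(line)
        name = entry["name"]
        if name == "+":
            expand(nis_map.keys(), entry)
        elif name.startswith("+@"):
            expand(sorted(netgroups.get(name[2:], ())), entry)
        elif name.startswith("+"):
            expand([name[1:]], entry)
        elif name.startswith("-@"):
            disallowed.update(netgroups.get(name[2:], ()))
        elif name.startswith("-"):
            disallowed.add(name[1:])
        else:
            emit(entry)
    return result


def getpwnam(entries: List[Entry], name: str) -> Optional[Entry]:
    """First matching entry, as a name lookup over the merged file sees it."""
    return next((e for e in entries if e["name"] == name), None)


# Constructed sample data: a local file that blocks alice, pins bob's gecos
# (and tries, in vain, to change his uid), gives the ops netgroup ksh, and
# gives every other NIS user a non-login shell.
LOCAL_PASSWD = """\
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
-alice
+bob::9999::Bob (local override):/home/bob:
+@ops::::::/usr/bin/ksh
+::::::/usr/bin/false
""".splitlines()

NIS_PASSWD = {e["name"]: e for e in map(parse_entry, """\
alice:aLiCeHaSh12345:1001:20:Alice Example:/home/alice:/usr/bin/sh
bob:bObHaSh9876543:1002:20:Bob Example:/home/bob:/usr/bin/sh
carol:cArOlHaSh00000:1003:20:Carol Example:/home/carol:/usr/bin/sh
dave:dAvEhAsH555555:1004:20:Dave Example:/home/dave:/usr/bin/sh
""".splitlines())}

NETGROUPS = {"ops": {"alice", "carol"}}


def merged_sample() -> List[Entry]:
    return merge_passwd(LOCAL_PASSWD, NIS_PASSWD, NETGROUPS)


if __name__ == "__main__":
    for e in merged_sample():
        print(":".join(e[f] for f in FIELDS))
```

In the sample, alice never appears because the -alice line precedes both the +@ops and the catch-all + lines, bob keeps uid 1002 despite the 9999 in the + line, and dave (listed by nobody but the trailing +) ends up with /usr/bin/false.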
The uid of -2 is reserved for remote root access by means of NFS. The user name usually given to this uid
is nobody. Since uids are stored as signed values, the following define is included in <pwd.h> to match
the user nobody:

     #define UID_NOBODY (-2)
WARNINGS
The login shell for the root user (uid 0) must be /sbin/sh to guarantee the system can always boot.
Other shells such as sh, ksh, and csh are all located under the /usr directory which may not be mounted
during earlier stages of the bootup process. Changing the login shell of the root user to a value other than
304 Hewlett-Packard Company 2 HP-UX 11i Version 3: February 2007