For your password information
passwd -s |
passwd -s -a |
passwd -s username |
-
Without password aging: username status
-
With password aging: username status mm/dd/yy min max warn expire inactive
|
Field |
Description |
For Further Information |
|---|---|---|
|
username
|
The user's login name. |
|
|
status
|
The user's password status. PS indicates the account has a password. LK indicates
the password is locked. NP indicates the account has no password. |
See "Locking a Password". |
|
mm/dd/yy
|
The date, based on Greenwich mean time, that the user's password was last changed. |
|
|
min
|
The minimum number of days since the last change that must pass before the password can be changed again. |
See "Setting Minimum Password Life". |
|
max
|
The maximum number of days the password can be used without having to change it. |
See "Setting a Password Age Limit". |
|
warn
|
The number of days' notice that users are given before their passwords have to be changed. |
See "Establishing a Warning Period". |
|
expire
|
A date on which users loose the ability to log in to their accounts. |
See "Password Privilege Expiration". |
|
inactive
|
A limit on the number of days that an account can go without being
logged in to. Once that limit is passed without a log in users can no
longer access their accounts. |
See "Specifying Maximum Number of Inactive Days". |
To display entries from a passwd table in another domain, use the -D option:
For all users in another domain
passwd -s -a -D domainname |
passwd -s -D domainname username
Changing Passwords
New passwords must meet the criteria described in "Password Requirements".Changing Your Own Password
To change your password, type
station1% passwd |
Changing Someone Else's Password
To change someone else' password, use:To change another user's password in the same domain
passwd username |
passwd -D domainname username |
Changing Root's Password
When changing root's password, you must always run chkey -p immediately after changing the password with the passwd command. Failure to run chkey -p after changing root's password will result in root being unable to properly log in.To change a root password, follow these steps:
-
Log in as root.
-
Change root's password using passwd.
Do not use nispasswd.
-
Run chkey -p.
You must use the -p option.
Locking a Password
When operating in an NIS+ environment (see "The passwd Command and "NIS+ Environment""), an administrator (a group member) with modify rights to a user's entry in the passwd table can use the passwd command to lock a password. An account with a locked password cannot be used. When a password is locked, the user will receive a Login incorrect message after each login attempt.Keep in mind that locked passwords have no effect on users who are already logged in. A locked password only prevents users from performing those operations that require giving a password such as login, rlogin, ftp, or telnet.
Note also that if a user with a locked password is already logged in, and that user uses the passwd command to change passwords, the lock is broken.
You can use this feature to:
-
Temporarily lock a user's password while that user is on vacation or
leave. This prevents anyone from logging in as the absent user.
-
Immediately lock one or more user passwords in the case of suspected security problem.
-
Quickly lock a dismissed employee out of the system. This is quicker
and easier than eliminating that user's account and is an easy way of
preserving any data stored in that account.
-
If you have assigned passwords to UNIX processes, you can lock those
passwords. This allows the process to run, but prevents anyone from
logging in as those processes even if they know the process password.
(In most cases, processes would not be set up as NIS+ principals, but
would maintain their password information in /etc files. In such a case you would have to run the passwd command in files mode to lock /etc stored passwords.)
passwd -l username |
Unlocking a Password
To unlock a user's password, you simply change it. You can "change" it back to the exact same password that it was when it was locked. Or you can change it to something new.For example, to unlock jody's password, you would enter:
station1% passwd jody |
Managing Password Aging
Password aging is a mechanism you can use to force users to periodically change their passwords.Password aging allows you to:
-
Force a user to choose a new password the next time the user logs in. (See "Forcing Users to Change Passwords" for details.)
-
Specify a maximum number of days that a password can be used before it has to be changed. (See "Setting a Password Age Limit" for details.)
-
Specify a minimum number of days that a password has to be in existence before it can be changed. (See "Setting Minimum Password Life" for details.)
-
Specify that a warning message be displayed whenever a user logs in a
specified number of days before the user's password time limit is
reached. (See "Establishing a Warning Period" for details.)
-
Specify a maximum number of days that an account can be inactive. If
that number of days pass without the user logging in to the account, the
user's password will be locked. (See "Specifying Maximum Number of Inactive Days" for details.)
-
Specify an absolute date after which a user's password cannot be
used, thus denying the user the ability to log on to the system. (See "Password Privilege Expiration" for details.)
Password aging limitations and activities are only activated when a user logs in or performs one of the following operations:
-
login
-
rlogin
-
telnet
-
ftp
Forcing Users to Change Passwords
There are two ways to force a user to change passwords the next time the user logs in:Force change keeping password aging rules in effect
passwd -f username |
passwd -x 0 username |
Setting a Password Age Limit
The -max argument to the passwd command sets an age limit for the current password. In other words, it specifies the number of days that a password remains valid. After that number of days, a new password must be chosen by the user. Once the maximum number of days have passed, the next time the user tries to login with the old password a Your password has been expired for too long message is displayed and the user is forced to choose a new password in order to finish logging in to the system.The max argument uses the following format:
passwd -x max username |
-
username is the login ID of the user
-
max is one of the following values:
-
Greater than zero. Any number greater than zero sets that number of days before the password must be changed.
-
Zero (0). A value of zero (0) forces the user to change passwords the next time the user logs in, and it then turns off password aging.
-
Minus one (-1). A value of minus one (-1) turns off password aging. In other words, entering passwd -x -1 username cancels any previous password aging applied to that user.
-
Greater than zero. Any number greater than zero sets that number of days before the password must be changed.
station1% passwd -x 45 schweik |
Setting Minimum Password Life
The min argument to the passwd command specifies the number of days that must pass before a user can change passwords. If a user tries to change passwords before the minimum number of days has passed, a Sorry less than N days since the last change message is displayed.The min argument uses the following format:
passwd -x max -n min username |
-
username is the login ID of the user
-
max is the maximum number of days a password is valid as described in the section above
-
min is the minimum number of days that must pass before the password can be changed.
station1% passwd -x 45 -n 7 eponine |
-
You do not have to use a min argument or specify a minimum number of days before a password can be changed.
-
If you do use the min argument, it must always be used in conjunction with the -max argument. In other words, in order to set a minimum value you must also set a maximum value.
-
If you set min to be greater than max, the user is unable to change passwords at all. For example, the command passwd -x 7 -n 8 prevents the user from changing passwords. If the user tries to change passwords, the You may not change this password message is displayed. Setting the min value greater than the max value has two effects:
-
The user is unable to change password. In this case, only someone
with administer privileges could change the password. For example, in
situations where multiple users share a common group password, setting
the min value for that password greater than the max value would prevent any individual user from changing the group password.
-
The password is only valid for the length of time set by the max value, but the user cannot change it because the min value is greater than the max value. Thus, there is no way for the user to prevent the password from becoming invalid at the expiration of the max time period. In effect, this prevents the user from logging in after the max time period unless an administrator intervenes.
-
The user is unable to change password. In this case, only someone
with administer privileges could change the password. For example, in
situations where multiple users share a common group password, setting
the min value for that password greater than the max value would prevent any individual user from changing the group password.
Establishing a Warning Period
The warn argument to the passwd command specifies the number of days before a password reaches its age limit that users will start to seeing a Your password will expire in N days message (where N is the number of days) when they log in.For example, if a user's password has a maximum life of 30 days (set with the -max argument) and the warn value is set to 7 days, when the user logs in on the 24th day (one day past the warn value) the warning message Your password will expire in 7 days is displayed. When the user logs in on the 25th day the warning message Your password will expire in 6 days is displayed.
Keep in mind that the warning message is not sent by Email or displayed in a user's console window. It is displayed only when the user logs in. If the user does not log in during this period, no warning message is given.
Keep in mind that the warn value is relative to the max value. In other words, it is figured backwards from the deadline set by the max value. Thus, if the warn value is set to 14 days, the Your password will expire in N days message will begin to be displayed two weeks before the password reaches its age limit and must be changed.
Because the warn value is figured relative to the max value, it only works if a max value is in place. If there is no max value, warn values are meaningless and are ignored by the system.
The warn argument uses the following format:
passwd -x max -w warn username |
-
username is the login ID of the user.
-
max is the maximum number of days a password is valid as described on "Setting a Password Age Limit".
-
warn is the number of days before the password reaches its age limit that the warning message will begin to be displayed.
station1% passwd -x 45 -w 5 nilovna |
-
You do not have to use the warn argument or specify a warning message. If no warn value is set, no warning message is displayed prior to a password reaching its age limit.
-
If you do use the warn argument, it must always be used in conjunction with the max argument. In other words, in order to set a warning value you must also set a maximum value.
Note - You can also use Solstice AdminSuiteTM to set a warn value for a user's password.
Turning Off Password Aging
There are two ways to turn off password aging for a given user:Turn off aging while allowing user to retain current password
passwd -x -1 username |
passwd -x 0 username |
For example, to force the user mendez to change passwords the next time he logs in and then turn off password aging you would type the command:
station% passwd -x 0 mendez |
Note - You can also use Solstice AdminSuiteTM to set this parameter for a user's password.
You can also use the nistbladm command to set this value. For example, to turn off password aging for the user otsu and allow her to continue using her current password, you would type:
station1% nistbladm -m `shadow=0:0:-1:0:0:0:0' [name=otsu],passwd.org_dir |
Password Privilege Expiration
You can set a specific date on which a user's password privileges expires. When a user's password privilege expires, that user can no longer have a valid password at all. In effect, this locks the user out of the system after the given date because after that date the user can no longer log in.For example, if you specify an expire date of December 31, 1997, for a user named pete, on January 1, 1998 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt he will receive a Login incorrect message.
Password Aging Versus Expiration
Expiration of a user's password privilege is not the same as password aging.-
Password aging. A password that has not been changed for longer than the aging time limit is sometimes referred to as an expired password. But that password can still be used to log in one more time. As part of that last login process the user is forced to choose a new password.
-
Expiration of password privilege. When a user's password privilege expires, the user cannot log in at all with any password.) In other words, it is the user's permission to log in to the network that has expired.
Setting an Expiration Date
Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no affect until the user logs out or tries to use rlogin or telnet to connect to another machine at which time the user will not be able to log in again. Thus, if you are going to implement password privilege expiration dates, you should require your users to log out at the end of each day's work session.Note - If you have Solstice AdminSuiteTM tools available, do not use nistbladm to set an expiration date. Use Solstice AdminSuiteTM tools because they are easier to use and provide less chance for error.
To set an expiration date with the nistbladm command:
nistbladm -m `shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir |
-
login is the user's login ID
-
n indicates the values in the other fields of the shadow column.
-
n6 is the date on which the user's password privilege
expires. This date is entered as a number of days since January 1, 1970
(see Table 11-2). n6 can be one of the following values:
-
Minus one (-1). A value of minus one (-1) turns off the
expiration feature. If a user's password has already expired, changing
this value to -1 restores (un-expires) it. If you do not want to set any
expiration date, type -1 in this field.
-
Greater than zero. A value greater than zero sets the expiration
date to that number of days since 1/1/70. If you enter today's date or
earlier, you immediately expire the user's password.
-
Minus one (-1). A value of minus one (-1) turns off the
expiration feature. If a user's password has already expired, changing
this value to -1 restores (un-expires) it. If you do not want to set any
expiration date, type -1 in this field.
station1% nistbladm -m `shadow=n:n:n:n:n:9493:n' [name=pete],passwd.org_dir |
Caution - All of the fields must be filled in with valid values.Turning Off Password Privilege Expiration
To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:
station1% nistbladm -m `shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir |
Specifying Maximum Number of Inactive Days
You can set a maximum number of days that a user can go without logging in on a given machine. Once that number of days passes without the user logging in, that machine will no longer allow that user to log in. In this situation, the user will receive a Login incorrect message after each login attempt.This feature is tracked on a machine-by-machine basis, not a network-wide basis. That is, in an NIS+ environment, you specify the number of days a user can go without logging in by placing an entry for that user in the passwd table of the user's home domain. That number applies for that user on all machines on the network.
For example, suppose you specify a maximum inactivity period of 10 days for the user sam. On January 1, sam logs in to both machine-A and machine-B, and then logs off both machines. Four days later on January 4, sam logs in on machine-B and then logs out. Nine days after that on January 13, sam can still log in to machine-B because only 9 days have elapsed since the last time he logged in on that machine, but he can no longer log in to machine-A because thirteen days have passed since his last log in on that machine.
Keep in mind that an inactivity maximum cannot apply to a machine the user has never logged in to. No matter what inactivity maximum has been specified or how long it has been since the user has logged in to some other machine, the user can always log in to a machine that the user has never logged in to before.
Caution - Do
not set inactivity maximums unless your users are instructed to log out
at the end of each workday. The inactivity feature only relates to
logins; it does not check for any other type of system use. If a user
logs in and then leaves the system up and running at the end of each
day, that user will soon pass the inactivity maximum because there has
been no login for many days. When that user finally does reboot or log
out, he or she won't be able to log in.Note - If you have Solstice AdminSuiteTM tools available, do not use nistbladm to set an inactivity maximum. Use Solstice AdminSuite tools because they are easier to use and provide less chance for error.
To set a login inactivity maximum, you must use the nistbladm command in the format:
nistbladm -m `shadow=n:n:n:n:n5:n:n' [name=login],passwd.org_dir |
-
login is the user's login ID
-
n indicates the values in the other fields of the shadow column.
-
n5 is the number of days the user is allowed to go between logins. Inactive can be one of the following values:
-
Minus one (-1). A value of minus one (-1) turns off the
inactivity feature. The user can be inactive for any number of days
without losing login privileges. This is the default.
-
Greater than zero. A value greater than zero sets the maximum inactive period to that number of days.
-
Minus one (-1). A value of minus one (-1) turns off the
inactivity feature. The user can be inactive for any number of days
without losing login privileges. This is the default.
station1% nistbladm -m `shadow=n:n:n:n:n:7:n:n' [name=sam],passwd.org_dir |
Specifying Password Criteria and Defaults
The following subsections describe various password-related defaults and general criteria that you can specify.The /etc/defaults/passwd File
The /etc/defaults/passwd file is used to set four general password defaults for users whose nsswitch.conf file points to files. The defaults set by the /etc/defaults/passwd file apply only to those users whose operative password information is taken from /etc files; they do not apply to anyone using either NIS maps or NIS+ tables. An /etc/defaults/passwd file on an NIS+ server only affects local users who happen to be obtaining their password information from those local files. An /etc/defaults/passwd file on an NIS+ server has no effect on the NIS+ environment or users whose nsswitch.conf file points to either nis or nisplus.The four general password defaults governed by the /etc/defaults/passwd file are:
-
Maximum number of weeks the password is valid
-
Minimum number of weeks the password is valid
-
The number of weeks before the password becomes invalid that the user is warned
-
The minimum number of characters that a password must contain
-
For users who obtain password information from local /etc files, individual password aging maximums, minimums and warnings set by the password command or Solstice AdminSuite or AdminTool override any /etc/defaults/passwd defaults. In other words, defaults set in the /etc/defaults/passwd file are not only applied to those users who do not have corresponding individual settings in their entries in their passwd table.
-
Except for password length, all the /etc/defaults/passwd file defaults are expressed as a number of weeks. (Remember that individual password aging times are expressed as a number of days.)
-
The MAXWEEKS, MINWEEKS, and WARNWEEKS defaults are all counted forward from the date of the user's last password change. (Remember that individual warn values are counted backwards from the maximum date.)
MAXWEEKS= MINWEEKS= PASSLENGTH= |
MAXWEEKS=4 MINWEEKS= PASSLENGTH= |
Maximum weeks
You can use the MAXWEEKS default in the /etc/defaults/passwd file to set the maximum number of weeks that a user's password is valid. To set a default maximum time period, type the appropriate number of weeks after the equal sign in the MAXWEEKS= line:
MAXWEEKS=N |
Minimum Weeks
You can use the MINWEEKS default in the /etc/defaults/passwd file to set the minimum nuber of weeks that must pass before a user can change passwords. To set a default minimum time period, type the appropriate number of weeks after the equal sign on the MINWEEKS= line:
MINWEEKS=N |
Warning Weeks
You can add a WARNWEEKS default to the /etc/defaults/passwd file set the number of weeks prior to a password becoming invalid due to aging that user is warned. for example, if you have set the MAXWEEKS default to 9, and you want users to be warned two weeks before their passwords become invalid, you would set the MAXWEEKS default to 7.There is no point in setting the WARNWEEKS default unless you also set a MAXWEEKS default.
Remember that WARNWEEKS are counted forward from the date of the user's last password change, not backwards from the MAXWEEKS expiration date. Thus, WARNWEEKS must always be less than MAXWEEKS and cannot be equal to or greater than MAXWEEKS .
A WARNWEEKS default will not work unless there is also a MAXWEEKS default.
To set the warning time period, type the appropriate number of weeks after the equal sign on the WARNWEEKS= line.
WARNWEEKS=N |
Minimum Password Length
By default, the passwd command assumes a minimum length of six characters. You can use the PASSLENGTH default in the /etc/defaults/passwd files to change that by setting the minimum number of characters that a user's password must contain to some other number.To set the minimum number of characters to something other than six, type the appropriate number of characters after the equal sign in the PASSLENGTH= line:
PASSLENGTH=N |
Password Failure Limits
You can specify a number-of-tries limit or an amount-of-time limit (or both) for a user's attempt to change passwords. These limits are specified by adding arguments when starting the rpc.nispasswdd daemon.Limiting the number of attempts or setting a time frame provides a limited (but not foolproof) defense against unauthorized persons attempting to change a valid password to one that they discover through trial and error.
Maximum Number of Tries
To set the maximum number of times a user can try to change a password without succeeding, use the -a number argument with rpc.nispasswdd, where number is the number of allowed tries. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)For example, to limit users to no more than four attempts (the default is 3), you would type:
station1# rpc.nispasswdd -a 4 |
Maximum Login Time Period
To set the maximum amount a time a user can take to successfully change a password, use the -c minutes argument with rpc.nispasswdd, where minutes is the number of minutes a user has to log in. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)For example, to specify that users must successfully log in within 2 minutes, you would type:
station1# rpc.nispasswdd -c 2 |
- © 2010, Oracle Corporation and/or its affiliates
