Using Passwords

When logging in to a machine, users must enter both a user name (also known as a login ID) and a password. Although login IDs are publicly known, passwords must be kept secret by their owners.

Logging In

Logging in to a system is a two-step process:

1. Type your login ID at the Login: prompt.

2. Type your password at the Password: prompt. (To maintain password secrecy, your password is not displayed on your screen when you type it.)

If your login is successful you will see your system's message of the day (if any) and then your command-line prompt, windowing system, or normal application.

The Login incorrect Message

The Login incorrect message indicates that:

• You have entered the wrong login ID or the wrong password. This is the most common cause of the Login incorrect message. Check your spelling and repeat the process. Note that most systems limit to five the number of unsuccessful login tries you can make:

  · If you exceed a number of tries limit, you will get a Too many failures - try later message and not be allowed to try again until a designated time span has passed.

  · If you fail to successfully log in within a specified amount of time you will receive a Too many tries; try again later message, and not be allowed to try again until a designated time span has passed.

• Another possible cause of the Login incorrect message is that an administrator has locked your password and you cannot use it until it is unlocked. If you are sure that you are entering your login ID and password correctly, and you still get a Login incorrect message, contact your system administrator.
• Another possible cause of the Login incorrect message is that an administrator has expired your password privileges and you cannot use your password until your privileges are restored. If you are sure that you are entering your login ID and password correctly, and you still get a Login incorrect message, contact your system administrator.

The password expired Message

If you receive a Your password has expired message it means that your password has reached its age limit and expired. In other words, the password has been in use for too long and you must choose a new password at this time. (See "Choosing a Password" on page 142, for criteria that a new password must meet.)

In this case, choosing a new password is a three-step process:

1. Type your old password at the Enter login password (or similar) prompt.

   Your keystrokes are not shown on your screen.

2. Type your new password at the Enter new password prompt. Your keystrokes are not shown on your screen.

3. Type your new password again at the Re-enter new password prompt. Your keystrokes are not shown on your screen.

The will expire Message

If you receive a Your password will expire in N days message (where N is a number of days), or a Your password will expire within 24 hours message, it means that your password will reach its age limit and expire in that number of days (or hours).

In essence, this message is telling you to change your password now. (See "Changing Your Password" on page 140.)

The Permission denied Message

After entering your login ID and password, you may get a Permission denied message and be returned to the login: prompt. This means that your login attempt has failed because an administrator has either locked your password, or terminated your account, or your password privileges have expired. In these situations you cannot log in until an administrator unlocks your password or reactivates your account or privileges. Consult your system administrator.

Changing Your Password

To maintain security, you should change your password regularly. (See "Choosing a Password" on page 142" for password requirements and criteria.)

---

Note - The passwd command now performs all functions previously performed by nispasswd. For operations specific to a NIS+ name space, use passwd -r nisplus.

---

Changing your password is a four-step process:

1. Run the passwd command at a system prompt.

2. Type your old password at the Enter login password (or similar) prompt.

   Your keystrokes are not shown on your screen.

• If you receive a Sorry: less than N days since the last change message, it means that your old password has not been in use long enough and you will not be allowed to change it at this time. You are returned to your system prompt. Consult your system administrator to find out the minimum number of days a password must be in use before it can be changed.
• If you receive a You may not change this password message, it means that your network administrator has blocked any change.

3. Type your new password at the Enter new password prompt. Your keystrokes are not shown on your screen.

   At this point the system checks to make sure that your new password meets the requirements:

• If it does meet the requirements, you are asked to enter it again.
• If your new password does not meet the system requirements, a message is displayed informing you of the problem. You must then enter a new password that does meet the requirements.

See "Password Requirements" on page 142 for the requirements a password must meet.

4. Type your new password again at the Re-enter new password prompt. Your keystrokes are not shown on your screen.

   If your second entry of the new password is not identical to your first entry, you are prompted to repeat the process.

---

Note - When changing root's password, you must always run chkey -p immediately after changing the password. (See "Changing Root Keys From Root" on page 102 and "Changing Root Keys From Another Machine" on page 104 for information on using chkey -p to change root's keys.) Failure to run chkey -p after changing root's password will result in root being unable to properly log in.

---

Password Change Failures

Some systems limit either the number of failed attempts you can make in changing your password or the total amount of time you can take to make a successful change. (These limits are implemented to prevent someone else from changing your password by guessing your current password.)

If you (or someone posing as you) fails to successfully log in or change your password within the specified number of tries or time limit, you will get a Too many failures - try later or Too many tries: try again later message. You will not be allowed to make any more attempts until a certain amount of time has passed. (That amount of time is set by your administrator.)

Choosing a Password

Many breaches of computer security involve guessing another user's password. While the passwd command enforces some criteria for making sure the password is hard to guess, a clever person can sometimes figure out a password just by knowing something about the user. Thus, a good password is one that is easy for you to remember but hard for someone else to guess. A bad password is one that is so hard for you to remember that you have to write it down (which you are not supposed to do), or that is easy for someone who knows about you to guess.

Password Requirements

A password must meet the following requirements:

• Length. By default, a password must have at least six characters. Only the first eight characters are significant. (In other words, you can have a password that is longer than eight characters, but the system only checks the first eight.) Because the minimum length of a password can be changed by a system administrator, it may be different on your system.
• Characters. A password must contain at least two letters (either upper- or lower-case) and at least one numeral or symbol such as @,#,%. For example, you can use dog#food or dog2food as a password, but you cannot use dogfood.

• Not your login ID. A password cannot be the same as your login ID, nor can it be a rearrangement of the letters and characters of your login ID. (For the purpose of this criteria, upper and lower case letters are considered to be the same.) For example, if your login ID is Claire2 you cannot have e2clair as your password.
• Different from old password. Your new password must differ from your old one by at least three characters. (For the purpose of this criterion, upper-and lower-case letters are considered to be the same.) For example, if your current password is Dog#fooD you can change it to dog#Meat but you cannot change it to daT#Food.

Bad Choices for Passwords

Bad choices for passwords include:

• Any password based on your name
• Names of family members or pets
• Car license numbers
• Telephone numbers
• Social Security numbers
• Employee numbers
• Names related to a hobby or interest
• Seasonal themes, such as Santa in December
• Any word that is in a standard dictionary

Good Choices for Passwords

Good choices for passwords include:

• Phrases plus numbers or symbols (beam#meup)
• Nonsense words made up of the first letters of every word in a phrase plus a number or symbol (swotrb7 for SomeWhere Over The RainBow)
• Words with numbers, or symbols substituted for letters (sn00py for snoopy)

Administering Passwords

This section describes how to administer passwords in an NIS+ namespace.

---

Note - The passwd command now performs all functions previously performed by nispasswd. For operations specific to a NIS+ namespace, use passwd -r nisplus.

---

nsswitch.conf File Requirements

In order to properly implement the passwd command and password aging on your network, the passwd entry of the nsswitch.conf file on every machine must be correct. This entry determines where the passwd command will go for password information and where it will update password information.

Only five passwd configurations are permitted:

• passwd: files
• passwd: files nis
• passwd: files nisplus
• passwd: compat
• passwd: compat passwd_compat: nisplus

---

Caution - All of the nsswitch.conf files on all of your network's workstations must use one of the passwd configurations shown above. If you configure the passwd entry in any other way, users may not be able to log in.

---

The nispasswd Command

All functions previously performed by the nispasswd command are now performed by the passwd command. When issuing commands from the command line, you should use passwd, not nispasswd.

Note that nispasswd is still retained with all of its functionality for the purpose of backward compatibility.

The yppasswd Command

All functions previously performed by the yppasswd command are now performed by the passwd command. When issuing commands from the command line, you should use passwd, not yppasswd.

Note that yppasswd is still retained with all of its functionality for the purpose of backward compatibility.

The passwd Command

The passwd command performs various operations regarding passwords. The passwd command replaces the nispasswd command. You should use the passwd command for all activities which used to be performed with the nispasswd command. (See the passwd command man page for a complete description of all passwd flags, options, and arguments.)

The passwd command allows users to perform the following operations:

• Change their passwords
• List their password information

Administrators can use the passwd command to perform the following operations:

• Force users to change their passwords the next time the log in
• Lock a user's password (prevent it from being used)
• Set a minimum number of days before a user can change passwords
• Specified when a user is warned to change passwords
• Set a maximum number of days a password can be used without being changed

passwd and the nsswitch.conf File

The name service switch determines where the passwd command (and other commands) obtains and stores password information. If the passwd entry of the applicable nsswitch.conf file points to:

• nisplus. Password information will be obtained, modified, and stored in the passwd and cred tables of the appropriate domain.
• nis. Password information will be obtained, modified, and stored in passwd maps.

• files. Password information will be obtained, modified, and stored in the /etc/passwd and /etc/shadow files.

The passwd -r Option When you run the passwd command with the -r nisplus, -r nis, or -r files arguments, those options override the nsswitch.conf file setting. You will be warned that this is the case. If you continue, the -r option will cause the passwd command to ignore the nsswitch.conf file sequence and update the information in the password information storage location pointed to by the -r flag.

For example, if the passwd entry in the applicable nsswitch.conf file reads:

 passwd: files nisplus

files is the first (primary) source, and passwd run without the -r option will get its password information from the /etc/passwd file. If you run the command with the -r nisplus option, passwd will get its information from the appropriate NIS+ passwd table and make its changes to that table, not to the /etc/passwd file.

The -r option should only be used when you cannot use the nsswitch.conf file because the search sequence is wrong. For example, when you need to update password information that is stored in two places, you can use the order specified in the nsswitch.conf file for the first one, but for the second one you have to force the use of the secondary or tertiary source.

The message:

Your specified repository is not defined in the nsswitch file!

indicates that your change will be made to the password information in the repository specified by the -r option, but that change will not affect anyone until the nsswitch.conf file is changed to point to that repository. For example, suppose the nsswitch.conf file reads passwd: files nis and you use the -r nisplus option to establish password-aging limits in a NIS+ passwd table. Those password-aging rules will sit in that table unused because the nsswitch.conf file is directing everyone to other places for their password information.

The passwd Command and "NIS+ Environment"

In this chapter, the phrase NIS+ environment refers to situations where the passwd entry of the applicable nsswitch.conf file is set to nisplus, or the passwd command is run with the -r nisplus argument.

The passwd Command and Credentials

When run in an NIS+ environment (see above), the passwd command is designed to function with or without credentials. Users without credentials are limited to changing their own password. Other password operations can only be performed by users who have credentials (are authenticated) and who have the necessary access rights (are authorized).

The passwd Command and Permissions

In this discussion of authorization and permissions, it is assumed that everyone referred to has the proper credentials.

By default, in a normal NIS+ environment the owner of the passwd table can change password information at any time and without constraints. In other words, the owner of the passwd table is normally granted full read, modify, create, and destroy authorization (permission) for that table. An owner can also:

• Assign table ownership to someone else with the nischown command.
• Grant some or all of read, modify, create, and destroy rights to the table's group, or even to the world or nobody class. (Of course, granting such rights to world or nobody seriously weakens NIS+ security.)
• Change the permissions granted to any class with the nisdefaults, nischmod, or nistbladm commands.

---

Note - Regardless of what permissions they have, everyone in the world, and nobody classes are forced to comply with password-aging constraints. In other words, they cannot change a password for themselves or anyone else unless that password has aged past its minimum. Nor can members of the group, world, and nobody classes avoid having to change their own passwords when the age limit has been reached. However, age constraints do not apply to the owner of the passwd table.

---

To use the passwd command in an NIS+ environment, you must have the required authorization (access rights) for the operation:

Table 8-1 passwd

This Operation	Requires These Rights	To This Object
Displaying information	read	passwd table entry
Changing Information	modify	passwd table entry
Adding New Information	modify	passwd table

The passwd Command and Keys

If you use passwd in a NIS+ environment to change a principal's password, it tries to update the principal's private (secret) key in the cred table.

• If you have modify rights to the DES entry in the cred table and if the principal's login and Secure RPC passwords are the same, passwd will update the private key in the cred table.
• If you do not have modify rights to the DES entry in the cred table or if the principal's login and Secure RPC passwords are not the same, the passwd command will change the password, but not change the private key.

  If you do not have modify rights to the DES entry, it means that the private key in the cred table will have been formed with a password that is now different from the one stored in the passwd table. In this case, the user will have to change keys with the chkey command or run keylogin after each login.

The passwd Command and Other Domains

To operate on the passwd table of another domain, use:

passwd [options] -D domainname

The nistbladm Command

The nistbladm command allows you to create, change, and display information about any NIS+ table, including the passwd table.

It is possible to use the nistbladm command to:

• Create new passwd table entries
• Delete an existing entry
• Change the UID and GID fields in the passwd table
• Change access rights and other security-related attributes of the passwd table
• Set expiration and inactivity periods for a user's account (see "Password Privilege Expiration" on page 164 and "Specifying Maximum Number of Inactive Days" on page 166.)
• Set password parameters for multiple users at once (see "Setting Password Aging Criteria for Multiple Users" on page 168).

---

Caution - To perform password operations using the nistbladm command you must apply nistbladm to the shadow column of the passwd table. Applying nistbladm to the shadow column is complex and tricky. Therefore, you should not use the nistbladm command for any operation that can more easily be performed by the passwd command or by using the AdminTool or Solstice AdminSuite tools. You should use the passwd command or Solstice AdminSuite tools to perform the following operations:

• Changing a password
• Setting the maximum period that a password can be used (password aging).
• Setting the minimum period that a password must be used.
• Setting the password warning period.
• Turning off password aging

---

nistbladm and Shadow Column Fields

You use the nistbladm command to set password parameters by specifying the values of the different fields in the shadow column. These fields are entered in the format:

Where:

• N1 Lastchange. The date of the last password change expressed as a number of days since January 1, 1970. The value in this field is automatically updated each time the user changes passwords. (See "nistbladm And the Number of Days" on page 152 for important information regarding the number of days.) If the field is blank, or contains a zero, it indicates that there has not been any change in the past.

  Note that the number of days in the lastchange field is the base from which other fields and operations are calculated. Thus, an incorrect change in this field could have unintended consequence in regards to minimum, maximum, warning, and inactive time periods.

• N2 Min. The minimum number of days that must pass since the last time the password was changed before the user can change passwords again. For example, if the value in the lastchange field is 9201 (that is, 9201 days since 1/1/70) and the value in the min field is 8, the user is unable to change passwords until after day 9209. See "Setting Minimum Password Life" on page 161 for additional information on password minimums.

  Where min is one of the following values:

  · Zero (0). A value of zero in this field (or a blank space) means that there is no minimum period

  · Greater than zero. Any number greater than zero sets that number of days as the minimum password life.

  · Greater than max. A value in this field that is greater than the value in the max field prevents the user from ever changing passwords. The message: You may not change this password is displayed when the user attempts to change passwords.

• N3 Max. The maximum number of days that can pass since the last time the password was changed. Once this maximum number of days is exceeded, the user is forced to choose a new password the next time the user logs in. For example, if the value in the lastchange field is 9201 and the value in the max field is 30, after day 9231 (figured 9201+30=9231), the user is forced to choose a new password at the next login. See "Setting a Password Age Limit" on page 160 for additional information on password maximums.

  Where max is one of the following values:

  · Zero (0). A value of zero (0) forces the user to change passwords the next time the user logs in, and it then turns off password aging.

  · Greater than zero. Any number greater than zero sets that number of days before the password must be changed.

• Minus one (-1). A value of minus one (-1) turns off password aging. In other words, entering passwd -x -1 username cancels any previous password aging applied to that user. A blank space in the field is treated as if it were a minus one.

• N4 Warn. The number of days before a password reaches its maximum that the user is warned to change passwords. For example, suppose the value in the lastchange field is 9201, the value in the max field is 30, and the value in the warn field is 5. Then after day 9226 (figured 9201+30-5=9226) the user starts receiving "change your password" type warnings at each longing time. See "Establishing a Warning Period" on page 162 for additional information on password warning times.

  Where warn is one of the following values:

  · Zero (0). No warning period.

  · Greater than zero. A value of zero (0) sets the warning period to that number of days.

• N5 Inactive. The maximum number of days between logins. If this maximum is exceeded, the user is not allowed to log in. For example, if the value of this field is 6, and the user does not log in for six days, on the seventh day the user is no longer allowed to log in. See "Specifying Maximum Number of Inactive Days" on page 166 for additional information on account inactivity.

  Where inactive is one of the following values:

  · Minus one (-1). A value of minus one (-1) turns off the inactivity feature. The user can be inactive for any number of days without losing login privileges. This is the default.

  · Greater than zero. A value greater than zero sets the maximum inactive period to that number of days.

• N6 Expire. The date on which a password expires, expressed as a number of days since January 1, 1970. After this date, the user can no longer log in. For example, if this field is set to 9739 (September 1, 1995) on September 2, 1995 GMT, the user will not be able to login and will receive a Login incorrect message after each try. See "Password Privilege Expiration" on page 164 for additional information on password expiration.

  Where expire is one of the following values:

• Minus one (-1). A value of minus one (-1) turns off the expiration feature. If a user's password has already expired, changing this value to -1 restores it. If you do not want to set any expiration date, type a -1 in this field.
• Greater than zero. A value greater than zero sets the expiration date to that number of days since 1/1/70. If you enter today's date or earlier, you immediately deactivate the users password.

• N7 Unused. This field is not currently used. Values entered in this field will be ignored.
• Login is the user's login ID

---

Caution - When using nistbladm on the shadow column of the password table, all of the numeric fields must contain appropriate values. You cannot leave a field blank, or enter a zero, as a no change placeholder.

---

For example, to specify that the user amy last changed her password on day 9246 (MaY 1, 1995), cannot change her password until it has been in use for 7 days, must change her password after 30 days, will be warned to change her password after the 25th day, must not remain inactive more than 15 days, and has an account that will expire on day number 9255, you would type:

master# nistbladm -m shadow=9246:7:30:5:15:9255:0 [name=amy],passwd.org_dir

nistbladm And the Number of Days

Most password aging parameters are expressed in number of days. The following principles and rules apply:

• Days are counted from January 1, 1970. That is day zero. January 2, 1970, is day 1.
• NIS+ uses Greenwich mean time (GMT) in figuring and counting days. In other words, the day count changes at midnight GMT.
• When you specify a number of days, you must use a whole number. You cannot use fractions of days.

• When the number of days is used to specify some action, such as locking a password, the change takes effect on the day. For example, if you specify that a user's password privilege expires on day 9125 (January 2, 1995), that is the last day that the user can use the password. On the next day, the user can no longer use the password.

Values are entered in both the lastchange the expire fields as a number of days since January 1, 1970. For example:

Table 8-2

Date	Day Number
January 1, 1970	0
January 2, 1970	1
January 2, 1971	365
January 2, 1995	9125
March 1, 1995	9184
May 1, 1995	9246
July 1, 1995	9306
September 1, 1995	9369
November 1, 1995	9431
January 1, 1996	9493
March 1, 1996	9553
May 1, 1996	9615
July 1, 1996	9677
September 1, 1996	9739
November 1, 1996	9801
January 1, 1997	9863

Related Commands

The passwd and nistbladm commands provide capabilities that are similar to those offered by other commands. Table 8-3 summarizes their differences.

Table 8-3

Command	Description
yppasswd	Is now linked to the passwd command. Using yppasswd simply invokes the passwd command.
nispasswd	Is now linked to the passwd command. Using nispasswd simply invokes the passwd command.
niscat	Can be used to display the contents of the passwd table.

Displaying Password Information

You can use the passwd command to display password information about all users in a domain or about one particular user:

For your password information

passwd -s

For all users in current domain

passwd -s -a

For a particular user

passwd -s username

Only the entries and columns for which you have read permission will be displayed. Entries are displayed with the following format:

• Without password aging: username status

• With password aging: username status mm/dd/yy min max warn where

Table 8-4 NIS+ Password Display Format

Field	Description	For Further Information
username	The user's login name.
status	The user's password status. PS indicates the account has a password. LK indicates the password is locked. NP indicates the account has no password.	See "Locking a Password" on page 157.
mm/dd/yy	The date, based on Greenwich mean time, that the user's password was last changed.
min	The minimum number of days since the last change that must pass before the password can be changed again.	See "Setting Minimum Password Life" on page 161.
max	The maximum number of days the password can be used without having to change it.	See "Setting a Password Age Limit" on page 160.
warn	The number of days' notice that users are given before their passwords have to be changed.	See "Establishing a Warning Period" on page 162.
expire	A date on which users loose the ability to log in to their accounts.	See "Password Privilege Expiration" on page 164.
inactive	A limit on the number of days that an account can go without being logged in to. Once that limit is passed without a log in users can no longer access their accounts.	See "Specifying Maximum Number of Inactive Days" on page 166.

To display entries from a passwd table in another domain, use the -D option:

For all users in another domain

passwd -s -a -D domainname

For a particular user

passwd -s -D domainname username

Changing Passwords

New passwords must meet the criteria described in "Password Requirements" on page 142.

Changing Your Own Password

To change your password, type

station1% passwd

You will be prompted for your old password and then the new password and then the new password a second time to confirm it.

Changing Someone Else's Password

To change someone else' password, use:

To change another user's password in the same domain

passwd username

To change another user's password in a different domain

passwd -D domainname username

When using the passwd command in a NIS+ environment (see page 147) to change someone else's password you must have modify rights to that user's entry in the passwd table (this usually means that you are a member of the group for the passwd table and the group has modify rights). You do not have to enter either the user's old password or your password. You will be prompted to enter the new password twice to make sure that they match. If they do not match, you will be prompted to enter them again.

Changing Root's Password

When changing root's password, you must always run chkey -p immediately after changing the password with the passwd command. Failure to run chkey -p after changing root's password will result in root being unable to properly log in.

To change a root password, follow these steps:

1. Log in as root.

2. Change root's password using passwd.

   Do not use nispasswd.

3. Run chkey -p.

   You must use the -p option.

Locking a Password

When operating in a NIS+ environment (see page 147), an administrator (a group member) with modify rights to a user's entry in the passwd table can use the passwd command to lock a password. An account with a locked password cannot be used. When a password is locked, the user will receive a Login incorrect message after each login attempt.

Keep in mind that locked passwords have no effect on users who are already logged in. A locked password only prevents users from performing those operations that require giving a password such as login, rlogin, ftp, or telnet.

Note also that if a user with a locked password is already logged in, and that user uses the passwd command to change passwords, the lock is broken.

You can use this feature to

• Temporarily lock a user's password while that user is on vacation or leave. This prevents anyone from logging in as the absent user.
• Immediately lock one or more user passwords in the case of suspected security problem.
• Quickly lock a fired employee out of the system. This is quicker and easier than eliminating that user's account and is an easy way of preserving any data stored in that account.

• If you have assigned passwords to UNIX processes, you can lock those passwords. This allows the process to run, but prevents anyone from logging in as those processes even if they know the process password. (In most cases, processes would not be set up as NIS+ principals, but would maintain their password information in /etc files. In such a case you would have to run the passwd command in files mode to lock /etc stored passwords.)

To lock a password, use:

passwd -l username

Unlocking a Password

To unlock a user's password, you simply change it. You can "change" it back to the exact same password that it was when it was locked. Or you can change it to something new.

For example, to unlock jody's password, you would type:

station1% passwd jody

Managing Password Aging

Password aging is a mechanism you can use to force users to periodically change their passwords.

Password aging allows you to:

• Force a user to choose a new password the next time the user logs in. (See "Forcing Users to Change Passwords" on page 159 for details.)
• Specify a maximum number of days that a password can be used before it has to be changed. (See "Setting a Password Age Limit" on page 160 for details.)
• Specify a minimum number of days that a password has to be in existence before it can be changed. (See "Setting Minimum Password Life" on page 161 for details.)

• Specify that a warning message be displayed whenever a user logs in a specified number of days before the user's password time limit is reached. (See "Establishing a Warning Period" on page 162 for details.)
• Specify a maximum number of days that an account can be inactive. If that number of days pass without the user logging in to the account, the user's password will be locked. (See "Specifying Maximum Number of Inactive Days" on page 166 for details.)
• Specify an absolute date after which a user's password cannot be used, thus denying the user the ability to log on to the system. (See "Password Privilege Expiration" on page 164 for details.)

Keep in mind that users who are already logged in when the various maximums or dates are reached are not affected by the above features. They can continue to work as normal.

Password aging limitations and activities are only activated when a user logs in or performs one of the following operations:

• login
• rlogin
• telnet
• ftp

These password aging parameters are applied on user-by-user basis. You can have different password aging requirements for different users. (You can also set general default password aging parameters as described in "The /etc/defaults/passwd File" on page 168.)

Forcing Users to Change Passwords

There are two ways to force a user to change passwords the next time the user logs in:

Force change keeping password aging rules in effect

passwd -f username

Force change and turn off password aging rules

passwd -x 0 username

Setting a Password Age Limit

The max argument to the passwd command sets an age limit for the current password. In other words, it specifies the number of days that a password remains valid. After that number of days, a new password must be chosen by the user. Once the maximum number of days have passed, the next time the user tries to login with the old password a Your password has been expired for too long message is displayed and the user is forced to choose a new password in order to finish logging in to the system.

The max argument uses the following format:

passwd -x max username

Where:

• username is the login ID of the user
• max is one of the following values:

  · Greater than zero. Any number greater than zero sets that number of days before the password must be changed.

  · Zero (0). A value of zero (0) forces the user to change passwords the next time the user logs in, and it then turns off password aging.

  · Minus one (-1). A value of minus one (-1) turns off password aging. In other words, entering passwd -x -1 username cancels any previous password aging applied to that user.

For example, to force the user schweik to change passwords every 45 days, you would type the command:

station1% passwd -x 45 schweik

Setting Minimum Password Life

The min argument to the passwd command specifies the number of days that must pass before a user can change passwords. If a user tries to change passwords before the minimum number of days has passed, a Sorry less than N days since the last change message is displayed.

The min argument uses the following format:

passwd -x max -n min username

Where:

• username is the login ID of the user
• max is the maximum number of days a password is valid as described in the section above
• min is the minimum number of days that must pass before the password can be changed.

For example, to force the user eponine to change passwords every 45 days, and prevent him from changing it for the first 7 days you would type the command:

station1% passwd -x 45 -n 7 eponine

The following rules apply to the min argument:

• You do not have to use a min argument or specify a minimum number of days before a password can be changed.
• If you do use the min argument, it must always be used in conjunction with the max argument. In other words, in order to set a minimum value you must also set a maximum value.
• If you set min to be greater than max, the user is unable to change passwords at all. For example, the command passwd -x 7 -n 8 prevents the user from changing passwords. If the user tries to change passwords, the You may not change this password message is displayed.

Establishing a Warning Period

The warn argument to the passwd command specifies the number of days before a password reaches its age limit that users will start to seeing a Your password will expire in N days message (where N is the number of days) when they log in.

For example, if a user's password has a maximum life of 30 days (set with the max argument) and the warn value is set to 7 days, when the user logs in on the 24th day (one day past the warn value) the warning message Your password will expire in 7 days is displayed. When the user logs in on the 25th day the warning message Your password will expire in 6 days is displayed.

Keep in mind that the warning message is not sent by Email or displayed in a user's console window. It is displayed only when the user logs in. If the user does not log in during this period, no warning message is given.

Keep in mind that the warn value is relative to the max value. In other words, it is figured backwards from the deadline set by the max value. Thus, if the warn value is set to 14 days, the Your password will expire in N days message will begin to be displayed two weeks before the password reaches its age limit and must be changed.

Because the warn value is figured relative to the max value, it only works if a max value is in place. If there is no max value, warn values are meaningless and are ignored by the system.

The warn argument uses the following format:

passwd -x max -w warn username

Where:

• username is the login ID of the user.
• max is the maximum number of days a password is valid as described on page 160.
• warn is the number of days before the password reaches its age limit that the warning message will begin to be displayed.

For example, to force the user nilovna to change passwords every 45 days, and display a warning message 5 days before the password reaches its age limit you would type the command:

station1% passwd -x 45 -w 5 nilovna

The following rules apply to the warn argument:

• You do not have to use the warn argument or specify a warning message. If no warn value is set, no warning message is displayed prior to a password reaching its age limit.
• If you do use the warn argument, it must always be used in conjunction with the max argument. In other words, in order to set a warning value you must also set a maximum value.

Turning Off Password Aging

There are two ways to turn off password aging for a given user:

Turn off aging while allowing user to retain current password

passwd -x -1 username

Force user to change password at next login, and then turn off aging

passwd -x 0 username

This sets the max value to either zero or -1 (see "Setting a Password Age Limit" on page 160 for more information on this value).

For example, to force the user mendez to change passwords the next time he logs in and then turn off password aging you would type the command:

station% passwd -x 0 mendez

You can also use the nistbladm command to set this value. For example, to turn off password aging for the user otsu and allow her to continue using her current password, you would type:

station1% nistbladm -m 'shadow=0:0:-1:0:0:0:0' [name=otsu],passwd.org_dir

For additional information on using the nistbladm command, see "The nistbladm Command" on page 148.

Password Privilege Expiration

You can set a specific date on which a user's password privileges expires. When a user's password privilege expires, that user can no longer have a valid password at all. In effect, this locks the user out of the system after the given date because after that date the user can no longer log in.

For example, if you specify an expire date of December 31, 1995, for a user named petew, on January 1, 1996 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt he will receive a Login incorrect message.

Password Aging versus Expiration Expiration of a user's password privilege is not the same as password aging.

• Password aging. A password that has not been changed for longer than the aging time limit is sometimes referred to as an expired password. But that password can still be used to log in one more time. As part of that last login process the user is forced to choose a new password.
• Expiration of password privilege. When a user's password privilege expires, the user cannot log in at all with any password.) In other words, it is the user's permission to log in to the network that has expired.

Setting an Expiration Date Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no affect until the user logs out or tries to use rlogin or telnet to connect to another machine at which

time the user will not be able to log in again. Thus, if you are going to implement password privilege expiration dates, you should require your users to log out at the end of each day's work session.

---

Note - If you have Solstice AdminSuite tools available, do not use nistbladm to set an expiration date. Use Solstice AdminSuite tools because they are easier to use and provides less chance for error.

---

To set an expiration date with the nistbladm command:

nistbladm -m 'shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir

Where:

• login is the user's login ID
• n indicates the values in the other fields of the shadow column.
• n6 is the date on which the user's password privilege expires. This date is entered as a number of days since January 1, 1970 (see Table 8-2 on page 153). n6 can be one of the following values:

  · Minus one (-1). A value of minus one (-1) turns off the expiration feature. If a user's password has already expired, changing this value to -1 restores (un-expires) it. If you do not want to set any expiration date, type -1 in this field.

  · Greater than zero. A value greater than zero sets the expiration date to that number of days since 1/1/70. If you enter today's date or earlier, you immediately expire the user's password.

For example, to specify an expiration date for the user petew of December 31, 1995 you would type:

station1% nistbladm -m 'shadow=n:n:n:n:n:9493:n' [name=petew],passwd.org_dir

---

Caution - All of the fields must be filled in with valid values.

---

Turning Off Password Privilege Expiration To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:

station1% nistbladm -m 'shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir

Or you can use the nistbladm command reset the expiration date to some day in the future by entering a new number of days in the n6 field.

Specifying Maximum Number of Inactive Days

You can set a maximum number of days that a user can go without logging in on a given machine. Once that number of days passes without the user logging in, that machine will no longer allow that user to log in. In this situation, the user will receive a Login incorrect message after each login attempt.

This feature is tracked on a machine-by-machine basis, not a network-wide basis. That is, in an NIS+ environment, you specify the number of days a user can go without logging in by placing an entry for that user in the passwd table of the user's home domain. That number applies for that user on all machines on the network. However, the date on which a user last logged in to a given machine is maintained on a machine-by-machine basis in the machine's /var/adm/utmp file.

For example, suppose you specify a maximum inactivity period of 10 days for the user samh. On January 1, samh logs in to both machine-A and machine-B, and then logs off both machines. Four days later on January 4, samh logs in on machine-B and then logs out. Nine days after that on January 13, samh can still log -n to machine-B because only 9 days have elapsed since the last time he logged in on that machine, but he can no longer log in to machine-A because thirteen days have passed since his last log in on that machine.

Keep in mind that an inactivity maximum cannot apply to a machine the user has never logged in to. No matter what inactivity maximum has been specified or how long it has been since the user has logged in to some other machine, the user can always log in to a machine that the user has never logged in to before.

---

Caution - Do not set inactivity maximums unless your users are instructed to log out at the end of each workday. The inactivity feature only relates to logins; it does not check for any other type of system use. If a user logs in and then leaves the system up and running at the end of each day, that user will soon pass the inactivity maximum because there has been no login for many days. When that user finally does reboot or log out, he or she won't be able to log in.

---

---

Note - If you have Solstice AdminSuite tools available, do not use nistbladm to set an inactivity maximum. Use Solstice AdminSuite tools because they are easier to use and provide less chance for error.

---

To set a login inactivity maximum, you must use the nistbladm command in the format:

nistbladm -m 'shadow=n:n:n:n:n5:n:n' [name=login],passwd.org_dir

Where:

• login is the user's login ID
• n indicates the values in the other fields of the shadow column.
• n5 is the number of days the user is allowed to go between logins. Inactive can be one of the following values:

  · Minus one (-1). A value of minus one (-1) turns off the inactivity feature. The user can be inactive for any number of days without losing login privileges. This is the default.

  · Greater than zero. A value greater than zero sets the maximum inactive period to that number of days.

For example, to specify that the user samh must log in at least once every seven days, you would type:

station1% nistbladm -m 'shadow=n:n:n:n:n:7:n:n' [name=samh],passwd.org_dir

To clear an inactivity maximum and allow a user who has been prevented from logging in to log in again, use nistbladm to set the inactivity value to -1.

Setting Password Aging Criteria for Multiple Users

You can use the nistbladm command globally specify password max, min, warn, inactive, and expire, values for all principals listed in a given passwd table.

To globally change password aging values for all users listed in a given password table, you use the nistbladm command without an indexed entry between the square brackets. For example, to globally set a minimum of 7 days, a maximum of 30 days, a warning period of 5 days, and no inactivity limit or expire date you would type:

station1% nistbladm -m 'shadow=n:7:30:5:-1:-1:0' [],passwd.org_dir

You can also use the nistbladm command to turn off password aging for all users in a given password table by globally setting their max value to -1 or 0 as described in "Turning Off Password Aging" on page 163.

---

Note - The value you enter in the lastchange field (the first field) will be applied to all the users. In effect, you will be resetting everyone's last change date to that value.

---

Specifying Password Criteria and Defaults

The following subsections describe various password-related defaults and general criteria that you can specify.

The /etc/defaults/passwd File

The /etc/defaults/passwd file is used to set four general password defaults for users whose nsswitch.conf file points to files. The defaults set by the /etc/defaults/passwd file apply only to users whose operative password information is taken from /etc files; they do not apply to anyone using either NIS maps or NIS+ tables. An /etc/defaults/passwd file on an NIS+ server only affects local users who happen to be obtaining their password information from those local files. An /etc/defaults/passwd file on an NIS+ server has no effect on the NIS+ environment or users whose nsswitch.conf file points to either nis or nisplus.

The four general password defaults governed by the /etc/defaults/passwd file are:

• Maximum number of weeks the password is valid
• Minimum number of weeks the password is valid
• The number of weeks before the password becomes invalid that the user is warned
• The minimum number of characters that a password must contain

The following principles apply to defaults set with an /etc/defaults/passwd file:

• For users who obtain password information from local /etc files, individual password aging maximums, minimums and warnings set by the passwd command or Solstice AdminSuite or AdminTool override any /etc/defaults/passwd defaults. In other words, defaults set in the /etc/defaults/passwd file are only applied to those users who do not have corresponding individual settings in their entries in their passwd table.
• Except for password length, all the /etc/defaults/passwd file defaults are expressed as a number of weeks. (Remember that individual password aging times are expressed as a number of days.)
• The MAXWEEKS, MINWEEKS, and WARNWEEKS defaults are all counted forward from the date of the user's last password change. (Remember that individual warn values are counted backwards from the maximum date.)

By default, /etc/defaults/passwd files already contain the entries:

MAXWEEKS= MINWEEKS= PASSLENGTH=

To implement an entry, simply type the appropriate number after the equal sign. Entries that do not have a number after the equal sign are inactive and have no affect on any user. Thus, to set a MAXWEEKS default of 4, you would change the /etc/defaults/passwd file to read:

MAXWEEKS=4 MINWEEKS= PASSLENGTH=

Maximum Weeks You can use the MAXWEEKS default in the /etc/defaults/passwd file to set the maximum number of weeks that a user's password is valid. To set a default maximum time period, type the appropriate number of weeks after the equal sign on the MAXWEEKS= line:

MAXWEEKS=N

Where N is a number of weeks. For example, MAXWEEKS=9.

Minimum Weeks You can use the MINWEEKS default in the /etc/defaults/passwd file to set the minimum number of weeks that must pass before a user can change passwords. To set a default minimum time period, type the appropriate number of weeks after the equal sign on the MINWEEKS= line:

MINWEEKS=N

Where N is a number of weeks. For example, MINWEEKS=2.

Warning Weeks You can add a WARNWEEKS= default to the /etc/defaults/passwd file to set the number of weeks prior to a password becoming invalid due to aging that the user is warned. For example, if you have set the MAXWEEKS default to 9, and you want users to be warned two weeks before their passwords become invalid, you would set the WARNWEEKS default to 7.

Remember that WARNWEEKS are counted forward from the date of the user's last password change, not backward from the MAXWEEKS expiration date. Thus, WARNWEEKS must always be less than MAXWEEKS and cannot be equal to or greater than MAXWEEKS.

To set the warning time period, type the appropriate number of weeks after the equal sign on the WARNWEEKS= line:

WARNWEEKS=N

Where N is a number of weeks. For example, WARNWEEKS=1.

Minimum Password Length By default, the passwd command assumes a minimum length of six characters. You can use the PASSLENGTH default in the /etc/defaults/passwd file to change that by setting the minimum number of characters that a user's password must contain to some other number.

To set the minimum number of characters to something other than six, type the appropriate number of characters after the equal sign on the PASSLENGTH= line:

PASSLENGTH=N

Where N is a number of characters. For example, PASSLENGTH=7.

Password Failure Limits

You can specify a number-of-tries limit or an amount-of-time limit (or both) for a user's attempt to change passwords. These limits are specified by adding arguments when starting the rpc.nispasswdd daemon.

Limiting the number of attempts or setting a time frame provides a limited (but not foolproof) defense against unauthorized persons attempting to change a valid password to one that they discover through trial and error.

Maximum Number of Tries To set the maximum number of times a user can try to change a password without succeeding, use the -a number argument with rpc.nispasswdd, where number is the number of allowed tries. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)

For example, to limit users to no more than four attempts (the default is 3), you would type:

station1# rpc.nispasswdd -a 4

In this case, if a user's fourth attempt at logging in is unsuccessful, the message Too many failures - try later is displayed. No further attempts are permitted for that user ID until a specified period of time has passed.

Maximum Login Time Period To set the maximum amount a time a user can take to successfully change a password, use the -c minutes argument with rpc.nispasswdd, where minutes is the number of minutes a user has to log in. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)

For example, to specify that users must successfully log in within 2 minutes, you would type:

station1# rpc.nispasswdd -c 2

In this case, if a user is unable to successfully change a password within 2 minutes, the message is displayed at the end of the two-minute period. No further attempts are permitted for that user ID until a specified period of time has passed.