This section describes how to use the passwd command from the point of view of an ordinary user and of a system administrator. You can also use Web-based System Manager or SMIT to do these tasks, both of which can be more convenient than running the passwd command as described in this section. This section assumes you have adequate understanding of the NIS+ security system in general--in particular of the role that login passwords play in that system (see the Security chapter). This section covers:
Logging in to a system is a two-step process:
(To maintain password secrecy, your password is not displayed on your screen when you type it.)
If your login is successful you will see your system's message of the day (if any) and then your command-line prompt, windowing system, or normal application.
The Login incorrect message indicates that:
If you receive a Your password has expired message it means that your password has reached its age limit and expired. In other words, the password has been in use for too long and you must choose a new password at this time. (See Choosing a Password, for criteria that a new password must meet.)
In this case, choosing a new password is a three-step process:
Your keystrokes are not shown on your screen.
Your keystrokes are not shown on your screen.
Your keystrokes are not shown on your screen.
If you receive a Your password will expire in N days message (where N is a number of days), or a Your password will expire within 24 hours message, it means that your password will reach its age limit and expire in that number of days (or hours).
In essence, this message is telling you to change your password now. (See Changing Your Password.)
After entering your login ID and password, you may get a Permission denied message and be returned to the login: prompt. This means that your login attempt has failed because an administrator has either locked your password, or terminated your account, or your password privileges have expired. In these situations a user cannot log in until an administrator unlocks the user password or reactivates the account or privileges.
To maintain security, you should change your password regularly. (See Choosing a Password for password requirements and criteria.) Note that you can also use Web-based System Manager or SMIT to change your password. You may find that more convenient than running the passwd command as described in this manual.
Changing your password is a four-step process:
Your keystrokes are not shown on your screen.
At this point the system checks to make sure that your new password meets the requirements:
See Password Requirements for the requirements a password must meet.
Your keystrokes are not shown on your screen.
Note:When changing root's password, you must always run chkey -p immediately after changing the password. (See Changing Root Keys From Root and Changing Root Keys From Another Machine for information on using chkey -p to change root's keys.) Failure to run chkey -p after changing root's password will result in root being unable to properly log in.
Some systems limit either the number of failed attempts you can make in changing your password or the total amount of time you can take to make a successful change. (These limits are implemented to prevent someone else from changing your password by guessing your current password.)
If you (or someone posing as you) fails to successfully log in or change your password within the specified number of tries or time limit, you will get a Too many failures - try later or Too many tries: try again later message. You will not be allowed to make any more attempts until a certain amount of time has passed. (That amount of time is set by your administrator.)
Many breaches of computer security involve guessing another user's password. While the passwd command enforces some criteria for making sure the password is hard to guess, a clever person can sometimes figure out a password just by knowing something about the user. Thus, a good password is one that is easy for you to remember but hard for someone else to guess. A bad password is one that is so hard for you to remember that you have to write it down (which you are not supposed to do), or that is easy for someone who knows about you to guess.
A password should meet the following suggested requirements:
For further information, see the /etc/security/user file description.
Bad choices for passwords include:
Good choices for passwords include:
The passwd command performs various operations regarding passwords. The yppasswd command is still retained with all of its functionality for the purpose of backward compatibility.
When run in an NIS+ environment, the passwd command is designed to function with or without credentials. Users without credentials are limited to changing their own password. Other password operations can only be performed by users who have credentials (are authenticated) and who have the necessary access rights (are authorized).
In this discussion of authorization and permissions, it is assumed that everyone referred to has the proper credentials.
By default, in a normal NIS+ environment the owner of the passwd table can change password information at any time and without constraints. In other words, the owner of the passwd table is normally granted full read, modify, create, and destroy authorization (permission) for that table. An owner can also:
Note: Regardless of what permissions they have, everyone in the world, and nobody classes are forced to comply with password-aging constraints. In other words, they cannot change a password for themselves or anyone else unless that password has aged past its minimum. Nor can members of the group, world, and nobody classes avoid having to change their own passwords when the age limit has been reached. However, age constraints do not apply to the owner of the passwd table.
To use the passwd command in an NIS+ environment, you must have the required authorization (access rights) for the operation:
This Operation | Requires These Rights | To This Object |
---|---|---|
Displaying information | read | passwd table entry |
Changing Information | modify | passwd table entry |
Adding New Information | modify | passwd table |
If you use passwd in a NIS+ environment to change a principal's password, it tries to update the principal's private (secret) key in the cred table.
If you do not have modify rights to the DES entry, it means that the private key in the cred table will have been formed with a password that is now different from the one stored in the passwd table. In this case, the user will have to change keys with the chkey command or run keylogin after each login.
The nistbladm command allows you to create, change, and display information about any NIS+ table, including the passwd table.
It is possible to use the nistbladm command to:
New passwords must meet the criteria described in Password Requirements.
To change your password, type
station1% passwd
You will be prompted for your old password and then the new password and then the new password a second time to confirm it.
To change someone else' password, use:
To change another user's password in the same domain
passwd username
When using the passwd command in a NIS+ environment to change someone else's password you must have modify rights to that user's entry in the passwd table (this usually means that you are a member of the group for the passwd table and the group has modify rights). You do not have to enter either the user's old password or your password. You will be prompted to enter the new password twice to make sure that they match. If they do not match, you will be prompted to enter them again.
When changing root's password, you must always run chkey -p immediately after changing the password with the passwd command. Failure to run chkey -p after changing root's password will result in root being unable to properly log in.
To change a root password, follow these steps:
Do not use nispasswd.
You must use the -p option.
Password aging is a mechanism you can use to force users to periodically change their passwords.
Password aging encompasses the following tasks:
Keep in mind that users who are already logged in when the various maximums or dates are reached are not affected by the above tasks. They can continue to work as normal.
Password aging limitations and activities are only activated when a user logs in or performs one of the following operations:
These password aging parameters are applied on user-by-user basis. You can have different password aging requirements for different users. (You can also set general default password aging parameters as described in the /etc/security/user file description.)
You can set a specific date on which a user's password privileges expires. When a user's password privilege expires, that user can no longer have a valid password at all. In effect, this locks the user out of the system after the given date because after that date the user can no longer log in.
For example, if you specify an expire date of December 31, 1995, for a user named petew, on January 1, 1996 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt he will receive a Login incorrect message.
Expiration of a user's password privilege is not the same as password aging.
Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no affect until the user logs out or tries to use rlogin or telnet to connect to another machine at which time the user will not be able to log in again. Thus, if you are going to implement password privilege expiration dates, you should require your users to log out at the end of each day's work session.
Note: Security Tip: Whenever possible, use Web-based System Manager or SMIT instead of nistbladm to set an expiration date. Web-based System Manager or SMIT are easier to use and provides less chance for error.
To set an expiration date with the nistbladm command:
nistbladm -m 'shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir
Where:
For example, to specify an expiration date for the user petew of December 31, 1995 you would type:
station1% nistbladm -m 'shadow=n:n:n:n:n:9493:n' [name=petew],passwd.org_dir
Note: All of the fields must be filled in with valid values.
To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:
station1% nistbladm -m 'shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir
Or you can use the nistbladm command reset the expiration date to some day in the future by entering a new number of days in the n6 field.
You can set a maximum number of days that a user can go without logging in on a given machine. Once that number of days passes without the user logging in, that machine will no longer allow that user to log in. In this situation, the user will receive a Login incorrect message after each login attempt.
This feature is tracked on a machine-by-machine basis, not a network-wide basis. That is, in an NIS+ environment, you specify the number of days a user can go without logging in by placing an entry for that user in the passwd table of the user's home domain. That number applies for that user on all machines on the network. However, the date on which a user last logged in to a given machine is maintained on a machine-by-machine basis in the machine's /var/adm/utmp and/or /var/adm/wtmp (if it exists) file.
For example, suppose you specify a maximum inactivity period of 10 days for the user samh. On January 1, samh logs in to both machine-A and machine-B, and then logs off both machines. Four days later on January 4, samh logs in on machine-B and then logs out. Nine days after that on January 13, samh can still log -n to machine-B because only 9 days have elapsed since the last time he logged in on that machine, but he can no longer log in to machine-A because thirteen days have passed since his last log in on that machine.
Keep in mind that an inactivity maximum cannot apply to a machine the user has never logged in to. No matter what inactivity maximum has been specified or how long it has been since the user has logged in to some other machine, the user can always log in to a machine that the user has never logged in to before.
Note: Do not set inactivity maximums unless your users are instructed to log out at the end of each workday. The inactivity feature only relates to logins; it does not check for any other type of system use. If a user logs in and then leaves the system up and running at the end of each day, that user will soon pass the inactivity maximum because there has been no login for many days. When that user finally does reboot or log out, he or she will not be able to log in.
Note: Whenever possible, use Web-based System Manager or SMIT instead of nistbladm to set an inactivity maximum. Web-based System Manager or SMIT are easier to use and provides less chance for error. to set an inactivity maximum.
To set a login inactivity maximum, you must use the nistbladm command in the format:
nistbladm -m 'shadow=n:n:n:n:n5:n:n' [name=login],passwd.org_dir
Where:
For example, to specify that the user samh must log in at least once every seven days, you would type:
station1% nistbladm -m 'shadow=n:n:n:n:n:7:n:n' [name=samh],passwd.org_dir
To clear an inactivity maximum and allow a user who has been prevented from logging in to log in again, use nistbladm to set the inactivity value to -1.
You can use the nistbladm command globally specify password max, min, warn, inactive, and expire, values for all principals listed in a given passwd table.
To globally change password aging values for all users listed in a given password table, you use the nistbladm command without an indexed entry between the square brackets. For example, to globally set a minimum of 7 days, a maximum of 30 days, a warning period of 5 days, and no inactivity limit or expire date you would type:
station1% nistbladm -m 'shadow=n:7:30:5:-1:-1:0' [],passwd.org_dir
You can also use the nistbladm command to turn off password aging for all users in a given password table by globally setting their max value to -1 or 0.
Note: The value you enter in the lastchange field (the first field) will be applied to all the users. In effect, you will be resetting everyone's last change date to that value.
Read the /etc/security/user file description for information on password-related defaults and general criteria that you can specify.
You can specify a number-of-tries limit or an amount-of-time limit (or both) for a user's attempt to change passwords. These limits are specified by adding arguments when starting the rpc.nispasswdd daemon.
Limiting the number of attempts or setting a time frame provides a limited (but not foolproof) defense against unauthorized persons attempting to change a valid password to one that they discover through trial and error.
Security Tip: To set the maximum number of times a user can try to change a password without succeeding, use the -a number argument with rpc.nispasswdd, where number is the number of allowed tries. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)
For example, to limit users to no more than four attempts (the default is 3), you would type:
station1# rpc.nispasswdd -a 4
In this case, if a user's fourth attempt at logging in is unsuccessful, the message Too many failures - try later is displayed. No further attempts are permitted for that user ID until a specified period of time has passed.
To set the maximum amount a time a user can take to successfully change a password, use the -c minutes argument with rpc.nispasswdd, where minutes is the number of minutes a user has to log in. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)
For example, to specify that users must successfully log in within 2 minutes, you would type:
station1# rpc.nispasswdd -c 2
In this case, if a user is unable to successfully change a password within 2 minutes, the message is displayed at the end of the two-minute period. No further attempts are permitted for that user ID until a specified period of time has passed.