[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]
Network Information Services (NIS and NIS+) Guide

Administering Passwords

This section describes how to use the passwd command from the point of view of an ordinary user and of a system administrator. You can also use Web-based System Manager or SMIT to do these tasks, both of which can be more convenient than running the passwd command as described in this section. This section assumes you have adequate understanding of the NIS+ security system in general--in particular of the role that login passwords play in that system (see the Security chapter). This section covers:

Logging In

Logging in to a system is a two-step process:

  1. Type your login ID at the Login: prompt.
  2. Type your password at the Password: prompt.

    (To maintain password secrecy, your password is not displayed on your screen when you type it.)

If your login is successful you will see your system's message of the day (if any) and then your command-line prompt, windowing system, or normal application.

The Login incorrect Message

The Login incorrect message indicates that:

The password expired Message

If you receive a Your password has expired message it means that your password has reached its age limit and expired. In other words, the password has been in use for too long and you must choose a new password at this time. (See Choosing a Password, for criteria that a new password must meet.)

In this case, choosing a new password is a three-step process:

  1. Type your old password at the Enter login password (or similar) prompt.

    Your keystrokes are not shown on your screen.

  2. Type your new password at the Enter new password prompt.

    Your keystrokes are not shown on your screen.

  3. Type your new password again at the Re-enter new password prompt.

    Your keystrokes are not shown on your screen.

The will expire Message

If you receive a Your password will expire in N days message (where N is a number of days), or a Your password will expire within 24 hours message, it means that your password will reach its age limit and expire in that number of days (or hours).

In essence, this message is telling you to change your password now. (See Changing Your Password.)

The Permission denied Message

After entering your login ID and password, you may get a Permission denied message and be returned to the login: prompt. This means that your login attempt has failed because an administrator has either locked your password, or terminated your account, or your password privileges have expired. In these situations a user cannot log in until an administrator unlocks the user password or reactivates the account or privileges.

Changing Your Password

To maintain security, you should change your password regularly. (See Choosing a Password for password requirements and criteria.) Note that you can also use Web-based System Manager or SMIT to change your password. You may find that more convenient than running the passwd command as described in this manual.

Changing your password is a four-step process:

  1. Run the passwd command at a system prompt.
  2. Type your old password at the Enter login password (or similar) prompt.
  3. Your keystrokes are not shown on your screen.
  4. Type your new password at the Enter new password prompt

    Your keystrokes are not shown on your screen.

At this point the system checks to make sure that your new password meets the requirements:

Password Change Failures

Some systems limit either the number of failed attempts you can make in changing your password or the total amount of time you can take to make a successful change. (These limits are implemented to prevent someone else from changing your password by guessing your current password.)

If you (or someone posing as you) fails to successfully log in or change your password within the specified number of tries or time limit, you will get a Too many failures - try later or Too many tries: try again later message. You will not be allowed to make any more attempts until a certain amount of time has passed. (That amount of time is set by your administrator.)

Choosing a Password

Many breaches of computer security involve guessing another user's password. While the passwd command enforces some criteria for making sure the password is hard to guess, a clever person can sometimes figure out a password just by knowing something about the user. Thus, a good password is one that is easy for you to remember but hard for someone else to guess. A bad password is one that is so hard for you to remember that you have to write it down (which you are not supposed to do), or that is easy for someone who knows about you to guess.

Password Requirements

A password should meet the following suggested requirements:

For further information, see the /etc/security/user file description.

Bad Choices for Passwords

Bad choices for passwords include:

Good Choices for Passwords

Good choices for passwords include:

The passwd Command

The passwd command performs various operations regarding passwords. The yppasswd command is still retained with all of its functionality for the purpose of backward compatibility.

The passwd Command and Credentials

When run in an NIS+ environment, the passwd command is designed to function with or without credentials. Users without credentials are limited to changing their own password. Other password operations can only be performed by users who have credentials (are authenticated) and who have the necessary access rights (are authorized).

The passwd Command and Permissions

In this discussion of authorization and permissions, it is assumed that everyone referred to has the proper credentials.

By default, in a normal NIS+ environment the owner of the passwd table can change password information at any time and without constraints. In other words, the owner of the passwd table is normally granted full read, modify, create, and destroy authorization (permission) for that table. An owner can also:

Note: Regardless of what permissions they have, everyone in the world, and nobody classes are forced to comply with password-aging constraints. In other words, they cannot change a password for themselves or anyone else unless that password has aged past its minimum. Nor can members of the group, world, and nobody classes avoid having to change their own passwords when the age limit has been reached. However, age constraints do not apply to the owner of the passwd table.

To use the passwd command in an NIS+ environment, you must have the required authorization (access rights) for the operation:

Access Rights for passwd Command
This Operation Requires These Rights To This Object
Displaying information read passwd table entry
Changing Information modify passwd table entry
Adding New Information modify passwd table

The passwd Command and Keys

If you use passwd in a NIS+ environment to change a principal's password, it tries to update the principal's private (secret) key in the cred table.

If you do not have modify rights to the DES entry, it means that the private key in the cred table will have been formed with a password that is now different from the one stored in the passwd table. In this case, the user will have to change keys with the chkey command or run keylogin after each login.

The nistbladm Command

The nistbladm command allows you to create, change, and display information about any NIS+ table, including the passwd table.

It is possible to use the nistbladm command to:

Changing Passwords

New passwords must meet the criteria described in Password Requirements.

Changing Your Own Password

To change your password, type

station1% passwd

You will be prompted for your old password and then the new password and then the new password a second time to confirm it.

Changing Someone Else's Password

To change someone else' password, use:

To change another user's password in the same domain

passwd username

When using the passwd command in a NIS+ environment to change someone else's password you must have modify rights to that user's entry in the passwd table (this usually means that you are a member of the group for the passwd table and the group has modify rights). You do not have to enter either the user's old password or your password. You will be prompted to enter the new password twice to make sure that they match. If they do not match, you will be prompted to enter them again.

Changing Root's Password

When changing root's password, you must always run chkey -p immediately after changing the password with the passwd command. Failure to run chkey -p after changing root's password will result in root being unable to properly log in.

To change a root password, follow these steps:

  1. Log in as root.
  2. Change root's password using passwd.

    Do not use nispasswd.

  3. Run chkey -p.

    You must use the -p option.

Managing Password Aging

Password aging is a mechanism you can use to force users to periodically change their passwords.

Password aging encompasses the following tasks:

Keep in mind that users who are already logged in when the various maximums or dates are reached are not affected by the above tasks. They can continue to work as normal.

Password aging limitations and activities are only activated when a user logs in or performs one of the following operations:

These password aging parameters are applied on user-by-user basis. You can have different password aging requirements for different users. (You can also set general default password aging parameters as described in the /etc/security/user file description.)

Password Privilege Expiration

You can set a specific date on which a user's password privileges expires. When a user's password privilege expires, that user can no longer have a valid password at all. In effect, this locks the user out of the system after the given date because after that date the user can no longer log in.

For example, if you specify an expire date of December 31, 1995, for a user named petew, on January 1, 1996 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt he will receive a Login incorrect message.

Password Aging versus Expiration

Expiration of a user's password privilege is not the same as password aging.

Setting an Expiration Date

Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no affect until the user logs out or tries to use rlogin or telnet to connect to another machine at which time the user will not be able to log in again. Thus, if you are going to implement password privilege expiration dates, you should require your users to log out at the end of each day's work session.

Note: Security Tip: Whenever possible, use Web-based System Manager or SMIT instead of nistbladm to set an expiration date. Web-based System Manager or SMIT are easier to use and provides less chance for error.

To set an expiration date with the nistbladm command:

nistbladm -m 'shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir

Where:

Turning Off Password Privilege Expiration

To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:

station1% nistbladm -m 'shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir

Or you can use the nistbladm command reset the expiration date to some day in the future by entering a new number of days in the n6 field.

Specifying Maximum Number of Inactive Days

You can set a maximum number of days that a user can go without logging in on a given machine. Once that number of days passes without the user logging in, that machine will no longer allow that user to log in. In this situation, the user will receive a Login incorrect message after each login attempt.

This feature is tracked on a machine-by-machine basis, not a network-wide basis. That is, in an NIS+ environment, you specify the number of days a user can go without logging in by placing an entry for that user in the passwd table of the user's home domain. That number applies for that user on all machines on the network. However, the date on which a user last logged in to a given machine is maintained on a machine-by-machine basis in the machine's /var/adm/utmp and/or /var/adm/wtmp (if it exists) file.

For example, suppose you specify a maximum inactivity period of 10 days for the user samh. On January 1, samh logs in to both machine-A and machine-B, and then logs off both machines. Four days later on January 4, samh logs in on machine-B and then logs out. Nine days after that on January 13, samh can still log -n to machine-B because only 9 days have elapsed since the last time he logged in on that machine, but he can no longer log in to machine-A because thirteen days have passed since his last log in on that machine.

Keep in mind that an inactivity maximum cannot apply to a machine the user has never logged in to. No matter what inactivity maximum has been specified or how long it has been since the user has logged in to some other machine, the user can always log in to a machine that the user has never logged in to before.

Note: Do not set inactivity maximums unless your users are instructed to log out at the end of each workday. The inactivity feature only relates to logins; it does not check for any other type of system use. If a user logs in and then leaves the system up and running at the end of each day, that user will soon pass the inactivity maximum because there has been no login for many days. When that user finally does reboot or log out, he or she will not be able to log in.
Note: Whenever possible, use Web-based System Manager or SMIT instead of nistbladm to set an inactivity maximum. Web-based System Manager or SMIT are easier to use and provides less chance for error. to set an inactivity maximum.

To set a login inactivity maximum, you must use the nistbladm command in the format:

nistbladm -m 'shadow=n:n:n:n:n5:n:n' [name=login],passwd.org_dir

Where:

Setting Password Aging Criteria for Multiple Users

You can use the nistbladm command globally specify password max, min, warn, inactive, and expire, values for all principals listed in a given passwd table.

To globally change password aging values for all users listed in a given password table, you use the nistbladm command without an indexed entry between the square brackets. For example, to globally set a minimum of 7 days, a maximum of 30 days, a warning period of 5 days, and no inactivity limit or expire date you would type:

station1% nistbladm -m 'shadow=n:7:30:5:-1:-1:0' [],passwd.org_dir

You can also use the nistbladm command to turn off password aging for all users in a given password table by globally setting their max value to -1 or 0.

Note: The value you enter in the lastchange field (the first field) will be applied to all the users. In effect, you will be resetting everyone's last change date to that value.

Specifying Password Criteria and Defaults

Read the /etc/security/user file description for information on password-related defaults and general criteria that you can specify.

Password Failure Limits

You can specify a number-of-tries limit or an amount-of-time limit (or both) for a user's attempt to change passwords. These limits are specified by adding arguments when starting the rpc.nispasswdd daemon.

Limiting the number of attempts or setting a time frame provides a limited (but not foolproof) defense against unauthorized persons attempting to change a valid password to one that they discover through trial and error.

Maximum Number of Tries

Security Tip: To set the maximum number of times a user can try to change a password without succeeding, use the -a number argument with rpc.nispasswdd, where number is the number of allowed tries. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)

For example, to limit users to no more than four attempts (the default is 3), you would type:

station1# rpc.nispasswdd -a 4

In this case, if a user's fourth attempt at logging in is unsuccessful, the message Too many failures - try later is displayed. No further attempts are permitted for that user ID until a specified period of time has passed.

Maximum Login Time Period

To set the maximum amount a time a user can take to successfully change a password, use the -c minutes argument with rpc.nispasswdd, where minutes is the number of minutes a user has to log in. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)

For example, to specify that users must successfully log in within 2 minutes, you would type:

station1# rpc.nispasswdd -c 2

In this case, if a user is unable to successfully change a password within 2 minutes, the message is displayed at the end of the two-minute period. No further attempts are permitted for that user ID until a specified period of time has passed.


[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]