Npasswd Reference Manual

Revision history (SCCS deltas, newest first):
1.12  98/10/14 09:40:45  clyde  Update history depth & age descriptions
1.11  98/09/16 14:41:02  clyde  Change PrintOnly to PrintableOnly
1.10  98/08/17 13:26:55  clyde  1. Add passwd.WhiteSpace directive 2. Fix some typos and mismatches with code
1.9   98/07/20 16:01:16  clyde  Spell check
1.8   98/07/16 09:09:36  clyde  Update path token
1.7   98/07/09 15:27:30  clyde  Remove unused debug levels
1.6   98/07/08 17:02:27  clyde  1. Put directives into alpha order 2. Cleanup
1.5   98/07/02 15:59:32  clyde  Add symbolic debug levels
1.4   98/06/26 09:55:36  clyde  1. Fix signature 2. Add more links to top
1.3   98/06/24 17:14:28  clyde  Minor changes
1.2   98/06/02 15:55:24  clyde  Fix typos
1.1   98/05/22 13:59:00  clyde  date and time created 98/05/22 13:59:00 by clyde
Introduction to the configuration file

The configuration file is @NPASSWD-HOME@/passwd.conf. This location can be changed only by running Configure and rebuilding.

Npasswd will abort if the configuration file has syntax errors, or fails any of the following security requirements:

The syntax of a configuration file can be checked with the -XC option, which disables the security checks.

Syntax of the configuration file

Blank lines and lines starting with "#" are ignored.

Npasswd performs the functions of three standard UNIX utilities: passwd, chfn and chsh. Each of these sub-programs has its own configuration directives.

Configuration directive syntax

[sub-program.]option value

sub-program   One of passwd, chfn, chsh, or empty. A non-empty sub-program must be followed by a period (".")
option        Sub-program option (see below)
whitespace    One or more whitespace characters
value         Value for option (see below)

Value types

number    May be decimal (with an optional leading minus sign), octal (format 0NNN) or hex (format 0xNNNN)
path      UNIX pathname
boolean   One of the strings "1", "true", "yes" or "on". Any other value is interpreted as false
string    Strings can optionally be enclosed in single (') or double (") quotes
          Non-printable ASCII characters can be specified thusly:
            • "^char" (caret, then char), e.g. ^X for control-x
            • "\char" (backslash, then char) for C special characters (\b \f \h \n \r \t \\)
            • "\0NNN" where NNN is the character value in octal
            • "\0xNN" where NN is the character value in hex

Summary of configuration directives
Npasswd configuration directives
Directive and options are case-insensitive

Directive                Value type   Description

Directives applicable to all sub-programs
MatchTries               number       Chances to give user to correctly enter a password.
MatchWait                number       Delay after the user enters an incorrect password.
PasswdTolerance          number       Tolerance between old and new passwd files.
ShadowTolerance          number       Tolerance between old and new shadow files.

Directives for sub-program "passwd"
passwd.AlphaOnly         boolean      Allow alpha-only passwords.
passwd.CharClasses       number       Set number of required character classes.
passwd.Dictionaries      path         Add to dictionary lookup path.
passwd.DisallowedChars   string       Set which characters are not allowed in passwords.
passwd.Help              path         Help file for passwd.
passwd.History           See below    Configure history mechanism.
passwd.LengthWarn        boolean      Warn about passwords over maximum length.
passwd.MaxPassword       number       Maximum effective password length.
passwd.MaxRepeat         number       How many adjacent repeat characters allowed.
passwd.Message           path         Message of the day.
passwd.MinPassword       number       Minimum password length.
passwd.PasswordChecks    string       Select password checks.
passwd.PrintableOnly     boolean      Deny non-printable characters.
passwd.SingleCase        boolean      Allow single-case passwords.
passwd.WhiteSpace        boolean      Allow whitespace characters in passwords.

Directives for sub-program "chfn"
chfn.Help                path         Help file for chfn.
chfn.Message             path         Message of the day.

Directives for sub-program "chsh"
chsh.Help                path         Help file for chsh.
chsh.Message             path         Message of the day.
chsh.Shells              path         List of blessed shells.
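
A small linter for the directive syntax and value types described above, as an added example (not npasswd's own parser). The function names, error strings and sample file are constructed; matching boolean values case-insensitively and passing unlisted backslash escapes through unchanged are assumptions.

```python
import re

# Directive -> value type, a subset of the summary table on this page.
TYPES = {"matchtries": "number", "passwd.maxrepeat": "number", "chsh.shells": "path",
         "passwd.alphaonly": "boolean", "passwd.disallowedchars": "string"}
C_ESCAPES = {"b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t"}
# \0xNN and \0NNN must be tried before the one-character \char and ^char forms.
ESCAPE = re.compile(r"\\0x([0-9A-Fa-f]{2})|\\0([0-7]{1,3})|\\(.)|\^(.)")

def decode_string(raw):
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        raw = raw[1:-1]                      # optional single or double quotes
    def expand(m):
        hexv, octv, esc, ctrl = m.groups()
        if hexv or octv:
            return chr(int(hexv, 16) if hexv else int(octv, 8))
        # Unlisted escapes keep the character (assumption); ^X -> control-x (0x18).
        return C_ESCAPES.get(esc, esc) if esc else chr(ord(ctrl.upper()) ^ 0x40)
    return ESCAPE.sub(expand, raw)

def decode(kind, raw):
    if kind == "number":                     # decimal, octal 0NNN or hex 0xNNNN
        if not re.fullmatch(r"-?[1-9][0-9]*|0[0-7]*|0[xX][0-9A-Fa-f]+", raw):
            raise ValueError("not a number: " + raw)
        return int(raw, 16 if raw[:2].lower() == "0x" else 8 if raw[0] == "0" else 10)
    if kind == "boolean":                    # any other string is false, never an error
        return raw.lower() in ("1", "true", "yes", "on")
    return decode_string(raw) if kind == "string" else raw

def parse(text):
    settings, errors = {}, []                # errors: [(line number, message), ...]
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue                         # blank and "#" lines are ignored
        try:
            name, raw = line.split(None, 1)  # ValueError when the value is missing
            name = name.lower()              # directives are case-insensitive
            if name.rpartition(".")[0] not in ("", "passwd", "chfn", "chsh") or name not in TYPES:
                raise ValueError("unknown sub-program or directive: " + name)
            settings[name] = decode(TYPES[name], raw.strip())
        except ValueError as exc:
            errors.append((n, str(exc)))
    return settings, errors

SAMPLE = r"""# constructed sample, not a shipped passwd.conf
MatchTries 0x3
passwd.AlphaOnly enabled
passwd.DisallowedChars "^H\0177\0x1b"
mail.Help /tmp/x
passwd.MaxRepeat -two"""
```

In the sample, `passwd.AlphaOnly enabled` parses cleanly as false: under the boolean rule a mistyped value is never reported, so a linter that should catch such typos has to warn on non-canonical booleans itself.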

Directives applicable to all sub-programs

MatchTries

MatchWait

PasswdTolerance

This setting may need tuning if there are problems with chfn.

ShadowTolerance

Changing one shadow entry should not change the total size of the file by more than ShadowTolerance bytes.

This setting is much smaller than PasswdTolerance.

Directives for sub-program "passwd"

Refer to The Anatomy of Password Checking for more information.

passwd.AlphaOnly

Controls whether alpha-only passwords will be accepted. If this option is set, the requirement for non-alpha characters in a password is dismissed. Other character diversity requirements remain in effect.

passwd.CharClasses

passwd.Dictionaries

passwd.DisallowedChars

passwd.Help

passwd.History

Npasswd can maintain password history to discourage too-frequent reuse.

See the history section of The Anatomy of Password Checking for details.

Directive   Type        Default value                   Description
Age         number      180 (days)                      Passwords in the history older than this are ignored.
Depth       number      5                               Use only the most recent N passwords.
Database    See below   dbm install-directory/history   Select password history database method and location

Database methods:
none                 Password history is disabled
file /path/to/file   Store history in file /path/to/file.
dbm /path/to/file    Store history in DBM database in /path/to/file.
nis map-name         Store history in NIS map map-name. This option is available only if npasswd is built with support for Sun Secure RPC. This option is not yet supported.
nisplus map-name     Store history in NIS+ table "map-name.org_dir". This option is not yet supported.

passwd.LengthWarn

passwd.MaxPassword

Sets the maximum effective length for passwords. This reflects a limitation of the standard crypt(3), which encrypts only the initial 8 characters of the plaintext. On Ultrix and Digital UNIX (aka OSF/1) with enhanced security, this limit is 16.

It is not an error for a password to be longer than the maximum, but the password checker can be configured to issue a warning under these circumstances. See passwd.LengthWarn.

passwd.MaxRepeat

passwd.Message

passwd.MinPassword

passwd.PasswordChecks

Directive               Type     Default value
passwd.PasswordChecks   string   lexical passwd local history dictionary

Specifies the order of new password checks. See PasswordChecks.html for details.

passwd.PrintableOnly

passwd.SingleCase

Directive           Type      Default value
passwd.SingleCase   boolean   true

Controls whether single-case passwords are accepted. Character case is determined by using isupper(3) and islower(3). If this option is set, the mixed-case requirement is dismissed. Other character diversity requirements remain in effect.

passwd.WhiteSpace


Directives for sub-program "chfn"

chfn.Help

chfn.Message


Directives for sub-program "chsh"

chsh.Help

Directive   Type   Default value
chsh.Help   path   @NPASSWD-HOME@/chsh.help

Help file for chsh. The help file is presented to the user in response to "?" input.

chsh.Message

chsh.Shells


Command line options

The main command line options of npasswd control the platform-independent features.

Some operating-system specific options may also be supported (e.g. SunOS 4, SunOS 5 and HP-UX). Others may be deferred to the vendor passwd program (usually preserved during the initial installation).

Refer to the manual page for the full list of supported options.

Multiple -X options may be given.

-Xc               Read the configuration file, output settings and exit with 0 status.
-XC config-file   Check syntax of config-file and terminate.
                  Exit status is 0 if file was ok, 1 if not.
                  This option disables configuration file security checks.
-XD debug-level   Set debug output level.
                  Debug levels:
                    none      None.
                    verbose   Mild verbosity.
                    lookup    Trace user lookup.
                    update    Trace user updating.
                    config    Trace configuration processing.
                    pwcheck   Trace password checking.
                    detail    More detailed tracing.
                    all       All debugging.
-XF               Suppress new password checking.
                  This option is restricted to root and should be used very sparingly.
-XI               Read passwords from standard input instead of /dev/tty
                  This option is restricted to root.
-XV               Print version and patch level identification.
-Xf               Perform the "chfn" (change finger name) function.
-Xs               Perform the "chsh" (change login shell) function.


Clyde Hoover
Academic Computing Services and Instructional Technology Services
The University of Texas at Austin
Copyright 1998, The University of Texas at Austin. All rights reserved.