Revision history
Revision | Date | Author | Comment |
---|---|---|---|
1.12 | 98/10/14 09:40:45 | clyde | Update history depth & age descriptions |
1.11 | 98/09/16 14:41:02 | clyde | Change PrintOnly to PrintableOnly |
1.10 | 98/08/17 13:26:55 | clyde | 1. Add passwd.WhiteSpace directive 2. Fix some typos and mismatches with code |
1.9 | 98/07/20 16:01:16 | clyde | Spell check |
1.8 | 98/07/16 09:09:36 | clyde | Update path token |
1.7 | 98/07/09 15:27:30 | clyde | Remove unused debug levels |
1.6 | 98/07/08 17:02:27 | clyde | 1. Put directives into alpha order 2. Cleanup |
1.5 | 98/07/02 15:59:32 | clyde | Add symbolic debug levels |
1.4 | 98/06/26 09:55:36 | clyde | 1. Fix signature 2. Add more links to top |
1.3 | 98/06/24 17:14:28 | clyde | Minor changes |
1.2 | 98/06/02 15:55:24 | clyde | Fix typos |
1.1 | 98/05/22 13:59:00 | clyde | date and time created 98/05/22 13:59:00 by clyde |
The configuration file is @NPASSWD-HOME@/passwd.conf. This location can be changed only by running Configure and rebuilding.
Npasswd will abort if the configuration file has syntax errors, or fails any of the following security requirements:
The syntax of a configuration file can be checked with the -XC option, which disables the security checks.
Blank lines and lines starting with "#" are ignored.
Npasswd performs the functions of three standard UNIX utilities: passwd, chfn and chsh. Each of these sub-programs has its own configuration directives.
Configuration directive syntax
sub-program | option | value |
---|---|---|
One of passwd, chfn, chsh, or empty. A non-empty sub-program must be followed by a period (".") | Sub-program option (see below) | Value for option (see below) |
The option and its value are separated by one or more whitespace characters.
Value types
Type | Description |
---|---|
number | May be decimal (with an optional leading minus sign), octal (format 0NNN) or hex (format 0xNNNN) |
path | UNIX pathname |
boolean | One of the strings "1", "true", "yes" or "on". Any other value is interpreted as false |
string | Strings can optionally be enclosed in single (') or double (") quotes. Non-printable ASCII characters can be specified thusly: |
Npasswd configuration directives
Directive and options are case-insensitive
Directive | Value Type | Description |
---|---|---|
Directives applicable to all sub-programs | | |
MatchTries | number | Chances to give user to correctly enter a password. |
MatchWait | number | Delay after the user enters an incorrect password. |
PasswdTolerance | number | Tolerance between old and new passwd files. |
ShadowTolerance | number | Tolerance between old and new shadow files. |
Directives for sub-program "passwd" | | |
passwd.AlphaOnly | boolean | Allow alpha-only passwords |
passwd.CharClasses | number | Set number of required character classes. |
passwd.Dictionaries | path | Add to dictionary lookup path. |
passwd.DisallowedChars | string | Set which characters are not allowed in passwords. |
passwd.Help | path | Help file for passwd. |
passwd.History | See below | Configure history mechanism. |
passwd.LengthWarn | boolean | Warn about passwords over maximum length. |
passwd.MaxPassword | number | Maximum effective password length. |
passwd.MaxRepeat | number | How many adjacent repeat characters allowed. |
passwd.Message | path | Message of the day. |
passwd.MinPassword | number | Minimum password length. |
passwd.PasswordChecks | string | Select password checks. |
passwd.PrintableOnly | boolean | Deny non-printable characters. |
passwd.SingleCase | boolean | Allow single-case passwords. |
passwd.WhiteSpace | boolean | Allow whitespace characters in passwords. |
Directives for sub-program "chfn" | | |
chfn.Help | path | Help file for chfn. |
chfn.Message | path | Message of the day. |
Directives for sub-program "chsh" | | |
chsh.Help | path | Help file for chsh. |
chsh.Message | path | Message of the day. |
chsh.Shells | path | List of blessed shells. |
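A linter for the directive syntax and value types described above, as an added example that is not part of npasswd or its documentation. It knows the types of only a subset of directives; the sample file, the list of "false" spellings and the rejection of numbers such as 08 are assumptions of this example.

```python
import re

TRUE = {"1", "true", "yes", "on"}              # the only strings read as true
FALSE_SPELLINGS = {"0", "false", "no", "off"}  # assumed: what a human means as false
SUBPROGRAMS = {"passwd", "chfn", "chsh"}
TYPES = {  # value types for a subset of the directives in the table above
    "matchtries": "number", "passwd.minpassword": "number",
    "passwd.maxrepeat": "number", "passwd.alphaonly": "boolean",
    "passwd.singlecase": "boolean", "passwd.printableonly": "boolean",
}

def parse_number(text):
    """Decimal (optional minus), octal 0NNN or hex 0xNNNN; "08" is rejected (assumption)."""
    for pattern, base in ((r"0[xX][0-9a-fA-F]+", 16), (r"0[0-7]+", 8),
                          (r"-?(0|[1-9][0-9]*)", 10)):
        if re.fullmatch(pattern, text):
            return int(text, base)
    raise ValueError(f"not a number: {text!r}")

def parse_line(raw):
    """Return (directive, value), or None for blank and "#" lines."""
    if not raw.strip() or raw.startswith("#"):
        return None
    parts = raw.split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"missing value: {raw!r}")
    name, value = parts[0].lower(), parts[1].strip()  # names are case-insensitive
    if "." in name and name.split(".", 1)[0] not in SUBPROGRAMS:
        raise ValueError(f"unknown sub-program in {name!r}")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]                           # optional quotes
    return name, value

def audit(conf_text):
    """Return (line_number, message) findings for the text of a passwd.conf."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        try:
            parsed = parse_line(raw)
            if parsed is None:
                continue
            name, value = parsed
            kind = TYPES.get(name)
            if kind == "number":
                value = parse_number(value)
            elif kind == "boolean":
                # Anything outside TRUE is false, so "enabled" silently disables.
                if value not in TRUE | FALSE_SPELLINGS:
                    findings.append((no, f"{name}: {value!r} is read as false"))
                value = value in TRUE
        except ValueError as err:
            findings.append((no, f"syntax: {err}"))
            continue
        if name == "passwd.minpassword" and value < 6:
            findings.append((no, "passwd.minpassword: shorter than six characters"))
        if name in ("passwd.alphaonly", "passwd.singlecase") and value is True:
            findings.append((no, f"{name}: a character diversity requirement is dismissed"))
    return findings

# Constructed sample input, not a shipped passwd.conf.
SAMPLE = """\
# local policy
passwd.MinPassword 0x5
passwd.AlphaOnly yes
passwd.PrintableOnly enabled
passwd.MaxRepeat three
chfn.Help "/path/to/chfn.help"
login.Shells /etc/shells
"""
print(*audit(SAMPLE), sep="\n")
```

The check on passwd.PrintableOnly is the one most worth keeping: because any unrecognised string is false, a misspelt value turns a restriction off without a syntax error.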
Directives applicable to all sub-programs
Directive | Type | Default value |
---|---|---|
MatchTries | number | 3 |
How many chances to give the user to correctly enter a password (old or new).
Directive | Type | Default value |
---|---|---|
MatchWait | number | 2 |
How many seconds to wait after the user enters an incorrect password.
PasswdTolerance
Usage | Type | Default value |
---|---|---|
PasswdTolerance | number | 128 |
After the passwd file changes are done, the size of the new file is compared to the size of the old file, to guard against data loss due to disk or file system error. PasswdTolerance sets how many bytes the new password file can be shorter than the original. Changing one passwd entry should not change the total size of the file by more than PasswdTolerance bytes. In order to accommodate changes to the finger information, the default for this tolerance is generous.
This setting may need tuning if there are problems with chfn.
ShadowTolerance
Usage | Type | Default value |
---|---|---|
ShadowTolerance | number | 32 |
After shadow changes are made, the size of the new shadow file is compared to the size of the old shadow file, to guard against data loss due to disk or file system error. ShadowTolerance sets how many bytes the new shadow file can be shorter than the original. Changing one shadow entry should not change the total size of the file by more than ShadowTolerance bytes. This setting is much smaller than PasswdTolerance.
Directives for sub-program "passwd"
Directive | Type | Default value |
---|---|---|
passwd.AlphaOnly | boolean | true |
Controls whether alpha-only passwords will be accepted. If this option is set, the requirement for non-alpha characters in a password is dismissed. Other character diversity requirements remain in effect.
Directive | Type | Default value |
---|---|---|
passwd.CharClasses | number | 1 |
Sets how many classes of characters are required.
The character classes are:
The higher the class setting, the more diverse mixture of characters required.
Refer to The Anatomy of Password Checking for more information.
Usage | Type | Default value |
---|---|---|
passwd.Dictionaries | path ... path | @NPASSWD-DICT@ |
Passwd.Dictionaries specifies directories containing password check dictionaries. Each directory is scanned for hashed dictionary files. Multiple directories can be specified either in one directive, or by multiple directives.
It is a fatal error if any of the following are encountered:
Directive | Type | Default value |
---|---|---|
passwd.DisallowedChars | string | ctrl-c ctrl-s ctrl-q ctrl-d ctrl-h ctrl-j ctrl-m ctrl-o ctrl-r ctrl-y ctrl-z ctrl-] ESC ctrl-\ DEL |
Sets the list of characters (usually non-printable) not allowed in passwords. The default list includes the typical terminal special characters. To supplement the list, put a plus sign as the first character of the string.
If non-printable characters are allowed in passwords (the default), it would be wise to check your system, and add any terminal special characters not in the standard list.
Directive | Type | Default value |
---|---|---|
passwd.Help | path | @NPASSWD-HOME@/passwd.help |
This file is presented if the user enters "?" in response to the new password prompt.
passwd.History
Npasswd can maintain password history to discourage too-frequent reuse.
See the history section of The Anatomy of Password Checking for details.
Directive | Type | Default value | Description |
---|---|---|---|
Age | number | 180 (days) | Use only passwords younger than N days. |
Depth | number | 2 | Use only the most recent N old passwords. |
Database | See below | dbm @NPASSWD-HIST@ | Select password history database method and location |
Database | Description |
---|---|
none | Password history is disabled |
file /path/to/file | Store history in file /path/to/file. |
dbm /path/to/file | Store history in DBM database in /path/to/file. |
nis map-name | Store history in NIS map map-name. This option is available only if npasswd is built with support for Sun Secure RPC. This option is not yet supported. |
nisplus map-name | Store history in NIS+ table "map-name.org_dir". This option is not yet supported. |
Directive | Type | Default value |
---|---|---|
passwd.LengthWarn | boolean | false |
Controls whether a warning message is issued for new passwords longer than MaxPassword. This warning is to inform the user that the excess characters are not effective. The default is to suppress this message.
Usage | Type | Default value |
---|---|---|
passwd.MaxPassword | number | 8* |
Sets the maximum effective length for passwords. This reflects a limitation of the standard crypt(3), which encrypts only the initial 8 characters of the plaintext. On Ultrix and Digital UNIX (aka OSF/1) with enhanced security, this limit is 16.
It is not an error for a password to be longer than the maximum, but the password checker can be configured to issue a warning. See passwd.LengthWarn.
Directive | Type | Default value |
---|---|---|
passwd.MaxRepeat | number | 3 |
Controls how many adjacent repeated characters are allowed in passwords.
Directive | Type | Default value |
---|---|---|
passwd.Message | path | @NPASSWD-HOME@/passwd.motd |
This file contains the "message of the day" for passwd.
Usage | Type | Default value |
---|---|---|
passwd.MinPassword | number | 6 |
Sets the minimum acceptable password length. Passwords shorter than six characters (the default) are very vulnerable to guessing attacks.
Directive | Type | Default value |
---|---|---|
passwd.PasswordChecks | string | lexical passwd local history dictionary |
Specifies the order of password checks. See Npasswd Administration Guide.
Directive | Type | Default value |
---|---|---|
passwd.PrintableOnly | boolean | false |
Controls whether non-printable ASCII characters are allowed in passwords. Character printability is determined by using isprint(3). If this is set, passwords which contain non-printable characters will be rejected. Other character diversity requirements remain in effect.
Directive | Type | Default value |
---|---|---|
passwd.SingleCase | boolean | true |
Controls whether single-case passwords are accepted. Character case is determined by using isupper(3) and islower(3). If this option is set, the mixed-case requirement is dismissed. Other character diversity requirements remain in effect.
Directive | Type | Default value |
---|---|---|
passwd.WhiteSpace | boolean | true |
Controls whether whitespace characters are allowed in passwords. Isspace(3) is used to determine if a character is whitespace.
Directives for sub-program "chfn"
chfn.Help
Directive | Type | Default value |
---|---|---|
chfn.Help | path | @NPASSWD-HOME@/chfn.help |
The help file is presented to the user in response to "?" input.
Directive | Type | Default value |
---|---|---|
chfn.Message | path | @NPASSWD-HOME@/chfn.motd |
The message of the day file for chfn.
Directives for sub-program "chsh"
Directive | Type | Default value |
---|---|---|
chsh.Help | path | @NPASSWD-HOME@/chsh.help |
Help file for chsh. The help file is presented to the user in response to "?" input.
Directive | Type | Default value |
---|---|---|
chsh.Message | path | @NPASSWD-HOME@/chsh.motd |
The message of the day file for chsh.
Directive | Type | Default value |
---|---|---|
chsh.Shells | path | /etc/shells |
The list of blessed shells that users can select. If getusershell(3) is available, this directive is ignored.
The main command line options of npasswd control the platform-independent features.
Some operating-system specific options may also be supported (e.g. SunOS 4, SunOS 5 and HP-UX). Others may be deferred to the vendor passwd program (usually preserved during the initial installation).
Refer to the manual page for the full list of supported options.
Command line options
Multiple -X options may be given
Option | Description |
---|---|
-Xc | Read the configuration file, output settings and exit with 0 status. |
-XCconfig-file | Check syntax of config-file and terminate. Exit status is 0 if file was ok, 1 if not. This option disables configuration file security checks. |
-XDdebug-level | Set debug output level. |
-XF | Suppress new password checking. This option is restricted to root and should be used very sparingly. |
-XI | Read passwords from standard input instead of /dev/tty. This option is restricted to root. |
-XV | Print version and patch level identification. |
-Xf | Perform the "chfn" (change finger name) function. |
-Xs | Perform the "chsh" (change login shell) function. |
Debug levels
Level | Description |
---|---|
none | None. |
verbose | Mild verbosity. |
lookup | Trace user lookup. |
update | Trace user updating. |
config | Trace configuration processing. |
misc1 | Reserved. |
misc2 | Reserved. |
pwcheck | Trace password checking. |
detail | More detailed tracing. |
all | All debugging. |
Clyde Hoover