Manual: (OSF1-V5.1-alpha)

default(4)							   default(4)



NAME

  default - System default database file (Enhanced Security)

DESCRIPTION

  The system default database is unique in that it defines system-wide global
  values. It is designed to provide values for users and devices at a global
  level so that an administrator is not required to replicate values in user
  or device databases when they are all the same. In addition to being easier
  to specify global values, it is also much easier to make a global system
  change if necessary.

  The system default database contains four types of values:

  system-wide
            System-wide values that do not have corresponding specifications
            in any other system database. If a system-wide value is not
            specified in the default database, then it is undefined.

  user      User values, which are typically specified in a protected
            password database file.

  terminal  Terminal control values, which are typically specified in the
            terminal control database file.

  device assignment
            Device assignment values, which are typically specified in the
            device assignment database file.

  The field names for each value type begin with an identifying prefix. The
  following list of prefixes also lists the reference page that explains the
  associated database:

  d_   Defaults database field. (this reference page)

  t_   Terminal control database field. (ttys(4))

  u_   Protected password database field. (prpasswd(4))

  v_   Device assignment database field. (devassign(4))

  System default parameters can be specified for fields found in the
  protected password, terminal control, and device assignment databases. When
  a specific entry is retrieved from one of these databases, a structure
  called ufld that contains all of the explicitly specified values is provided
  to the caller. A second structure, called sfld, is also provided; it defines
  those values supplied from the system default database.

  Each of these structures has a corresponding flag structure called uflg and
  sflg respectively that indicates which fields in each structure have been
  specified and are valid for use. Programs honor the user-specific or
  device-specific value if one is provided. Otherwise, programs use the
  system default value if one has been specified. If neither value is
  specified, the program may supply a reasonable default value or abort.

  The following	fields are defined only	in the defaults	database:


  d_pw_expire_warning
            This field contains the value, measured in seconds, used to
            control whether a password expiration warning is given at login
            time. If the password expiration time contained in the user's
            protected password database file falls within this time interval
            (measured from the current system time), a warning is given.

  d_pw_site_callout
            This field is a string that specifies the full path name of the
            program or script to call for site-specific security policy
            conformance decisions.

  d_name    This field contains the name which is set by default to the
            string default.

  d_boot_authenticate
            This flag field is not currently used.

  d_audit_enable
            This flag is for MLS+ compatibility only. It's ignored in
            DIGITAL UNIX Version 4.0.

  d_secclass
            This field is an ASCII identifier of the security class supported
            by the system and is used for informational purposes only. The
            choices include a1, b1, b2, b3, c1, c2, and d.

  d_admin_preexpire_psw
            A boolean expression indicating that the password set by the
            administrator should be set to expire immediately. This flag
            controls whether auto-migration requires a password change at the
            time it creates the account, or whether it assumes the password
            was set at the present time. It also controls the
            forced-expiration-required action of dxchpwd when an administrator
            changes a user's password.

  d_skip_ttys_updates
            A boolean expression indicating that the ttys database is not
            updated during logins. This flag (if set in the system defaults
            database) causes login attempts (successful or not) to skip
            updating the ttys database. This speeds up logins at the expense
            of not doing break-in evasion.

  d_auto_migrate_users
            A boolean expression that causes a new extended profile to be
            created if no extended profile exists, but there is a valid base
            profile. If this flag (in the system defaults database) is set,
            and a user attempts to log in with no extended profile, but the
            user does have a legitimate BSD-style profile, an extended
            profile is created for that user (all defaults, except where
            specific information is required, like username and UID).

  d_max_vacation_future
            A numeric value in seconds indicating how far into the future a
            user-initiated vacation can be scheduled. If either
            d_max_vacation_future or d_max_vacation_duration is zero, no
            user-initiated use of the vacationing feature is possible. This
            field (in the system defaults database) is zero (implicitly) as
            shipped.

  d_max_vacation_duration
            A numeric value in seconds indicating how long a user-initiated
            scheduled vacation can last. If either d_max_vacation_future or
            d_max_vacation_duration is zero, no user-initiated use of the
            vacationing feature is possible. This field (in the system
            defaults database) is zero (implicitly) as shipped.

  d_accept_alternate_vouching
            A boolean expression indicating that SIA vouching is accepted
            from other authentication mechanisms. If this field is set (in
            the system defaults database), then other C2 mechanisms will not
            demand a password of their own if another preceding SIA mechanism
            has already validated the user. (This is in support of mixing
            DCE+C2.) This does mean that the C2 password controls do not
            mean much (if anything) when DCE is up and in use, but the
            setting is under admin control and defaults to off. It can also
            be desirable to set this if using S/Key or smartcard support.

EXAMPLES

  The following example is a typical system default database:

       default:\
	       :d_name=default:\
	       :d_secclass=c2:\
	       :d_boot_authenticate@:\
	       :d_audit_enable@:\
	       :d_pw_expire_warning#3456000:\
	       :u_pwd=*:\
	       :u_minchg#0:u_maxlen#10:u_exp#15724800:u_life#31449600:\
	       :u_pickpw:u_genpwd:u_restrict@:u_nullpw@:\
	       :u_genchars:u_genletters:\
	       :u_maxtries#5:u_lock:\
	       :t_logdelay#2:t_maxtries#10:\
	       :chkent:
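
  The following is an added illustration, not part of the original reference
  page and not the system's own code (the real interface is getprdfent(3)). It
  parses an entry in the format of the example above, resolves a field in the
  order the DESCRIPTION gives (specific value, then system default, then the
  caller's fallback), and reports the two defaults-only flags that this page
  says relax a control. Assumptions: a trailing @ marks a false flag, numbers
  are decimal, values contain no escaped colons, and the user "alice" and the
  enabled d_skip_ttys_updates flag are constructed sample data.

```python
import re

# Constructed sample: fields taken from the page's example, plus one
# defaults-only flag (d_skip_ttys_updates) switched on for the audit.
SYSTEM_DEFAULT = r"""default:\
    :d_name=default:d_secclass=c2:\
    :d_boot_authenticate@:d_audit_enable@:\
    :d_pw_expire_warning#3456000:\
    :u_minchg#0:u_maxlen#10:u_exp#15724800:u_life#31449600:\
    :u_maxtries#5:u_lock:\
    :t_logdelay#2:t_maxtries#10:\
    :d_skip_ttys_updates:\
    :chkent:
"""
# Constructed per-user entry for a hypothetical user "alice".
USER_ENTRY = r"alice:u_maxtries#3:u_lock@:chkent:"

def parse_entry(text):
    """Return (entry_name, {field: value}) for one entry."""
    joined = re.sub(r"\\\n\s*", "", text.strip())  # undo line continuations
    name, *caps = [c for c in joined.split(":") if c]
    if caps[-1:] != ["chkent"]:  # terminator, as in the page's example
        raise ValueError("entry does not end with chkent")
    fields = {}
    for cap in caps[:-1]:
        if "=" in cap:    # string field
            key, val = cap.split("=", 1)
        elif "#" in cap:  # numeric field (decimal assumed)
            key, num = cap.split("#", 1)
            val = int(num)
        else:             # flag: bare name is true, name@ is false (assumed)
            key, val = cap.rstrip("@"), not cap.endswith("@")
        fields[key] = val
    return name, fields

def effective(field, ufld, sfld, fallback=None):
    """Specific value wins, then the system default, then the caller's fallback.
    Key presence in each dict plays the role of the uflg/sflg flag structures."""
    if field in ufld:
        return ufld[field]
    return sfld.get(field, fallback)

def audit_defaults(sfld):
    """Report defaults-only flags that this page says relax a control."""
    notes = {
        "d_skip_ttys_updates": "ttys not updated at login, no break-in evasion",
        "d_accept_alternate_vouching": "C2 asks no password after another SIA mechanism",
    }
    return [f"{k}: {v}" for k, v in notes.items() if sfld.get(k) is True]
```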

FILES

  /etc/auth/system/default
            Specifies the pathname of the file.

RELATED INFORMATION

  Functions: getprdfent(3)

  Files: authcap(4), devassign(4), prpasswd(4), ttys(4)