passwd - password file, pwd.h
/etc/passwd contains the following information for each user:
+ login name
+ encrypted password
+ numerical user ID
+ numerical group ID
+ reserved gecos ID
+ initial working directory
+ program to use as shell
This is an ASCII file. Each field within each user's entry is
separated from the next by a colon. Each user is separated from the
next by a newline. This file resides in the /etc directory. It can
and does have general read permission and can be used, for example, to
map numerical user IDs to names.
getpwent(3C) returns a pointer to a user's entry as a passwd structure,
declared in <pwd.h>.
The login name must begin with an alpha character and may only contain
alphanumeric and underscore characters. If the login directory is
null the user will be placed in / by default. If the login shell is
null, /usr/bin/sh is used.
It is suggested that the range 0-99 not be used for user and group IDs
so that IDs that might be assigned for system software do not
The gecos field may contain the following identification: user's full
name, office location, extension, and home phone. The gecos field can
be set by use of the chfn command and is displayed by the finger
command (see chfn(1) and finger(1)). These two commands assume the
information in this field is in the order listed above. A portion of
the user's real name can be represented in the gecos field by an &
character, which some utilities (including finger) expand by
substituting the login name for it and shifting the first letter of
the login name to uppercase.
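The following Python script is an added illustration and is not part of the HP-UX manual or of any HP-UX source. It parses lines in the format described above: seven colon-separated fields, the login-name rule (alphabetic first character, then alphanumerics and underscore), the defaults of / and /usr/bin/sh for null directory and shell fields, the gecos field split in the order chfn(1) and finger(1) assume, and the & expansion. Only joe's line is taken from this manual's example; the root and ann lines are constructed for the example.

```python
import re

FIELDS = ("name", "password", "uid", "gid", "gecos", "dir", "shell")
GECOS_KEYS = ("full_name", "office", "extension", "home_phone")
LOGIN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")   # alpha first, then alphanumerics/underscore
DEFAULT_DIR = "/"                                   # used when the directory field is null
DEFAULT_SHELL = "/usr/bin/sh"                       # used when the shell field is null


def is_valid_login(name):
    return LOGIN_RE.match(name) is not None


def expand_ampersand(text, login):
    """finger(1)-style expansion: each '&' becomes the login name with its first letter uppercased."""
    return text.replace("&", login[:1].upper() + login[1:])


def parse_gecos(gecos, login):
    """Split the gecos field in the order chfn(1)/finger(1) assume: name, office, extension, home phone."""
    parts = [expand_ampersand(p, login) for p in gecos.split(",")]
    parts += [""] * (len(GECOS_KEYS) - len(parts))
    return dict(zip(GECOS_KEYS, parts))


def parse_passwd_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d colon-separated fields, got %d" % (len(FIELDS), len(parts)))
    entry = dict(zip(FIELDS, parts))
    if not is_valid_login(entry["name"]):
        raise ValueError("illegal login name %r" % entry["name"])
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    entry["dir"] = entry["dir"] or DEFAULT_DIR
    entry["shell"] = entry["shell"] or DEFAULT_SHELL
    entry["gecos_fields"] = parse_gecos(entry["gecos"], entry["name"])
    return entry


def parse_passwd_file(text):
    return [parse_passwd_line(line) for line in text.splitlines() if line.strip()]


def uid_to_name(entries):
    """Map numerical user IDs to login names; the first entry for a uid wins, as getpwuid(3C) does."""
    table = {}
    for entry in entries:
        table.setdefault(entry["uid"], entry["name"])
    return table


# Constructed sample file: joe's line is the one the manual shows, the other two are made up.
SAMPLE = """\
root:Ab1/2cDEfGhIj:0:3::/:/sbin/sh
joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh
ann:Zz9/8yXwVuTsR:101:50:& Smith,Bldg 2,x5501,555-0100::
"""

if __name__ == "__main__":
    for e in parse_passwd_file(SAMPLE):
        print(e["name"], e["uid"], e["dir"], e["shell"], e["gecos_fields"]["full_name"])
```

Lines beginning with + or - (the NIS forms described later in this page) deliberately fail the login-name check here; they are not user entries and need separate handling.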
The following description of the password field applies only to a
standard system. For a trusted system see the SECURITY FEATURES
If the password field is null there is no password and no password is
demanded on login. Otherwise this field consists of an encrypted
password with an optional password aging subfield.
Hewlett-Packard Company - 1 - HP-UX Release 11i: November 2000
The encrypted password consists of 13 characters chosen from a 64-
character set of "digits" described below. Login can be prevented by
entering in the password field a character that is not part of the set
of digits (such as *).
The characters used to represent "digits" are . for 0, / for 1, 0
through 9 for 2 through 11, A through Z for 12 through 37, and a
through z for 38 through 63.
Password aging is put in effect for a particular user if his encrypted
password in the password file is followed by a comma and a non-null
string of characters from the above alphabet. (Such a string must be
introduced in the first instance by a superuser.) This string defines
the "age" needed to implement password aging.
UNIX keeps internal time stamps in a format with a base date of
Thursday January 1, 1970. Because of this, passwd considers the
beginning of a week to be 00:00 GMT Thursday.
The first character of the age, M, denotes the maximum number of weeks
for which a password is valid. A user who attempts to login after his
password has expired is forced to supply a new one. The next
character, m, denotes the minimum period in weeks that must expire
before the password can be changed. The remaining two characters
define the week when the password was last changed (a null string is
equivalent to zero). M and m have numerical values in the range 0
through 63 that correspond to the 64-character set of "digits" shown
If m = M = 0 (derived from the string . or ..), the user is forced to
change his password next time he logs in (and the "age" disappears
from his entry in the password file). If m > M (signified, for
example, by the string ./), then only a superuser (not the user) can
change the password. Not allowing the user to ever change the
password is discouraged.
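The following Python script is an added illustration, not code from the HP-UX manual or from HP-UX itself. It decodes the password field as described above: a null field (no password), a field containing a character outside the 64-character alphabet (login prevented), a 13-character encrypted password, and the optional aging subfield after the comma, whose first two "digits" are M and m and whose remaining characters are the week of the last change decoded least-significant character first, as a64l(3C) does. Weeks are counted from 00:00 GMT Thursday 1 January 1970. The sample field reuses joe's encrypted password from this manual's example; the aging values and the "current" date are constructed.

```python
import datetime

DIGITS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SECONDS_PER_WEEK = 7 * 24 * 3600


def a64l(s):
    """Decode a string of 'digits' into an integer, least significant character first, like a64l(3C)."""
    value = 0
    for i, ch in enumerate(s):
        value |= DIGITS.index(ch) << (6 * i)
    return value


def l64a(n, width=2):
    """Inverse of a64l, used for the two-character last-changed subfield."""
    return "".join(DIGITS[(n >> (6 * i)) & 63] for i in range(width))


def week_of(epoch_seconds):
    """Weeks since 00:00 GMT Thursday 1 Jan 1970, so every week starts on a Thursday."""
    return epoch_seconds // SECONDS_PER_WEEK


def make_age(max_weeks, min_weeks, last_change_week):
    """Build the aging subfield a superuser would append after the comma: M, m, last-changed week."""
    return DIGITS[max_weeks] + DIGITS[min_weeks] + l64a(last_change_week)


def decode_password_field(field, now_week):
    if field == "":
        return {"kind": "none"}                       # null field: no password demanded at login
    hashed, _, age = field.partition(",")
    if len(hashed) != 13 or any(c not in DIGITS for c in hashed):
        return {"kind": "locked", "hash": hashed}     # e.g. "*": nothing crypt(3C) produces can match
    result = {"kind": "hash", "hash": hashed}
    if age == "":
        return result                                 # no comma or null string: aging not in effect
    if len(age) > 4 or any(c not in DIGITS for c in age):
        raise ValueError("malformed aging subfield %r" % age)
    max_weeks = DIGITS.index(age[0])                  # M: weeks the password stays valid
    min_weeks = DIGITS.index(age[1]) if len(age) > 1 else 0   # m: weeks before it may be changed
    last_change = a64l(age[2:])                       # null string is equivalent to zero
    superuser_only = min_weeks > max_weeks            # e.g. "./": user can never change it
    result["aging"] = {
        "max_weeks": max_weeks,
        "min_weeks": min_weeks,
        "last_change_week": last_change,
        "force_change": max_weeks == 0 and min_weeks == 0,   # "." or "..": change at next login
        "expired": now_week > last_change + max_weeks,
        "can_change": not superuser_only and now_week >= last_change + min_weeks,
        "superuser_only": superuser_only,
    }
    return result


if __name__ == "__main__":
    # Constructed case: 12 weeks maximum, 5 weeks minimum, last changed in the week that
    # starts Thursday 23 Nov 2000 (week 1612); "now" is Thursday 18 Jan 2001 (week 1620).
    now = week_of(int(datetime.datetime(2001, 1, 18, tzinfo=datetime.timezone.utc).timestamp()))
    print(now, decode_password_field("r4hRJr4GJ4CqE," + make_age(12, 5, 1612), now))
```

Note that the lockout test is purely syntactic: any character outside the alphabet in the first 13 positions means no output of crypt(3C) can ever equal the field, which is why "*" works as a lock.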
This section applies only to trusted systems. On a trusted system the
password field always contains * by default. Password and aging
information are instead part of the Protected Password Database.
On trusted systems, the encrypted password for each user is stored in
the file /tcb/files/auth/c/user_name (where c is the first letter in
user_name). Password information files are not accessible to the
public. The encrypted password can be longer than 13 characters. For
example, the password file for user david is stored in
/tcb/files/auth/d/david. In addition to the password, the user
profile in /tcb/files/auth/c/user_name also has many other fields,
+ numerical audit ID
+ numerical audit flag
Like /etc/passwd, this file is an ASCII file. Fields within each
user's entry are separated by colons. Refer to authcap(4) and
prpwd(4) for details. The passwords contained in /tcb/files/auth/c/*
take precedence over those contained in the encrypted password field
of /etc/passwd. User authentication is done using the encrypted
passwords in this file. The password aging mechanism described in
passwd(1), under the section called SECURITY FEATURES, applies to this
For more information on converting to a trusted system and on passwords,
see Managing Systems and Workgroups and sam(1M).
The passwd file can have entries that begin with a plus (+) or minus
(-) sign in the first column. Such lines are used to access the
Network Information System network database. A line beginning with a
plus (+) is used to incorporate entries from the Network Information
System. There are three styles of + entries:
+ Insert the entire contents of the Network Information
System password file at that point;
+name Insert the entry (if any) for name from the Network
Information System at that point
+@name Insert the entries for all members of the network
group name at that point.
If a + entry has a non-null password, directory, gecos, or shell
field, they override what is contained in the Network Information
System. The numerical user ID and group ID fields cannot be
The passwd file can also have lines beginning with a minus (-), which
disallow entries from the Network Information System. There are two
styles of - entries:
-name Disallow any subsequent entries (if any) for name.
-@name Disallow any subsequent entries for all members of
the network group name.
The plus (+) and minus (-) features are NIS functionality; therefore,
if NIS is not installed, they do not work. Also, these features work
only with /etc/passwd, but not with a system that has been converted
to a trusted system. When the system has been converted to a trusted
system, the encrypted passwords can be accessed only from the
protected password database, /tcb/files/auth/*/*. Any user entry in
the Network Information System database also must have an entry in the
protected password database.
The uid of -2 is reserved for remote root access by means of NFS. The
user name usually given to this uid is nobody. Since uids are stored
as signed values, the following define is included in <pwd.h> to match
the user nobody.
The login shell for the root user (uid 0) must be /sbin/sh to
guarantee it can always boot. Other shells such as sh, ksh, and csh
are all located under the /usr directory which may not be mounted
during earlier stages of the bootup process. Changing the login shell
of the root user to a value other than /sbin/sh is allowed but may
result in a non-functional system.
The information kept in the gecos field may conflict with unsupported
or future uses of this field. Use of the gecos field for keeping user
identification information has not been formalized within any of the
industry standards. The current use of this field is derived from its
use within the Berkeley Software Distribution. Future standards may
define this field for other purposes.
The following fields have size limitations as noted:
+ Login name field can be no longer than 8 characters;
+ Initial working directory field can be no longer than 63
+ Program field can be no longer than 44 characters.
+ Results are unpredictable if these fields are longer than the
limits specified above.
The following fields have numerical limitations as noted:
+ The user ID is an integer value between 0 and UID_MAX-1
inclusive. As a special case -2 may be present.
+ The group ID is an integer value between 0 and UID_MAX-1
inclusive. As a special case -2 may be present.
+ If either of these values is out of range, the getpwent(3C)
functions reset the ID value to UID_MAX.
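The following Python script is an added illustration and is not code from the HP-UX manual or from HP-UX. It checks one /etc/passwd line against the size limits (8, 63 and 44 characters) and the numerical limits listed above, and mimics what getpwent(3C) hands back for an out-of-range ID: -2 and 0..UID_MAX-1 pass through, anything else becomes UID_MAX. The UID_MAX value is an assumption for the example; take the real one from <limits.h> on the target system. The sample lines other than joe's are constructed.

```python
UID_MAX = 2147483647   # assumption for this example; read the real value from <limits.h>
SIZE_LIMITS = {"name": 8, "dir": 63, "shell": 44}


def normalize_id(value, uid_max=UID_MAX):
    """What getpwent(3C) returns: -2 (nobody) and 0..uid_max-1 unchanged, anything else reset to uid_max."""
    if value == -2 or 0 <= value <= uid_max - 1:
        return value
    return uid_max


def check_entry_limits(line, uid_max=UID_MAX):
    """Return the list of limit violations for one passwd line; an empty list means it is within limits."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return ["expected 7 fields, got %d" % len(fields)]
    name, _password, uid, gid, _gecos, home, shell = fields
    problems = []
    for label, value in (("name", name), ("dir", home), ("shell", shell)):
        if len(value) > SIZE_LIMITS[label]:
            problems.append("%s field is %d characters, limit is %d"
                            % (label, len(value), SIZE_LIMITS[label]))
    for label, raw in (("uid", uid), ("gid", gid)):
        try:
            value = int(raw)
        except ValueError:
            problems.append("%s %r is not an integer" % (label, raw))
            continue
        if normalize_id(value, uid_max) != value:
            problems.append("%s %d is out of range; getpwent(3C) would return %d"
                            % (label, value, uid_max))
    return problems


if __name__ == "__main__":
    # Constructed lines: joe's entry from the manual, then one violation each, then nobody (-2).
    for line in (
        "joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh",
        "longusername:*:100:50::/home/longusername:/usr/bin/sh",
        "bad:*:-5:50:::",
        "nobody:*:-2:-2:::",
    ):
        print(line.split(":")[0], check_entry_limits(line))
```

Because an out-of-range ID is silently reset rather than rejected, a check like this belongs in whatever edits the file (compare pwck(1)); relying on the library to notice is not enough.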
Here is a sample /etc/passwd file:
joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh
In this example, there are specific entries for users root and joe, in
case the Network Information System is out of order.
+ User john's password entry in the Network Information System
is incorporated without change.
+ Any subsequent entries for user bob are ignored.
+ The password field for anyone in the netgroup documentation
+ Users in netgroup marketing are not returned by getpwent(3C)
and thus are not allowed to log in.
+ Anyone else can log in with their usual password, shell, and
home directory, but with a gecos field of Guest.
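The following Python script is an added illustration and is not code from the HP-UX manual, from HP-UX, or from NIS. It models the + and - processing described in the Network Information System section above and walked through in this example: a bare + inserts the whole NIS map, +name one entry, +@name the members of a netgroup; -name and -@name disallow entries that come later in the file; non-null password, gecos, directory and shell fields on a + line override NIS, while uid and gid are taken from NIS unchanged; and lookups return the first matching entry, as the C library does. The local file, the NIS map and the netgroups are constructed for the example (netgroups are reduced to lists of login names, a simplification of the real host/user/domain triples); only joe's line comes from this manual.

```python
FIELDS = ("name", "password", "uid", "gid", "gecos", "dir", "shell")
OVERRIDABLE = ("password", "gecos", "dir", "shell")   # uid and gid always come from NIS


def split_entry(line):
    """Split a local or NIS line into the seven fields, padding short +/- lines with null fields."""
    parts = line.rstrip("\n").split(":")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def merge_nis(local_text, nis_map, netgroups):
    """Walk the local file in order, expanding + and - lines into the sequence getpwent(3C) would return.

    nis_map: login name -> NIS passwd line.  netgroups: netgroup name -> login names in it."""
    entries = []
    disallowed = set()

    def add_from_nis(name, override):
        if name in disallowed or name not in nis_map:
            return
        entry = split_entry(nis_map[name])
        for key in OVERRIDABLE:               # non-null fields of the + line win over NIS
            if override[key]:
                entry[key] = override[key]
        entries.append(entry)

    for line in local_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("+@"):             # +@name: every member of netgroup name
            override = split_entry(line)
            for member in netgroups.get(override["name"][2:], ()):
                add_from_nis(member, override)
        elif line.startswith("+"):            # +name: one entry; bare +: the whole NIS map
            override = split_entry(line)
            wanted = override["name"][1:]
            for member in ([wanted] if wanted else list(nis_map)):
                add_from_nis(member, override)
        elif line.startswith("-@"):           # -@name: disallow subsequent entries for the netgroup
            disallowed.update(netgroups.get(split_entry(line)["name"][2:], ()))
        elif line.startswith("-"):            # -name: disallow subsequent entries for name
            disallowed.add(split_entry(line)["name"][1:])
        else:                                 # ordinary local entry
            entries.append(split_entry(line))
    return entries


def getpwnam(entries, name):
    """First matching entry wins, as in the C library; None means the user is never returned."""
    for entry in entries:
        if entry["name"] == name:
            return entry
    return None


# Constructed local file (joe's line is the manual's; "no-login" contains '-', which is outside
# the crypt(3C) alphabet and so prevents login for the documentation netgroup).
LOCAL = """\
root:Ab1/2cDEfGhIj:0:3::/:/sbin/sh
joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh
+john:
-bob:
+@documentation:no-login:
-@marketing:
+::::Guest:
"""

# Constructed NIS passwd map and netgroups.
NIS_MAP = {
    "john": "john:Cd3/4eFGhIjKl:201:60:John Doe:/home/john:/usr/bin/sh",
    "bob":  "bob:Ef5/6gHIjKlMn:202:60:Bob Roe:/home/bob:/usr/bin/sh",
    "tina": "tina:Gh7/8iJKlMnOp:203:61:Tina Writer:/home/tina:/usr/bin/ksh",
    "mark": "mark:Ij9/0kLMnOpQr:204:62:Mark Seller:/home/mark:/usr/bin/sh",
    "pat":  "pat:Kl1/2mNOpQrSt:205:63:Pat Guest:/home/pat:/usr/bin/sh",
}
NETGROUPS = {"documentation": ("tina",), "marketing": ("mark",)}

if __name__ == "__main__":
    for entry in merge_nis(LOCAL, NIS_MAP, NETGROUPS):
        print(entry["name"], entry["uid"], entry["password"], entry["gecos"])
```

The bare + line at the end inserts tina a second time with her real NIS password, so the lock for the documentation netgroup depends entirely on first-match lookup reaching the +@documentation entry first; keep the -@ and +@ lines above the bare + when editing such a file.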
/tcb/files/auth/*/* Protected password database used when
system is converted to trusted system.
/etc/passwd Standard password file used by HP-UX.
chfn(1), chsh(1), finger(1), login(1), passwd(1), pwck(1),
useradd(1M), a64l(3C), crypt(3C), getpass(3C), getpwent(3C),
getprpwent(3), authcap(4), limits(5).
passwd: SVID2, SVID3, XPG2