Manual: HP-UX 11.11

 prpwd(4)							    prpwd(4)




 NAME
      prpwd - protected password authentication database files used for
      trusted systems

 SYNOPSIS
      /tcb/files/auth/...

 DESCRIPTION
      An authentication profile is maintained for each user on the system. A
      user profile is kept in a protected password database file that is
      accessible only to the System Administrator.  The protected password
      database files contain among other things the encrypted password for
      the user account. On a trusted system, the passwords are hidden from
      normal users.

      The protected password database files do not obviate the need for the
      /etc/passwd and the /etc/group files. Users must be defined in the
      /etc/passwd file in order to use the system.  The protected password
      database file for a user contains the user name and user id to provide
      a correlation to the user's /etc/passwd entry. These must match or the
      user account will be treated as invalid.

      Protected password database files are maintained in the
      /tcb/files/auth hierarchy. This directory contains other directories
      each named with a single letter from the alphabet. User authentication
      profiles are stored in these directories based on the first letter of
      the user account name. This enables an efficient search operation to
      locate the file for a specific user name. For instance, the
      authentication profile for the root account is located in the
      /tcb/files/auth/r directory and can be accessed by opening the file
      /tcb/files/auth/r/root.

      Fields defined in a file are user specific values.  These values
      override the system default values.  Trusted programs check first for
      the existence of user specific parameters before using a system
      default value.

      A protected password database file contains keyword field identifiers
      and, depending on the field type, a value for that field (certain
      field types do not require an explicit value). The exact syntax for
      field specifications is described in authcap(4). Field specification
      is consistent for all system authentication databases. The keyword
      field identifiers supported by the protected password database file
      and their associated function are given in the following descriptions:

      u_name	     This is the user name for the account which must match
		     the name of the file and the user name from the
		     corresponding /etc/passwd entry.

      u_id	     This is the user id for the account which must match
		     the user id field of the corresponding /etc/passwd
		     entry.



 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000


      u_pwd	     This field contains the encrypted password for the
		     account if the account has a password.

      u_owner	     This field contains the owner of the account.

      u_booauth	     If this field exists and contains a value greater than
		     zero (typically 1), and the boot authenticate flag is
		     set in the system default file, then this user has
		     authority to boot the system.  If the boot authenticate
		     flag is not set in the system default file then this
		     field is not used.

      u_audid	     This field contains the audit ID for the user.

      u_auditflag    This field contains the audit flag for the user.

      u_minchg	     This field specifies the minimum password change time
		     in seconds. If non-zero, the password cannot be changed
		     until the specified number of seconds since the last
		     successful password change have passed unless the
		     person changing the password is authorized to override
		     this constraint.

      u_maxlen	     This field specifies the maximum length of the user
		     account password and should be less than the system-
		     wide maximum value defined by the <prot.h> constant
		     AUTH_MAX_PASSWD_LENGTH.

      u_exp	     This field is a time_t value that specifies when the
		     account password will expire. When a password expires,
		     system authentication programs will request that the
		     password be changed when the user logs into the system.
		     If the password lifetime expires before the password is
		     changed, the account will be locked.

      u_life	     This field is a time_t value that specifies the
		     lifetime of a password.  If this time is reached, the
		     account will be locked and can only be unlocked by an
		     authorized system administrator.

      u_succhg	     This field is a time_t value that indicates the time of
		     the last successful password change. This field should
		     only be set by programs that can be used to change the
		     account password.

      u_unsucchg     This field is a time_t value that indicates the time of
		     the last unsuccessful password change. This field
		     should only be set by programs that can be used to
		     change the account password.



      u_acct_expire  This field is a time_t value, in seconds, giving the
		     time that the account will be usable. After this time
		     the user will no longer be allowed to log in.  This
		     field differs from the u_life field in that u_life is
		     measured from the last password change, whereas
		     u_acct_expire is not affected by changing the
		     password.

      u_max_llogin   This value, in seconds, is the maximum time allowed
		     between logins. If the time between the last login and
		     the current time exceeds this value, the account is
		     locked and the user can no longer log in.

      u_pw_expire_warning
		     This value, in seconds, is the time at which a warning
		     will appear prior to the expiration of the user's
		     password.

      u_pickpw	     This value is a flag that controls the ability of the
		     user to pick a password for the account. This permits
		     an account to be configured so that a user can not pick
		     a password but instead has a password generated by the
		     system for the account.

      u_genpwd	     This flag field controls the ability of a user to
		     generate a password for the account. The system is
		     capable of generating passwords containing random
		     letters, characters, or words.

      u_restrict     This flag field controls whether password triviality
		     checks are performed on any user chosen passwords.
		     Triviality checks performed include verifying that the
		     password does not represent a login or group name, a
		     palindrome, or a word recognized by the spell(1)
		     program. See acceptable_password(3) for more
		     information on triviality checks for passwords.

      u_nullpw	     This flag controls the ability of the user to choose a
		     null password for the account.

      u_pwchanger    This field records the user id of the last person to
		     change the account password if that person was not
		     the account's user. It is used to warn the user at
		     login time that the account password has been changed,
		     possibly without the user's knowledge.

      u_pw_admin_num This field holds the random number the user must supply
		     to login after the account is reset by the system
		     administrator. This field is removed after a successful
		     login.




      u_genchars     This flag field controls the ability of the user to
		     generate random characters for a password.

      u_genletters   This flag field controls the ability of the user to
		     generate random letters for a password.

      u_tod	     This field contains a comma separated list of time-of-
		     day specification entries that controls when the user
		     account can be used for login. For more information on
		     the format of a list entry, see tod(3).

      u_suclog	     This field is a time_t value that contains the system
		     time of the last successful login to the account.

      u_unsuclog     This field is a time_t value that contains the system
		     time of the last unsuccessful login to the account.

      u_suctty	     This field is a character string that identifies the
		     name of the terminal or remote host associated with the
		     last successful login to the account.

		     A remote host specification consists of the ASCII
		     representation of the Internet address of the host.
		     The string is converted back into an Internet address,
		     which is then resolved to a hostname using
		     gethostbyaddr(3).

      u_numunsuclog  This field contains a count of the number of
		     unsuccessful login attempts to the account. This field
		     is reset when a successful login to the account occurs.

      u_unsuctty     This field is a character string that identifies the
		     name of the terminal or remote host associated with the
		     last unsuccessful login attempt to the account.

      u_maxtries     This field specifies the maximum number of consecutive
		     unsuccessful login attempts to the account that are
		     permitted until the account is locked.

      u_lock	     This flag field is used to administratively lock an
		     account. A user cannot login to a locked account.
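      The change-time constraints described above (u_minchg, u_maxlen,
      u_nullpw and the u_restrict triviality checks) combine as follows.
      This is an added example written for this page, not HP's
      acceptable_password(3) or passwd(1) code and not taken from the
      manual. The login, group and dictionary sets, the value used for
      AUTH_MAX_PASSWD_LENGTH, the account and default dictionaries, and the
      case-insensitive comparison are all constructed assumptions; field
      values are resolved user-first, then system default, as DESCRIPTION
      requires.

```python
"""Password-change checks driven by prpwd(4) fields.

Added example for this page; not HP's acceptable_password(3) or passwd(1).
The name sets, dictionary and length constant below are constructed stand-ins.
"""
AUTH_MAX_PASSWD_LENGTH = 40          # assumption: stands in for the <prot.h> constant

LOGIN_NAMES = {"root", "perry", "daemon", "bin"}           # would come from /etc/passwd
GROUP_NAMES = {"sys", "users", "adm"}                      # would come from /etc/group
DICTIONARY = {"password", "secret", "welcome", "hewlett"}  # stands in for spell(1)

# perry carries the values the manual's example gives; alice is a constructed
# account that relies entirely on the system defaults.
PERRY = {"u_name": "perry", "u_id": 101, "u_minchg": 0, "u_succhg": 653793862,
         "u_nullpw": True, "u_maxtries": 3}
ALICE = {"u_name": "alice", "u_id": 102, "u_succhg": 1000000}
# Constructed stand-in for /tcb/files/auth/system/default.
DEFAULTS = {"u_minchg": 86400, "u_maxlen": 8, "u_restrict": True}


def lookup(fields, defaults, key):
    """User-specific value first, then the system default (DESCRIPTION)."""
    return fields[key] if key in fields else defaults.get(key)


def is_trivial(password):
    """The u_restrict triviality checks prpwd(4) lists: login or group name,
    palindrome, dictionary word.  Case-insensitive matching is an assumption."""
    p = password.lower()
    if p in LOGIN_NAMES or p in GROUP_NAMES:
        return "matches a login or group name"
    if len(p) > 1 and p == p[::-1]:
        return "is a palindrome"
    if p in DICTIONARY:
        return "is a dictionary word"
    return None


def check_password_change(fields, defaults, new_password, now, override=False):
    """Return (accepted, reason) for a proposed password change at time `now`.

    `override` models the 'authorized to override' exemption from u_minchg."""
    g = lambda key: lookup(fields, defaults, key)
    minchg, succhg = g("u_minchg") or 0, g("u_succhg")
    if minchg and succhg is not None and now - succhg < minchg and not override:
        return False, "u_minchg: %d s since last change, %d s required" % (now - succhg, minchg)
    if new_password == "":
        if g("u_nullpw"):
            return True, "empty password accepted (u_nullpw)"
        return False, "null password not permitted"
    # u_maxlen must stay below the system-wide AUTH_MAX_PASSWD_LENGTH.
    maxlen = min(g("u_maxlen") or AUTH_MAX_PASSWD_LENGTH, AUTH_MAX_PASSWD_LENGTH)
    if len(new_password) > maxlen:
        return False, "longer than u_maxlen (%d)" % maxlen
    if g("u_restrict"):
        why = is_trivial(new_password)
        if why:
            return False, "u_restrict: password " + why
    return True, "accepted"


if __name__ == "__main__":
    for account, pw, now in ((PERRY, "", 700000000), (PERRY, "level", 700000000),
                             (ALICE, "x7Qv!2m", 1003600), (ALICE, "x7Qv!2m", 1090000)):
        print(account["u_name"], repr(pw), check_password_change(account, DEFAULTS, pw, now))
```

      Note that perry's explicit u_minchg#0 overrides the 86400-second
      system default, so the empty password is accepted immediately,
      whereas alice inherits the default and is refused until it has
      elapsed unless the change is made with override authority.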

 EXAMPLES
      The following is an example of a typical protected password database
      file:

	   perry:u_name=perry:u_id#101:\
		   :u_pwd=aZXtu1kmSpEzm:\
		   :u_minchg#0:u_succhg#653793862:u_unsucchg#622581606:u_nullpw:\
		   :u_suclog#671996425:u_suctty=tty1:\
		   :u_unsuclog#660768767:u_unsuctty=tty1:\
		   :u_maxtries#3:chkent:



      This protected password database file is for the user perry. The user
      id for perry is 101. This value must match the /etc/passwd entry for
      this user. The account has a password and its encrypted form is
      specified by the u_pwd field.

      The database file specifies a minimum password change time of 0,
      indicating the password can be changed at any time. Furthermore, the
      account is permitted to have a null password (u_nullpw).	The account
      has a maximum consecutive unsuccessful login threshold of 3 attempts
      indicating that the account will be locked after three failed attempts
      (u_maxtries). The remaining fields provide account information such as
      the last successful and unsuccessful password change times as well as
      the last successful and unsuccessful login times and terminal names.
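      As an added example, not part of this manual page and not HP's
      getprpwent(3) implementation, the following Python reads an entry in
      the authcap(4) field syntax (name=string, name#number, a bare name as
      a flag, backslash-continued lines, and the closing chkent field),
      locates the profile under /tcb/files/auth, and applies the login-time
      rules given in the field descriptions. The parsed entry is the perry
      example above; the system-default entry is constructed for this
      example. Treating name@ as an explicitly absent field, u_exp and
      u_life as intervals measured from u_succhg, u_max_llogin as an
      interval from u_suclog, and u_acct_expire as an absolute time_t are
      this example's readings of the text, not statements the manual makes.

```python
"""Parse a prpwd(4) entry and apply its login-time rules.

Added example for this page; not HP's getprpwent(3).  Readings the manual
leaves open are marked as assumptions in the comments.
"""
import re

# Entry taken from the EXAMPLES section of prpwd(4).
PERRY_ENTRY = r"""perry:u_name=perry:u_id#101:\
        :u_pwd=aZXtu1kmSpEzm:\
        :u_minchg#0:u_succhg#653793862:u_unsucchg#622581606:u_nullpw:\
        :u_suclog#671996425:u_suctty=tty1:\
        :u_unsuclog#660768767:u_unsuctty=tty1:\
        :u_maxtries#3:chkent:
"""

# Constructed stand-in for /tcb/files/auth/system/default (values are
# assumptions for this example, not HP's shipped defaults).
DEFAULT_ENTRY = r"""default:u_pwd=*:u_owner=root:u_minchg#0:u_maxlen#8:\
        :u_exp#2592000:u_life#7776000:u_maxtries#5:u_lock@:chkent:
"""


def prpwd_path(user):
    """Path of a user's profile: /tcb/files/auth/<first letter>/<name>."""
    if not user or not user[0].isalpha() or "/" in user:
        raise ValueError("unacceptable user name: %r" % user)
    return "/tcb/files/auth/%s/%s" % (user[0], user)


def parse_entry(text):
    """Parse one authcap(4)-style entry into (entry_name, fields).

    name=value -> str, name#number -> int, bare name -> True (flag),
    name@ -> explicitly absent (termcap-style cancel; assumed here to leave
    the system default in force).
    """
    joined = re.sub(r"\\\n\s*", "", text.strip())          # join continued lines
    parts = re.split(r"(?<!\\):", joined)                   # split on unescaped ':'
    parts = [p.replace("\\:", ":") for p in parts if p]     # drop empties, unescape
    if not parts:
        raise ValueError("empty entry")
    name, fields = parts[0], {}
    for item in parts[1:]:
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value
        elif "#" in item:
            key, value = item.split("#", 1)
            fields[key] = int(value)
        elif item.endswith("@"):
            fields.pop(item[:-1], None)
        else:
            fields[item] = True
    # authcap(4) entries close with the chkent field; refuse truncated entries.
    if not fields.pop("chkent", False):
        raise ValueError("entry %r lacks the terminating chkent field" % name)
    return name, fields


def lookup(fields, defaults, key):
    """User-specific value first, then the system default (DESCRIPTION)."""
    return fields[key] if key in fields else defaults.get(key)


def account_status(fields, defaults, passwd_name, passwd_uid, now):
    """Return (login_allowed, findings) for the account at time `now`.

    Assumed readings: u_exp and u_life are intervals measured from u_succhg,
    u_max_llogin an interval from u_suclog, u_acct_expire an absolute time_t.
    """
    if fields.get("u_name") != passwd_name or fields.get("u_id") != passwd_uid:
        return False, ["u_name/u_id disagree with /etc/passwd: account invalid"]
    g = lambda key: lookup(fields, defaults, key)
    findings = []
    if g("u_lock"):
        findings.append("locked: administrative lock (u_lock)")
    failures = g("u_numunsuclog") or 0
    if g("u_maxtries") and failures >= g("u_maxtries"):
        findings.append("locked: %d failed logins reached u_maxtries" % failures)
    succhg = g("u_succhg")
    if succhg is not None and g("u_life") and now - succhg > g("u_life"):
        findings.append("locked: password lifetime u_life exceeded")
    elif succhg is not None and g("u_exp") and now - succhg > g("u_exp"):
        findings.append("expired: password past u_exp, change required at login")
    if g("u_acct_expire") and now > g("u_acct_expire"):
        findings.append("locked: account past u_acct_expire")
    suclog = g("u_suclog")
    if g("u_max_llogin") and suclog is not None and now - suclog > g("u_max_llogin"):
        findings.append("locked: u_max_llogin exceeded since last login")
    if g("u_nullpw") and not g("u_pwd"):
        findings.append("warning: empty password allowed by u_nullpw")
    return not any(f.startswith("locked") for f in findings), findings


if __name__ == "__main__":
    _, defaults = parse_entry(DEFAULT_ENTRY)
    name, perry = parse_entry(PERRY_ENTRY)
    print(prpwd_path(name))
    for now in (perry["u_succhg"] + 7 * 86400, perry["u_suclog"] + 86400):
        print(now, account_status(perry, defaults, name, 101, now))
```

      Run a week after perry's last password change the account passes;
      run a day after the recorded last login, which in the example data
      is well past the constructed 90-day u_life default, the account is
      reported locked even though perry's own entry never mentions u_life,
      which is exactly the user-then-default resolution the DESCRIPTION
      describes.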

 AUTHOR
      prpwd was developed by HP.

 SEE ALSO
      login(1), acceptable_password(3), getprpwent(3), tod(3), authcap(4),
      default(4), users(4)

 NOTES
      The getprpwent(3) routines parse the protected password database
      files into a structure that programs can use. For each field, a flag
      in the structure indicates whether that field is defined in the
      user's file. System default values are also provided in the
      structure; these are derived from the /tcb/files/auth/system/default
      file and can be used by programs in the absence of a user-specific
      value.
























