Museum

Home

Lab Overview

Retrotechnology Articles

Online Manuals

⇒ passwd(C) — OpenDesktop 1.1.0

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

accept_pw(S)

authcap(F)

authsh(ADM)

default(F)

goodpw(ADM)

group(F)

login(M)

mnt(C)

newgrp(C)

passlen(S)

passwd(F)


     PASSWD(C)                            UNIX System V



     Name
          passwd - change login, modem (dialup shell), filesystem,  or
          group password


     Syntax
          passwd [ -mgF ] [ -dluf ] [ -n minimum ] [ -x expiration ] [
          -r retries ] [ name ]
          passwd -s [ -a ] [ name ]


     Description
          The passwd command is used by ordinary users to:

          ⊕    Change or delete their own login password.

          ⊕    List  some  of  the  attributes  that  apply  to  their
               account.

          In  addition,  system  administrators  can  use  the  passwd
          command to:

          ⊕    Change or delete any user's login password.

          ⊕    Change  or  delete  modem  (dialup  shell),  filesystem
               mount, and group passwords.

          ⊕    Lock or unlock any user's account.

          ⊕    Invalidate (lock) dialup shell, filesystem,  and  group
               passwords.

          ⊕    List some of the attributes of all users, or any single
               user.

          ⊕    Change some of the attributes of any user.

          However, it is recommended that  system  administrators  use
          the   sysadmsh(ADM)   Accounts   selection  to  administrate
          passwords.   A  user  is   considered   to   be   a   system
          administrator  if  they are logged in as someone who has the
          auth subsystem authorization.


             Choosing a good password.

          Your login password is one of the  most  important  defenses
          against security breaches.  If a malicious person cannot log
          into a system, it is much harder for that person to steal or
          tamper  with  your data.  Hence, by choosing a hard-to-guess
          password (either of your own invention or one  suggested  by
          the  system),  regularly changing it, and keeping it secret,
          you can foil many attacks on your system.

          In general, a password should:

          ⊕    Consist of a mixture of upper- and lower-case  letters,
               digits (0 - 9), and other non-letters (such as @, *, -,
               /, space, tab, and control characters).

          ⊕    Be changed frequently (at least once every  six  months
               to a year, and more often as necessary).

          ⊕    Be different on different machines.

          ⊕    Be easy to remember, so you  don't  have  to  write  it
               down.

          ⊕    Be kept secret and known only by you.

          Passwords should not:

          ⊕    Be the name of a person, place, or thing; nor should  a
               password  be  the  same  as  any user's login name, any
               machine's name, or the name of any group.

          ⊕    Be a correctly spelt word, street or telephone  number,
               ZIP or postal code; nor should a password be a birthday
               or anniversary of you or anyone you know.

          ⊕    Be written down (anywhere! -  not  on  paper  or  in  a
               file);  nor  should passwords be stored in the function
               keys of a terminal or memory of an intelligent modem.

          ⊕    Be told to any other person (not even  for  use  in  an
               ``emergency'');  nor  should  a password be kept if you
               suspect someone else knows it.

          Spelling a word backwards or appending a digit to a word  do
          not  turn  a  poor password choice into a ``good'' password.
          However, taking two or three unrelated words  and  combining
          them  with  some non-letters is a reasonable way of choosing
          an easy-to-remember  but  hard-to-crack  password.   On  SCO
          System  V,  passwords  can  be  up to 80 characters long, so
          nonsensical  rhymes  (for  example)  can  also  be  used  as
          passwords.

             User login passwords.

          When passwd is used to change or  delete  the  password  for
          user  name, the old password (if any) is prompted for.  (The
          password is not displayed as it is being  entered.)   System
          administrators  are not prompted for the old password unless
          they are  attempting  to  change  their  own  password;  the
          superuser  is  never  prompted  for  the  old password.  The
          passwd command can only be used  to  change  or  delete  the
          password for user name by system administrators and the user
          authorized to change user name's password.  Normally,  users
          are authorized to change their own password.

          Depending on how the system administrator has configured the
          account, the user may or may not be able to choose their own
          password, or may have a password chosen for them.   If  they
          can  neither  choose  their  own password nor have passwords
          generated for them, the password cannot be changed.  If  the
          user is able to do both, passwd asks which should be done.

          A  password  is  considered  valid  until  it  has  expired.
          Passwords  expire  if they are not changed or deleted before
          the expiration time has passed.  Once expired, the  user  is
          required to change (not delete) their password the next time
          they log in.  If a user fails to do so before the password's
          lifetime has passed, the password is considered dead and the
          user's account is locked.

          Once locked, the user may not log in, may  not  be  su(C)'ed
          to,  and  no  at(C), batch(C), or cron(C) jobs for that user
          may run.  Only a system administrator can unlock a user with
          a dead password; a new password must be assigned.

          To discourage  re-use  of  the  same  password,  the  system
          administrator may set a minimum change time.  After changing
          or deleting a password, the  password  may  not  be  changed
          again  (even  by a system administrator) until at least that
          much time has elapsed.

          Passwords may be deleted (or changed to be  empty)  only  if
          the  user  is  authorized  to  not  have  a password.  Users
          without passwords are not recommended.  (An  empty  password
          is  prompted  for when logging in, but a deleted password is
          not prompted for at login.)

          If a password is being changed and the user has elected  (or
          is  forced)  to  choose  a  system-generated  password, each
          suggested  password  is  printed  along  with  a  hyphenated
          spelling that suggests how the password could be pronounced.
          To accept a  suggested  password,  enter  the  password;  if
          entered  correctly,  passwd  will  prompt  for the suggested
          password to be entered again as confirmation.  To  reject  a
          suggestion,   just  enter  RETURN  ;  to  abort  the  change
          altogether, either enter ``quit'' or interrupt passwd.

          If a password is being changed and the user has elected  (or
          is  forced)  to assign a password of their own choosing, the
          new password is prompted for twice.  It is checked for being
          ``obvious''  after  the  first  prompt,  and if deemed to be
          acceptable is prompted for again.  If the proposed  password
          is  successfully  entered  a second time, it becomes the new
          password for user name.

          Both system-generated and self-chosen passwords are  checked
          for  being easy-to-guess.  See the section on ``Checking for
          obvious passwords'' (below) for a description of the checks.

          When dealing with a user's  login  password,  the  following
          options are recognized:

          -d   Delete the password.  A password may be deleted only if
               the  user is authorized to not have a password.  System
               administrators must always specify name; otherwise, the
               name of the user who logged in is used.

          -f   Force user name to change their password the next  time
               they  log  in.   This  option  may be specified only by
               system  administrators,  and  only  when   the   user's
               password  is not being changed or deleted; name must be
               explicitly given.

          -l   Lock user  name  out  of  the  system  by  applying  an
               administrative  lock; only system administrators may do
               this and they must specify name.

          -u   Remove any administrative lock applied  to  user  name;
               only  system  administrators  may do this and they must
               specify name.

          -n minimum
               Set the  amount  of  time  which  must  elapse  between
               password  changes  for user name to minimum days.  Only
               system administrators may do this and they must specify
               name.

          -x expiration
               Set the amount of time  which  may  elapse  before  the
               password of user name expires to expiration days.  Only
               system administrators may do this and they must specify
               name.   Once  a  password  has  expired,  the user must
               change it the next time they log in.

          -r retries
               Up to retries attempts may be  made  to  choose  a  new
               password for user name.

          -s   Report the password attributes of user name (or, if the
               -a  option  is given, of all users).  The format of the
               report is:
                    name status mm/dd/yy minimum expiration
               where status is PS if the user has a  password,  LK  is
               the  user  is  administratively  locked, or NP when the
               user does not have a password.  The date  of  the  last
               successful  password  change  (or deletion) is shown as
               mm/dd/yy.  If neither name nor  -a  is  specified,  the
               name of the user who logged in is assumed.  Only system
               administrators can  examine  the  attributes  of  users
               other than themselves.

          If no -d, -f,  -l,  -u,  or  -s  option  is  specified,  the
          password for user name is changed as described above.  If no
          name is given and no option which requires  name  is  given,
          then  the  name of the user who logged in is used.  Only the
          -a option may be specified with the -s option.


             Modem (dialup shell) passwords.

          When a user whose login shell  is  listed  in  /etc/d_passwd
          with  a  (encrypted)  password  logs  in  on a terminal line
          listed in /etc/dialups, the password in  /etc/d_passwd  must
          be  supplied  before  the  login succeeds.  The -m option to
          password allows system administrators to change, delete,  or
          invalidate (lock) the passwords for login shell name:

          -d   Delete the password.

          -l   Invalidate (``lock'') the password by arranging so that
               no  matter what the user enters, it will not be a valid
               password.  Doing so causes the old password to be lost.

          -r retries
               Up to retries attempts may be  made  to  choose  a  new
               password.

          The name must always be specified.  If name  begins  with  a
          slash   (``/'')   the  entire  shell  pathname  must  match.
          Otherwise the password for every  shell  whose  basename  is
          name is changed.

          If neither the -d nor -l option is specified,  the  password
          is  changed.   The  new  password is prompted for twice, and
          must pass checks similar to those for login  passwords  (see
          below).


             Filesystem mount passwords.

          A password may be required when mounting a  filesystem;  see
          mnt(C).    The   -F   option   to   passwd   allows   system
          administrators to change, delete, or invalidate  (lock)  the
          password  for  filesystem name.  The options are the same as
          for modem passwords (see above).


             Group passwords.

          A password may be required when a user changes their current
          working  group;  see  newgrp(C).   The  -g  option to passwd
          allows  system  administrators   to   change,   delete,   or
          invalidate  (lock) the password for group name.  The options
          are the same as for modem passwords (see above).


             Checking for obvious passwords.

          To discourage poor  password  choices,  various  checks  are
          applied  to reject unacceptable passwords.  The checks which
          are applied depend on the type of password being checked and
          the  system's  configuration.   Most of the checks for being
          easy-to-guess are configurable; see goodpw(ADM).

          The check procedure is as follows (a password is  restricted
          if,  according  to  sysadmsh Accounts, it is to be ``checked
          for obviousness''):

          1a.  User login passwords only:  The new password  must  not
               be the same as the old password.  The password must not
               be empty  (or  be  deleted)  unless  the  user  is  not
               required to have a password.

          1b.  All other passwords:  The new and old password  may  be
               the  same.   Empty  passwords  are  treated  as deleted
               passwords and are always acceptable.

          2.   All (non-empty) passwords:   If  the  password  is  not
               empty,  it  must be at least PASSLENGTH characters long
               (see below).

          3.   All (non-empty) passwords:  If the goodpw  utility  can
               be  run,  it is used to perform all further checks.  If
               the file CHECKDIR/type/strength exists (and can be read
               by  goodpw)  that  file  is  used to modify the default
               settings  in  /etc/default/goodpw.   The  CHECKDIR   is
               specified  by  CHECKDIR in /etc/default/passwd and type
               is the kind of password  being  checked  (user,  modem,
               group,  or  filsys).   The  strength  is  the degree of
               checking to be done:  secure if the user is  restricted
               (or,  for  all  other  password  types,  if  the system
               default is restricted); otherwise weak.

          4.   When goodpw cannot be  run  (all  passwords):   If  the
               password  is  not  empty,  it must contain at least one
               character which is not a lower case  letter  (but  must
               not consist solely of digits).

          5.   When goodpw cannot be run (user login passwords  only):
               Finally, for user login passwords which are restricted,
               the password must not be a palindrome, any user's login
               name,  the  name  of  any  group,  or a correctly spelt
               English word (American spelling); see accept_pw(S).

          System-generated passwords are not checked unless  the  user
          is  restricted  (see  above),  in  which  case the generated
          password must pass  the  checks  in  step  5  before  it  is
          suggested  to  the  user.   Generated  passwords  are  never
          checked by goodpw.  The minimum value  for  PASSLENGTH,  and
          the  minimum  length  of  a generated password, are computed
          based  on  the  password's  lifetime,  delay  between  login
          attempts, and other factors; see passlen(S).


             Defaults.

          Several parameters may be specified in  /etc/default/passwd.
          The various settings, and their default values are:

          PASSLENGTH=5
               The minimum length of a password.  If outside the range
               3  to  80 (inclusive), then it is set to 5.  The actual
               minimum length used by passwd is the  maximum  of  this
               value and a value computed by taking into consideration
               the lifetime of the password (and other factors).

          RETRIES=4
               The maximum number of repeated  attempts  to  change  a
               password  that has been rejected.  If less than 2, then
               2 is assumed.

          ONETRY=YES
               If set to YES, a rejected  password  is  added  to  the
               stop-list  passed  to goodpw.  This prevents simplistic
               modifications  of  a  rejected  password   from   being
               accepted on a later attempt.

          DESCRIBE=/usr/lib/goodpw/describe
               The contents of this file are shown  once  (before  the
               new  password  is prompted for) and should describe the
               the  difference  between  acceptable  and  unacceptable
               passwords.

          SUMMARY=/usr/lib/goodpw/summary
               The contents  of  this  file  are  shown  each  time  a
               password  is rejected, and should be a (short) reminder
               of what are and are not acceptable passwords.

          CHECKDIR=/usr/lib/goodpw/checks
               A hierarchy of additional checks goodpw should perform,
               based on password type and restrictions (see above).

          GOODPW=/usr/bin/goodpw
               An independent program that applies various  checks  in
               an  attempt  to  determine whether or not a password is
               easily guessed.

          The values for  the  default  settings  may  be  changed  to
          reflect the system's security concerns.

          If /etc/default/passwd does not exist or  is  not  readable,
          the above default values are used.

          If   the   DESCRIBE   or    SUMMARY    file    defined    in
          /etc/default/passwd  does not exist or cannot be read, short
          (and vague) descriptions or summaries  are  issued  instead.
          In  addition,  if  the  user  who  logged  in  is  a  system
          administrator, an error message describing  the  problem  is
          printed.

          If the GOODPW program does not exist or is  not  executable,
          simpler  checks  are  done (see above).  In addition, if the
          user who logged in  is  a  system  administrator,  an  error
          message describing the problem is printed.


     Files
          /etc/passwd
               List of user accounts.

          /tcb/files/auth/initial/name
               Protected Password database entry for user name  (where
               the first character in name is initial).

          /etc/group
               List of groups.

          /etc/d_passwd
               List of dialup shells and passwords (one per line):
                    shell:encrypted-password:reserved
               where shell is the pathname of a login shell as used in
               /etc/passwd.

          /etc/auth/system/files
               File Control database.

          /etc/auth/system/default
               System Defaults database; contains default parameters.

          /etc/default/passwd
               Configurable settings (see above).


     See Also
          accept_pw(S),    authcap(F),    authsh(ADM),     default(F),
          goodpw(ADM),    group(F),   login(M),   mnt(C),   newgrp(C),
          passlen(S), passwd(F)


     Notes
          Group passwords should be avoided; see newgrp(C).   Not  all
          systems support group passwords.

          Not all systems support filesystem mount passwords.

          Not all systems support modem (dialup shell) passwords.

          The -r option is mostly useful during installation to  force
          the newly-installed superuser to have a password.


     (printed 4/27/90)                                  PASSWD(C)





























































































































































Typewritten Software • bear@typewritten.org • Edmonds, WA 98026