Museum

Home

Lab Overview

Retrotechnology Articles

Online Manuals

⇒ passwd(C) — OpenDesktop 3.0.0

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

authcap(F)

authsh(ADM)

default(F)

goodpw(ADM)

group(F)

login(M)

mnt(C)

newgrp(C)

passlen(S)

passwd(F)


 passwd(C)                     06 January 1993                      passwd(C)


 Name

    passwd - change login, or modem (dialup shell) password

 Syntax

    passwd [-m] [-dluf] [-n minimum] [-x expiration] [-r retries] [name]
    passwd -s [-a] [name]

 Description

    The passwd command is used by ordinary users to:

    + Change or delete their own login password.

    + List some of the attributes that apply to their account.

    In addition, system administrators can use the passwd command to:

    + Change or delete any user's login password.

    + Change or delete modem (dialup shell) passwords.

    + Lock or unlock any user's account.

    + Invalidate (lock) dialup shell passwords.

    + List some of the attributes of all users, or any single user.

    + Change some of the attributes of any user.

    However, it is recommended that system administrators use the
    sysadmsh(ADM) Accounts selection to administrate passwords.  A user is
    considered to be a system administrator if they have auth subsystem
    authorization.  A user must have the passwd subsystem authorization to be
    able to change the password of any account.

    Choosing a good password

    Your login password is one of the most important defenses against secu-
    rity breaches.  If a malicious person cannot log into a system, it is
    much harder for that person to steal or tamper with your data.  Hence, by
    choosing a hard-to-guess password (either of your own invention or one
    suggested by the system), regularly changing it, and keeping it secret,
    you can protect your system.

    In general, a password should:

    + Consist of a mixture of upper- and lower-case letters, digits (0-9),
      and other non-letters (such as @, *, -, /, space, tab, and control
      characters).

    + Be changed frequently (at least once every six months to a year, and
      more often as necessary).

    + Be different on different machines.

    + Be easy to remember, so you do not have to write it down.

    + Be kept secret and known only by you.

    Passwords should not:

    + Be the name of a person, place, or thing; nor should a password be the
      same as any user's login name, any machine's name, or the name of any
      group.

    + Be a correctly spelt word, street or telephone number, ZIP or postal
      code; nor should a password be a birthday or anniversary of you or any-
      one you know.

    + Be written down (anywhere! -- not on paper or in a file); nor should
      passwords be stored in the function keys of a terminal or memory of an
      intelligent modem.

    + Be told to any other person (not even for use in an ``emergency''); nor
      should a password be kept if you suspect someone else knows it.

    Spelling a word backwards or appending a digit to a word do not turn a
    poor password choice into a ``good'' password.  However, taking two or
    three unrelated words and combining them with some non-letters is a rea-
    sonable way of choosing an easy-to-remember but hard-to-crack password.
    On SCO UNIX System V, passwords can be up to 80 characters long, so non-
    sensical rhymes (for example) can also be used as passwords.

    User login passwords

    When passwd is used to change or delete the password for user name, the
    old password (if any) is prompted for.  (The password is not displayed as
    it is being entered.)  System administrators are not prompted for the old
    password unless they are attempting to change their own password; the
    super user is never prompted for the old password.  The passwd command
    can only be used to change or delete the password for user name by system
    administrators and the user authorized to change user name's password.
    Normally, users are authorized to change their own password.

    Depending on how the system administrator has configured the account, the
    user may or may not be able to choose their own password, or may have a
    password chosen for them.  If they can neither choose their own password
    nor have passwords generated for them, the password cannot be changed.
    If the user is able to do both, passwd asks which should be done.

    A password is considered valid until it has expired.  Passwords expire if
    they are not changed or deleted before the expiration time has passed.
    Once expired, the user is required to change (not delete) their password
    the next time they log in.  If a user fails to do so before the
    password's lifetime has passed, the password is considered dead and the
    user's account is locked.

    Once locked, the user may not log in, may not be su(C)'ed to, and no
    at(C), batch(C), or cron(C) jobs for that user may run.  Only a system
    administrator can unlock a user with a dead password; a new password must
    be assigned.

    To discourage re-use of the same password, the system administrator may
    set a minimum change time.  After changing or deleting a password, the
    password may not be changed again (even by a system administrator) until
    at least that much time has elapsed.

    Passwords may be deleted (or changed to be empty) only if the user is
    authorized to not have a password.  Users without passwords are not
    recommended.  (An empty password is prompted for when logging in, but a
    deleted password is not prompted for at login.)

    If a password is being changed and the user has elected (or is forced) to
    choose a system-generated password, each suggested password is printed
    along with a hyphenated spelling that suggests how the password could be
    pronounced.  To accept a suggested password, enter the password; if
    entered correctly, passwd will prompt for the suggested password to be
    entered again as confirmation.  To reject a suggestion, just enter
    <Return>; to abort the change altogether, either enter ``quit'' or inter-
    rupt passwd.

    If a password is being changed and the user has elected (or is forced) to
    assign a password of their own choosing, the new password is prompted for
    twice.  It is checked for being ``obvious'' after the first prompt, and
    if deemed to be acceptable is prompted for again.  If the proposed pass-
    word is successfully entered a second time, it becomes the new password
    for user name.

    Both system-generated and self-chosen passwords are checked for being
    easy to guess.  See the section on ``Checking for obvious passwords''
    (below) for a description of the checks.

    When dealing with a user's login password, the following options are
    recognized:

    -d        Delete the password.  A password may be deleted only if the
              user is authorized to not have a password.  System administra-
              tors must always specify name; otherwise, the name of the user
              who logged in is used.

    -f        Force user name to change their password the next time they log
              in.  This option may be specified only by system administra-
              tors, and only when the user's password is not being changed or
              deleted; name must be explicitly given.

    -l        Lock user name out of the system by applying an administrative
              lock; only system administrators may do this and they must
              specify name.

    -u        Remove any administrative lock applied to user name; only sys-
              tem administrators may do this and they must specify name.

    -n minimum
              Set the amount of time which must elapse between password
              changes for user name to minimum days.  Only system administra-
              tors may do this and they must specify name.

    -x expiration
              Set the amount of time which may elapse before the password of
              user name expires to expiration days.  Only system administra-
              tors may do this and they must specify name.  Once a password
              has expired, the user must change it the next time they log in.
    -r retries
              Up to retries attempts may be made to choose a new password for
              user name.

    -s        Report the password attributes of user name (or, if the -a
              option is given, of all users).  The format of the report is:

              name status mm/dd/yy minimum expiration

              where status is ``PS'' if the user has a password, ``LK'' if
              the user is administratively locked, or ``NP'' when the user
              does not have a password.  The date of the last successful
              password change (or deletion) is shown as mm/dd/yy.  If neither
              name nor -a is specified, the name of the user who logged in is
              assumed.  Only system administrators can examine the attributes
              of users other than themselves.

    If no -d, -f, -l, -u, or -s option is specified, the password for user
    name is changed as described above.  If no name is given and no option
    which requires name is given, then the name of the user who logged in is
    used.  Only the -a option may be specified with the -s option.

    Modem (dialup shell) passwords

    When a user whose login shell is listed in /etc/d_passwd with a
    (encrypted) password logs in on a terminal line listed in /etc/dialups,
    the password in /etc/d_passwd must be supplied before the login succeeds.
    The -m option to password allows system administrators to change, delete,
    or invalidate (lock) the passwords for login shell name:

    -d        Delete the password.

    -l        Invalidate (``lock'') the password by arranging so that no
              matter what the user enters, it will not be a valid password.
              Doing so causes the old password to be lost.

    -r retries
              Up to retries attempts may be made to choose a new password.

    The name must always be specified.  If name begins with a slash (/) then
    only the password for the login shell which completely matches name is
    changed.  Otherwise, the password for every shell listed in /etc/d_passwd
    whose basename is name is changed.

    This does not mean that only one line is needed per shell in
    /etc/d_passwd.  For example, to have the option of using either /bin/csh
    or /usr/local/csh, each must be specified on a separate line in
    /etc/d_passwd.  However, the dialup passwd for both shells can be changed
    at once with the command:

       passwd -m csh

    If neither the -d nor -l option is specified, the password is changed.
    The new password is prompted for twice, and must pass checks similar to
    those for login passwords (see below).

    Checking for obvious passwords

    To discourage poor password choices, various checks are applied to reject
    unacceptable passwords.  The checks which are applied depend on the type
    of password being checked and the system's configuration.  Most of the
    checks for being easy to guess are configurable; see goodpw(ADM).

    The check procedure is as follows (a password is restricted if, according
    to the sysadmsh Accounts selection, it is to be ``checked for obvious-
    ness''):

    1a. User login passwords only:  the new password must not be the same as
        the old password.  The password must not be empty (or be deleted)
        unless the user is not required to have a password.

    1b. All other passwords:  the new and old password can be the same.
        Empty passwords are treated as deleted passwords and are always
        acceptable.

    2.  All (non-empty) passwords: if the password is not empty, it must be
        at least PASSLENGTH characters long (see below).

    3.  All (non-empty) passwords: if the goodpw utility can be run, it is
        used to perform all further checks.  If the file CHECKDIR exists (and
        can be read by goodpw) that file is used to modify the default set-
        tings in /etc/default/goodpw.  The CHECKDIR is specified by CHECKDIR
        in /etc/default/passwd and type is the kind of password being checked
        (user, or modem).  The strength is the degree of checking to be done:
        secure if the user is restricted (or, for all other password types,
        if the system default is restricted); otherwise weak.

    4.  When goodpw cannot be run (all passwords):  if the password is not
        empty, it must contain at least one character which is not a lower-
        case letter (but must not consist solely of digits).

    5.  When goodpw cannot be run (user login passwords only): finally, for
        user login passwords which are restricted, the password must not be a
        palindrome, any user's login name, the name of any group, or a
        correctly spelled English word (American spelling); see acceptpw(S).

    System-generated passwords are not checked unless the user is restricted
    (see above), in which case the generated password must pass the checks in
    step 5 before it is suggested to the user.  Generated passwords are never
    checked by goodpw.

    Defaults

    Several parameters may be specified in /etc/default/passwd.  The various
    settings, and their default values are:

    PASSLENGTH=*
        The minimum length of a password.  The maximum length of a password
        is 80.  Specifying PASSLENGTH overrides the computed value based on
        the lifetime of the password, delay between login attempts (and other
        variables -- see passlen(S)).  To use the computed value set
        PASSLENGTH to an asterisk (*).

    RETRIES=3
        The maximum number of repeated attempts to change a password that has
        been rejected.  If RETRIES is less than 1, then 1 is assumed.

    ONETRY=YES
        If set to YES, a rejected password is added to the stop-list passed
        to goodpw.  This prevents simplistic modifications of a rejected
        password from being accepted on a later attempt.

    DESCRIBE=/usr/lib/goodpw/describe
        The contents of this file are shown once (before the new password is
        prompted for) and should describe the the difference between accept-
        able and unacceptable passwords.

    SUMMARY=/usr/lib/goodpw/summary
        The contents of this file are shown each time a password is rejected,
        and should be a (short) reminder of what are and are not acceptable
        passwords.

    CHECKDIR=/usr/lib/goodpw/checks
        A hierarchy of additional checks goodpw should perform, based on
        password type and restrictions (see above).

    GOODPW=NO
        Defines the location of the goodpw program. If set to NO then goodpw
        is not used and the simpler internal checks are applied instead.
        Under these circumstances the super user is not forced to comply with
        the password construction requirements; the only checks enabled are
        for minimum password length, and null passwords are allowed. If
        GOODPW is set to YES then /usr/bin/goodpw is used to perform password
        checks.  Alternatively GOODPW can be set to the path of some other
        goodpw-style program.

    The values for the default settings may be changed to reflect the
    system's security concerns.

    If /etc/default/passwd does not exist or is not readable, the above
    default values are used.

    If the DESCRIBE or SUMMARY file defined in /etc/default/passwd does not
    exist or cannot be read, short (and vague) descriptions or summaries are
    issued instead.  In addition, if the user who logged in is a system
    administrator, an error message describing the problem is printed.

    If the selected GOODPW program does not exist or is not executable, the
    simpler internal checks are performed (see above).  In addition, if the
    user who logged in is a system administrator, an error message describing
    the problem is printed.

 Notes

    Terminal lines specified in /etc/dialups must specify the complete path;
    for example, /dev/ttyxx, not just ttyxx.

    The -r option is mostly useful during installation to force the newly-
    installed super user to have a password.

 Files


 /etc/auth/system/files         file Control database
 /etc/auth/system/default       system Defaults database; contains default
                                parameters


 /etc/d_passwd                  list of dialup shells and passwords (one per
                                line):
                                shell : encrypted-password : reserved
                                where shell is the pathname of a login shell
                                as used in /etc/passwd
 /etc/default/passwd            configurable settings (see ``Defaults'' above)
 /etc/dialups                   list of terminal lines on which remote logging
                                in is permitted
 /etc/group                     list of groups
 /etc/passwd                    list of user accounts
 /tcb/files/auth/initial/name   protected Password database entry for user
                                name (where the first character in name is
                                initial)


 See also

    acceptpw(S), authcap(F), authsh(ADM), default(F), goodpw(ADM), group(F),
    login(M), mnt(C), newgrp(C), passlen(S), passwd(F)

 Standards conformance

    passwd  is not part of any currently supported standard; it is an exten-
    sion of AT&T System V provided by The Santa Cruz Operation, Inc.


Typewritten Software • bear@typewritten.org • Edmonds, WA 98026