Sun Microsystems, Inc.
 
Chapter 16

Administering Passwords

This chapter describes how to use the passwd command from the point of view of an ordinary user (NIS+ principal) and how an NIS+ administrator manages the password system.


Note - Some NIS+ security tasks can be performed more easily with Solstice AdminSuite™ tools if you have them available.



Note - NIS+ might not be supported in a future release. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment (see Part V). For more information, visit http://www.sun.com/directory/nisplus/transition.html.


Using Passwords

When logging in to a machine, users must enter both a user name (also known as a login ID) and a password. Although login IDs are publicly known, passwords must be kept secret by their owners.

Logging In

Logging in to a system is a two-step process:

  1. Type your login ID at the Login: prompt.

  2. Type your password at the Password: prompt.

    (To maintain password secrecy, your password is not displayed on your screen when you type it.)

    If your login is successful, you will see your system's message of the day (if any) and then your command-line prompt, windowing system, or normal application.

The Login incorrect Message

The Login incorrect message indicates that:

  • You have entered the wrong login ID or the wrong password. This is the most common cause of the Login incorrect message. Check your spelling and repeat the process. Note that most systems limit the number of unsuccessful login tries you can make to five:

    • If you exceed the limit on the number of tries, you will get a Too many failures - try later message and will not be allowed to try again until a designated time span has passed.

    • If you fail to log in successfully within a specified amount of time, you will receive a Too many tries; try again later message and will not be allowed to try again until a designated time span has passed.

  • Another possible cause of the Login incorrect message is that an administrator has locked your password and you cannot use it until it is unlocked. If you are sure that you are entering your login ID and password correctly, and you still get a Login incorrect message, contact your system administrator.

  • Another possible cause of the Login incorrect message is that an administrator has expired your password privileges and you cannot use your password until your privileges are restored. If you are sure that you are entering your login ID and password correctly, and you still get a Login incorrect message, contact your system administrator.

The will expire Message

If you receive a Your password will expire in N days message (where N is a number of days), or a Your password will expire within 24 hours message, it means that your password will reach its age limit and expire in that number of days (or hours).

In essence, this message is telling you to change your password now. (See "Changing Your Password".)

The Permission denied Message

After entering your login ID and password, you may get a Permission denied message and be returned to the login: prompt. This means that your login attempt has failed because an administrator has locked your password or terminated your account, or because your password privileges have expired. In these situations you cannot log in until an administrator unlocks your password or reactivates your account or privileges. Consult your system administrator.

Changing Your Password

To maintain security, you should change your password regularly. (See "Choosing a Password" for password requirements and criteria.)


Note - The passwd command now performs all functions previously performed by nispasswd. For operations specific to an NIS+ name space, use passwd -r nisplus.


Changing your password is a four-step process:

  1. Run the passwd command at a system prompt.

  2. Type your old password at the Enter login password (or similar) prompt.

    Your keystrokes are not shown on your screen.

    • If you receive a Sorry: less than N days since the last change message, it means that your old password has not been in use long enough and you will not be allowed to change it at this time. You are returned to your system prompt. Consult your system administrator to find out the minimum number of days a password must be in use before it can be changed.

    • If you receive a You may not change this password message, it means that your network administrator has blocked any change.

  3. Type your new password at the Enter new password prompt.

    Your keystrokes are not shown on your screen.

    At this point the system checks to make sure that your new password meets the requirements:

    • If it does meet the requirements, you are asked to enter it again.

    • If your new password does not meet the system requirements, a message is displayed informing you of the problem. You must then enter a new password that does meet the requirements.

    See "Password Requirements" for the requirements a password must meet.

  4. Type your new password again at the Re-enter new password prompt.

    Your keystrokes are not shown on your screen.

    If your second entry of the new password is not identical to your first entry, you are prompted to repeat the process.


    Note - When changing root's password, you must always run chkey -p immediately after changing the password. (See "Changing Root Keys From Root" and "Changing Root Keys From Another Machine" for information on using chkey -p to change root's keys.) Failure to run chkey -p after changing root's password will result in root being unable to properly log in.
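
The root-password note above, written as a shell wrapper that enforces the order of the two commands. This is an added example, not part of the Sun documentation; the function name and its messages are hypothetical, while passwd -r nisplus and chkey -p are the commands named on this page.

```shell
# Added example (not from the Sun documentation). The function name and
# messages are hypothetical; passwd -r nisplus and chkey -p are the
# commands named on this page.
change_root_nisplus_password() {
    # Only root changes root's NIS+ password and root's keys.
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be run as root" >&2
        return 2
    fi

    # Step 1: change the password in the NIS+ name space.
    if ! passwd -r nisplus; then
        echo "passwd failed; chkey -p was not run" >&2
        return 1
    fi

    # Step 2: run chkey -p immediately, as the note requires.
    if ! chkey -p; then
        echo "WARNING: password changed but chkey -p failed." >&2
        echo "Run chkey -p again before ending this session." >&2
        return 3
    fi
    return 0
}
```

Call change_root_nisplus_password from a root shell; a return status of 3 means the password was changed but the keys were not updated, which is the state the note warns about.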


If you receive a Your password has expired message, it means that your password has reached its age limit and expired. In other words, the password has been in use for too long and you must choose a new password at this time. (See "Choosing a Password" for criteria that a new password must meet.)

In this case, choosing a new password is a three-step process:

  1. Type your old password at the Enter login password (or similar) prompt.

    Your keystrokes are not shown on your screen.

  2. Type your new password at the Enter new password prompt.

    Your keystrokes are not shown on your screen.

  3. Type your new password again at the Re-enter new password prompt.

    Your keystrokes are not shown on your screen.

 
 
 