16. Administering Passwords
The passwd Command

The passwd command performs various operations regarding passwords. The passwd command replaces the nispasswd command. You should use the passwd command for all activities which used to be performed with the nispasswd command. (See the passwd command man page for a complete description of all passwd flags, options, and arguments.)

The passwd command allows users to perform the following operations:

  • Change their passwords

  • List their password information

Administrators can use the passwd command to perform the following operations:

  • Force users to change their passwords the next time they log in

  • Lock a user's password (prevent it from being used)

  • Set a minimum number of days before a user can change passwords

  • Specify when a user is warned to change passwords

  • Set a maximum number of days a password can be used without being changed

passwd and the nsswitch.conf File

The name service switch determines where the passwd command (and other commands) obtains and stores password information. If the passwd entry of the applicable nsswitch.conf file points to:

  • nisplus. Password information will be obtained, modified, and stored in the passwd and cred tables of the appropriate domain.

  • nis. Password information will be obtained, modified, and stored in passwd maps.

  • files. Password information will be obtained, modified, and stored in the /etc/passwd and /etc/shadow files.

The passwd -r Option

When you run the passwd command with the -r nisplus, -r nis, or -r files argument, the -r argument overrides the nsswitch.conf file setting. You are warned that this is the case. If you continue, the -r option causes the passwd command to ignore the nsswitch.conf search sequence and to update the password information in the repository named by the -r argument.

For example, if the passwd entry in the applicable nsswitch.conf file reads:

 passwd: files nisplus

files is the first (primary) source, and passwd run without the -r option will get its password information from the /etc/passwd file. If you run the command with the -r nisplus option, passwd will get its information from the appropriate NIS+ passwd table and make its changes to that table, not to the /etc/passwd file.

Use the -r option only when the nsswitch.conf search sequence does not reach the repository you need to update. For example, when password information is stored in two places, the order specified in the nsswitch.conf file takes you to the first one, but to update the second one you must force the use of the secondary or tertiary source with -r.

The message:

Your specified repository is not defined in the nsswitch file!

indicates that your change will be made to the password information in the repository specified by the -r option, but that change will not affect anyone until the nsswitch.conf file is changed to point to that repository. For example, suppose the nsswitch.conf file reads passwd: files nis and you use the -r nisplus option to establish password-aging limits in an NIS+ passwd table. Those password-aging rules will sit in that table unused because the nsswitch.conf file is directing everyone to other places for their password information.
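An added example, not part of the Sun documentation: a POSIX sh script that reads the passwd line of an nsswitch.conf fragment the way the name service switch does, reports which repository a plain passwd invocation will update, and checks a repository given with -r against that line, printing the same warning when it is not listed. The nsswitch.conf text embedded in the script is constructed for the example, and the function names are the example's own, not part of passwd(1).

```shell
#!/bin/sh
# Added example, not from the Sun documentation. Reads the passwd line of
# an nsswitch.conf fragment the way the name service switch does, reports
# which repository a plain passwd invocation will update, and checks a
# repository named with -r against that line. The nsswitch.conf text
# below is constructed for the example.

# Print the repositories on the passwd line of the nsswitch.conf text in
# $1, space separated and in search order. Comments and status/action
# tokens such as [NOTFOUND=return] are dropped so only repository names
# remain (passwd_compat lines are not matched).
nss_passwd_sources() {
    printf '%s\n' "$1" |
        sed -n 's/#.*//; s/^[[:space:]]*passwd[[:space:]]*:[[:space:]]*//p' |
        tr -s '[:space:]' '\n' |
        grep -v -e '^\[' -e '^$' |
        tr '\n' ' ' |
        sed 's/ *$//'
}

# Print the repository passwd will actually read and write.
# $1 = nsswitch.conf text, $2 = repository given with -r, or empty.
# Without -r the first (primary) source wins. With -r the named repository
# is printed regardless, but the function returns 1 and emits the warning
# quoted in the text when that repository is not on the passwd line, since
# a change made there affects nobody until nsswitch.conf is updated.
passwd_target_repository() {
    nss=$1
    forced=$2
    sources=$(nss_passwd_sources "$nss")
    if [ -z "$forced" ]; then
        set -- $sources
        printf '%s\n' "$1"
        return 0
    fi
    printf '%s\n' "$forced"
    for s in $sources; do
        [ "$s" = "$forced" ] && return 0
    done
    echo "Your specified repository is not defined in the nsswitch file!" >&2
    return 1
}

# Constructed nsswitch.conf fragment: files first, then NIS; no nisplus.
NSSWITCH_SAMPLE='# constructed /etc/nsswitch.conf fragment
passwd:     files nis
group:      files nis
hosts:      files dns [NOTFOUND=return]'

main() {
    printf 'passwd sources (search order): %s\n' "$(nss_passwd_sources "$NSSWITCH_SAMPLE")"
    printf 'passwd without -r updates:     %s\n' "$(passwd_target_repository "$NSSWITCH_SAMPLE" "")"
    for repo in nis nisplus; do
        if target=$(passwd_target_repository "$NSSWITCH_SAMPLE" "$repo" 2>/dev/null); then
            printf 'passwd -r %-8s updates %s, which the switch consults\n' "$repo" "$target"
        else
            printf 'passwd -r %-8s updates %s, which the switch never consults: change nsswitch.conf first\n' "$repo" "$target"
        fi
    done
}

main "$@"
```

Run it against the real /etc/nsswitch.conf before a -r change (for example `passwd_target_repository "$(cat /etc/nsswitch.conf)" nisplus`) to confirm that the repository you are about to write is one the switch actually consults; a return of 1 means the password or aging rules you set there will sit unused until the passwd line is changed, which is exactly the situation the warning above describes.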

The passwd Command and "NIS+ Environment"

In this chapter, the phrase NIS+ environment refers to situations where the passwd entry of the applicable nsswitch.conf file is set to nisplus, or the passwd command is run with the -r nisplus argument.

The passwd Command and Credentials

When run in an NIS+ environment (see above), the passwd command is designed to function with or without credentials. Users without credentials are limited to changing their own password. Other password operations can only be performed by users who have credentials (are authenticated) and who have the necessary access rights (are authorized).

The passwd Command and Permissions

In this discussion of authorization and permissions, it is assumed that everyone referred to has the proper credentials.

By default, in a normal NIS+ environment the owner of the passwd table can change password information at any time and without constraints. In other words, the owner of the passwd table is normally granted full read, modify, create, and destroy authorization (permission) for that table. An owner can also:

  • Assign table ownership to someone else with the nischown command.

  • Grant some or all of read, modify, create, and destroy rights to the table's group, or even to the world or nobody class. (Of course, granting such rights to world or nobody seriously weakens NIS+ security.)

  • Change the permissions granted to any class with the nisdefaults, nischmod, or nistbladm commands.


Note - Regardless of what permissions they have, everyone in the group, world, and nobody classes must comply with password-aging constraints. In other words, they cannot change a password for themselves or anyone else unless that password has aged past its minimum. Nor can members of the group, world, and nobody classes avoid having to change their own passwords when the age limit has been reached. Age constraints do not apply to the owner of the passwd table.


To use the passwd command in an NIS+ environment, you must have the required authorization (access rights) for the operation:

Table 16-1 Access Rights for passwd Command

  This Operation            Requires These Rights    To This Object
  ------------------------  -----------------------  --------------------
  Displaying information    read                     passwd table entry
  Changing information      modify                   passwd table entry
  Adding new information    modify                   passwd table

The passwd Command and Keys

If you use passwd in an NIS+ environment to change a principal's password, it tries to update the principal's private (secret) key in the cred table.

  • If you have modify rights to the DES entry in the cred table and if the principal's login and Secure RPC passwords are the same, passwd will update the private key in the cred table.

  • If you do not have modify rights to the DES entry in the cred table or if the principal's login and Secure RPC passwords are not the same, the passwd command will change the password, but not change the private key.

    When the private key is not updated, it remains derived from a password that now differs from the one stored in the passwd table. In this case the user must either change keys with the chkey command or run keylogin after each login.

The passwd Command and Other Domains

To operate on the passwd table of another domain, use:

passwd [options] -D domainname

The nistbladm Command

The nistbladm command allows you to create, change, and display information about any NIS+ table, including the passwd table.


Caution - To perform password operations using the nistbladm command you must apply nistbladm to the shadow column of the passwd table. Applying nistbladm to the shadow column is complex and tricky. Therefore, you should not use the nistbladm command for any operation that can more easily be performed by the passwd command or by using the AdminTool or Solstice AdminSuite tools.


You should use the passwd command or Solstice AdminSuite tools to perform the following operations:

  • Changing a password

  • Setting the maximum period that a password can be used (password aging)

  • Setting the minimum period that a password must be used

  • Setting the password warning period

  • Turning off password aging
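An added example, not from the Sun documentation, that ties together the aging operations listed for administrators at the start of this chapter (force, lock, minimum, warning, maximum), the age constraints in the Note under The passwd Command and Permissions, and the aging operations listed just above: a POSIX sh script that evaluates a shadow-style entry (user:password:lastchg:min:max:warn:inactive:expire:flag, with lastchg and the limits in days, the same aging fields that the shadow column of the NIS+ passwd table carries) and reports whether the password is locked, must be changed, is still inside its minimum age, or is in its warning period, plus a check on -n, -x and -w values before they are handed to passwd. The shadow entries are constructed; the *LK* lock prefix is the Solaris convention and the ! prefix the Linux one, both treated as locked here; treating lastchg of 0 as a forced change (the value passwd -f writes) and an empty max as aging turned off are the example's assumptions, and the function names are its own.

```shell
#!/bin/sh
# Added example, not from the Sun documentation. Evaluates the aging
# fields of a shadow-style entry and validates -n/-x/-w values before
# they are passed to passwd(1). All entries below are constructed.
#
# Entry layout (fields separated by ':'):
#   user:password:lastchg:min:max:warn:inactive:expire:flag
# lastchg is the day of the last change (days since the epoch); min, max
# and warn are day counts. An empty max means aging is turned off
# (assumption used by this example).

# Days since the epoch for "today". date +%s is a GNU/BSD extension, so
# the live value is computed here and passed in explicitly elsewhere to
# keep results reproducible.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Print one word describing the entry's state:
#   locked    password field carries a lock marker (*LK* on Solaris, ! on Linux)
#   expired   lastchg is 0 (passwd -f) or lastchg + max is in the past
#   too-soon  lastchg + min is still in the future: the user cannot change it yet
#   warn      within warn days of expiry
#   ok        no constraint applies today
# $1 = shadow entry, $2 = today as days since the epoch.
password_aging_state() {
    entry=$1
    today=$2
    # Split on ':' only; -f stops '*LK*' from being expanded as a glob.
    oldIFS=$IFS; IFS=:; set -f
    set -- $entry
    set +f; IFS=$oldIFS
    pw=$2; lastchg=$3; min=$4; max=$5; warn=$6
    case $pw in
        '*LK*'*|'!'*) echo locked; return 0 ;;
    esac
    if [ "${lastchg:-0}" -eq 0 ]; then
        echo expired; return 0
    fi
    if [ -n "$min" ] && [ "$min" -gt 0 ] && [ $((lastchg + min)) -gt "$today" ]; then
        echo too-soon; return 0
    fi
    if [ -n "$max" ] && [ $((lastchg + max)) -lt "$today" ]; then
        echo expired; return 0
    fi
    if [ -n "$max" ] && [ -n "$warn" ] && [ $((lastchg + max - warn)) -le "$today" ]; then
        echo warn; return 0
    fi
    echo ok
}

# Validate the aging values for passwd -n min -x max -w warn and print the
# argument string. A minimum above the maximum would leave the user unable
# to change the password before it expires, and a warning period longer
# than the maximum is meaningless, so both are rejected here.
passwd_aging_args() {
    min=$1; max=$2; warn=$3
    if [ "$min" -gt "$max" ]; then
        echo "min ($min) exceeds max ($max)" >&2; return 1
    fi
    if [ "$warn" -gt "$max" ]; then
        echo "warn ($warn) exceeds max ($max)" >&2; return 1
    fi
    printf '%s\n' "-n $min -x $max -w $warn"
}

# Constructed entries: normal aging, locked, forced change, aging off.
SHADOW_SAMPLE='alice:$5$abc:18000:7:90:14:::
bob:*LK*$5$def:18000:0:90:14:::
carol:$5$ghi:0:0:90:14:::
dave:$5$jkl:18000::::::'

main() {
    today=${1:-18080}   # a fixed day so the output below is reproducible
    printf '%s\n' "$SHADOW_SAMPLE" | while IFS= read -r entry; do
        printf '%-8s %s\n' "${entry%%:*}" "$(password_aging_state "$entry" "$today")"
    done
    passwd_aging_args 7 90 14 && echo "  (arguments for: passwd -n 7 -x 90 -w 14 user)"
}

main "$@"
```

With the fixed day 18080 the four constructed entries come out as warn, locked, expired and ok respectively. Against a live system, feed it lines from /etc/shadow (or the shadow column of the NIS+ passwd table) together with `$(today_days)`; a too-soon result is the situation the Note describes, where a member of the group, world or nobody class cannot change the password because it has not aged past its minimum, while expired is what forces a change at the next login.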
