[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Network Information Services (NIS and NIS+) Guide


Administering Passwords

This section describes how to use the passwd command from the point of view of an ordinary user and of a system administrator. You can also use Web-based System Manager or SMIT to do these tasks, both of which can be more convenient than running the passwd command as described in this section. This section assumes you have a basic understanding of the NIS+ security system, especially of the role that login passwords play in that system (see the Chapter 7, Security chapter). This section covers:

Logging In

Logging in to a system is a two-step process:

  1. Type your login ID at the Login: prompt.
  2. Type your password at the Password: prompt. To maintain password secrecy, your password is not displayed on your screen when you type it.

If your login is successful, your system's message of the day (if any) displays and then your command-line prompt, windowing system, or normal application.

The Login incorrect Message

The Login incorrect message indicates that:

The password expired Message

If you receive a Your password has expired message, your password has reached its age limit and expired. You must choose a new password at this time. (See Choosing a Password , for criteria that a new password must meet.)

In this case, choosing a new password is a three-step process:

  1. Type your old password at the Enter login password (or similar) prompt.
  2. Type your new password at the Enter new password prompt.
  3. Type your new password again at the Re-enter new password prompt.

The will expire Message

If you receive a Your password will expire in N days message (where N is a number of days), or a Your password will expire within 24 hours message, it means that your password will reach its age limit and expire in that number of days (or hours). It is recommended that you change your password immediately if you receive either message. (See Changing Your Password .)

The Permission denied Message

After entering your login ID and password, you may get a Permission denied message and be returned to the login: prompt. This means that your login attempt has failed because an administrator has either locked your password, or terminated your account, or your password privileges have expired. In these situations a user cannot log in until an administrator unlocks the user password or reactivates the account or privileges.

Changing Your Password

To maintain security, you should change your password regularly. (See Choosing a Password for password requirements and criteria.) Note that you can also use Web-based System Manager or SMIT to change your password. You may find that more convenient than running the passwd command as described here.

To change your password, use the following steps:

  1. Run the passwd command at a system prompt.
  2. Type your old password at the Enter login password (or similar) prompt.
  3. Type your new password at the Enter new password prompt.

At this point the system checks to make sure that your new password meets system requirements:

Password Change Failures

Some systems limit either the number of failed attempts you can make in changing your password or the total amount of time you can take to make a successful change. (These limits are implemented to prevent someone else from changing your password by guessing your current password.)

If you fail to successfully log in, someone failes while trying to log in as you, or you fail to change your password within the specified number of tries or time limit, a Too many failures - try later or Too many tries: try again later message displays. You are not allowed to make any more attempts until a certain amount of time has passed. (That amount of time is set by the administrator.)

Choosing a Password

Many breaches of computer security involve guessing another user's password. While the passwd command enforces some criteria for making sure the password is hard to guess, someone may be able to guess a password correctly just by knowing something about the user. Thus, a good password is one that is easy for you to remember but hard for someone else to guess. A bad password is one that is so hard for you to remember that you have to write it down (which you are not supposed to do), or one that could be guessed by someone who knows about you.

Password Requirements

A password should meet the following suggested requirements:

For further information, see the /etc/security/user file description.

Bad Choices for Passwords

Bad choices for passwords include:

Good Choices for Passwords

Good choices for passwords include:

The passwd Command

The passwd command performs various operations regarding passwords. The yppasswd command retains all of its functionality for backward compatibility.

The passwd Command and Credentials

When run in an NIS+ environment, the passwd command is designed to function with or without credentials. Users without credentials are limited to changing their own password. Other password operations can only be performed by users who have credentials (are authenticated) and who have the necessary access rights (are authorized).

The passwd Command and Permissions

In this discussion of authorization and permissions, it is assumed that everyone referred to has the proper credentials.

By default, in a normal NIS+ environment, the owner of the passwd table can change password information at any time and without constraints. In other words, the owner of the passwd table is normally granted full read, modify, create, and destroy authorization (permission) for that table. An owner can also:

Note: Regardless of what permissions they have, everyone in the world and nobody classes must comply with password-aging constraints. In other words, they cannot change a password for themselves or anyone else unless that password exceeded its minimum. Nor can members of the group, world, and nobody classes avoid having to change their own passwords when the age limit has been reached. However, age constraints do not apply to the owner of the passwd table.

To use the passwd command in an NIS+ environment, you must have the required authorization (access rights) for the operation:

Access Rights for passwd Command
This Operation Requires These Rights To This Object
Displaying information read passwd table entry
Changing information modify passwd table entry
Adding new information modify passwd table

The passwd Command and Keys

If you use passwd in an NIS+ environment to change a principal's password, the principal's private (secret) key is updated in the cred table.

If you do not have modify rights to the DES entry, the private key in the cred table will have been formed with a password that is now different from the one stored in the passwd table. In this case, the user must change keys with the chkey command or run keylogin after each login.

The nistbladm Command

The nistbladm command allows you to create, change, and display information about any NIS+ table, including the passwd table.

It is possible to use the nistbladm command to:

Changing Passwords

New passwords must meet the criteria described in Password Requirements .

Changing Your Own Password

To change your password, type

passwd

You are prompted for your old password. Then, you are prompted for the new password, and then for the new password a second time to confirm it.

Changing Someone Else's Password

To change another user's password in the same domain, use:

passwd username

When using the passwd command in an NIS+ environment to change someone else's password you must have modify rights to that user's entry in the passwd table (this usually means that you are a member of the group for the passwd table and the group has modify rights). You do not have to enter either the user's old password or your password. You will be prompted to enter the new password twice to make sure that they match. If they do not match, you will be prompted to enter them again.

Changing Root's Password

When changing the root password, you must always run chkey -p immediately after changing the password with the passwd command. Failure to run chkey -p after changing the root password will result in root being unable to properly log in.

To change a root password, follow these steps:

  1. Log in as root.
  2. Change root's password using the passwd command.
  3. Run chkey -p.

    You must use the -p option.

Managing Password Aging

Password aging is a mechanism you can use to force users to periodically change their passwords.

Password aging encompasses the following tasks:

Users who are already logged in when the various maximums or dates are reached are not affected by the above tasks. They can continue to work as normal.

Password-aging limitations and activities are only activated when a user logs in or performs one of the following operations:

These password-aging parameters are applied on a user-by-user basis. Password-aging requirements can differ for different users. (You can also set general default password aging parameters as described in the /etc/security/user file description.)

Password Privilege Expiration

You can set a specific date on which a user's password privileges expire. When a user's password privilege expires, that user can no longer have a valid password. In effect, the user is locked out of the system after the given date because after that date, the user can no longer log in.

For example, if you specify an expire date of December 31, 1999, for a user named petew, on January 1, 2000 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt, he will receive a Login incorrect message.

Password Aging versus Expiration

Expiration of a user's password privilege is not the same as password aging.

Setting an Expiration Date

Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no ffect until the user logs out or tries to use rlogin or telnet to connect to another machine, at which time the user will not be able to log in again. Thus, to implement password privilege expiration dates, you should require users to log out at the end of each day's work session.

Note: Whenever possible, use Web-based System Manager or SMIT instead of nistbladm to set an expiration date. Both Web-based System Manager and SMIT are easier to use and provides less chance for error.

To set an expiration date with the nistbladm command:

nistbladm -m 'shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir

Where:

Turning Off Password Privilege Expiration

To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:

nistbladm -m 'shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir

Or you can use the nistbladm command to reset the expiration date to a date in the future by entering a new number of days in the n6 field.

Specifying Maximum Number of Inactive Days

You can set a maximum number of days that a user can go without logging in on a given machine. Once that number of days passes without the user logging in, that machine will no longer allow that user to log in. In this situation, the user will receive a Login incorrect message after each login attempt.

This feature is tracked on a machine-by-machine basis, not a network-wide basis. That is, in an NIS+ environment, you specify the number of days a user can go without logging in by placing an entry for that user in the passwd table of the user's home domain. That number applies for that user on all machines on the network. However, the date on which a user last logged in to a given machine is maintained on a machine-by-machine basis in the machine's /var/adm/utmp and/or /var/adm/wtmp (if it exists) file.

For example, suppose you specify a maximum inactivity period of 10 days for the user samh. On January 1, samh logs in to both machine-A and machine-B, and then logs off both machines. Four days later on January 4, samh logs in on machine-B and then logs out. Nine days after that on January 13, samh can still log in to machine-B because only nine days have elapsed since the last time he logged in on that machine. However, he can no longer login to machine-A because thirteen days have passed since his last log in on that machine.

Keep in mind that an inactivity maximum cannot apply to a machine the user has never logged in to. No matter what inactivity maximum has been specified or how long it has been since the user has logged in to some other machine, the user can always log in to a machine that the user has never logged in to previously.

Notes:

To set a login inactivity maximum, you must use the nistbladm command in the format:

nistbladm -m 'shadow=n:n:n:n:n5:n:n' [name=login],passwd.org_dir

Where:

Setting Password Aging Criteria for Multiple Users

You can use the nistbladm command to globally specify password maximum, minimum, warning, inactivity, and expiration values for all principals listed in a given passwd table.

To globally change password aging values for all users listed in a given password table, you use the nistbladm command without an indexed entry between the square brackets. For example, to globally set a minimum of 7 days, a maximum of 30 days, a warning period of 5 days, and no inactivity limit or expiration date, you type:

nistbladm -m 'shadow=n:7:30:5:-1:-1:0' [],passwd.org_dir

You can also use the nistbladm command to turn off password aging for all users in a given password table by globally setting their max value to -1 or 0.

Note: The value you enter in the lastchange field (the first field) will be applied to all the users. In effect, you will be resetting everyone's last change date to that value.

Specifying Password Criteria and Defaults

Read the /etc/security/user file description for information on password-related defaults and general criteria that you can specify.

Password Failure Limits

You can specify a number-of-tries limit or an amount-of-time limit (or both) for a user's attempt to change passwords. These limits are specified by adding arguments when starting the rpc.nispasswdd daemon.

Limiting the number of attempts or setting a time frame provides a limited (but not foolproof) defense against unauthorized persons attempting to change a valid password to one that they discover through trial and error.

Maximum Number of Tries

To set the maximum number of times that a user can try to change a password without succeeding, use rpc.nispasswdd with the -a n option, where n is the number of allowed tries. (You must have root user privileges on the NIS+ master server to run rpc.nispasswdd.)

For example, to limit users to no more than four attempts (the default is 3), type:

rpc.nispasswdd -a 4

In this case, if a user's fourth attempt at logging in is unsuccessful, the message Too many failures - try later displays. No further attempts are permitted for that user ID until a specified period of time has passed.

Maximum Login Time Period

To set the maximum amount a time that a user can take to successfully change a password, use the -c minutes argument with rpc.nispasswdd, where minutes is the number of minutes a user has to log in. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)

For example, to specify that users must successfully log in within 2 minutes, type:

rpc.nispasswdd -c 2

In this case, if a user is unable to successfully change a password within 2 minutes, the message is displayed at the end of the two-minute period. No further attempts are permitted for that user ID until a specified period of time has passed.


[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]