
Commands Reference, Volume 4


pwdadm Command

Purpose

Administers users' passwords.

Syntax

pwdadm [ -f Flags | -q | -c ] User

Description

The pwdadm command administers users' passwords. The root user or a member of the security group can supply or change the password of the user specified by the User parameter. The invoker of the command must provide a password when queried before being allowed to change the other user's password. When the command executes, it sets the ADMCHG attribute. This forces the user to change the password the next time a login command or an su command is given for the user.

Root users and members of the security group should not change their personal password with this command. The ADMCHG attribute would require them to change their password again the next time a login command or an su command is given for the user. Only the root user or a user with PasswdAdmin authorization can change password information for administrative users, who have the admin attribute set to true in the /etc/security/user file.

Only the root user, a member of the security group, or a user with PasswdManage authorization can supply or change the password of the user specified by the User parameter.

When this command is executed, the password field for the user in the /etc/passwd file is set to ! (exclamation point), indicating that an encrypted version of the password is in the /etc/security/passwd file. The ADMCHG attribute is set when the root user or a member of the security group changes a user's password with the pwdadm command.

A new password must be defined according to the rules in the /etc/security/user file, unless the -f NOCHECK flag is included. Only 7-bit characters are supported in passwords. By including the -f flag with the pwdadm command, the root user or a member of the security group can set attributes that change the password rules. If there is no password entry in the /etc/security/passwd file when the -f flag is used, the password field in the /etc/passwd file is set to ! (exclamation point) and an * (asterisk) appears in the password= field to indicate that no password has been set.

The -q flag permits the root user or members of the security group to query password information. Only the status of the lastupdate attribute and the flags attribute appear. The encrypted password remains hidden.

The -c flag clears all flags set in the /etc/security/passwd file.

Flags


-f Flags
        Specifies the flags attribute of a password. The Flags variable must be one or more of the following attributes, separated by commas:

        NOCHECK
                Signifies that new passwords need not follow the guidelines established in the /etc/security/user file for password composition.

        ADMIN
                Specifies that password information may be changed only by the root user. Only the root user can enable or disable this attribute.

        ADMCHG
                Sets the ADMCHG attribute without changing the user's password. This forces the user to change the password the next time a login command or an su command is given for the user. The attribute is cleared when the user specified by the User parameter changes the password.

-q
        Queries the status of the password. The values of the lastupdate attribute and the flags attribute appear; the encrypted password is not shown.

-c
        Clears all flags set for the user in the /etc/security/passwd file.

Security

Access Control: Only the root user and members of the security group should have execute (x) access to this command. The command should have the trusted computing base attribute and be setuid to the root user to have write (w) access to the /etc/passwd file, the /etc/security/passwd file, and other user database files.

Files Accessed:

Mode File
rw /etc/passwd
rw /etc/security/passwd
r /etc/security/user

Auditing Events:

Event Information
PASSWORD_Change user
PASSWORD_Flags user, flags

Examples

  1. To set a password for user susan, a member of the security group enters:

    pwdadm susan
    

    The user who invoked the command is first prompted for a password before Susan's password can be changed.

  2. To query the password status for user susan, a member of the security group enters:

    pwdadm -q susan
    

    This command displays values for the lastupdate attribute and the flags attribute. The following example shows what appears when the NOCHECK and ADMCHG flags are in effect:

    susan:
            lastupdate=
            flags= NOCHECK,ADMCHG
    
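  3. The following shell script is an added example and is not part of the AIX reference. It audits the flags that pwdadm -f sets and pwdadm -c clears, reading a file in the stanza layout that pwdadm -q prints (a user: line followed by indented attribute = value lines), which is also the layout of /etc/security/passwd. Because reading the real file requires root, the script writes and reads a constructed sample; the user names and placeholder password values in it are made up. On an AIX host the same function can be pointed at /etc/security/passwd or at saved pwdadm -q output.

```shell
#!/bin/sh
# Added example, not from the AIX Commands Reference. Audits the NOCHECK,
# ADMIN and ADMCHG flags in a stanza file laid out like /etc/security/passwd
# (assumption: "user:" header lines, then indented "attribute = value" lines).

# users_with_flag FILE FLAG
# Print, one per line, every user whose flags attribute in FILE contains FLAG.
users_with_flag() {
    awk -v want="$2" '
        # An unindented line ending in ":" starts a new user stanza.
        /^[^ \t].*:$/ { user = substr($0, 1, length($0) - 1); next }
        # "flags = A,B" or "flags= A,B": split the value on commas and
        # report the user once if the wanted flag is present.
        /^[ \t]*flags[ \t]*=/ {
            sub(/^[ \t]*flags[ \t]*=[ \t]*/, "")
            n = split($0, f, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (f[i] == want) { print user; break }
        }' "$1"
}

# write_sample FILE
# Constructed sample in the pwdadm -q / /etc/security/passwd layout. The
# password values are placeholders, not real hashes; "*" marks no password.
write_sample() {
    cat > "$1" <<'EOF'
root:
        password = *
        lastupdate = 1
        flags =

susan:
        password = xxxxxxxxxxxxx
        lastupdate = 1
        flags = NOCHECK,ADMCHG

bob:
        password = xxxxxxxxxxxxx
        lastupdate = 1
        flags = ADMIN

carol:
        password = xxxxxxxxxxxxx
        lastupdate = 1
        flags= ADMCHG
EOF
}

SAMPLE=${TMPDIR:-/tmp}/pwdadm_sample.$$
write_sample "$SAMPLE"

# Accounts whose new passwords bypass the composition rules in
# /etc/security/user; review these and clear the flag with pwdadm -c.
echo "NOCHECK set:"
users_with_flag "$SAMPLE" NOCHECK

# Accounts still carrying an administrative reset the user has not replaced.
echo "ADMCHG pending:"
users_with_flag "$SAMPLE" ADMCHG

rm -f "$SAMPLE"
```

    The awk program keys on the unindented user: header and on the flags line only, so it ignores the password and lastupdate attributes and never echoes the encrypted password.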

Files


/usr/bin/pwdadm
        Contains the pwdadm command.
/etc/passwd
        Contains the basic user attributes.
/etc/security/passwd
        Contains password information.
/etc/security/login.cfg
        Contains configuration information.

Related Information

The passwd command.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.

