
modprpw(1M)

TO BE OBSOLETED
HP-UX 11i Version 3: February 2007

NAME

modprpw — modify protected password database

SYNOPSIS

modprpw [-E|-V] [-l]

modprpw [-x] [-l] username

modprpw [-A|-e|-v|-k] [-m field=value,...] [-l] username

DESCRIPTION

modprpw updates the user's protected password database settings. This command is available only to the superuser in a trusted system.

Usage other than via SAM, and/or modifications out of sync with /etc/passwd may result in serious database corruption and the inability to access the system.

All updated values may be verified using the getprpw command. See getprpw(1M).

modprpw uses the /etc/nsswitch.conf configuration file default if -l is not specified. See nsswitch.conf(4).

Options

modprpw sets user's parameters as defined by the options specified. At least one option is required. If a field is not specified in the option then its value remains unchanged in the database.

modprpw recognizes the following options:

-A

Add a new user entry and return a random password which the new user must use to log in the first time. This entry has to be created with the given username and the -m uid=value.

Error is returned if the user already exists.

May be combined with the -l option.

Unlike the useradd command, it does not create nor populate the home directory, and it does not update /etc/passwd.

-E

This option is specified WITHOUT a user name to expire all users' passwords. It goes through the protected password database and zeroes the successful change time of all users. The result is that all users will need to enter a new password at their next login.

May be combined with the -l option.

-e

This option is specified with a user name to expire the specified user's password. It zeroes the successful change time.

May be combined with the -l and/or -m options.

-k

To unlock/enable a user's account that has become disabled, except when the lock is due to a missing password or * password.

May be combined with the -l and/or -m options.

-l

This option modifies data for a local user, username. This option must be specified with other options.

-m field=value,...

Modify the database field to the specified value and/or resets locks. Valid with one of the following options: -A, -e, -v, -k, or -l.

A list of database fields may be used with comma as a delimiter. An "invalid-opt" is printed, and processing terminates, if a list of database fields passed to -m contains an invalid database field.

Boolean values are specified as YES, NO, or DFT for system default values (/tcb/files/auth/system/default). Numeric values are specified as positive numbers, 0, or -1. If the value -1 is specified, the numeric value in the database is removed, allowing the system default value to be used. Time values are specified in days, although the database keeps them in seconds.

No aging is present if the following 4 database parameters are all zero: u_minchg, u_exp, u_life, u_pw_expire_warning.

Unless specified by n/a, all database fields can be set. They are listed below in the order shown in prot.h. The database fields are fully explained in prpwd(4).

FIELD=VALUE

DATABASE FIELD

n/a

database u_name.

uid=value

database u_id.

Set the uid of the user. No sanity checking is done on this value.

n/a

database u_pwd.

n/a

database u_owner.

bootpw=value

database u_bootauth.

Set boot authorization privilege, YES/NO/DFT. NO removes it from the user file.

audid=value

database u_auditid.

Set audit id. Automatically limited not to exceed the next available id.

audflg=value

database u_auditflag.

Set audit flag.

mintm=value

database u_minchg=(value*86400).

Set the minimum time interval between password changes (days). 0 = none. Same as non-trusted mode minimum time.

maxpwln=value

database u_maxlen.

Set the maximum password length for system generated passwords.

exptm=value

database u_exp=(value*86400).

Set password expiration time interval (days). 0 = not expired. Same as non-trusted mode maximum time.

lftm=value

database u_life.

Set password life time interval (days). 0 = infinite.

n/a

database u_succhg.

Modified by options e, E, v, V, maybe k.

n/a

database u_unsucchg.

acctexp=value

database u_acct_expire=(value*86400+now).

Set account expiration time interval (days). This interval is added to "now" to form the value in the database (database 0 = no expiration).

llog=value

database u_llogin.

Set the last login time interval (days). Used with u_succlog.

expwarn=value

database u_pw_expire_warning=(value*86400).

Set password expiration warning time interval (days). 0 = none.

n/a

database u_pswduser. Obsoleted field.

usrpick=value

database u_pickpw.

Set whether User Picks Password, YES/NO/DFT.

syspnpw=value

database u_genpwd.

Set whether system generates pronounceable passwords, YES/NO/DFT.

rstrpw=value

database u_restrict.

Set if generated password is restricted, YES/NO/DFT. If YES, password will be checked for triviality.

nullpw=value

database u_nullpw.

Set whether null passwords are allowed, YES/NO/DFT. YES is not recommended!

n/a

database u_pwchanger. Obsolescent field.

admnum=value

database u_pw_admin_num. Obsoleted field.

syschpw=value

database u_genchars.

Set whether system generates passwords having characters only, YES/NO/DFT.

sysltpw=value

database u_genletters.

Set whether system generates passwords having letters only, YES/NO/DFT.

timeod=value

database u_tod.

Set the time-of-day allowed for login.

The format is:

key0Starttime-Endtime,key1Starttime-Endtime,...,keynStarttime-Endtime

Where key has the following values:

  • Mo - Monday

  • Tu - Tuesday

  • We - Wednesday

  • Th - Thursday

  • Fr - Friday

  • Sa - Saturday

  • Su - Sunday

  • Any - everyday

  • Wk - Monday -> Friday

and Starttime and Endtime are in military format: HHMM, where 00 <= HH <= 23, and 00 <= MM <= 59.

n/a

database u_suclog.

n/a

database u_unsuclog.

n/a

database u_suctty.

n/a

database u_numunsuclog.

n/a

database u_unsuctty.

umaxlntr=value

database u_maxtries.

Set Maximum Unsuccessful Login tries allowed. 0 = infinite.

alock=value

database u_lock.

Set the administrator lock, YES/NO/DFT.

-V

This option is specified WITHOUT a user name to "validate/refresh" all users' passwords. It goes through the protected password database and sets the successful change time to the current time for all users. The result is that every user's password aging restarts at the current time.

May be combined with the -l option.

-v

This option is specified with a user name to "validate/refresh" the specified user's password. It sets the successful change time to the current time.

May be combined with the -l and/or -m options.

-x

Delete the user's password and return a random password that the user must later supply to the login process to log in and pick a new password. Not valid for root. Also resets locks.

May be combined with the -l option.

RETURN VALUE

0

Success.

1

User not privileged.

2

Incorrect usage.

3

Can not find the entry or file.

4

Can not change the entry.

5

Not a Trusted System.

EXAMPLES

Set the Minimum time between password changes to 12 (days), set the System generates pronounceable password flag to NO, and set the System generates password having characters only flag to YES.

modprpw -m mintm=12,syspnpw=NO,syschpw=YES someusr

The following example is to restrict the times that user joeblow can get on the system on Mondays and Fridays to 5PM-9PM, and Sundays from 5AM-9AM. Other days are not restricted.

modprpw -m timeod=Mo1700-2100,Fr1700-2100,Su0500-0900 joeblow

WARNINGS

This command is intended for SAM use only. It may change with each release and can not be guaranteed to be backward compatible.

Several database fields interact with others. Side effects may not be apparent until much later.

Special meanings may apply in the following cases:

  • an absent field,

  • a field without a value,

  • a field with a zero value.

Very little, if any checking is done to see if values are valid. It is the user's responsibility to range check values.
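Because modprpw does little checking itself, a wrapper can range check the -m argument before the command is run. The following is an added example, not HP code and not part of the original manual page: the function names are hypothetical, the grouping of fields into boolean and numeric types is read from the field descriptions above, and rejecting nullpw=YES with a separate status is a local policy choice based on the "not recommended" note.

```shell
#!/bin/sh
# Added example (not HP code): pre-flight check of a modprpw -m argument.
# Returns 0 = acceptable, 1 = malformed, 2 = well-formed but nullpw=YES.

is_hhmm() {   # HHMM with 00<=HH<=23 and 00<=MM<=59
    case $1 in [01][0-9][0-5][0-9]|2[0-3][0-5][0-9]) return 0 ;; esac
    return 1
}

check_tod() {   # one timeod item: keyStarttime-Endtime
    case $1 in
        Any*) t=${1#Any} ;;
        Mo*|Tu*|We*|Th*|Fr*|Sa*|Su*|Wk*) t=${1#??} ;;
        *) return 1 ;;
    esac
    case $t in *-*) ;; *) return 1 ;; esac
    is_hhmm "${t%%-*}" && is_hhmm "${t#*-}"
}

validate_m_arg() {
    [ -n "$1" ] || return 1
    in_tod=0; old_ifs=$IFS; IFS=,
    set -f; set -- $1; set +f      # split on commas without globbing
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            *=*) field=${item%%=*}; value=${item#*=}; in_tod=0 ;;
            *)   # no '=': legal only as a continuation of a timeod list
                 [ "$in_tod" -eq 1 ] || return 1
                 field=timeod; value=$item ;;
        esac
        case $field in
            nullpw) [ "$value" = YES ] && return 2
                    case $value in NO|DFT) ;; *) return 1 ;; esac ;;
            bootpw|usrpick|syspnpw|rstrpw|syschpw|sysltpw|alock)
                case $value in YES|NO|DFT) ;; *) return 1 ;; esac ;;
            uid|audid|mintm|maxpwln|exptm|lftm|acctexp|llog|expwarn|umaxlntr)
                case $value in -1) ;; ''|*[!0-9]*) return 1 ;; esac ;;
            audflg|admnum)   # value type not stated on the page
                [ -n "$value" ] || return 1 ;;
            timeod) in_tod=1; check_tod "$value" || return 1 ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

A caller would run `validate_m_arg "$fields" && modprpw -m "$fields" "$user"`, then confirm the stored values with getprpw.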

HP-UX 11i Version 3 is the last release to support trusted systems functionality.

FILES

/etc/passwd

System Password file

/tcb/files/auth/*/*

Protected Password Database

/tcb/files/auth/system/default

System Defaults Database

AUTHOR

modprpw was developed by HP.

© 1983-2007 Hewlett-Packard Development Company, L.P.