prpasswd(4)
NAME
prpasswd, prpwd - Protected password authentication database (Enhanced
Security)
DESCRIPTION
An authentication profile is maintained for each user on the system. This
user profile is kept in the protected password database, accessible only to
trusted programs acting on behalf of the trusted computing base (TCB). The
protected password database contains among other things the encrypted
password for the user account, which must be hidden from untrusted users.
Note
User profile information was formerly maintained in separate files.
Such files are no longer supported. If found during an update
installation, the convuser program automatically converts the files
into database format.
The protected password database does not eliminate the need for the
/etc/passwd and the /etc/group files. Users must be defined in the passwd
file in order to use the system. The protected password database entry for
a user contains the user name and user ID to provide a correlation to the
user's /etc/passwd entry. There must be a match or the user account is
treated as invalid. (Template accounts, however, are defined only in the
protected password database.)
User profiles reside in /tcb/files/auth.db, for accounts such as root that
must be accessible in single-user mode, and in /var/tcb/files/auth.db, for
the majority of accounts. Each user's authentication profile contains
values that are interpreted by trusted programs acting as part of the TCB.
These fields define user-specific values, and are used before template
account or system default template values for the same field are used.
Values are obtained as follows:
· If the user profile contains a user-specific value, that value is
used.
· If the user profile contains a reference to a template account, and no
user-specific value is defined, the value in the template account is
used.
· If neither the user profile nor the template account defines a value
for a field and the system default template defines a value for that
field, the system default template value is used.
· If the value is defined nowhere else, a static system default is used
for the field.
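The four-level lookup order above, written out as an added Python example (not code from the Tru64 manual or its libraries); the static defaults and the template contents are constructed for the example, and the list of fields that never fall through to a template is taken from the field descriptions on this page:

```python
# Added example (not from the Tru64 manual): resolve one protected password
# field in the order the page gives: user profile, then the template named
# by u_template, then the system default template, then a static default.
# Fields the page marks "ignored if set in a template or the default
# database" never fall through to those levels.
from typing import Any, Dict, Optional

# Fields the page says are ignored when set in a template or the default
# database (account identity and per-account state).
PER_USER_ONLY = {
    "u_name", "u_id", "u_pwd", "u_succhg", "u_unsucchg", "u_pwchanger",
    "u_pwdict", "u_oldcrypt", "u_suclog", "u_unsuclog", "u_suctty",
    "u_numunsuclog", "u_unsuctty", "u_retired", "u_flogins",
    "u_vacation_start", "u_vacation_end", "u_grace_limit",
    "u_psw_change_reqd", "u_template", "u_istemplate",
}

# Static system defaults used when no database level defines a field.
# Values are constructed for this example, not Tru64's built-in defaults.
STATIC_DEFAULTS: Dict[str, Any] = {"u_maxtries": 0, "u_minlen": 0,
                                   "u_pickpw": True, "u_restrict": True}

def resolve_field(field: str, user: Dict[str, Any],
                  templates: Dict[str, Dict[str, Any]],
                  system_default: Dict[str, Any]) -> Optional[Any]:
    """Effective value of `field` for `user`, or None if defined nowhere."""
    # 1. A user-specific value always wins.
    if field in user:
        return user[field]
    # Identity and state fields may only come from the user profile itself.
    if field in PER_USER_ONLY:
        return None
    # 2. The template account the profile references, if any.
    tmpl_name = user.get("u_template")
    if tmpl_name is not None and field in templates.get(tmpl_name, {}):
        return templates[tmpl_name][field]
    # 3. The system default template (/etc/auth/system/default).
    if field in system_default:
        return system_default[field]
    # 4. The static system default for the field.
    return STATIC_DEFAULTS.get(field)
```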
The system default template values are located in /etc/auth/system/default,
and can be modified through the dxaccount utility using the View Local
Template option, or through the edauth utility.
The protected password database contains keyword field identifiers and
depending on the field type, a value for that field (certain field types do
not require an explicit value). The exact syntax for field specifications
is consistent for all authentication databases and is described in the
authcap(4) reference page. The keyword field identifiers supported by the
protected password database and their associated functions are as follows:
u_name
This is the user name for the account. The string must match the name
of the file and a user name in a corresponding /etc/passwd entry. The
maximum length for Tru64 UNIX user names is currently 8 characters.
This field is ignored if it is set in a template or in the default
database.
u_id
This is the user ID for the account. The number must match the user ID
field of the corresponding /etc/passwd entry. This field is ignored if
it is set in a template or in the default database.
u_pwd
This field contains the encrypted password string for the account if
the account has a password. This field is ignored if it is set in a
template or in the default database.
u_priority
This is a priority number used by authentication programs to modify the
nice value of a login process for the user (see the setpriority(2)
reference page).
u_auditcntl
This field is the numeric value corresponding to SET_PROC_ACNTL. This
number is used in conjunction with the u_auditmask mask.
u_auditmask
This field consists of a comma-separated list of audit event names. The
events are the same as those specified in the auditmask(8) reference
page. An entry of u_auditmask=all specifies all system calls and
trusted events.
u_minchg
This field specifies the minimum password change time in seconds. If
the number is nonzero, the password cannot be changed until the
specified number of seconds since the last successful password change
have passed unless the person changing the password is authorized to
override this constraint.
u_minlen
The number in this field specifies the minimum length of the user
account password. If the field is zero, a dynamic value is calculated
as defined in the Green Book.
u_maxlen
The number in this field specifies the maximum length of the user
account password for generated passwords only. It should be less than
the system-wide maximum value defined by the <prot.h> constant
AUTH_MAX_PASSWD_LENGTH.
u_minchosen
The number in this field specifies the minimum length of the user
account password for user-chosen passwords only. If the field is zero,
a dynamic value is calculated as defined in the Green Book.
u_maxchosen
The number in this field specifies the maximum length of the user
account password for user-chosen passwords only. To encourage longer,
more secure user passwords, set it to allow the system-wide maximum
value defined by the <prot.h> constant AUTH_MAX_PASSWD_LENGTH.
u_exp
The number in this field is a time_t value that specifies how long from
a successful change until the account password expires. When a password
expires, system authentication programs request that the password be
changed when the user logs in to the system. If the password lifetime
expires before the password is changed, the account is disabled.
u_life
The number in this field is a time_t value that specifies the lifetime
of a password. If this time interval is reached, the account is
disabled and can only be unlocked by an authorized system
administrator.
u_succhg
The time in this field is a time_t value that indicates the time of the
last successful password change. This field should only be set by
programs that can be used to change the account password. This field is
ignored if it is set in a template or in the default database.
u_unsucchg
The time in this field is a time_t value that indicates the time of the
last unsuccessful password change. This field should only be set by
programs that can be used to change the account password. This field is
ignored if it is set in a template or in the default database.
u_pickpw
This field controls the ability of the user to pick a password for the
account. A :u_pickpw: entry indicates that the user can pick his own
password; a :u_pickpw@: entry indicates that he cannot. This permits an
account to be configured so that a user cannot pick a password but
instead has a password generated by the system.
u_genpwd
This field controls the ability of a user to generate a password for
the account. A :u_genpwd: entry indicates that the system will
generate the password for the user; a :u_genpwd@: entry indicates that
the user can pick his own password. The system is capable of generating
passwords containing random words.
u_restrict
This field controls whether password triviality checks are performed on
any user-selected passwords. A :u_restrict: entry indicates that
triviality checks are performed; a :u_restrict@: entry indicates they
are not performed. Triviality checks include verifying that the
password is not a login or group name, a palindrome, or a word
recognized by the spell program. See the acceptable_password(3)
reference page for more information on triviality checks for passwords.
u_nullpw
This field controls the ability of the user to choose a null password
for the account. A :u_nullpw: entry indicates a null password can be
chosen; a :u_nullpw@: entry indicates that it cannot.
u_pwchanger
This field is a string representing the user name of the last person to
change the account password if that user was not the account's owner.
This is used to warn the user at login time if the account password has
been changed, possibly without the knowledge of the user. This field is
ignored if it is set in a template or in the default database.
u_genchars
This field controls the ability of the user to generate random
characters for a password. A :u_genchars: entry indicates that the
user can generate passwords made up of random characters; a
:u_genchars@: entry indicates that he cannot.
u_genletters
This field controls the ability of the user to generate random letters
for a password. A :u_genletters: entry indicates that the user can
generate passwords made up of random letters; a :u_genletters@: entry
indicates that he cannot.
u_pwdepth
This field is a number (0 to 9) representing the number of old
encrypted passwords to keep to prevent reuse of previously used
passwords.
u_pwdict
This field is a comma-separated list of strings representing the old
encrypted passwords. The length of the list is determined by u_pwdepth.
This field is ignored if it is set in a template or in the default
database.
u_oldcrypt
This field is the algorithm number used to encrypt the current
password. This field is ignored if it is set in a template or in the
default database.
u_newcrypt
This field is the algorithm number used to encrypt future passwords.
u_suclog
The time in this field is a time_t value that contains the system time
of the last successful login to the account. The system-wide default
d_skip_success_login_log controls whether or not this field is updated
at each login. This field is ignored if it is set in a template or in
the default database.
u_unsuclog
The time in this field is a time_t value that contains the system time
of the last unsuccessful login attempt to the account. Updates to this
field control breakin detection and evasion. The system-wide default
d_skip_fail_login_log controls whether or not this field is updated at
each login failure. This field is ignored if it is set in a template
or in the default database.
u_suctty
This field is a character string that identifies the name of the
terminal associated with the last successful login to the account. The
system-wide default d_skip_ttys_update controls whether or not this
field is updated at each login. This field is ignored if it is set in a
template or in the default database.
u_numunsuclog
This field contains a number indicating the number of unsuccessful
login attempts to the account and is reset when a successful login to
the account occurs. If a login is attempted during the time period from
u_unsuclog to u_unsuclog plus u_unlock, and u_numunsuclog is not less
than u_maxtries, the login is refused. (This check is suppressed if
the u_maxtries field is set to zero.) The system-wide default
d_skip_fail_login_log controls whether or not this field is updated at
each login failure. This field is ignored if it is set in a template or
in the default database.
u_unsuctty
This field is a character string that identifies the name of the
terminal associated with the last unsuccessful login attempt to the
account. This field is ignored if it is set in a template or in the
default database.
u_tod
This field is a string that contains a comma-separated list of time-
of-day specification entries that control when the user account can be
used for login.
u_maxtries
The number in this field specifies the maximum number of consecutive
unsuccessful login attempts to the account that are permitted until the
account is disabled. Setting this field to 0 prevents the account from
being disabled because of retry failures. In this case, u_numunsuclog
is incremented, but not checked.
u_retired
This field indicates whether the account is retired or not. An account
that has been retired cannot be used for any purpose. A :u_retired:
entry indicates that the account is retired; a :u_retired@: entry
indicates that it is not. This field is ignored if it is set in a
template or in the default database.
u_lock
This field is used to administratively lock an account. A :u_lock:
entry indicates that the account is locked; a :u_lock@: entry indicates
that it is not. A user cannot log in to a locked account. An account
can also be disabled by other means. See getprpwent(3) for more
information.
u_unlock
This field is a number indicating the time in seconds to wait before
re-enabling the account after an unsuccessful login attempt
(u_unsuclog).
u_flogins
This field is the displayable count of the number of unsuccessful login
attempts. The system-wide default d_skip_fail_login_log controls
whether or not this field is updated at each login failure. This field
is ignored if it is set in a template or in the default database.
u_policy
This field is used to control whether the /tcb/bin/pwpolicy file is
consulted for validating password changes. A :u_policy: entry
indicates that the /tcb/bin/pwpolicy file is consulted; a :u_policy@:
entry indicates that it is not.
u_expdate
The actual time of type time_t that an account is set to expire.
u_vacation_start
This field is a numeric value of type time_t that indicates the start
of the user's scheduled vacation. This field is ignored if it is set in a
template or in the default database.
u_vacation_end
This field is a numeric value of type time_t that indicates the end of
the user's scheduled vacation. This field is ignored if it is set in a
template or in the default database.
u_rlimit_cpu
The RLIMIT_CPU rlim_max numeric value set by the setrlimit() system
call at login time.
u_rlimit_fsize
The RLIMIT_FSIZE rlim_max numeric value set by the setrlimit() system
call at login time.
u_rlimit_data
The RLIMIT_DATA rlim_max numeric value set by the setrlimit() system
call at login time.
u_rlimit_stack
The RLIMIT_STACK rlim_max numeric value set by the setrlimit() system
call at login time.
u_rlimit_core
The RLIMIT_CORE rlim_max numeric value set by the setrlimit() system
call at login time.
u_rlimit_rss
The RLIMIT_RSS rlim_max numeric value set by the setrlimit() system
call at login time.
u_rlimit_nofile
The RLIMIT_NOFILE rlim_max numeric value set by the setrlimit() system
call at login time.
u_rlimit_vmem
The RLIMIT_VMEM rlim_max numeric value set by the setrlimit() system
call at login time.
u_max_login_intvl
A numeric value representing the maximum time, in seconds, since the last
successful login before the account is disabled. If set for an account (or
system-wide), the user is automatically considered "locked out" if the
last successful login was more than the specified interval before the
current time. As with other is_locked_out() checks, the grace-period
feature allows an override.
u_grace_limit
This field is a numeric value of type time_t. In a user profile, it is
the timestamp until which automatic lockouts are bypassed (so
locked_out_es() says no). In the system defaults database, it is the
interval to be added to the current time when clicking on Unlock
Account in the dxaccounts GUI. This field allows a time-limited bypass
to the is_locked_out() checks so an administrator can allow a user to
log in until a specified time of day (for example, until 5pm). This
bypasses anything except the u_lock administration lock on an account.
This field is ignored if it is set in a template or in the default
database.
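The lockout rules spelled out under u_numunsuclog, u_maxtries, u_unlock, u_max_login_intvl, u_lock and u_grace_limit, applied to an already-resolved profile, as an added Python example (not Tru64's own is_locked_out() or locked_out_es()). Field names are the page's; the update helpers assume the d_skip_fail_login_log, d_skip_success_login_log and d_skip_ttys_update defaults are not set:

```python
# Added example (not Tru64's own is_locked_out()): the lockout checks the
# page describes, applied to a profile whose fields are already resolved.
# Keys are the page's field names; a missing key means "undefined".  The
# update helpers assume d_skip_fail_login_log / d_skip_success_login_log /
# d_skip_ttys_update are not set, so every login updates the fields.
from typing import Any, Dict, Optional

def lockout_reason(p: Dict[str, Any], now: int) -> Optional[str]:
    """Why a login to profile `p` is refused at time_t `now`, or None."""
    # The administrative u_lock flag is the one lock u_grace_limit cannot bypass.
    if p.get("u_lock", False):
        return "u_lock: account administratively locked"
    # A u_grace_limit timestamp still in the future bypasses the automatic
    # lockouts below (the page's "log in until 5pm" case).
    if p.get("u_grace_limit", 0) > now:
        return None
    # Consecutive failures: refused inside [u_unsuclog, u_unsuclog + u_unlock]
    # once u_numunsuclog >= u_maxtries.  u_maxtries == 0 disables the check
    # (u_numunsuclog is still incremented by record_failed_login below).
    maxtries = p.get("u_maxtries", 0)
    last_fail = p.get("u_unsuclog")
    if maxtries and last_fail is not None \
            and p.get("u_numunsuclog", 0) >= maxtries:
        if last_fail <= now <= last_fail + p.get("u_unlock", 0):
            return "u_maxtries: too many consecutive unsuccessful logins"
    # Inactivity: more than u_max_login_intvl seconds since the last success.
    intvl = p.get("u_max_login_intvl", 0)
    last_ok = p.get("u_suclog")
    if intvl and last_ok is not None and now - last_ok > intvl:
        return "u_max_login_intvl: too long since last successful login"
    return None

def record_failed_login(p: Dict[str, Any], now: int, tty: str) -> None:
    """Update the failure-tracking fields after an unsuccessful login."""
    p["u_unsuclog"] = now
    p["u_unsuctty"] = tty
    p["u_numunsuclog"] = p.get("u_numunsuclog", 0) + 1
    p["u_flogins"] = p.get("u_flogins", 0) + 1

def record_successful_login(p: Dict[str, Any], now: int, tty: str) -> None:
    """Update the success fields; u_numunsuclog is reset as the page states."""
    p["u_suclog"] = now
    p["u_suctty"] = tty
    p["u_numunsuclog"] = 0
```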
u_psw_change_reqd
A boolean expression indicating that the administrator requires a
password change now. Unlike zeroing the u_suclog field, this still
obeys the password lifetime requirements before refusing further
logins. Note: While the old method of zeroing fd_schange still works,
this method conforms to the Green Book. This field is ignored if it is
set in a template or in the default database.
u_template
This field is the name of the template which provides default values
for those fields for which no user-specific value is defined. This
field is ignored if it is set in a template or in the default database.
u_istemplate
This field indicates that the account is a template only. This field is
ignored if it is set in a template or in the default database.
The u_vacation_* fields allow the user to specify a start and end date/time
for vacation. This causes the login/password controls to ignore that
period of time for things like password lifetime and "you must log in every
so often". In order to retain Green Book conformance, it also disallows
logins during that timespan.
The setrlimit() system call controls or restricts system resources for some
(or all) users. These resources include how much CPU time they can have, how
much virtual address space they can have (how much swap space), how many
file descriptors they can have open, and each of the other things (total of
8) controlled through setrlimit(). This sets hard limits, and restricts
soft limits to match if they would otherwise be over the new hard limits.
The getprpwent routines are used to parse the protected password database
files into a prpasswd structure that can be used by programs. A flag in the
structure indicates, for each field, whether that field was defined in the
database entry. System default values are also provided in the
structure. These values are derived from the /etc/auth/system/default file
and can be used by programs in the absence of a user-specific value.
EXAMPLES
The following example shows a typical protected password database entry:
perry:u_name=perry:u_id#101:\
:u_pwd=aZXtu1kmSpEzm:\
:u_minchg#0:u_succhg#653793862:u_unsucchg#622581606:u_nullpw:\
:u_suclog#671996425:u_suctty=tty1:\
:u_unsuclog#660768767:u_unsuctty=tty1:\
:u_maxtries#3:chkent:
This protected password database entry is for the user perry. The user ID
for perry is 101. This value must match the /etc/passwd entry for this
user. The account has a password and its encrypted form is specified by the
u_pwd field.
The database entry specifies a minimum password change time of 0,
indicating that the password can be changed at any time. Furthermore, the
account is permitted to have a null password. The account has a maximum
consecutive unsuccessful login threshold of 3, indicating that the account
is locked after three failed attempts. The remaining fields provide account
information such as the last successful and unsuccessful password change
times as well as the last successful and unsuccessful login times and
terminal names.
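A parser for the entry shown above and the /etc/passwd cross-check the DESCRIPTION requires, as an added Python example that is not part of the manual page or of Tru64. The capability conventions (`key=string`, `key#number`, bare `key` for a set flag, `key@` for a cleared flag, `\` line continuation, `chkent` as terminator) are read off the example entry and assumed to follow authcap(4):

```python
# Added example (not part of the manual page): parse one authcap-style
# protected password entry into a dict and cross-check it against
# /etc/passwd as the page requires.  Conventions assumed from the example:
# `key=str`, `key#number`, bare `key` = true, `key@` = false, `\` continues
# a line, `chkent` terminates the entry.
import re
from typing import Any, Dict, List, Tuple

# The page's own example entry (its u_pwd value is the page's sample).
SAMPLE_ENTRY = r"""perry:u_name=perry:u_id#101:\
:u_pwd=aZXtu1kmSpEzm:\
:u_minchg#0:u_succhg#653793862:u_unsucchg#622581606:u_nullpw:\
:u_suclog#671996425:u_suctty=tty1:\
:u_unsuclog#660768767:u_unsuctty=tty1:\
:u_maxtries#3:chkent:
"""
CAP_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)([=#@]?)(.*)$")

def parse_prpasswd_entry(text: str) -> Tuple[str, Dict[str, Any]]:
    """Return (account name, {field: value}); raises ValueError if malformed."""
    joined = re.sub(r"\\\n", "", text.strip())          # drop continuations
    parts = joined.split(":")
    name, caps = parts[0], [c for c in parts[1:] if c]  # skip empty slots
    fields: Dict[str, Any] = {}
    for cap in caps:
        m = CAP_RE.match(cap)
        if not m:
            raise ValueError(f"malformed capability {cap!r}")
        key, kind, rest = m.groups()
        if kind == "=":
            fields[key] = rest                    # string-valued field
        elif kind == "#":
            fields[key] = int(rest)               # numeric (time_t, counts)
        elif rest:
            raise ValueError(f"flag {key!r} takes no value")
        else:
            fields[key] = kind != "@"             # boolean flag, '@' clears
    if not fields.pop("chkent", False):
        raise ValueError("entry not terminated by chkent")
    return name, fields

def validate_entry(name: str, fields: Dict[str, Any],
                   passwd_uids: Dict[str, int]) -> List[str]:
    """Page rule: u_name must equal the entry name and a passwd user name,
    and u_id that user's UID, else the account is invalid (templates exempt)."""
    problems = []
    if fields.get("u_name") != name:
        problems.append("u_name does not match entry name")
    if name not in passwd_uids:
        if not fields.get("u_istemplate"):  # templates live only in this db
            problems.append("no /etc/passwd entry for this user")
    elif fields.get("u_id") != passwd_uids[name]:
        problems.append("u_id does not match /etc/passwd UID")
    return problems
```

Colons escaped inside string values, if authcap(4) permits them, are not handled by this parser.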
FILES
/tcb/files/auth.db
Specifies the pathname of the protected password database for accounts
with UIDs less than AUTH_MIN_GEN_UID, which is set to 100 by default.
/var/tcb/files/auth.db
The pathname of the protected password database for accounts with UIDs
greater than or equal to AUTH_MIN_GEN_UID, which is set to 100 by
default.
/etc/auth/system/default
The system default database that defines system-wide global parameters.
SEE ALSO
Commands: login(1), passwd(1), auditmask(8), authck(8)
System Calls: setrlimit(2)
Functions: locked_out_es(3), nice(3), acceptable_password(3),
getprpwent(3), time_lock(3)
Files: authcap(4), default(4), group(4), passwd(4)