passwd - format of the password file
The master.passwd file, readable only by root, consists of
newline-separated
records, one per user, containing ten colon (`:') separated fields.
These fields are as follows:
name User's login name.
password User's encrypted password.
uid User's login user ID.
gid User's login group ID.
class User's general classification (see login.conf(5)).
change Password change time.
expire Account expiration time.
gecos General information about the user.
home_dir User's home directory.
shell User's login shell.
The publicly-readable passwd file is generated from the
master.passwd
file by pwd_mkdb(8) and has the class, change, and expire
fields removed.
Also, the encrypted password field is replaced by an asterisk (`*').
The name field is the login used to access the computer account, and the
uid field is the number associated with it. They should
both be unique
across the system (and often across a group of systems)
since they control
file access.
While it is possible to have multiple entries with identical
login names
and/or identical user IDs, it is usually a mistake to do so.
Routines
that manipulate these files will often return only one of
the multiple
entries, and that one by random selection.
The login name may be up to 31 characters long. For compatibility with
legacy software, a login name should start with a letter and
consist
solely of letters, numbers, dashes and underscores. The login name must
never begin with a hyphen (`-'); also, it is strongly suggested that neither
uppercase characters nor dots (`.') be part of the
name, as this
tends to confuse mailers. No field may contain a colon as
this has been
used historically to separate the fields in the user
database.
The password field is the encrypted form of the password.
If the
password field is empty, no password will be required to
gain access to
the machine. This is almost invariably a mistake. Because
master.passwd
contains the encrypted user passwords, it should not be
readable by anyone
without appropriate privileges.
Which type of cipher is used to encrypt the password information depends
on the configuration in login.conf(5). It can be different
for local and
YP passwords.
The group field is the group that the user will be placed in
upon login.
Since this system supports multiple groups (see groups(1))
this field
currently has little special meaning.
The class field is used by login(1) and other programs to
determine which
entry in the login.conf(5) database should be used.
The change field is the number in seconds, GMT, from the
epoch, until the
password for the account must be changed. This field may be
left empty
to turn off the password aging feature.
The expire field is the number in seconds, GMT, from the
epoch, until the
account expires. This field may be left empty to turn off
the account
aging feature.
The gecos field normally contains comma (`,') separated subfields as follows:
name User's full name.
office User's office location.
wphone User's work phone number.
hphone User's home phone number.
The full name may contain an ampersand (`&'), which will be
replaced by
the capitalized login name when the gecos field is displayed
or used by
various programs such as finger(1), sendmail(8), etc.
The office and phone number subfields, if they exist, are
used by the
finger(1) program and possibly by other applications.
The user's home directory is the full UNIX path name where
the user will
be placed on login.
The shell field is the command interpreter the user prefers.
If there is
nothing in the shell field, the Bourne shell (/bin/sh) is
assumed.
If YP is active, the passwd file also supports standard YP
exclusions and
inclusions, based on user names and netgroups.
Lines beginning with a `-' (minus sign) are entries marked
as being excluded
from any following inclusions, which are marked with
a `+' (plus
sign).
If the second character of the line is a `@' (at sign), the
operation involves
the user fields of all entries in the netgroup specified by the
remaining characters of the name field. Otherwise, the remainder of the
name field is assumed to be a specific user name.
The `+' token may also be alone in the name field, which
causes all users
from the passwd.byname and passwd.byuid YP maps to be included.
If the entry contains non-empty uid or gid fields, the specified numbers
will override the information retrieved from the YP maps.
Additionally,
if the gecos, dir, or shell entries contain text, it will
override the
information included via YP. On some systems, the passwd
field may also
be overridden. It is recommended that the standard way to
enable YP
passwd support in /etc/master.passwd is:
+:*::::::::
which after pwd_mkdb(8) will result in /etc/passwd containing:
+:*:0:0:::
chpass(1), login(1), passwd(1), getpwent(3), login.conf(5),
netgroup(5),
adduser(8), pwd_mkdb(8), vipw(8), yp(8)
Managing NFS and NIS (O'Reilly & Associates)
The password file format has changed since 4.3BSD. The following awk(1)
script can be used to convert your old-style password file
into a new
style password file. The additional fields ``class'',
``change'', and
``expire'' are added, but are turned off by default. To set
change and
expire use the current day in seconds from the epoch plus
the number of
seconds of offset desired.
BEGIN { FS = ":"}
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":"
$7 }
A passwd file format appeared in Version 3 AT&T UNIX.
The YP file format first appeared in SunOS.
User information should (and eventually will) be stored
elsewhere.
Placing YP exclusions in the file after any inclusions will
have unexpected
results.
OpenBSD 3.6 July 18, 1995
[ Back ] |
