prpasswd, prpwd - Protected password authentication database (Enhanced Security)
An authentication profile is maintained for each user on
the system. This user profile is kept in the protected
password database, accessible only to trusted programs
acting on behalf of the trusted computing base (TCB). The
protected password database contains among other things
the encrypted password for the user account, which must be
hidden from untrusted users.
Note
User profile information was formerly maintained in separate
files. Such files are no longer supported. If found
during an update installation, the convuser program automatically
converts the files into database format.
The protected password database does not eliminate the
need for the /etc/passwd and the /etc/group files. Users
must be defined in the passwd file in order to use the
system. The protected password database entry for a user
contains the user name and user ID to provide a correlation
to the user's /etc/passwd entry. There must be a
match or the user account is treated as invalid. (Template
accounts, however, are defined only in the protected password
database.)
User profiles reside in /tcb/files/auth.db, for accounts
such as root that must be accessible in single-user mode,
and in /var/tcb/files/auth.db, for the majority of
accounts. Each user's authentication profile contains values
that are interpreted by trusted programs acting as
part of the TCB. These fields define user-specific values,
and are used before template account or system default
template values for the same field are used. Values are
obtained as follows: If the user profile contains a user-specific
value, that value is used. If the user profile
contains a reference to a template account, and no user-specific
value is defined, the value in the template
account is used. If neither the user profile nor the template
account defines a value for a field and the system
default template defines a value for that field, the system
default template value is used. If the value is
defined nowhere else, a static system default is used for
the field.
The system default template values are located in
/etc/auth/system/default, and can be modified through the
dxaccount utility using the View Local Template option, or
through the edauth utility.
The protected password database contains keyword field
identifiers and, depending on the field type, a value for
that field (certain field types do not require an explicit
value). The exact syntax for field specifications is consistent
for all authentication databases and is described
in the authcap(4) reference page. The keyword field identifiers
supported by the protected password database and
their associated functions are as follows:

This is the user name for the account. The string must match
the name of the file and a user name in a corresponding
/etc/passwd entry. The maximum length for Tru64 UNIX user
names is currently 8 characters. This field is ignored if it
is set in a template or in the default database.

This is the user ID for the account. The number must match
the user ID field of the corresponding /etc/passwd entry.
This field is ignored if it is set in a template or in the
default database.

This field contains the encrypted password string for the
account if the account has a password. This field is ignored
if it is set in a template or in the default database.

This is a priority number used by authentication programs to
modify the nice value of a login process for the user (see
the setpriority(2) reference page).

This field is the numeric value corresponding to
SET_PROC_ACNTL. This number is used in conjunction with the
u_auditmask mask.

This field consists of a comma-separated list of audit event
names. The events are the same as those specified in the
auditmask(8) reference page. An entry of u_auditmask=all
specifies all system calls and trusted events.

This field specifies the minimum password change time in
seconds. If the number is nonzero, the password cannot be
changed until the specified number of seconds since the last
successful password change have passed, unless the person
changing the password is authorized to override this
constraint.

The number in this field specifies the minimum length of the
user account password. If the field is zero, a dynamic value
is calculated as defined in the Green Book.

The number in this field specifies the maximum length of the
user account password for generated passwords only. It
should be less than the system-wide maximum value defined by
the <prot.h> constant AUTH_MAX_PASSWD_LENGTH.

The number in this field specifies the minimum length of the
user account password for user-chosen passwords only. If the
field is zero, a dynamic value is calculated as defined in
the Green Book.

The number in this field specifies the maximum length of the
user account password for user-chosen passwords only. To
encourage longer, more secure user passwords, set it to
allow the system-wide maximum value defined by the <prot.h>
constant AUTH_MAX_PASSWD_LENGTH.

The number in this field is a time_t value that specifies
how long from a successful change until the account password
expires. When a password expires, system authentication
programs request that the password be changed when the user
logs in to the system. If the password lifetime expires
before the password is changed, the account is disabled.

The number in this field is a time_t value that specifies
the lifetime of a password. If this time interval is
reached, the account is disabled and can only be unlocked by
an authorized system administrator.

The time in this field is a time_t value that indicates the
time of the last successful password change. This field
should only be set by programs that can be used to change
the account password. This field is ignored if it is set in
a template or in the default database.

The time in this field is a time_t value that indicates the
time of the last unsuccessful password change. This field
should only be set by programs that can be used to change
the account password. This field is ignored if it is set in
a template or in the default database.

This field controls the ability of the user to pick a
password for the account. A :u_pickpw: entry indicates that
the user can pick his own password; a :u_pickpw@: entry
indicates that he cannot. This permits an account to be
configured so that a user cannot pick a password but instead
has a password generated by the system.

This field controls the ability of a user to generate a
password for the account. A :u_genpwd: entry indicates that
the system will generate the password for the user; a
:u_genpwd@: entry indicates that the user can pick his own
password. The system is capable of generating passwords
containing random words.

This field controls whether password triviality checks are
performed on any user-selected passwords. A :u_restrict:
entry indicates that triviality checks are performed; a
:u_restrict@: entry indicates they are not performed.
Triviality checks include verifying that the password is not
a login or group name, a palindrome, or a word recognized by
the spell program. See the acceptable_password(3) reference
page for more information on triviality checks for
passwords.

This field controls the ability of the user to choose a null
password for the account. A :u_nullpw: entry indicates a
null password can be chosen; a :u_nullpw@: entry indicates
that it cannot.

This field is a string representing the user name of the
last person to change the account password if that user was
not the account's owner. This is used to warn the user at
login time if the account password has been changed,
possibly without the knowledge of the user. This field is
ignored if it is set in a template or in the default
database.

This field controls the ability of the user to generate
random characters for a password. A :u_genchars: entry
indicates that the user can generate passwords made up of
random characters; a :u_genchars@: entry indicates that he
cannot.

This field controls the ability of the user to generate
random letters for a password. A :u_genletters: entry
indicates that the user can generate passwords made up of
random letters; a :u_genletters@: entry indicates that he
cannot.

This field is a number (0 to 9) representing the number of
old encrypted passwords to keep to prevent reuse of
previously used passwords.

This field is a comma-separated list of strings representing
the old encrypted passwords. The length of the list is
determined by u_pwdepth. This field is ignored if it is set
in a template or in the default database.

This field is the algorithm number used to encrypt the
current password. This field is ignored if it is set in a
template or in the default database.

This field is the algorithm number used to encrypt future
passwords.

The time in this field is a time_t value that contains the
system time of the last successful login to the account. The
system-wide default d_skip_success_login_log controls
whether or not this field is updated at each login. This
field is ignored if it is set in a template or in the
default database.

The time in this field is a time_t value that contains the
system time of the last unsuccessful login attempt to the
account. Updates to this field control breakin detection and
evasion. The system-wide default d_skip_fail_login_log
controls whether or not this field is updated at each login
failure. This field is ignored if it is set in a template or
in the default database.

This field is a character string that identifies the name of
the terminal associated with the last successful login to
the account. The system-wide default d_skip_ttys_update
controls whether or not this field is updated at each login.
This field is ignored if it is set in a template or in the
default database.

This field contains a number indicating the number of
unsuccessful login attempts to the account and is reset when
a successful login to the account occurs. If a login is
attempted during the time period from u_unsuclog to
u_unsuclog plus u_unlock, and u_numunsuclog is not less than
u_maxtries, the login is refused. (This check is suppressed
if the u_maxtries field is set to zero.) The system-wide
default d_skip_fail_login_log controls whether or not this
field is updated at each login failure. This field is
ignored if it is set in a template or in the default
database.

This field is a character string that identifies the name of
the terminal associated with the last unsuccessful login
attempt to the account. This field is ignored if it is set
in a template or in the default database.

This field is a string that contains a comma-separated list
of time-of-day specification entries that control when the
user account can be used for login.

The number in this field specifies the maximum number of
consecutive unsuccessful login attempts to the account that
are permitted until the account is disabled. Setting this
field to 0 prevents the account from being disabled because
of retry failures. In this case, u_numunsuclog is
incremented, but not checked.

This field indicates whether the account is retired or not.
An account that has been retired cannot be used for any
purpose. A :u_retired: entry indicates that the account is
retired; a :u_retired@: entry indicates that it is not. This
field is ignored if it is set in a template or in the
default database.

This field is used to administratively lock an account. A
:u_lock: entry indicates that the account is locked; a
:u_lock@: entry indicates that it is not. A user cannot log
in to a locked account. An account can also be disabled by
other means. See getprpwent(3) for more information.

This field is a number indicating the time in seconds to
wait before re-enabling the account after an unsuccessful
login attempt (u_unsuclog).

This field is the displayable count of the number of
unsuccessful login attempts. The system-wide default
d_skip_fail_login_log controls whether or not this field is
updated at each login failure. This field is ignored if it
is set in a template or in the default database.

This field is used to control whether the /tcb/bin/pwpolicy
file is consulted for validating password changes. A
:u_policy: entry indicates that the /tcb/bin/pwpolicy file
is consulted; a :u_policy@: entry indicates that it is not.

The actual time of type time_t that an account is set to
expire.

This field is a numeric value of type time_t that indicates
the start of the user's scheduled vacation. This field is
ignored if it is set in a template or in the default
database.

This field is a numeric value of type time_t that indicates
the end of the user's scheduled vacation. This field is
ignored if it is set in a template or in the default
database.

The RLIMIT_CPU rlim_max numeric value set by the setrlimit() system call at login time.
The RLIMIT_FSIZE rlim_max numeric value set by the setrlimit() system call at login time.
The RLIMIT_DATA rlim_max numeric value set by the setrlimit() system call at login time.
The RLIMIT_STACK rlim_max numeric value set by the setrlimit() system call at login time.
The RLIMIT_CORE rlim_max numeric value set by the setrlimit() system call at login time.
The RLIMIT_RSS rlim_max numeric value set by the setrlimit() system call at login time.
The RLIMIT_NOFILE rlim_max numeric value set by the setrlimit() system call at login time.
The RLIMIT_VMEM rlim_max numeric value set by the setrlimit() system call at login time.

A numeric value representing the maximum time, in seconds,
since the last successful login before the account is
disabled. If set for an account (or system-wide), the user
is automatically considered "locked out" if the last
successful login was more than the specified interval before
the current time. As with other is_locked_out() checks, the
grace-period feature allows an override.

This field is a numeric value of type time_t. In a user
profile, it is the timestamp until which automatic lockouts
are bypassed (so locked_out_es() says no). In the system
defaults database, it is the interval to be added to the
current time when clicking on Unlock Account in the
dxaccounts GUI. This field allows a time-limited bypass of
the is_locked_out() checks so an administrator can allow a
user to log in until a specified time of day (for example,
until 5pm). This bypasses anything except the u_lock
administrative lock on an account. This field is ignored if
it is set in a template or in the default database.

A boolean expression indicating that the administrator
requires a password change now. Unlike zeroing the u_suclog
field, this still obeys the password lifetime requirements
before refusing further logins. Note: While the old method
of zeroing fd_schange still works, this method conforms to
the Green Book. This field is ignored if it is set in a
template or in the default database.

This field is the name of the template which provides
default values for those fields for which no user-specific
value is defined. This field is ignored if it is set in a
template or in the default database.

This field indicates that the account is a template only.
This field is ignored if it is set in a template or in the
default database.
The u_vacation_* fields allow the user to specify a start
and end date/time for vacation. This causes the
login/password controls to ignore that period of time for
things like password lifetime and "you must log in every
so often". In order to retain Green Book conformance, it
also disallows logins during that timespan.
The setrlimit() system call controls or restricts system
resources for some (or all) users. These resources include
how much CPU time they can have, how much virtual address
space they can have (how much swap space), how many file
descriptors they can have open, and each of the other
things (total of 8) controlled through setrlimit(). This
sets hard limits, and restricts soft limits to match if
they would otherwise be over the new hard limits.
The getprpwent routines are used to parse the protected
password database files into a prpasswd structure that can
be used by programs. For each field, a flag in the structure
indicates whether that field was defined in the database
entry. System default values are also provided in the
structure. These values are derived from the
/etc/auth/system/default file and can be used by programs
in the absence of a user-specific value.
The following example shows a typical protected password
database entry:
perry:u_name=perry:u_id#101:\
:u_pwd=aZXtu1kmSpEzm:\
:u_minchg#0:u_succhg#653793862:u_unsucchg#622581606:u_nullpw:\
:u_suclog#671996425:u_suctty=tty1:\
:u_unsuclog#660768767:u_unsuctty=tty1:\
:u_maxtries#3:chkent:
This protected password database entry is for the user
perry. The user ID for perry is 101. This value must match
the /etc/passwd entry for this user. The account has a
password and its encrypted form is specified by the u_pwd
field.
The database entry specifies a minimum password change
time of 0, indicating that the password can be changed at
any time. Furthermore, the account is permitted to have a
null password. The account has a maximum consecutive
unsuccessful login threshold of 3, indicating that the
account is locked after three failed attempts. The remaining
fields provide account information such as the last
successful and unsuccessful password change times as well
as the last successful and unsuccessful login times and
terminal names.
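The following example is added here and is not part of the prpasswd(4) reference page or of the Tru64 getprpwent library. It parses an entry in the format shown above into a dictionary, resolves a field through the user profile, template and system default in the order described earlier, and applies the u_retired, u_lock and u_maxtries checks from the u_numunsuclog description. The STATIC_DEFAULTS table and the SYSTEM_DEFAULTS value are constructed assumptions; the parser covers only the name=string, name#number, name and name@ forms of authcap(4) syntax.

```python
# Field syntax as in the entry above (authcap(4) conventions):
#   name=value  string field     name#number  numeric field
#   name        flag set         name@        flag cleared
# Static defaults for when no user, template or system default value
# exists: an assumption for this example, not Tru64's real values.
STATIC_DEFAULTS = {"u_maxtries": 0, "u_unlock": 0, "u_lock": False, "u_retired": False}

def parse_authcap(text):
    """Parse one protected password entry into a {field: value} dict."""
    # Drop the backslash continuations, then split on the ':' separators.
    body = "".join(l.strip() for l in text.splitlines()).replace("\\", "")
    name, *fields = body.split(":")
    entry = {"name": name}
    for tok in filter(None, fields):     # skip empty tokens from '::'
        if "=" in tok:                   # string field
            entry.update([tok.split("=", 1)])
        elif "#" in tok:                 # numeric field
            key, val = tok.split("#", 1)
            entry[key] = int(val)
        elif tok.endswith("@"):          # cleared flag, e.g. u_pickpw@
            entry[tok[:-1]] = False
        else:                            # set flag, e.g. u_nullpw
            entry[tok] = True
    return entry

def resolve(field, user, template=None, defaults=None):
    """User-specific value, else template, else system default, else static."""
    for profile in (user, template, defaults):
        if profile is not None and field in profile:
            return profile[field]
    return STATIC_DEFAULTS[field]

def login_refused(user, now, template=None, defaults=None):
    """True if the account is retired, administratively locked, or has hit
    u_maxtries failures inside the [u_unsuclog, u_unsuclog + u_unlock]
    window.  u_unsuclog and u_numunsuclog are user-only fields."""
    get = lambda f: resolve(f, user, template, defaults)
    if get("u_retired") or get("u_lock"):
        return True
    maxtries = get("u_maxtries")
    if maxtries == 0:                    # retry check suppressed entirely
        return False
    unsuclog = user.get("u_unsuclog", 0)
    in_window = unsuclog <= now <= unsuclog + get("u_unlock")
    return in_window and user.get("u_numunsuclog", 0) >= maxtries

# The entry from the reference page, plus a constructed system default
# that re-enables an account 300 seconds after the last failed attempt.
PERRY_ENTRY = r"""perry:u_name=perry:u_id#101:\
:u_pwd=aZXtu1kmSpEzm:\
:u_minchg#0:u_succhg#653793862:u_unsucchg#622581606:u_nullpw:\
:u_suclog#671996425:u_suctty=tty1:\
:u_unsuclog#660768767:u_unsuctty=tty1:\
:u_maxtries#3:chkent:"""
SYSTEM_DEFAULTS = {"u_unlock": 300}
```

With these inputs, perry is refused only while u_numunsuclog has reached 3 inside the 300-second window after u_unsuclog; once the window passes the account re-enables, and u_maxtries=0 disables the retry check while a :u_lock: entry refuses the login regardless.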
/tcb/files/auth.db
    The protected password database for accounts with UIDs
    less than AUTH_MIN_GEN_UID, which is set to 100 by default.
/var/tcb/files/auth.db
    The protected password database for accounts with UIDs
    greater than or equal to AUTH_MIN_GEN_UID, which is set to
    100 by default.
/etc/auth/system/default
    The system default database that defines system-wide
    global parameters.
Commands: login(1), passwd(1), auditmask(8), authck(8)
System Calls: setrlimit(2)
Functions: locked_out_es(3), nice(3), acceptable_password(3), getprpwent(3), time_lock(3)
Files: authcap(4), default(4), group(4), passwd(4)