prpasswd(4)prpasswd(4)NAME
prpasswd, prpwd - Protected password authentication database (Enhanced
Security)
DESCRIPTION
An authentication profile is maintained for each user on the system.
This user profile is kept in the protected password database, accessi‐
ble only to trusted programs acting on behalf of the trusted computing
base (TCB). The protected password database contains among other things
the encrypted password for the user account, which must be hidden from
untrusted users.
Note
User profile information was formerly maintained in separate files.
Such files are no longer supported. If found during an update installa‐
tion, the convuser program automatically converts the files into data‐
base format.
The protected password database does not eliminate the need for the
/etc/passwd and the /etc/group files. Users must be defined in the
passwd file in order to use the system. The protected password database
entry for a user contains the user name and user ID to provide a corre‐
lation to the user's /etc/passwd entry. There must be a match or the
user account is treated as invalid. (Template accounts, however, are
defined only in the protected password database.)
User profiles reside in /tcb/files/auth.db, for accounts such as root
that must be accessible in single-user mode, and in
/var/tcb/files/auth.db, for the majority of accounts. Each user's
authentication profile contains values that are interpreted by trusted
programs acting as part of the TCB. These fields define user-specific
values, and are used before template account or system default template
values for the same field are used. Values are obtained as follows: If
the user profile contains a user-specific value, that value is used.
If the user profile contains a reference to a template account, and no
user-specific value is defined, the value in the template account is
used. If neither the user profile nor the template account defines a
value for a field and the system default template defines a value for
that field, the system default template value is used. If the value is
defined nowhere else, a static system default is used for the field.
The system default template values are located in /etc/auth/sys‐
tem/default, and can be modified through the dxaccount utility using
the View Local Template option, or through the edauth utility.
The protected password database contains keyword field identifiers and
depending on the field type, a value for that field (certain field
types do not require an explicit value). The exact syntax for field
specifications is consistent for all authentication databases and is
described in the authcap(4) reference page. The keyword field identi‐
fiers supported by the protected password database and their associated
functions are as follows: This is the user name for the account. The
string must match the name of the file and a user name in a correspond‐
ing /etc/passwd entry. The maximum length for Tru64 UNIX user names is
currently 8 characters. This field is ignored if it is set in a tem‐
plate or in the default database. This is the user ID for the account.
The number must match the user ID field of the corresponding
/etc/passwd entry. This field is ignored if it is set in a template or
in the default database. This field contains the encrypted password
string for the account if the account has a password. This field is
ignored if it is set in a template or in the default database. This is
a priority number used by authentication programs to modify the nice
value of a login process for the user (see the setpriority(2) reference
page). This field is the numeric value corresponding to
SET_PROC_ACNTL. This number is used in conjunction with the u_auditmask
mask. This field consists of a comma-separated list of audit event
names. The events are the same as those specified in the auditmask(8)
reference page. An entry of u_auditmask=all specifies all system calls
and trusted events. This field specifies the minimum password change
time in seconds. If the number is nonzero, the password cannot be
changed until the specified number of seconds since the last successful
password change have passed unless the person changing the password is
authorized to override this constraint. To override this constraint,
the authorized person must set u_psw_chg_reqd before attempting to
change the password. The number in this field specifies the minimum
length of the user account password. If the field is zero, a dynamic
value is calculated as defined in the Green Book. The number in this
field specifies the maximum length of the user account password for
generated passwords only. It should be less than the system-wide maxi‐
mum value defined by the <prot.h> constant AUTH_MAX_PASSWD_LENGTH. The
number in this field specifies the minimum length of the user account
password for user-chosen passwords only. If the field is zero, a
dynamic value is calculated as defined in the Green Book. The number
in this field specifies the maximum length of the user account password
for user-chosen passwords only. To encourage longer, more secure user
passwords, set it to allow the system-wide maximum value defined by the
<prot.h> constant AUTH_MAX_PASSWD_LENGTH. The number in this field is
a time_t value that specifies how long from a successful change until
the account password expires. When a password expires, system authenti‐
cation programs request that the password be changed when the user logs
in to the system. If the password lifetime expires before the password
is changed, the account is disabled. The number in this field is a
time_t value that specifies the lifetime of a password. If this time
interval is reached, the account is disabled and can only be unlocked
by an authorized system administrator. The time in this field is a
time_t value that indicates the time of the last successful password
change. This field should only be set by programs that can be used to
change the account password. This field is ignored if it is set in a
template or in the default database. The time in this field is a
time_t value that indicates the time of the last unsuccessful password
change. This field should only be set by programs that can be used to
change the account password. This field is ignored if it is set in a
template or in the default database. This field controls the ability
of the user to pick a password for the account. A :u_pickpw: entry
indicates that the user can pick his own password; a :u_pickpw@: entry
indicates that he cannot. This permits an account to be configured so
that a user cannot pick a password but instead has a password generated
by the system. This field controls the ability of a user to generate a
password for the account. A :u_genpwd: entry indicates that the system
will generate the password for the user; a :u_genpwd@: entry indicates
that the user can pick his own password. The system is capable of gen‐
erating passwords containing random words. This field controls whether
password triviality checks are performed on any user-selected pass‐
words. A :u_restrict: entry indicates that triviality checks are per‐
formed; a :u_restrict@: entry indicates they are not performed. Trivi‐
ality checks include verifying that the password is not a login or
group name, a palindrome, or a word recognized by the spell program.
See the acceptable_password(3) reference page for more information on
triviality checks for passwords. This field controls the ability of
the user to choose a null password for the account. A :u_nullpw: entry
indicates a null password can be chosen; a :u_nullpw@: entry indicates
that it cannot. This field is a string representing the user name of
the last person to change the account password if that user was not the
account's owner. This is used to warn the user at login time if the
account password has been changed, possibly without the knowledge of
the user. This field is ignored if it is set in a template or in the
default database. This field controls the ability of the user to gen‐
erate random characters for a password. A :u_genchars: entry indicates
that the user can generate passwords made up of random characters; a
:u_genchars@: entry indicates that he cannot. This field controls the
ability of the user to generate random letters for a password. A
:u_genletters: entry indicates that the user can generate passwords
made up of random letters; a :u_genletters@: entry indicates that he
cannot. This field is a number (0 to 9) representing the number of old
encrypted passwords to keep to prevent reuse of previously used pass‐
words. This field is a comma-separated list strings representing the
old encrypted passwords. The length of the list is determined by
u_pwdepth. This field is ignored if it is set in a template or in the
default database. This field is the algorithm number used to encrypt
the current password. This field is ignored if it is set in a template
or in the default database. This field is the algorithm number used to
encrypt future passwords. The time in this field is a time_t value
that contains the system time of the last successful login to the
account. The system-wide default d_skip_success_login_log controls
whether or not this field is updated at each login. This field is
ignored if it is set in a template or in the default database. The
time in this field is a time_t value that contains the system time of
the last unsuccessful login attempt to the account. Updates to this
field control breakin detection and evasion. The system-wide default
d_skip_fail_login_log controls whether or not this field is updated at
each login failure. This field is ignored if it is set in a template
or in the default database. This field is a character string that
identifies the name of the terminal associated with the last successful
login to the account. The system-wide default d_skip_ttys_update con‐
trols whether or not this field is updated at each login. This field
is ignored if it is set in a template or in the default database. This
field contains a number indicating the number of unsuccessful login
attempts to the account and is reset when a successful login to the
account occurs. If a login is attempted during the time period from
u_unsuclog to u_unsuclog plus u_unlock, andu_numunsuclog is not less
than u_maxtries, the login is refused. (This check is suppressed if
the u_maxtries field is set to zero.) The system-wide default
d_skip_fail_login_log controls whether or not this field is updated at
each login failure. This field is ignored if it is set in a template or
in the default database. This field is a character string that identi‐
fies the name of the terminal associated with the last unsuccessful
login attempt to the account. This field is ignored if it is set in a
template or in the default database. This field is a string that con‐
tains a comma-separated list of time-of-day specification entries that
control when the user account can be used for login. The number in
this field specifies the maximum number of consecutive unsuccessful
login attempts to the account that are permitted until the account is
disabled. Setting this field to 0 prevents the account from being dis‐
abled because of retry failures. In this case, u_numunsuclog is incre‐
mented, but not checked. This field indicates whether the account is
retired or not. An account that has been retired cannot be used for any
purpose. A :u_retired: entry indicates that the account is retired; a
:u_retired@: entry indicates that it is not. This field is ignored if
it is set in a template or in the default database. This field is used
to administratively lock an account. A :u_lock: entry indicates that
the account is locked; a :u_lock@: entry indicates that it is not. A
user cannot log in to a locked account. An account can also be disabled
by other means. See getprpwent(3) for more information. This field is
a number indicating the time in seconds to wait before re-enabling the
account after an unsuccessful login attempt (u_unsuclog). This field
is the displayable count of the number of unsuccessful login attempts.
The system-wide default d_skip_fail_login_log controls whether or not
this field is updated at each login failure. This field is ignored if
it is set in a template or in the default database. This field is used
to control whether the /tcb/bin/pwpolicy file is consulted for validat‐
ing password changes. A :u_policy: entry indicates that the
/tcb/bin/pwpolicy file is consulted; a :u_policy@: entry indicates
that it is not. The actual time of type time_t that an account is set
to expire. This field is a numeric value of type time_t that indicates
the start of user's scheduled vacation. This field is ignored if it is
set in a template or in the default database. This field is a numeric
value of type time_t that indicates the end of user's scheduled vaca‐
tion. This field is ignored if it is set in a template or in the
default database. The RLIMIT_CPU rlim_max numeric value set by the
setrlimit() system call at login time. The RLIMIT_FSIZE rlim_max
numeric value set by the setrlimit() system call at login time. The
RLIMIT_DATA rlim_max numeric value set by the setrlimit() system call
at login time. The RLIMIT_STACK rlim_max numeric value set by the
setrlimit() system call at login time. The RLIMIT_CORE rlim_max
numeric value set by the setrlimit() system call at login time. The
RLIMIT_RSS rlim_max numeric value set by the setrlimit() system call at
login time. The RLIMIT_NOFILE rlim_max numeric value set by the setr‐
limit() system call at login time. The RLIMIT_VMEM rlim_max numeric
value set by the setrlimit() system call at login time. A numeric
value representing the maximum time, in seconds, since last successful
login before account is disabled. If set for an account (or system-
wide), the user is automatically considered "locked out" if the last
successful login was more than the specified interval before the cur‐
rent time. As with other is_locked_out() checks, the grace-period fea‐
ture allows an override. This filed is a numeric value of type time_t.
In a user profile, it is the timestamp until which automatic lockouts
are bypassed (so locked_out_es() says no). In the system defaults
database, it is the interval to be added to the current time when
clicking on Unlock Account in the dxaccounts GUI. This field allows a
time-limited bypass to the is_locked_out() checks so an administrator
can allow a user to log in until a specified time of day (for example,
until 5pm). This bypasses anything except the u_lock administration
lock on an account. This field is ignored if it is set in a template or
in the default database. A boolean expression indicating that the
administrator requires a password change now. Unlike zeroing the
u_suclog field, this still obeys the password lifetime requirements
before refusing further logins. Note: While the old method of zeroing
fd_schange still works, this method conforms to the Green Book. This
field is ignored if it is set in a template or in the default database.
This field is the name of the template which provides default values
for those fields for which no user-specific value is defined. This
field is ignored if it is set in a template or in the default database.
This field indicates that the account is a template only. This field is
ignored if it is set in a template or in the default database.
The u_vacation_* fields allow the user to specify a start and end
date/time for vacation. This causes the login/password controls to
ignore that period of time for things like password lifetime and "you
must log in every so often". In order to retain Green Book confor‐
mance, it also disallows logins during that timespan.
The setrlimit() system call controls or restricts system resources some
(or all) users. These resources include how much CPU time they can
have, how much virtual address space they can have (how much swap
space), how many file descriptors they can have open, and each of the
other things (total of 8) controlled through setrlimit(). This sets
hard limits, and restricts soft limits to match if they would otherwise
be over the new hard limits.
The getprpwent routines are used to parse the protected password data‐
base files into a prpasswd structure that can be used by programs. A
flag in the structure indicates whether a particular field in the
structure and hence the field is defined. System default values are
also provided in the structure. These values are derived from the
/etc/auth/system/default file and can be used by programs in the
absence of a user-specific value.
EXAMPLES
The following example shows a typical protected password database
entry:
perry:u_name=perry:u_id#101:\
:u_pwd=aZXtu1kmSpEzm:\
:u_minchg#0:u_succhg#653793862:u_unsucchg#622581606:u_nullpw:\
:u_suclog#671996425:u_suctty=tty1:\
:u_unsuclog#660768767:u_unsuctty=tty1:\
:u_maxtries#3:chkent:
This protected password database entry is for the user perry. The user
ID for perry is 101. This value must match the /etc/passwd entry for
this user. The account has a password and its encrypted form is speci‐
fied by the u_pwd field.
The database entry specifies a minimum password change time of 0, indi‐
cating that the password can be changed at any time. Furthermore, the
account is permitted to have a null password. The account has a maximum
consecutive unsuccessful login threshold of 3, indicating that the
account is locked after three failed attempts. The remaining fields
provide account information such as the last successful and unsuccess‐
ful password change times as well as the last successful and unsuccess‐
ful login times and terminal names.
FILES
Specifies the pathname of the protected password database for accounts
with UIDs less than AUTH_MIN_GEN_UID, which is set to 100 by default.
The pathname of the protected password database for accounts with UIDs
greater than or equal to AUTH_MIN_GEN_UID, which is set to 100 by
default. The system default database that defines system-wide global
parameters.
SEE ALSO
Commands: login(1), passwd(1), auditmask(8), authck(8)
System Calls: setrlimit(2)
Functions: locked_out_es(3), nice(3), acceptable_password(3), getprp‐
went(3), time_lock(3)
Files: authcap(4), default(4), group(4), passwd(4)prpasswd(4)