Sun Microsystems, Inc.
16. Administering Passwords

The nistbladm Command

It is possible to use the nistbladm command to:

  • Create new passwd table entries

  • Delete an existing entry

  • Change the UID and GID fields in the passwd table

  • Change access rights and other security-related attributes of the passwd table

nistbladm and Shadow Column Fields

You use the nistbladm command to set password parameters by specifying the values of the different fields in the shadow column. These fields are entered in the format:

Where:

  • N1 Lastchange. The date of the last password change expressed as a number of days since January 1, 1970. The value in this field is automatically updated each time the user changes passwords. (See "nistbladm And the Number of Days" for important information regarding the number of days.) If the field is blank, or contains a zero, it indicates that there has not been any change in the past.

    Note that the number of days in the lastchange field is the base from which the other fields and operations are calculated. Thus, an incorrect change to this field can have unintended consequences for the minimum, maximum, warning, and inactive time periods.

  • N2 Min. The minimum number of days that must pass since the last time the password was changed before the user can change passwords again. For example, if the value in the lastchange field is 9201 (that is, 9201 days since 1/1/70) and the value in the min field is 8, the user is unable to change passwords until after day 9209. See "Setting Minimum Password Life" for additional information on password minimums.

    Where min is one of the following values:

    • Zero (0). A value of zero in this field (or a blank space) means that there is no minimum period

    • Greater than zero. Any number greater than zero sets that number of days as the minimum password life.

    • Greater than max. A value in this field that is greater than the value in the max field prevents the user from ever changing passwords. The message "You may not change this password" is displayed when the user attempts to change passwords.

  • N3 Max. The maximum number of days that can pass since the last time the password was changed. Once this maximum number of days is exceeded, the user is forced to choose a new password the next time the user logs in. For example, if the value in the lastchange field is 9201 and the value in the max field is 30, after day 9231 (figured 9201+30=9231), the user is forced to choose a new password at the next login. See "Setting a Password Age Limit" for additional information on password maximums.

    Where max is one of the following values:

    • Zero (0). A value of zero (0) forces the user to change passwords the next time the user logs in, and it then turns off password aging.

    • Greater than zero. Any number greater than zero sets that number of days before the password must be changed.

    • Minus one (-1). A value of minus one (-1) turns off password aging. In other words, entering passwd -x -1 username cancels any previous password aging applied to that user. A blank space in the field is treated as if it were a minus one.

  • N4 Warn. The number of days before a password reaches its maximum that the user is warned to change passwords. For example, suppose the value in the lastchange field is 9201, the value in the max field is 30, and the value in the warn field is 5. Then after day 9226 (figured 9201+30-5=9226) the user starts receiving "change your password" type warnings at each login. See "Establishing a Warning Period" for additional information on password warning times.

    Where warn is one of the following values:

    • Zero (0). No warning period.

    • Greater than zero. A value greater than zero sets the warning period to that number of days.

  • N5 Inactive. The maximum number of days between logins. If this maximum is exceeded, the user is not allowed to log in. For example, if the value of this field is 6, and the user does not log in for six days, on the seventh day the user is no longer allowed to log in. See "Specifying Maximum Number of Inactive Days" for additional information on account inactivity.

    Where inactive is one of the following values:

    • Minus one (-1). A value of minus one (-1) turns off the inactivity feature. The user can be inactive for any number of days without losing login privileges. This is the default.

    • Greater than zero. A value greater than zero sets the maximum inactive period to that number of days.

  • N6 Expire. The date on which a password expires, expressed as a number of days since January 1, 1970. After this date, the user can no longer log in. For example, if this field is set to 9739 (September 1, 1995), then on September 2, 1995 GMT the user will not be able to log in and will receive a "Login incorrect" message after each try. See "Password Privilege Expiration" for additional information on password expiration.

    Where expire is one of the following values:

    • Minus one (-1). A value of minus one (-1) turns off the expiration feature. If a user's password has already expired, changing this value to -1 restores it. If you do not want to set any expiration date, type a -1 in this field.

    • Greater than zero. A value greater than zero sets the expiration date to that number of days since 1/1/70. If you enter today's date or earlier, you immediately deactivate the user's password.

  • N7 Unused. This field is not currently used. Values entered in this field will be ignored.

  • Login is the user's login ID


Caution - When using nistbladm on the shadow column of the passwd table, all of the numeric fields must contain appropriate values. You cannot leave a field blank, or enter a zero, as a no-change placeholder.
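The following Python model is an added example written for this page; it is not Sun's code and it does not reproduce the nistbladm input syntax. It encodes the rules for fields N1 through N6 as stated above (the day arithmetic of the lastchange, min, max, warn, inactive and expire examples, the special values 0 and -1, and the rule that a min greater than max blocks changes) and rejects blank fields as the caution requires. The decision to apply the "min greater than max" rule only when aging is on (max greater than zero) is an assumption, since the page does not say how a min value interacts with a max of -1. The constants in the demo are the page's own worked values (day 9201, min 8, max 30, warn 5).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example: a model of the shadow-column aging rules described
# above. Not Sun's implementation; it only reasons about day numbers.


@dataclass(frozen=True)
class ShadowFields:
    lastchange: Optional[int]  # N1: days since 1970-01-01 of last change (0 = never)
    min: Optional[int]         # N2: days before another change is allowed (0 = none)
    max: Optional[int]         # N3: days before a change is forced (0 = once, -1 = off)
    warn: Optional[int]        # N4: days before max at which warnings start (0 = none)
    inactive: Optional[int]    # N5: maximum days between logins (-1 = off)
    expire: Optional[int]      # N6: day number on which the account expires (-1 = off)
    unused: Optional[int] = 0  # N7: ignored

    def __post_init__(self) -> None:
        # Caution above: no numeric field may be left blank as a placeholder.
        for name in ("lastchange", "min", "max", "warn", "inactive", "expire"):
            if getattr(self, name) is None:
                raise ValueError(f"shadow field {name} must not be blank")


def aging_on(f: ShadowFields) -> bool:
    """Password aging is in force only when max is greater than zero."""
    return f.max > 0


def can_change_password(f: ShadowFields, today: int) -> bool:
    """N2 rule: a change is allowed only after lastchange + min days.
    With lastchange 9201 and min 8 the user may change again after day 9209."""
    # Assumption: the "min greater than max" block is applied only while aging is on.
    if aging_on(f) and f.min > f.max:
        return False
    if f.min <= 0:          # zero (or blank) means no minimum period
        return True
    return today > f.lastchange + f.min


def must_change_at_login(f: ShadowFields, today: int) -> bool:
    """N3 rule: max 0 forces a change at the next login, -1 turns aging off,
    otherwise the change is forced once lastchange + max days have passed."""
    if f.max == 0:
        return True
    if f.max < 0:
        return False
    return today > f.lastchange + f.max


def warning_active(f: ShadowFields, today: int) -> bool:
    """N4 rule: warnings begin after lastchange + max - warn days
    (day 9226 for the page's 9201/30/5 example)."""
    if not aging_on(f) or f.warn <= 0:
        return False
    return today > f.lastchange + f.max - f.warn


def login_allowed(f: ShadowFields, today: int, last_login: int) -> Tuple[bool, str]:
    """N5 and N6 rules. An expire value of today or earlier deactivates the
    account; more than `inactive` days since the last login blocks it too."""
    if f.expire > 0 and today >= f.expire:
        return False, "account expired"
    if f.inactive > 0 and today - last_login > f.inactive:
        return False, "account inactive too long"
    return True, "ok"


def password_status(f: ShadowFields, today: int, last_login: int) -> dict:
    """Summarise every rule for one account on one day; used by the demo below."""
    allowed, reason = login_allowed(f, today, last_login)
    return {
        "login_allowed": allowed,
        "login_reason": reason,
        "can_change_password": can_change_password(f, today),
        "must_change_at_login": must_change_at_login(f, today),
        "warning_active": warning_active(f, today),
    }


if __name__ == "__main__":
    # The page's worked values: lastchange 9201, min 8, max 30, warn 5.
    example = ShadowFields(lastchange=9201, min=8, max=30, warn=5, inactive=6, expire=9739)
    for day in (9205, 9210, 9227, 9232):
        print(day, password_status(example, today=day, last_login=9201))
```

The functions are deliberately split per field so that each threshold in the text (day 9209, 9226, 9231) can be checked on its own; a real audit script would read the shadow column for every account and flag entries whose max is -1 or whose expire is already in the past.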


For example, to specify that the user amy last changed her password on day 9246 (May 1, 1995), cannot change her password until it has been in use for 7 days, must change her password after 30 days, will be warned to change her password after the 25th day, must not remain inactive more than 15 days, and has an account that will expire on day number 9255, you would type:
