nistbladm And the Number of Days
Most password aging parameters are expressed in number of days. The following principles and rules apply:
Days are counted from January 1, 1970. That is day zero. January 2, 1970, is day 1.
NIS+ uses Greenwich mean time (GMT) in figuring and counting days. In other words, the day count changes at midnight GMT.
When you specify a number of days, you must use a whole number. You cannot use fractions of days.
When the number of days is used to specify some action, such as locking a password, the change takes effect on the day. For example, if you specify that a user's password privilege expires on day 9125 (January 2, 1995), that is the last day that the user can use the password. On the next day, the user can no longer use the password.
Values are entered in both the Lastchange and the Expire fields as a number of days since January 1, 1970. For example:
Table 16-2 Number of Days Since 1/1/70
Date | Day Number |
---|---|
January 1, 1970 | 0 |
January 2, 1970 | 1 |
January 2, 1971 | 365 |
January 1, 1997 | 9863 |
Related Commands
The passwd and nistbladm commands provide capabilities that are similar to those offered by other commands. Table 16-3 summarizes their differences.
Table 16-3 Related Commands
Command | Description |
---|---|
yppasswd | Is now linked to the passwd command. Using yppasswd simply invokes the passwd command. |
nispasswd | Is now linked to the passwd command. Using nispasswd simply invokes the passwd command. |
niscat | Can be used to display the contents of the passwd table. |
Displaying Password Information
You can use the passwd command to display password information about all users in a domain or about one particular user:
Purpose | Command |
---|---|
For your password information | passwd -s |
For all users in current domain | passwd -s -a |
For a particular user | passwd -s username |
Only the entries and columns for which you have read permission will be displayed. Entries are displayed with the following format:
Without password aging: username status
With password aging: username status mm/dd/yy min max warn expire inactive
Table 16-4 NIS+ Password Display Format
Field | Description | For Further Information |
---|---|---|
username | The user's login name. | |
status | The user's password status. PS indicates the account has a password. LK indicates the password is locked. NP indicates the account has no password. | See "Locking a Password". |
mm/dd/yy | The date, based on Greenwich mean time, on which the user's password was last changed. | |
min | The minimum number of days since the last change that must pass before the password can be changed again. | |
max | The maximum number of days the password can be used without having to change it. | |
warn | The number of days' notice that users are given before their passwords have to be changed. | |
expire | A date on which users lose the ability to log in to their accounts. | |
inactive | A limit on the number of days that an account can go without being logged in to. Once that limit is passed without a login, users can no longer access their accounts. | |
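As an added example (not code from this manual), the following Python helper applies the day-counting rules above together with the `passwd -s` display format from Table 16-4: it converts the mm/dd/yy last-change date to a day number and reports which accounts are locked, have no password, are past their expire day, or are due for a change. It assumes the expire field is printed as a day number with 0 meaning unset, and the sample output it reads is constructed, not real data.

```python
from datetime import date, datetime
EPOCH = date(1970, 1, 1)  # day zero; NIS+ counts whole days in GMT

def day_number(d: date) -> int:
    """Days since January 1, 1970 (day 0); January 2, 1970 is day 1."""
    return (d - EPOCH).days

def parse_passwd_s(line: str) -> dict:
    """Parse 'user status' or 'user status mm/dd/yy min max warn expire inactive'.
    Assumption (not from the page): expire prints as a day number, 0 = unset."""
    f = line.split()
    entry = {"user": f[0], "status": f[1]}
    if len(f) == 8:
        entry["lastchange"] = day_number(datetime.strptime(f[2], "%m/%d/%y").date())
        for key, value in zip(("min", "max", "warn", "expire", "inactive"), f[3:]):
            entry[key] = int(value)
    return entry

def assess(entry: dict, today: int) -> list:
    """Findings on day `today`: the expire day is the last usable day, a change is
    overdue after max days (inactive needs a last-login day passwd -s lacks)."""
    findings = []
    if entry["status"] == "NP":
        findings.append("no password")
    elif entry["status"] == "LK":
        findings.append("locked")
    if "lastchange" not in entry:
        return findings
    age = today - entry["lastchange"]
    if entry["expire"] and today > entry["expire"]:
        findings.append("expired")
    if entry["max"] and age > entry["max"]:
        findings.append("change overdue")
    elif entry["max"] and age >= entry["max"] - entry["warn"]:
        findings.append("change due soon")
    elif age < entry["min"]:
        findings.append("cannot change yet")
    return findings

def audit(output: str, today: int) -> dict:
    """Map each user in `passwd -s -a` output to its findings."""
    entries = (parse_passwd_s(ln) for ln in output.splitlines() if ln.strip())
    return {e["user"]: assess(e, today) for e in entries}
# Constructed sample of `passwd -s -a` output (not real data).
SAMPLE = """\
alice PS 01/01/71 7 90 14 0 0
bob LK 01/01/71 7 90 14 0 0
carol NP
dave PS 01/01/71 7 90 14 440 0
"""
```

Run `audit(SAMPLE, day_number(date.today()))` to evaluate the sample against the current GMT day number; the day-number arithmetic is the same one the aging fields in Table 16-2 use.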
To display entries from a passwd table in another domain, use the -D option:
Purpose | Command |
---|---|
For all users in another domain | passwd -s -a -D domainname |
For a particular user | passwd -s -D domainname username |
Changing Passwords
New passwords must meet the criteria described in "Password Requirements".
Changing Your Own Password
To change your password, type
station1% passwd
You will be prompted for your old password, then for the new password, and then for the new password a second time to confirm it.
Changing Someone Else's Password
To change someone else's password, use:
Purpose | Command |
---|---|
To change another user's password in the same domain | passwd username |
To change another user's password in a different domain | passwd -D domainname username |
When using the passwd command in an NIS+ environment (see "The passwd Command and NIS+ Environment") to change someone else's password, you must have modify rights to that user's entry in the passwd table (this usually means that you are a member of the group for the passwd table and that the group has modify rights). You do not have to enter either the user's old password or your own password. You will be prompted to enter the new password twice to make sure that the two entries match. If they do not match, you will be prompted to enter them again.
Changing Root's Password
When changing root's password, you must always run chkey -p immediately after changing the password with the passwd command. Failure to run chkey -p after changing root's password will result in root being unable to properly log in.
To change a root password, follow these steps:
1. Log in as root.
2. Change root's password using passwd. Do not use nispasswd.
3. Run chkey -p. You must use the -p option.
Locking a Password
When operating in an NIS+ environment (see "The passwd Command and NIS+ Environment"), an administrator (a group member) with modify rights to a user's entry in the passwd table can use the passwd command to lock a password. An account with a locked password cannot be used. When a password is locked, the user will receive a Login incorrect message after each login attempt.
Keep in mind that locked passwords have no effect on users who are already logged in. A locked password only prevents users from performing those operations that require giving a password, such as login, rlogin, ftp, or telnet.
Note also that if a user with a locked password is already logged in, and that user uses the passwd command to change passwords, the lock is broken.
You can use this feature to:
Temporarily lock a user's password while that user is on vacation or leave. This prevents anyone from logging in as the absent user.
Immediately lock one or more user passwords in the case of a suspected security problem.
Quickly lock a dismissed employee out of the system. This is quicker and easier than eliminating that user's account and is an easy way of preserving any data stored in that account.
If you have assigned passwords to UNIX processes, you can lock those passwords. This allows the process to run, but prevents anyone from logging in as those processes even if they know the process password. (In most cases, processes would not be set up as NIS+ principals, but would maintain their password information in /etc files. In such a case you would have to run the passwd command in files mode to lock /etc stored passwords.)