The configuration file is /passwd.conf. This location can be changed only by running Configure and rebuilding.
Npasswd will abort if the configuration file has syntax errors, or fails any of the following security requirements:
The syntax of a configuration file can be checked with the -XC option, which disables the security checks.
Blank lines and lines starting with "#" are ignored.
Npasswd performs the functions of three standard UNIX utilities: passwd, chfn and chsh. Each of these sub-programs has its own configuration directives.
Configuration directive syntax
sub-program | option | whitespace | value
---|---|---|---
One of passwd, chfn, chsh, or empty. A non-empty sub-program must be followed by a period (".") | Sub-program option (see below) | One or more whitespace characters | Value for option (see below)
Value types
Type | Format
---|---
number | May be decimal (with an optional leading minus sign), octal (format 0NNN) or hex (format 0xNNNN)
path | UNIX pathname
boolean | One of the strings "1", "true", "yes" or "on". Any other value is interpreted as false
string | Strings can optionally be enclosed in single (') or double (") quotes
Non-printable ASCII characters can be specified thusly:
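As an added example that is not part of the npasswd distribution, the following Python parser reads text in the directive format described above and checks every directive against the tables on this page, in the spirit of the -XC syntax check. It assumes the directive schema exactly as tabulated here, C-style backslash escapes for non-printable characters (the page's own escape syntax is not reproduced above, so that is an assumption), case-insensitive boolean keywords, and a constructed sample configuration.

```python
"""Parser for the npasswd configuration directive format described above.

Added example, not code from the npasswd distribution. Assumptions: the
directive schema is copied from this page's tables; non-printable characters
in strings use C-style escapes (\\n, \\t, \\e, \\NNN octal, \\xHH), which the
page does not specify; boolean keywords match case-insensitively.
"""
import re

SUBPROGRAMS = ("passwd", "chfn", "chsh")

# directive (lower-case, names are case-insensitive) -> value type, from the tables
SCHEMA = {
    "matchtries": "number", "matchwait": "number",
    "passwdtolerance": "number", "shadowtolerance": "number",
    "passwd.alphaonly": "boolean", "passwd.charclasses": "number",
    "passwd.dictionaries": "path", "passwd.disallowedchars": "string",
    "passwd.help": "path", "passwd.lengthwarn": "boolean",
    "passwd.maxpassword": "number", "passwd.maxrepeat": "number",
    "passwd.message": "path", "passwd.minpassword": "number",
    "passwd.passwordchecks": "string", "passwd.printonly": "boolean",
    "passwd.singlecase": "boolean",
    "chfn.help": "path", "chfn.message": "path",
    "chsh.help": "path", "chsh.message": "path", "chsh.shells": "path",
}


class ConfigError(ValueError):
    """Raised on the first error, since npasswd aborts on a bad config file."""


def parse_number(text):
    """number: decimal with optional leading minus, octal 0NNN, or hex 0xNNNN."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text[2:], 16)
    if re.fullmatch(r"0[0-7]+", text):
        return int(text[1:], 8)
    if re.fullmatch(r"-?(0|[1-9][0-9]*)", text):
        return int(text, 10)
    raise ConfigError(f"bad number {text!r}")


def parse_boolean(text):
    """boolean: "1", "true", "yes" or "on" are true; anything else is false."""
    return text.lower() in ("1", "true", "yes", "on")


_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "e": "\x1b", "\\": "\\"}


def unescape(text):
    """Expand the assumed C-style escapes so control characters can be written in ASCII."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "\\" or i + 1 == len(text):
            out.append(text[i])
            i += 1
            continue
        rest = text[i + 1:]
        if rest[0] in "xX" and (m := re.match(r"[0-9a-fA-F]{1,2}", rest[1:])):
            out.append(chr(int(m.group(), 16)))
            i += 2 + len(m.group())
        elif m := re.match(r"[0-7]{1,3}", rest):
            out.append(chr(int(m.group(), 8)))
            i += 1 + len(m.group())
        else:
            out.append(_SIMPLE_ESCAPES.get(rest[0], rest[0]))
            i += 2
    return "".join(out)


def parse_string(text):
    """string: optional matching single or double quotes, then escape expansion."""
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        text = text[1:-1]
    return unescape(text)


def parse_config(text):
    """Parse a configuration body into {directive: value}; path directives accumulate."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines are ignored
            continue
        m = re.fullmatch(r"(\S+)\s+(.*)", line)
        if not m:
            raise ConfigError(f"line {lineno}: directive {line!r} has no value")
        name, value = m.group(1).lower(), m.group(2)
        if "." in name and name.split(".", 1)[0] not in SUBPROGRAMS:
            raise ConfigError(f"line {lineno}: unknown sub-program in {m.group(1)!r}")
        vtype = SCHEMA.get(name)
        if vtype is None:
            raise ConfigError(f"line {lineno}: unknown directive {m.group(1)!r}")
        try:
            if vtype == "number":
                settings[name] = parse_number(value)
            elif vtype == "boolean":
                settings[name] = parse_boolean(value)
            elif vtype == "path":
                settings.setdefault(name, []).extend(value.split())
            else:
                settings[name] = parse_string(value)
        except ConfigError as exc:
            raise ConfigError(f"line {lineno}: {exc}") from None
    return settings


def check_syntax(text):
    """Like -XC: None if the text parses, otherwise the first error message."""
    try:
        parse_config(text)
    except ConfigError as exc:
        return str(exc)
    return None


SAMPLE_CONFIG = """\
# constructed sample, not a real npasswd.conf
MatchTries 3
MatchWait   0x2
PasswdTolerance 0200
passwd.MinPassword 8
passwd.AlphaOnly no
passwd.LengthWarn yes
passwd.Dictionaries /usr/local/lib/npasswd/dict /usr/share/dict
passwd.Dictionaries /opt/npasswd/dict
passwd.DisallowedChars "+\\x7f"
passwd.PasswordChecks 'lexical passwd local history dictionary'
chsh.Shells /etc/shells
"""

if __name__ == "__main__":
    for key, val in sorted(parse_config(SAMPLE_CONFIG).items()):
        print(f"{key:24} {val!r}")
    print(check_syntax("passwd.MinPassword six"))
```

Run as a script it prints the parsed settings of the constructed sample and then the error the last line of the script provokes; `check_syntax` returns the first error rather than a list because npasswd itself stops at the first problem.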
Npasswd configuration directives (directive and option names are case-insensitive)
Directive | Value Type | Description
---|---|---
Directives applicable to all sub-programs | |
MatchTries | number | Chances to give user to correctly enter a password.
MatchWait | number | Delay after the user enters an incorrect password.
PasswdTolerance | number | Tolerance between old and new passwd files.
ShadowTolerance | number | Tolerance between old and new shadow files.
Directives for sub-program "passwd" | |
passwd.AlphaOnly | boolean | Allow alpha-only passwords.
passwd.CharClasses | number | Set number of required character classes.
passwd.Dictionaries | path | Add to dictionary lookup path.
passwd.DisallowedChars | string | Set which characters are not allowed in passwords.
passwd.Help | path | Help file for passwd.
passwd.History | See below | Configure history mechanism.
passwd.LengthWarn | boolean | Warn about passwords over maximum length.
passwd.MaxPassword | number | Maximum effective password length.
passwd.MaxRepeat | number | How many adjacent repeat characters allowed.
passwd.Message | path | Message of the day.
passwd.MinPassword | number | Minimum password length.
passwd.PasswordChecks | string | Select password checks.
passwd.PrintOnly | boolean | Deny non-printable characters.
passwd.SingleCase | boolean | Allow single-case passwords.
Directives for sub-program "chfn" | |
chfn.Help | path | Help file for chfn.
chfn.Message | path | Message of the day.
Directives for sub-program "chsh" | |
chsh.Help | path | Help file for chsh.
chsh.Message | path | Message of the day.
chsh.Shells | path | List of blessed shells.
Directives applicable to all sub-programs
Directive | Type | Default value |
---|---|---|
MatchTries | number | 3 |
How many chances to give the user to correctly enter a password (old or new).
Directive | Type | Default value |
---|---|---|
MatchWait | number | 2 |
How many seconds to wait after the user enters an incorrect password.
Directive | Type | Default value |
---|---|---|
PasswdTolerance | number | 128 |
After the passwd file changes are done, the size of the new file is compared to the size of the old file, to guard against data loss due to disk or file system error. PasswdTolerance sets how many bytes the new password file can be shorter than the original. In order to accommodate changes to the finger information, the default for this tolerance is generous.
Directive | Type | Default value |
---|---|---|
ShadowTolerance | number | 32 |
After shadow changes are made, the size of the new shadow file is compared to the size of the old shadow file, to guard against data loss due to disk or file system error. ShadowTolerance sets how many bytes the new shadow file can be shorter than the original. This setting is much smaller than PasswdTolerance.
Directives for sub-program "passwd"
Directive | Type | Default value |
---|---|---|
passwd.AlphaOnly | boolean | false |
Controls whether alpha-only passwords will be accepted. If this option is set, the requirement for non-alpha characters in a passwords is dismissed. Other character diversity requirements remain in effect.
Directive | Type | Default value |
---|---|---|
passwd.CharClasses | number | 2 |
Sets how many classes of characters are required.
The character classes are:
The higher the class setting, the more diverse mixture of characters required.
Directive | Type | Default value |
---|---|---|
passwd.Dictionaries | path ... path |
passwd.Dictionaries specifies directories containing password check dictionaries. Each directory is scanned for hashed dictionary files. Multiple directories can be specified either in one directive, or by multiple directives.
It is a fatal error if any of the following are encountered:
Directive | Type | Default value |
---|---|---|
passwd.DisallowedChars | string | ctrl-s ctrl-q ctrl-d ctrl-h ctrl-j ctrl-m ctrl-o ctrl-r ctrl-y ctrl-z ESC ctrl-\ DEL |
Sets the list of characters (usually non-printable) not allowed in passwords. The default list includes the typical terminal special characters. To supplement the list, put a plus sign as the first character of the string.
If you allow non-printable characters in passwords (the default), it would be wise to check your system and add any terminal special characters not in the standard list.
Directive | Type | Default value |
---|---|---|
passwd.Help | path | /passwd.help |
This file is presented if the user enters "?" in response to the new password prompt.
Directive | Type | Default value |
---|---|---|
passwd.History | see options below | |
See the history section of Npasswd Administration Guide.
History option | Type | Default value | Description |
---|---|---|---|
Age | number | 180 (days) | Passwords in the history older than this are ignored. |
Depth | number | 5 | Use only the most recent N passwords. |
Database | see below | dbm | Select password history database method and location. |
Database value | Meaning |
---|---|
none | Password history is disabled. |
file /path/to/file | Store history in file /path/to/file. |
dbm /path/to/file | Store history in DBM database in /path/to/file. |
Directive | Type | Default value |
---|---|---|
passwd.LengthWarn | boolean | false |
Controls whether a warning message is issued for new passwords longer than MaxPassword. This warning is to inform the user that the excess characters are not effective. The default is to suppress this message.
Directive | Type | Default value |
---|---|---|
passwd.MaxPassword | number | 8* |
Sets the maximum effective length for passwords. This reflects a limitation of the standard crypt(3), which encrypts only the initial 8 characters of the plaintext. On Ultrix and Digital UNIX (aka OSF/1) with enhanced security, this limit is 16.
It is not an error for a password to be longer than the maximum, but the password checker can be configured to issue a warning. See passwd.LengthWarn.
Directive | Type | Default value |
---|---|---|
passwd.MaxRepeat | number | 3 |
Controls how many adjacent repeated characters are allowed in passwords.
Directive | Type | Default value |
---|---|---|
passwd.Message | path | /passwd.motd |
This file contains the "message of the day" for passwd.
Directive | Type | Default value |
---|---|---|
passwd.MinPassword | number | 6 |
Sets the minimum acceptable password length. Passwords shorter than six characters (the default) are very vulnerable to guessing attacks.
Directive | Type | Default value |
---|---|---|
passwd.PasswordChecks | string | lexical passwd local history dictionary |
Specifies the order of password checks. See Npasswd Administration Guide.
Directive | Type | Default value |
---|---|---|
passwd.PrintOnly | boolean | false |
Controls whether non-printable ASCII characters are allowed in passwords. Character printability is determined by using isprint(3). If this is set, passwords which contain non-printable characters will be rejected. Other character diversity requirements remain in effect.
Directive | Type | Default value |
---|---|---|
passwd.SingleCase | boolean | false |
Controls whether single-case passwords are accepted. Character case is determined by using isupper(3) and islower(3). If this option is set the mixed-case requirement is dismissed. Other character diversity requirements remain in effect.
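As an added example, not npasswd's own checker, the following Python code applies the lexical rules that the passwd.* directives above describe (MinPassword, MaxPassword with LengthWarn, MaxRepeat, CharClasses, AlphaOnly, SingleCase, PrintOnly, and DisallowedChars with its "+" prefix) to candidate passwords, so the effect of each setting can be seen on constructed inputs. Assumptions: the page does not list the character classes, so upper, lower, digit and other are used; MaxRepeat is read as the longest run of one character that is still accepted; isprint(3) is approximated as printable ASCII; the order of the checks and the wording of the messages are this example's own.

```python
"""Lexical password checks modelled on the passwd.* directives described above.

Added example, not npasswd's own checker. Assumptions: character classes are
upper, lower, digit and other (the page does not list them); MaxRepeat is the
longest permitted run of one character; isprint(3) is taken as ASCII 0x20-0x7e.
"""
from dataclasses import dataclass

# Default passwd.DisallowedChars from the reference table:
# ctrl-s ctrl-q ctrl-d ctrl-h ctrl-j ctrl-m ctrl-o ctrl-r ctrl-y ctrl-z ESC ctrl-\ DEL
DEFAULT_DISALLOWED = "\x13\x11\x04\x08\x0a\x0d\x0f\x12\x19\x1a\x1b\x1c\x7f"


@dataclass
class PasswdPolicy:
    """Documented defaults for each passwd.* directive."""
    min_password: int = 6                        # passwd.MinPassword
    max_password: int = 8                        # passwd.MaxPassword
    length_warn: bool = False                    # passwd.LengthWarn
    max_repeat: int = 3                          # passwd.MaxRepeat
    char_classes: int = 2                        # passwd.CharClasses
    alpha_only: bool = False                     # passwd.AlphaOnly
    single_case: bool = False                    # passwd.SingleCase
    print_only: bool = False                     # passwd.PrintOnly
    disallowed_chars: str = DEFAULT_DISALLOWED   # passwd.DisallowedChars


def effective_disallowed(setting):
    """A leading "+" supplements the default list instead of replacing it."""
    return DEFAULT_DISALLOWED + setting[1:] if setting.startswith("+") else setting


def char_classes_present(pw):
    """Assumed class partition: upper, lower, digit, other."""
    classes = set()
    for c in pw:
        classes.add("upper" if c.isupper() else "lower" if c.islower()
                    else "digit" if c.isdigit() else "other")
    return classes


def longest_run(pw):
    """Length of the longest run of one character repeated adjacently."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(pw, policy=None):
    """Return (errors, warnings); the password is accepted when errors is empty."""
    policy = policy or PasswdPolicy()
    errors, warnings = [], []
    if len(pw) < policy.min_password:
        errors.append(f"shorter than MinPassword ({policy.min_password})")
    if len(pw) > policy.max_password and policy.length_warn:
        warnings.append(f"only the first {policy.max_password} characters are effective")
    if any(c in effective_disallowed(policy.disallowed_chars) for c in pw):
        errors.append("contains a character listed in DisallowedChars")
    if policy.print_only and any(not 0x20 <= ord(c) <= 0x7e for c in pw):
        errors.append("contains a non-printable character (PrintOnly)")
    if longest_run(pw) > policy.max_repeat:
        errors.append(f"more than MaxRepeat ({policy.max_repeat}) adjacent repeats")
    classes = char_classes_present(pw)
    if len(classes) < policy.char_classes:
        errors.append(f"fewer than CharClasses ({policy.char_classes}) character classes")
    if not policy.alpha_only and all(c.isalpha() for c in pw):
        errors.append("alpha-only password (AlphaOnly is off)")
    if not policy.single_case and not {"upper", "lower"} <= classes:
        errors.append("single-case password (SingleCase is off)")
    return errors, warnings


if __name__ == "__main__":
    # constructed candidates, shown under the defaults plus LengthWarn
    for candidate in ("Passw0rd", "hunter22", "aaaaB1", "Correcthorse9Battery"):
        print(repr(candidate), check_password(candidate, PasswdPolicy(length_warn=True)))
```

Note how the defaults interact: with AlphaOnly and SingleCase both off, a password must contain a non-alphabetic character and both cases even when CharClasses is already satisfied, which is what the "Other character diversity requirements remain in effect" sentences above mean.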
Directives for sub-program "chfn"
Directive | Type | Default value |
---|---|---|
chfn.Help | path | /chfn.help |
The help file is presented to the user in response to "?" input.
Directive | Type | Default value |
---|---|---|
chfn.Message | path | /chfn.motd |
The message of the day file for chfn.
Directives for sub-program "chsh"
Directive | Type | Default value |
---|---|---|
chsh.Help | path | /chsh.help |
The help file is presented to the user in response to "?" input.
Directive | Type | Default value |
---|---|---|
chsh.Message | path | /chsh.motd |
The message of the day file for chsh.
Directive | Type | Default value |
---|---|---|
chsh.Shells | path | /etc/shells |
The list of blessed shells that users can select. If getusershell(3) is available, this directive is ignored.
The main command line options of npasswd control the platform-independent features.
Some operating-system specific options may also be supported (e.g. SunOS 4, SunOS 5 and HP-UX). Others may be deferred to the vendor passwd program (usually preserved during the initial installation).
Refer to the manual page for the full list of supported options.
Command line options (multiple -X options may be given)
Option | Description
---|---
-Xc | Read the configuration file, output settings and exit with 0 status.
-XCconfig-file | Check syntax of config-file and terminate. Exit status is 0 if file was ok, 1 if not. This option disables configuration file security checks.
-XDdebug-level | Set debug output level (see debug levels below).
-XF | Suppress new password checking. This option is restricted to root and should be used very sparingly.
-XI | Read passwords from standard input instead of /dev/tty. This option is restricted to root.
-XV | Print version and patch level identification.
-Xf | Perform the "chfn" (change finger name) function.
-Xs | Perform the "chsh" (change login shell) function.
Debug levels
Level | Meaning
---|---
none | None.
verbose | Mild verbosity.
lookup | Trace user lookup.
update | Trace user updating.
config | Trace configuration processing.
pwcheck | Trace password checking.
detail | More detailed tracing.
all | All debugging.
Document id @(#) Reference.html 1.9
Version 1.9
Last modified 07/20/98
Clyde Hoover