nispasswd(1)                     User Commands                     nispasswd(1)

nispasswd - change NIS+ password information

nispasswd [-ghs] [-D domainname] [username]

nispasswd -a

nispasswd [-D domainname] [-d [username]]

nispasswd [-l] [-f] [-n min] [-x max] [-w warn]
          [-D domainname] username

The nispasswd utility changes a password, gecos (finger) field (-g
option), home directory (-h option), or login shell (-s option)
associated with the username (invoker by default) in the NIS+ passwd table.

Additionally, the command can be used to view or modify aging
information associated with the user specified if the invoker has the right
NIS+ privileges.

nispasswd uses secure RPC to communicate with the NIS+ server and
therefore never sends unencrypted passwords over the communication
medium.

nispasswd does not read or modify the local password information stored
in the /etc/passwd and /etc/shadow files.

When used to change a password, nispasswd prompts non-privileged users
for their old password. It then prompts for the new password twice to
forestall typing mistakes. When the old password is entered, nispasswd
checks to see if it has "aged" sufficiently. If "aging" is
insufficient, nispasswd terminates; see getspnam(3C).

The old password is used to decrypt the username's secret key. If the
password does not decrypt the secret key, nispasswd prompts for the
old secure-RPC password. It uses this password to decrypt the secret
key. If this fails, it gives the user one more chance. The old password
is also used to ensure that the new password differs from the old by at
least three characters. Assuming aging is sufficient, a check is made
to ensure that the new password meets construction requirements
described below. When the new password is entered a second time, the
two copies of the new password are compared. If the two copies are not
identical, the cycle of prompting for the new password is repeated
twice. The new password is used to re-encrypt the user's secret key.
Hence, it also becomes their secure-RPC password. Therefore, the
secure-RPC password is no longer a different password from the user's
password.

Passwords must be constructed to meet the following requirements:

    o   Each password must have at least six characters. Only the
        first eight characters are significant.

    o   Each password must contain at least two alphabetic characters
        and at least one numeric or special character. In this
        case, "alphabetic" refers to all upper or lower case letters.

    o   Each password must differ from the user's login username
        and any reverse or circular shift of that login username.
        For comparison purposes, an upper case letter and its
        corresponding lower case letter are equivalent.

    o   New passwords must differ from the old by at least three
        characters. For comparison purposes, an upper case letter
        and its corresponding lower case letter are equivalent.
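
The four requirements above, written as a checker; this is an added example, not nispasswd's own code. The page does not say how "differ by at least three characters" is counted, so the position-wise, case-insensitive count over the first eight characters used here is an assumption, and the function names are hypothetical.

```python
# Added example: checks a candidate password against the four construction
# requirements listed above. Names and the difference metric are assumptions.
SIGNIFICANT = 8  # "Only the first eight characters are significant."

def rotations(name):
    """Every circular shift of name (the unshifted name included)."""
    return {name[i:] + name[:i] for i in range(len(name))} or {name}

def differing_chars(old, new):
    """Assumed metric: mismatching positions plus the length difference,
    case-insensitive, measured over the significant prefix only."""
    a, b = old[:SIGNIFICANT].lower(), new[:SIGNIFICANT].lower()
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def violations(login, old, new):
    """Return the requirements the new password breaks (empty list = accepted)."""
    found = []
    if len(new) < 6:
        found.append("fewer than six characters")
    alpha = sum(c.isascii() and c.isalpha() for c in new)
    other = len(new) - alpha  # numeric or special characters
    if alpha < 2 or other < 1:
        found.append("needs two alphabetic and one numeric or special character")
    low = login.lower()
    if new.lower() in rotations(low) | {low[::-1]}:
        found.append("matches login name, its reverse, or a circular shift")
    if differing_chars(old, new) < 3:
        found.append("differs from old password by fewer than three characters")
    return found

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Tr4il-Mix", "Winter#18", "smithj", "ab1"):
        print(candidate, violations("jsmith", "Winter#19", candidate))
```

Under that assumed metric, a new password that changes only the ninth character of the old one is rejected, because the two are identical in the eight characters that count.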

Network administrators, who own the NIS+ password table, may change any
password attributes if they establish their credentials (see
keylogin(1)) before invoking nispasswd. Hence, nispasswd does not prompt
these privileged users for the old password and they are not forced to
comply with password aging and password construction requirements.

Any user may use the -d option to display password attributes for his
or her own login name. The format of the display will be:

    username status mm/dd/yy min max warn

or, if password aging information is not present,

    username status

where

username    The login ID of the user.

status      The password status of username: "PS" stands for password
            exists or locked, "LK" stands for locked, and "NP" stands
            for no password.

mm/dd/yy    The date password was last changed for username. (Note that
            all password aging dates are determined using Greenwich
            Mean Time (Universal Time) and, therefore, may differ by as
            much as a day in other time zones.)

min         The minimum number of days required between password
            changes for username.

max         The maximum number of days the password is valid for
            username.

warn        The number of days relative to max before the password
            expires that the username will be warned.
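
A small audit over this display format, as an added example that is not part of the original manual page: it reads lines in the `username status mm/dd/yy min max warn` layout and reports accounts with no password, no aging information, aging turned off (max of -1), a forced change (max of 0), min greater than max, or a password older than max days. The sample lines are constructed, and the function name `audit` is hypothetical.

```python
from datetime import date, datetime, timedelta

# Constructed sample in the -d / -a display format (not from a real system).
SAMPLE = """\
alice PS 11/02/05 7 90 14
bob NP
carol PS 01/15/04 0 -1 0
dave LK 10/20/05 30 14 7
"""

def audit(text, today):
    """Return {username: [findings]} for lines in the display format."""
    report = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) not in (2, 6):
            continue  # neither the short nor the full display form
        user, status, notes = f[0], f[1], []
        if status == "NP":
            notes.append("no password set")
        if len(f) == 2:
            notes.append("no aging information")
        else:
            # Aging dates are in GMT, so allow a day of slack when comparing.
            changed = datetime.strptime(f[2], "%m/%d/%y").date()
            lo, hi = int(f[3]), int(f[4])
            if hi == -1:
                notes.append("aging turned off (max = -1)")
            elif hi == 0:
                notes.append("max = 0: change forced at next login")
            elif lo > hi:
                notes.append("min > max: user may not change the password")
            elif today > changed + timedelta(days=hi):
                notes.append("password older than max days")
        if notes:
            report[user] = notes
    return report

if __name__ == "__main__":
    for user, notes in audit(SAMPLE, date(2005, 12, 2)).items():
        print(user, "; ".join(notes))
```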

The use of nispasswd is strongly discouraged. It is a wrapper around
the passwd(1) command.

Using passwd(1) with the -r nisplus option will achieve the same result
and will be consistent across all the different name services
available. This is the recommended way to change the password in NIS+.

The login program, file access display programs (for example, ls -l),
and network programs that require user passwords, for example,
rlogin(1), ftp(1), and so on, use the standard getpwnam(3C) and
getspnam(3C) interfaces to get password information. These programs will get
the NIS+ password information, which is modified by nispasswd, only if
the passwd: entry in the /etc/nsswitch.conf file includes nisplus.
See nsswitch.conf(4) for more details.

The following options are supported:

-a               Shows the password attributes for all entries. This
                 will show only the entries in the NIS+ passwd table in
                 the local domain that the invoker is authorized to
                 "read".

-d [username]    Displays password attributes for the caller or the
                 user specified if the invoker has the right
                 privileges.

-D domainname    Consults the passwd.org_dir table in domainname. If
                 this option is not specified, the default domainname
                 returned by nis_local_directory() will be used. This
                 domainname is the same as that returned by
                 domainname(1M).

-f               Forces the user to change password at the next login
                 by expiring the password for username.

-g               Changes the gecos (finger) information.

-h               Changes the home directory.

-l               Locks the password entry for username. Subsequently,
                 login(1) would disallow logins with this NIS+ password
                 entry.

-n min           Sets minimum field for username. The min field
                 contains the minimum number of days between password
                 changes for username. If min is greater than max, the
                 user may not change the password. Always use this
                 option with the -x option, unless max is set to -1
                 (aging turned off). In that case, min need not be
                 set.

-s               Changes the login shell. By default, only the NIS+
                 administrator can change the login shell. The user
                 will be prompted for the new login shell.

-w warn          Sets warn field for username. The warn field contains
                 the number of days before the password expires that
                 the user will be warned whenever he or she attempts to
                 login.

-x max           Sets maximum field for username. The max field
                 contains the number of days that the password is valid
                 for username. The aging for username will be turned
                 off immediately if max is set to -1. If it is set to
                 0, then the user is forced to change the password at
                 the next login session and aging is turned off.

The following exit values are returned:

0     Success.

1     Permission denied.

2     Invalid combination of options.

3     Unexpected failure. NIS+ passwd table unchanged.

4     NIS+ passwd table missing.

5     NIS+ is busy. Try again later.

6     Invalid argument to option.

7     Aging is disabled.

8     No memory.

9     System error.

10    Account expired.

See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
├─────────────────────────────┼─────────────────────────────┤
│Availability                 │SUNWnisu                     │
└─────────────────────────────┴─────────────────────────────┘

keylogin(1), login(1), NIS+(1), nistbladm(1), passwd(1), rlogin(1),
domainname(1M), nisserver(1M), getpwnam(3C), getspnam(3C),
nis_local_directory(3NSL), nsswitch.conf(4), passwd(4), shadow(4),
attributes(5)

NIS+ might not be supported in future releases of the Solaris operating
system. Tools to aid the migration from NIS+ to LDAP are available in
the current Solaris release. For more information, visit
http://www.sun.com/directory/nisplus/transition.html.

SunOS 5.11                        2 Dec 2005                       nispasswd(1)