nispasswd(1)                     User Commands                    nispasswd(1)

NAME

       nispasswd - change NIS+ password information

SYNOPSIS

       nispasswd [-ghs] [-D domainname] [username]

       nispasswd -a

       nispasswd [-D domainname] [-d [username]]

       nispasswd [-l] [-f] [-n min] [-x max] [-w warn]
            [-D domainname] username

DESCRIPTION

       The nispasswd utility changes a password, gecos (finger) field (-g
       option), home directory (-h option), or login shell (-s option)
       associated with the username (invoker by default) in the NIS+ passwd
       table.

       Additionally, the command can be used to view or modify aging
       information associated with the user specified if the invoker has the
       right NIS+ privileges.

       nispasswd uses secure RPC to communicate with the NIS+ server, and
       therefore, never sends unencrypted passwords over the communication
       medium.

       nispasswd does not read or modify the local password information stored
       in the /etc/passwd and /etc/shadow files.

       When used to change a password, nispasswd prompts non-privileged users
       for their old password. It then prompts for the new password twice to
       forestall typing mistakes. When the old password is entered, nispasswd
       checks to see if it has "aged" sufficiently. If "aging" is
       insufficient, nispasswd terminates; see getspnam(3C).

       The old password is used to decrypt the username's secret key. If the
       password does not decrypt the secret key, nispasswd prompts for the
       old secure-RPC password. It uses this password to decrypt the secret
       key. If this fails, it gives the user one more chance. The old password
       is also used to ensure that the new password differs from the old by at
       least three characters. Assuming aging is sufficient, a check is made
       to ensure that the new password meets construction requirements
       described below. When the new password is entered a second time, the
       two copies of the new password are compared. If the two copies are not
       identical, the cycle of prompting for the new password is repeated
       twice. The new password is used to re-encrypt the user's secret key.
       Hence, it also becomes their secure-RPC password. Therefore, the
       secure-RPC password is no longer a different password from the user's
       password.

       Passwords must be constructed to meet the following requirements:

           o      Each password must have at least six characters. Only the
                  first eight characters are significant.

           o      Each password must contain at least two alphabetic
                  characters and at least one numeric or special character.
                  In this case, "alphabetic" refers to all upper or lower
                  case letters.

           o      Each password must differ from the user's login username
                  and any reverse or circular shift of that login username.
                  For comparison purposes, an upper case letter and its
                  corresponding lower case letter are equivalent.

           o      New passwords must differ from the old by at least three
                  characters. For comparison purposes, an upper case letter
                  and its corresponding lower case letter are equivalent.
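
       The construction rules above, written out as a checker. This is an
       added example, not Sun's code and not part of the original page.
       Applying every rule to the eight significant characters and counting
       differences position by position are assumptions; the sample login
       and passwords are constructed.

```sh
#!/bin/sh
# Added example (not Sun's code). Assumptions: every rule is applied to the
# eight significant characters, and "differ by at least three characters"
# is counted position by position.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
first() { printf '%s' "${1%"${1#?}"}"; }          # first character of $1

reverse() (
    s=$1 r=
    while [ -n "$s" ]; do r="$(first "$s")$r"; s=${s#?}; done
    printf '%s' "$r"
)

# $1 is a circular shift of $2 when the lengths match and $1 occurs in $2$2.
is_rotation() (
    [ "${#1}" -eq "${#2}" ] || exit 1
    case "$2$2" in *"$1"*) exit 0 ;; esac
    exit 1
)

# Number of positions at which $1 and $2 differ; missing positions count.
diff_count() (
    a=$1 b=$2 n=0
    while [ -n "$a" ] || [ -n "$b" ]; do
        [ "$(first "$a")" = "$(first "$b")" ] || n=$((n + 1))
        a=${a#?} b=${b#?}
    done
    echo "$n"
)

# check_password LOGIN OLD NEW: prints "ok" or the first rule that fails.
check_password() (
    login=$(lower "$1")
    old=$(lower "$(printf '%.8s' "$2")")
    new=$(lower "$(printf '%.8s' "$3")")
    alpha=$(( $(printf '%s' "$new" | tr -cd 'a-z' | wc -c) ))
    [ "${#3}" -ge 6 ] || { echo "fewer than six characters"; exit 1; }
    [ "$alpha" -ge 2 ] || { echo "fewer than two alphabetic characters"; exit 1; }
    [ "$alpha" -lt "${#new}" ] || { echo "no numeric or special character"; exit 1; }
    if is_rotation "$new" "$login" || [ "$new" = "$(reverse "$login")" ]; then
        echo "login name, its reverse, or a circular shift of it"; exit 1
    fi
    [ "$(diff_count "$old" "$new")" -ge 3 ] || { echo "too close to old password"; exit 1; }
    echo ok
)

# Constructed sample: "Rol7Ca" is a circular shift of the login "carol7".
check_password carol7 'Summer04' 'Rol7Ca' || true
```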

       Network administrators, who own the NIS+ password table, may change any
       password attributes if they establish their credentials (see
       keylogin(1)) before invoking nispasswd. Hence, nispasswd does not prompt
       these privileged users for the old password and they are not forced to
       comply with password aging and password construction requirements.

       Any user may use the -d option to display password attributes for his
       or her own login name. The format of the display will be:

         username status mm/dd/yy min max warn

       or, if password aging information is not present,

         username status

       where

       username    The login ID of the user.

       status      The password status of username: "PS" stands for password
                   exists or locked, "LK" stands for locked, and "NP" stands
                   for no password.

       mm/dd/yy    The date password was last changed for username. (Note that
                   all password aging dates are determined using Greenwich
                   Mean Time (Universal Time) and, therefore, may differ by as
                   much as a day in other time zones.)

       min         The minimum number of days required between password
                   changes for username.

       max         The maximum number of days the password is valid for
                   username.

       warn        The number of days relative to max before the password
                   expires that the username will be warned.
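
       The display format above lends itself to a quick audit. This added
       example, which is not part of the original page, reads lines in that
       format and reports entries with no password, no aging information,
       aging turned off, or min greater than max. It assumes that nispasswd -a
       prints one line per entry in the same format as -d and that a max of -1
       is displayed as such; the sample entries are constructed.

```sh
#!/bin/sh
# Added example: audit lines in the "username status mm/dd/yy min max warn"
# display format. Function names and sample data are constructed.

audit_passwd_attrs() {
    # Reads attribute lines on stdin and writes one finding per line.
    while read -r user status changed min max warn; do
        [ -n "$user" ] || continue
        case "$status" in
            NP)    echo "$user: no password (NP)" ;;
            PS|LK) ;;
            *)     echo "$user: unrecognised status '$status'" ;;
        esac
        if [ -z "$changed" ]; then
            # Short form of the display: "username status" only.
            echo "$user: no aging information"
            continue
        fi
        if [ "$max" -eq -1 ]; then
            # Handled first so that min is not compared against -1.
            echo "$user: aging turned off (max is -1)"
        elif [ "$min" -gt "$max" ]; then
            echo "$user: min $min exceeds max $max, user may not change the password"
        fi
    done
    return 0
}

# Constructed sample entries, one per line, in the documented format.
sample_attrs() {
    cat <<'EOF'
alice PS 03/14/05 7 90 14
bob NP
carol PS 01/02/05 30 14 7
dave LK 11/30/04 0 -1 0
erin PS
EOF
}

sample_attrs | audit_passwd_attrs
```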

       The use of nispasswd is strongly discouraged. It is a wrapper around
       the passwd(1) command.

       Using passwd(1) with the -r nisplus option will achieve the same result
       and will be consistent across all the different name services
       available. This is the recommended way to change the password in NIS+.

       The login program, file access display programs (for example, ls -l),
       and network programs that require user passwords, for example,
       rlogin(1), ftp(1), and so on, use the standard getpwnam(3C) and
       getspnam(3C) interfaces to get password information. These programs
       will get the NIS+ password information, which is modified by nispasswd,
       only if the passwd: entry in the /etc/nsswitch.conf file includes
       nisplus. See nsswitch.conf(4) for more details.

OPTIONS

       The following options are supported:

       -a               Shows the password attributes for all entries. This
                        will show only the entries in the NIS+ passwd table in
                        the local domain that the invoker is authorized to
                        "read".

       -d [username]    Displays password attributes for the caller or the
                        user specified if the invoker has the right
                        privileges.

       -D domainname    Consults the passwd.org_dir table in domainname. If
                        this option is not specified, the default domainname
                        returned by nis_local_directory() will be used. This
                        domainname is the same as that returned by
                        domainname(1M).

       -f               Forces the user to change password at the next login
                        by expiring the password for username.

       -g               Changes the gecos (finger) information.

       -h               Changes the home directory.

       -l               Locks the password entry for username. Subsequently,
                        login(1) would disallow logins with this NIS+ password
                        entry.

       -n min           Sets minimum field for username. The min field
                        contains the minimum number of days between password
                        changes for username. If min is greater than max, the
                        user may not change the password. Always use this
                        option with the -x option, unless max is set to -1
                        (aging turned off). In that case, min need not be
                        set.

       -s               Changes the login shell. By default, only the NIS+
                        administrator can change the login shell. The user
                        will be prompted for the new login shell.

       -w warn          Sets warn field for username. The warn field contains
                        the number of days before the password expires that
                        the user will be warned whenever he or she attempts to
                        log in.

       -x max           Sets maximum field for username. The max field
                        contains the number of days that the password is valid
                        for username. The aging for username will be turned
                        off immediately if max is set to -1. If it is set to
                        0, then the user is forced to change the password at
                        the next login session and aging is turned off.

EXIT STATUS

       The following exit values are returned:

       0     Success.

       1     Permission denied.

       2     Invalid combination of options.

       3     Unexpected failure. NIS+ passwd table unchanged.

       4     NIS+ passwd table missing.

       5     NIS+ is busy. Try again later.

       6     Invalid argument to option.

       7     Aging is disabled.

       8     No memory.

       9     System error.

       10    Account expired.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWnisu                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       keylogin(1), login(1), NIS+(1), nistbladm(1), passwd(1), rlogin(1),
       domainname(1M), nisserver(1M), getpwnam(3C), getspnam(3C),
       nis_local_directory(3NSL), nsswitch.conf(4), passwd(4), shadow(4),
       attributes(5)

NOTES

       NIS+ might not be supported in future releases of the Solaris operating
       system. Tools to aid the migration from NIS+ to LDAP are available in
       the current Solaris release. For more information, visit
       http://www.sun.com/directory/nisplus/transition.html.

SunOS 5.11                        2 Dec 2005                      nispasswd(1)