.\" $NetBSD: passwd.5,v 1.17 2000/11/17 10:06:27 lukem Exp $
.\"
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\" Portions Copyright (c) 1994, Jason Downs. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"    This product includes software developed by the University of
.\"    California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)passwd.5 8.1 (Berkeley) 6/5/93
.\"
.Dd November 17, 2000
.Dt PASSWD 5
.Os
.Sh NAME
.Nm passwd ,
.Nm master.passwd
.Nd format of the password file
.Sh DESCRIPTION
The
.Nm passwd
files are the local source of password information.
They can be used in conjunction with the Hesiod domain
.Sq passwd
and the
.Tn NIS
maps
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid ,
as controlled by
.Xr nsswitch.conf 5 .
.Pp
The
.Nm master.passwd
file is readable only by root, and consists of newline separated
.Tn ASCII
records, one per user, containing ten colon
.Pq Dq \&:
separated fields.
.Pp
Each line has the form:
.Dl name:password:uid:gid:class:change:expire:gecos:home_dir:shell
.Pp
These fields are as follows:
.Bl -tag -width password -offset indent -compact
.It Em name
User's login name.
.It Em password
User's
.Em encrypted
password.
.It Em uid
User's id.
.It Em gid
User's login group id.
.It Em class
User's login class.
.It Em change
Password change time.
.It Em expire
Account expiration time.
.It Em gecos
General information about the user.
.It Em home_dir
User's home directory.
.It Em shell
User's login shell.
.El
.Pp
The
.Nm
file is generated from the
.Nm master.passwd
file by
.Xr pwd_mkdb 8 ,
has the
.Em class ,
.Em change ,
and
.Em expire
fields removed, and the
.Em password
field replaced by a
.Dq \&* .
.Pp
The
.Em name
field is the login used to access the computer account, and the
.Em uid
field is the number associated with it. They should both be unique
across the system (and often across a group of systems) since they
control file access.
.Pp
While it is possible to have multiple entries with identical login names
and/or identical user id's, it is usually a mistake to do so. Routines
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
.Pp
The login name must never begin with a hyphen
.Pq Dq \&- ;
also, it is strongly suggested that neither upper-case characters nor dots
.Pq Dq \&.
be part of the name, as this tends to confuse mailers.
No field may contain a colon
.Pq Dq \&:
as this has been used historically to separate the fields in the user database.
.Pp
The
.Em password
field is the
.Em encrypted
form of the password.
If the
.Em password
field is empty, no password will be required to gain access to the
machine. This is almost invariably a mistake.
Because these files contain the encrypted user passwords, they should
not be readable by anyone without appropriate privileges.
.Pp
The
.Em gid
field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see
.Xr groups 1 )
this field currently has little special meaning.
.Pp
The
.Em class
field is a key for a user's login class.
Login classes are defined in
.Xr login.conf 5 ,
which is a
.Xr termcap 5
style database of user attributes, accounting, resource and
environment settings.
.Pp
The
.Em change
field is the number of seconds from the epoch,
.Dv UTC ,
until the
password for the account must be changed.
This field may be left empty to turn off the password aging feature.
If this is set to
.Dq -1
then the user will be prompted to change their password at the next
login.
.Pp
The
.Em expire
field is the number of seconds from the epoch,
.Dv UTC ,
until the
account expires.
This field may be left empty to turn off the account aging feature.
.Pp
If either of the
.Em change
or
.Em expire
fields are set, the system will remind the user of the impending
change or expiry if they log in within a configurable period
(defaulting to 14 days) before the event.
.Pp
The
.Em gecos
field normally contains comma
.Pq Dq \&,
separated subfields as follows:
.Pp
.Bl -tag -width office -offset indent -compact
.It Em name
user's full name
.It Em office
user's office number
.It Em wphone
user's work phone number
.It Em hphone
user's home phone number
.El
.Pp
The full name may contain an ampersand
.Pq Dq \&&
which will be replaced by
the capitalized login name when the gecos field is displayed or used
by various programs such as
.Xr finger 1 ,
.Xr sendmail 8 ,
etc.
.Pp
The office and phone number subfields are used by the
.Xr finger 1
program, and possibly other applications.
.Pp
The user's home directory is the full
.Ux
path name where the user
will be placed on login.
.Pp
The shell field is the command interpreter the user prefers.
If there is nothing in the
.Em shell
field, the Bourne shell
.Pq Pa /bin/sh
is assumed.
.Sh HESIOD SUPPORT
If
.Sq dns
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd
Hesiod domain.
.Sh NIS SUPPORT
If
.Sq nis
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid
.Tn NIS
maps.
.Sh COMPAT SUPPORT
If
.Sq compat
is specified for the
.Sq passwd
database, and either
.Sq dns
or
.Sq nis
is specified for the
.Sq passwd_compat
database in
.Xr nsswitch.conf 5 ,
then the
.Nm
file also supports standard
.Sq +/-
exclusions and inclusions, based on user names and netgroups.
.Pp
Lines beginning with a minus sign
.Pq Dq \&-
are entries marked as being excluded from any following inclusions,
which are marked with a plus sign
.Pq Dq \&+ .
.Pp
If the second character of the line is an at sign
.Pq Dq \&@ ,
the operation
involves the user fields of all entries in the netgroup specified by the
remaining characters of the
.Em name
field.
Otherwise, the remainder of the
.Em name
field is assumed to be a specific user name.
.Pp
The
.Dq \&+
token may also be alone in the
.Em name
field, which causes all users from either the Hesiod domain
.Nm
(with
.Sq passwd_compat: dns )
or
.Sq passwd.byname
and
.Sq passwd.byuid
.Tn NIS
maps (with
.Sq passwd_compat: nis )
to be included.
.Pp
If the entry contains non-empty
.Em uid
or
.Em gid
fields, the specified numbers will override the information retrieved
from the Hesiod domain or the
.Tn NIS
maps. As well, if the
.Em gecos ,
.Em home_dir
or
.Em shell
entries contain text, it will override the information included via
Hesiod or
.Tn NIS .
On some systems, the
.Em passwd
field may also be overridden.
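.Pp
The following Python linter is an added example, not part of the original manual page or of NetBSD; it applies the rules stated above (ten fields, empty password field, duplicate names and uids, login-name restrictions, compat exclusions placed after inclusions). The function audit_master_passwd, its compat flag and the sample records are hypothetical and constructed for illustration.

```python
import re
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home_dir", "shell")

def audit_master_passwd(text, compat=False):
    """Return [(line_no, message)] findings; compat=True honours +/- entries."""
    findings, names, uids, included = [], {}, {}, False
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # assumption: blank lines are ignored
        values = line.split(":")
        if len(values) != len(FIELDS):
            findings.append((no, "expected 10 fields, got %d" % len(values)))
            continue
        rec = dict(zip(FIELDS, values))
        name, uid = rec["name"], rec["uid"]
        if compat and name.startswith(("+", "-")):
            if name.startswith("+"):
                included = True  # later exclusions no longer apply to this
            elif included:
                findings.append((no, "compat exclusion after an inclusion"))
            continue
        if name.startswith("-"):
            findings.append((no, "login name begins with a hyphen"))
        if re.search(r"[A-Z.]", name):
            findings.append((no, "login name has upper-case letter or dot"))
        if rec["password"] == "":
            findings.append((no, "empty password field"))
        if name in names:
            findings.append((no, "duplicate login name, first at line %d" % names[name]))
        if uid in uids:
            findings.append((no, "duplicate uid %s, first at line %d" % (uid, uids[uid])))
        names.setdefault(name, no)
        uids.setdefault(uid, no)
    return findings

# Constructed sample input, not taken from any real system.
SAMPLE = """root:*:0:0::0:0:Charlie &:/root:/bin/sh
alice::1000:100::0:0:Alice Example,B12,,:/home/alice:/bin/ksh
Bob.S:*:1001:100::0:0:Bob:/home/bob:/bin/sh
carol:*:1000:100::0:0:Carol:/home/carol:/bin/sh
dave:*:1002:100:0:0:Dave:/home/dave:/bin/sh
+@staff:::::::::
-mallory:::::::::
"""

if __name__ == "__main__":
    for no, message in audit_master_passwd(SAMPLE, compat=True):
        print("line %d: %s" % (no, message))
```

Run it against a copy of the file as root, since master.passwd is readable only by root.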
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr login 1 ,
.Xr passwd 1 ,
.Xr getpwent 3 ,
.Xr login_getclass 3 ,
.Xr login.conf 5 ,
.Xr netgroup 5 ,
.Xr adduser 8 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8 ,
.Xr yp 8
.Pp
.%T "Managing NFS and NIS"
(O'Reilly & Associates)
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Pp
Placing
.Sq compat
exclusions in the file after any inclusions will have
unexpected results.
.Sh COMPATIBILITY
The password file format has changed since
.Bx 4.3 .
The following awk script can be used to convert your old-style password
file into a new style password file.
The additional fields
.Dq class ,
.Dq change
and
.Dq expire
are added, but are turned off by default.
To set them,
use the current day in seconds from the epoch + whatever number of seconds
of offset you want.
.Bd -literal -offset indent
BEGIN { FS = ":"}
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
.Ed
.Sh HISTORY
A
.Nm
file format appeared in
.At v6 .
.Pp
The
.Tn NIS
.Nm
file format first appeared in SunOS.
.Pp
The Hesiod support first appeared in
.Nx 1.4 .
.Pp
The
.Xr login.conf 5
capability first appeared in
.Nx 1.5 .