.\" $NetBSD: passwd.5,v 1.20 2002/02/13 08:18:15 ross Exp $
.\"
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\" Portions Copyright (c) 1994, Jason Downs. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)passwd.5 8.1 (Berkeley) 6/5/93
.\"
.Dd November 17, 2000
.Dt PASSWD 5
.Os
.Sh NAME
.Nm passwd ,
.Nm master.passwd
.Nd format of the password file
.Sh DESCRIPTION
The
.Nm passwd
files are the local source of password information.
They can be used in conjunction with the Hesiod domain
.Sq passwd
and the
.Tn NIS
maps
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid ,
as controlled by
.Xr nsswitch.conf 5 .
.Pp
The
.Nm master.passwd
file is readable only by root, and consists of newline separated
.Tn ASCII
records, one per user, containing ten colon
.Pq Dq \&:
separated fields.
.Pp
Each line has the form:
.Dl name:password:uid:gid:class:change:expire:gecos:home_dir:shell
.Pp
These fields are as follows:
.Bl -tag -width password -offset indent -compact
.It Em name
User's login name.
.It Em password
User's
.Em encrypted
password.
.It Em uid
User's id.
.It Em gid
User's login group id.
.It Em class
User's login class.
.It Em change
Password change time.
.It Em expire
Account expiration time.
.It Em gecos
General information about the user.
.It Em home_dir
User's home directory.
.It Em shell
User's login shell.
.El
.Pp
The
.Nm
file is generated from the
.Nm master.passwd
file by
.Xr pwd_mkdb 8 ,
has the
.Em class ,
.Em change ,
and
.Em expire
fields removed, and the
.Em password
field replaced by a
.Dq \&* .
.Pp
The
.Em name
field is the login used to access the computer account, and the
.Em uid
field is the number associated with it. They should both be unique
across the system (and often across a group of systems) since they
control file access.
.Pp
While it is possible to have multiple entries with identical login names
and/or identical user id's, it is usually a mistake to do so. Routines
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
.Pp
The login name must never begin with a hyphen
.Pq Dq \&- ;
also, it is strongly suggested that neither upper-case characters nor dots
.Pq Dq \&.
be part of the name, as this tends to confuse mailers.
No field may contain a colon
.Pq Dq \&:
as this has been used historically to separate the fields in the user database.
.Pp
The
.Em password
field is the
.Em encrypted
form of the password.
If the
.Em password
field is empty, no password will be required to gain access to the
machine. This is almost invariably a mistake.
Because these files contain the encrypted user passwords, they should
not be readable by anyone without appropriate privileges.
For the possible ciphers used in this field see
.Xr passwd.conf 5 .
.Pp
The
.Em gid
field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see
.Xr groups 1 )
this field currently has little special meaning.
.Pp
The
.Em class
field is a key for a user's login class.
Login classes are defined in
.Xr login.conf 5 ,
which is a
.Xr termcap 5
style database of user attributes, accounting, resource and
environment settings.
.Pp
The
.Em change
field is the number of seconds from the epoch,
.Dv UTC ,
until the
password for the account must be changed.
This field may be left empty to turn off the password aging feature.
If this is set to
.Dq -1
then the user will be prompted to change their password at the next
login.
.Pp
The
.Em expire
field is the number of seconds from the epoch,
.Dv UTC ,
until the
account expires.
This field may be left empty to turn off the account aging feature.
.Pp
If either of the
.Em change
or
.Em expire
fields is set, the system will remind the user of the impending
change or expiry if they log in within a configurable period
(defaulting to 14 days) before the event.
.Pp
The
.Em gecos
field normally contains comma
.Pq Dq \&,
separated subfields as follows:
.Pp
.Bl -tag -width office -offset indent -compact
.It Em name
user's full name
.It Em office
user's office number
.It Em wphone
user's work phone number
.It Em hphone
user's home phone number
.El
.Pp
The full name may contain an ampersand
.Pq Dq \&\*[Am]
which will be replaced by
the capitalized login name when the gecos field is displayed or used
by various programs such as
.Xr finger 1 ,
.Xr sendmail 8 ,
etc.
.Pp
The office and phone number subfields are used by the
.Xr finger 1
program, and possibly other applications.
.Pp
The user's home directory is the full
.Ux
path name where the user
will be placed on login.
.Pp
The shell field is the command interpreter the user prefers.
If there is nothing in the
.Em shell
field, the Bourne shell
.Pq Pa /bin/sh
is assumed.
.Sh HESIOD SUPPORT
If
.Sq dns
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd
Hesiod domain.
.Sh NIS SUPPORT
If
.Sq nis
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid
.Tn NIS
maps.
.Sh COMPAT SUPPORT
If
.Sq compat
is specified for the
.Sq passwd
database, and either
.Sq dns
or
.Sq nis
is specified for the
.Sq passwd_compat
database in
.Xr nsswitch.conf 5 ,
then the
.Nm
file also supports standard
.Sq +/-
exclusions and inclusions, based on user names and netgroups.
.Pp
Lines beginning with a minus sign
.Pq Dq \&-
are entries marked as being excluded from any following inclusions,
which are marked with a plus sign
.Pq Dq \&+ .
.Pp
If the second character of the line is an at sign
.Pq Dq \&@ ,
the operation
involves the user fields of all entries in the netgroup specified by the
remaining characters of the
.Em name
field.
Otherwise, the remainder of the
.Em name
field is assumed to be a specific user name.
.Pp
The
.Dq \&+
token may also be alone in the
.Em name
field, which causes all users from either the Hesiod domain
.Nm
(with
.Sq passwd_compat: dns )
or
.Sq passwd.byname
and
.Sq passwd.byuid
.Tn NIS
maps (with
.Sq passwd_compat: nis )
to be included.
.Pp
If the entry contains non-empty
.Em uid
or
.Em gid
fields, the specified numbers will override the information retrieved
from the Hesiod domain or the
.Tn NIS
maps. As well, if the
.Em gecos ,
.Em home_dir
or
.Em shell
entries contain text, it will override the information included via
Hesiod or
.Tn NIS .
On some systems, the
.Em passwd
field may also be overridden.
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr login 1 ,
.Xr passwd 1 ,
.Xr getpwent 3 ,
.Xr login_getclass 3 ,
.Xr login.conf 5 ,
.Xr netgroup 5 ,
.Xr passwd.conf 5 ,
.Xr adduser 8 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8 ,
.Xr yp 8
.Pp
.%T "Managing NFS and NIS"
(O'Reilly \*[Am] Associates)
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Pp
Placing
.Sq compat
exclusions in the file after any inclusions will have
unexpected results.
.Sh COMPATIBILITY
The password file format has changed since
.Bx 4.3 .
The following awk script can be used to convert your old-style password
file into a new style password file.
The additional fields
.Dq class ,
.Dq change
and
.Dq expire
are added, but are turned off by default.
To set them,
use the current day in seconds from the epoch + whatever number of seconds
of offset you want.
.Bd -literal -offset indent
BEGIN { FS = ":"}
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
.Ed
.Sh HISTORY
A
.Nm
file format appeared in
.At v6 .
.Pp
The
.Tn NIS
.Nm
file format first appeared in SunOS.
.Pp
The Hesiod support first appeared in
.Nx 1.4 .
.Pp
The
.Xr login.conf 5
capability first appeared in
.Nx 1.5 .
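An added example, not part of the NetBSD manual page: a Python audit of master.passwd-format text for the conditions this page calls out (ten-field records, an empty password field, a login name beginning with a hyphen, duplicate login names or uids, and compat exclusions placed after inclusions). The function name, the `compat` switch and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

FIELDS = "name password uid gid class change expire gecos home_dir shell".split()

def audit_master_passwd(text, compat=True):
    """Return (line_number, message) findings for master.passwd-format text."""
    findings = []
    by_name, by_uid = defaultdict(list), defaultdict(list)
    inclusion_seen = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings.append((lineno, "expected 10 fields, found %d" % len(parts)))
            continue
        rec = dict(zip(FIELDS, parts))
        name = rec["name"]
        if compat and name[:1] in ("+", "-"):
            # compat entry: a '-' exclusion only affects inclusions after it
            if name[0] == "+":
                inclusion_seen = True
            elif inclusion_seen:
                findings.append((lineno, "exclusion %r follows an inclusion" % name))
            continue
        if name.startswith("-"):
            findings.append((lineno, "login name %r begins with a hyphen" % name))
        if rec["password"] == "":
            findings.append((lineno, "empty password field for %r" % name))
        by_name[name].append(lineno)
        by_uid[rec["uid"]].append(lineno)
    # Duplicate names or uids: lookups may return only one of the entries.
    for label, index in (("login name", by_name), ("uid", by_uid)):
        for key, lines in index.items():
            if len(lines) > 1:
                findings.append((lines[-1], "duplicate %s %r on lines %s" % (label, key, lines)))
    return findings

# Constructed sample records (not from a real system); line 6 is malformed.
SAMPLE = """\
root:*:0:0::0:0:Charlie &:/root:/bin/sh
alice::1000:100::0:0:Alice,Rm 1,,:/home/alice:/bin/sh
toor:*:0:0::0:0:Backup root:/root:/bin/sh
+@staff:::::::::
-mallory:::::::::
bob:*:1001:100:0:0:Bob:/home/bob:/bin/sh
"""

print("\n".join("line %d: %s" % f for f in audit_master_passwd(SAMPLE)))
```

Pass `compat=False` when `nsswitch.conf` does not select `compat` for the `passwd` database, so that a leading `-` is reported as an invalid login name instead of being read as an exclusion.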