.\" $NetBSD: passwd.5,v 1.12.2.2 1999/12/17 23:14:50 he Exp $
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\" Portions Copyright (c) 1994, Jason Downs. All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93
.Nd format of the password file
files are the local source of password information.
They can be used in conjunction with the Hesiod domains
.Sq Li passwd.byname ,
.Sq Li master.passwd.byname ,
.Sq Li master.passwd.byuid ,
For consistency, none of these files should ever be modified
file is readable only by root, and consists of newline separated
records, one per user, containing ten colon
These fields are as follows:
.Bl -tag -width ".Ar password" -offset indent
User's login group id.
Account expiration time.
General information about the user.
User's home directory.
file is generated from the
fields removed, and the
field is the login used to access the computer account, and the
field is the number associated with it.
They should both be unique
across the system (and often across a group of systems) since they
While it is possible to have multiple entries with identical login names
and/or identical user id's, it is usually a mistake to do so.
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
The login name must not begin with a hyphen
and cannot contain 8-bit characters, tabs or spaces, or any of these
.Ql \&,:+&#%^\&(\&)!@~*?<>=|\e\\&/" .
is allowed only as the last character for use with Samba.
No field may contain a
as this has been used historically to separate the fields
in the user database.
represent different users.
Be aware of this when interoperating with systems that do not have
case-sensitive login names.
form of the password, see
field is empty, no password will be required to gain access to the
This is almost invariably a mistake, so authentication components
such as PAM can forcibly disallow remote access to passwordless accounts.
Because this file contains the encrypted user passwords, it should
not be readable by anyone without appropriate privileges.
password authentication is disabled for that account
(logins through other forms of
authentication, e.g., using
keys, will still work).
The field only contains encrypted passwords, and
can never be the result of encrypting a password.
An encrypted password prefixed by
means that the account is temporarily locked out
and no one can log into it using any authentication.
For a convenient command-line interface to account locking, see
field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see
this field currently has little special meaning.
field is a key for a user's login class.
style database of user attributes, accounting, resource,
and environment settings.
field is the number of seconds from the epoch,
password for the account must be changed.
This field may be left empty to turn off the password aging feature;
a value of zero is equivalent to leaving the field empty.
field is the number of seconds from the epoch,
This field may be left empty to turn off the account aging feature;
a value of zero is equivalent to leaving the field empty.
field normally contains comma
separated subfields as follows:
.Bl -tag -width ".Ar office" -offset indent -compact
user's work phone number
user's home phone number
may contain an ampersand
which will be replaced by
the capitalized login
field is displayed or used
by various programs such as
and phone number subfields are used by the
program, and possibly other applications.
The user's home directory,
path name where the user
will be placed on login.
field is the command interpreter the user prefers.
If there is nothing in the
field, the Bourne shell
The conventional way to disable logging into an account once and for all,
as it is done for system accounts,
.Pq see Xr nologin 8 .
.Xr nsswitch.conf 5 ,
lookups occur from the
.Xr nsswitch.conf 5 ,
lookups occur from the
.Sq Li passwd.byname ,
.Sq Li passwd.byuid ,
.Sq Li master.passwd.byname ,
.Sq Li master.passwd.byuid
.Xr nsswitch.conf 5 ,
file also supports standard
.Sq Li + Ns / Ns Li -
exclusions and inclusions, based on user names and netgroups.
Lines beginning with a
(minus sign) are entries marked as being excluded
from any following inclusions, which are marked with a
If the second character of the line is a
(at sign), the operation
involves the user fields of all entries in the netgroup specified by the
remaining characters of the
Otherwise, the remainder of the
field is assumed to be a specific user name.
token may also be alone in the
field, which causes all users from either the Hesiod domain
.Sq Li passwd_compat: dns )
.Sq Li passwd_compat: nis )
If the entry contains non-empty
fields, the specified numbers will override the information retrieved
from the Hesiod domain or the
entries contain text, it will override the information included via
field may also be overridden.
.Bl -tag -width ".Pa /etc/master.passwd" -compact
password file, with passwords removed
password database, with passwords removed
.It Pa /etc/master.passwd
password file, with passwords intact
password database, with passwords intact
The password file format has changed since
The following awk script can be used to convert your old-style password
file into a new style password file.
The additional fields
are added, but are turned off by default
.Pq setting these fields to zero is equivalent to leaving them blank .
Class is currently not implemented, but change and expire are; to set them,
use the current day in seconds from the epoch + whatever number of seconds
.Bd -literal -offset indent
BEGIN { FS = ":" }
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
.Ed
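The record rules described above (ten colon-separated fields, an empty password field meaning no password is required, unique login names and user ids, and the login-name restrictions) can be checked mechanically.
The following Python audit is an added example, not part of the original manual page; the sample records, the audit function and its finding strings are constructed for illustration, and it assumes a file without + or - compat entries.

```python
"""Audit master.passwd-format records against the rules in this page."""
from collections import Counter

# Field order, matching the awk conversion script above.
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")
# Characters the page says a login name cannot contain.
FORBIDDEN = set(',:+&#%^()!@~*?<>=|\\/"')

# Constructed sample records (not real accounts or hashes).
SAMPLE = """\
root:$2b$10$constructedhashvalue:0:0::0:0:Charlie &:/root:/bin/sh
toor::0:0::0:0:Bourne-again Superuser:/root:
alice:$2b$10$constructedhashvalue:1001:1001:staff:0:0:Alice:/home/alice:/bin/sh
-bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
old:x:1003:1003:Old Style:/home/old:/bin/sh
"""

def audit(text):
    """Return a sorted list of (login, finding) tuples."""
    findings, records = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            # e.g. an old-style seven-field record that was never converted
            findings.append((parts[0],
                             f"line {lineno}: {len(parts)} fields, expected 10"))
            continue
        rec = dict(zip(FIELDS, parts))
        records.append(rec)
        name = rec["name"]
        if rec["password"] == "":
            findings.append((name, "empty password field: no password required"))
        if name.startswith("-"):
            findings.append((name, "login name begins with a hyphen"))
        if any(c in FORBIDDEN or c in " \t" or ord(c) > 127 for c in name):
            findings.append((name, "login name contains a forbidden character"))
    # Login names and user ids should both be unique across the system.
    for key in ("name", "uid"):
        counts = Counter(r[key] for r in records)
        for rec in records:
            if counts[rec[key]] > 1:
                findings.append((rec["name"], f"duplicate {key} {rec[key]}"))
    return sorted(findings)

if __name__ == "__main__":
    for login, finding in audit(SAMPLE):
        print(f"{login}: {finding}")
```

User ids are compared as the strings found in the file, so differently written forms of the same number are not treated as duplicates.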
.Xr nsswitch.conf 5 ,
.%T "Managing NFS and NIS"
(O'Reilly & Associates)
file format appeared in
file format first appeared in SunOS.
The Hesiod support first appeared in
It was imported from the
Project, where it first appeared in
User information should (and eventually will) be stored elsewhere.
exclusions in the file after any inclusions will have