.\" $NetBSD: passwd.5,v 1.12.2.2 1999/12/17 23:14:50 he Exp $
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\" Portions Copyright (c) 1994, Jason Downs. All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93
.Nd format of the password file
files are the local source of password information.
They can be used in conjunction with the Hesiod domains
.Sq Li passwd.byname ,
.Sq Li master.passwd.byname ,
.Sq Li master.passwd.byuid ,
For consistency, none of these files should ever be modified
file is readable only by root, and consists of newline separated
records, one per user, containing ten colon
These fields are as follows:
.Bl -tag -width ".Ar password" -offset indent
User's login group id.
Account expiration time.
General information about the user.
User's home directory.
file is generated from the
fields removed, and the
field is the login used to access the computer account, and the
field is the number associated with it.
They should both be unique
across the system (and often across a group of systems) since they
While it is possible to have multiple entries with identical login names
and/or identical user id's, it is usually a mistake to do so.
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
The login name must not begin with a hyphen
and cannot contain 8-bit characters, tabs or spaces, or any of these
.Ql \&,:+&#%^\&(\&)!@~*?<>=|\e\\&/" .
is allowed only as the last character for use with Samba.
No field may contain a
as this has been used historically to separate the fields
in the user database.
represent different users.
Be aware of this when interoperating with systems that do not have
case-sensitive login names.
form of the password, see
field is empty, no password will be required to gain access to the
This is almost invariably a mistake, so authentication components
such as PAM can forcibly disallow remote access to passwordless accounts.
Because this file contains the encrypted user passwords, it should
not be readable by anyone without appropriate privileges.
password authentication is disabled for that account
(logins through other forms of
authentication, e.g., using
keys, will still work).
The field only contains encrypted passwords, and
can never be the result of encrypting a password.
An encrypted password prefixed by
means that the account is temporarily locked out
and no one can log into it using any authentication.
For a convenient command-line interface to account locking, see
field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see
this field currently has little special meaning.
field is a key for a user's login class.
style database of user attributes, accounting, resource,
and environment settings.
field is the number of seconds from the epoch,
password for the account must be changed.
This field may be left empty to turn off the password aging feature;
a value of zero is equivalent to leaving the field empty.
field is the number of seconds from the epoch,
This field may be left empty to turn off the account aging feature;
a value of zero is equivalent to leaving the field empty.
field normally contains comma
separated subfields as follows:
.Bl -tag -width ".Ar office" -offset indent -compact
user's work phone number
user's home phone number
may contain an ampersand
which will be replaced by
the capitalized login
field is displayed or used
by various programs such as
and phone number subfields are used by the
program, and possibly other applications.
The user's home directory,
path name where the user
will be placed on login.
field is the command interpreter the user prefers.
If there is nothing in the
field, the Bourne shell
The conventional way to disable logging into an account once and for all,
as it is done for system accounts,
.Pq see Xr nologin 8 .
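An added example, not part of the original manual page or its project's sources: a Python audit of master.passwd-format text for the conditions described above (ten colon-separated fields, an empty password field, duplicate login names or user ids, forbidden login-name characters, an expiration time that has passed). The function names and the sample records are constructed for illustration.

```python
import time
# Ten colon-separated fields of a master.passwd record, in order.
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")
# Characters the page forbids in a login name (8-bit, tab, space checked below).
FORBIDDEN = set(',:+&#%^()!@~*?<>=|\\/"')
# Constructed sample records, not taken from any real system.
SAMPLE = """\
root:$2b$constructedhash:0:0::0:0:Charlie &:/root:/bin/sh
toor::0:0::0:0:Bourne-again Superuser:/root:
alice:$2b$constructedhash:1001:1001::0:86400:Alice:/home/alice:/bin/sh
bob smith:$2b$constructedhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
+@staff:::::::::
"""

def name_problem(name):
    """Return why a login name breaks the naming rules, or None if it is fine."""
    if name.startswith("-"):
        return "login name begins with a hyphen"
    for ch in name:
        if ord(ch) > 127 or ch in " \t" or ch in FORBIDDEN:
            return f"login name contains forbidden character {ch!r}"
    return None

def audit(text, now=None):
    """Return (line_number, finding) pairs for master.passwd-format text."""
    now = time.time() if now is None else now
    findings, names, uids = [], {}, {}
    for no, line in enumerate(text.splitlines(), 1):
        if not line or line[0] in "+-":  # blank, or a +/- inclusion/exclusion
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings.append((no, f"expected 10 fields, found {len(parts)}"))
            continue
        rec = dict(zip(FIELDS, parts))
        if (problem := name_problem(rec["name"])):
            findings.append((no, problem))
        if rec["password"] == "":
            findings.append((no, "empty password field: no password required"))
        for key, seen in (("name", names), ("uid", uids)):
            if rec[key] in seen:
                findings.append((no, f"duplicate {key} {rec[key]!r} "
                                     f"(first on line {seen[rec[key]]})"))
            seen.setdefault(rec[key], no)
        # Empty or zero turns account aging off; otherwise seconds since epoch.
        if rec["expire"].isdecimal() and 0 < int(rec["expire"]) < now:
            findings.append((no, "account expiration time has passed"))
    return findings
```

Calling audit(SAMPLE) reports the passwordless second record that shares user id 0 with the first, the expired third, the login name containing a space, and the seven-field old-style record.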
.Xr nsswitch.conf 5 ,
lookups occur from the
.Xr nsswitch.conf 5 ,
lookups occur from the
.Sq Li passwd.byname ,
.Sq Li passwd.byuid ,
.Sq Li master.passwd.byname ,
.Sq Li master.passwd.byuid
.Xr nsswitch.conf 5 ,
file also supports standard
.Sq Li + Ns / Ns Li -
exclusions and inclusions, based on user names and netgroups.
Lines beginning with a
(minus sign) are entries marked as being excluded
from any following inclusions, which are marked with a
If the second character of the line is a
(at sign), the operation
involves the user fields of all entries in the netgroup specified by the
remaining characters of the
Otherwise, the remainder of the
field is assumed to be a specific user name.
token may also be alone in the
field, which causes all users from either the Hesiod domain
.Sq Li passwd_compat: dns )
.Sq Li passwd_compat: nis )
If the entry contains non-empty
fields, the specified numbers will override the information retrieved
from the Hesiod domain or the
entries contain text, it will override the information included via
field may also be overridden.
.Bl -tag -width ".Pa /etc/master.passwd" -compact
password file, with passwords removed
password database, with passwords removed
.It Pa /etc/master.passwd
password file, with passwords intact
password database, with passwords intact
The password file format has changed since
The following awk script can be used to convert your old-style password
file into a new style password file.
The additional fields
are added, but are turned off by default
.Pq setting these fields to zero is equivalent to leaving them blank .
Class is currently not implemented, but change and expire are; to set them,
use the current day in seconds from the epoch + whatever number of seconds
.Bd -literal -offset indent
BEGIN { FS = ":" }
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
.Xr nsswitch.conf 5 ,
.%T "Managing NFS and NIS"
(O'Reilly & Associates)
file format appeared in
file format first appeared in SunOS.
The Hesiod support first appeared in
It was imported from the
Project, where it first appeared in
User information should (and eventually will) be stored elsewhere.
exclusions in the file after any inclusions will have