prpw(F)

prpw -- protected password authentication database files

Format

Description

An authentication profile is maintained for each user on the system. This profile is kept in a protected password database file that is accessible only to trusted programs acting on behalf of the TCB. The protected password (prpw) database file contains the encrypted password for the user account. On a trusted system, this must be hidden from untrusted users.

The protected password database files do not remove the need for the /etc/passwd and the /etc/group files. Users must be defined in the passwd file in order to use the system. The protected password database file for a user contains the user name and user ID as defined in the user's /etc/passwd entry.

Protected password database files are maintained in a directory hierarchy below the /tcb/files/auth directory. This directory contains 26 directories, named for every letter in the alphabet. User authentication profiles are stored in these directories according to the first letter of the account name. For example, the authentication profile for the root account is located in the /tcb/files/auth/r directory and can be accessed by opening the file /tcb/files/auth/r/root.

Changes to these files are normally made by the Accounts selection of the Accounts manager or by the useradd command.

A user's prpw file defines their authentication profile by specifying values to be interpreted by trusted programs instead of the system default value. (Trusted programs check for the existence of user specific parameters before using a system default value. See default(F).)

The following keyword identifiers are supported:

u_auditcntl: A comma separated list of audit event names (such as insuff_priv, proc_mod, or ob_create) that defines those audit events that are explicitly controlled by a disposition mask for any process initiated by this user. Any event specified in this mask can be enabled or disabled for auditing regardless of the system audit mask. This provides a user specific audit control capability. Events not specified in this list will be subject to the system-wide audit disposition mask. This field is used in conjunction with the u_auditdisp mask.
u_auditdisp: A comma separated list of audit event names (such as insuff_priv, proc_mod, or ob_create) that defines which of those audit events specified in the audit control mask, u_auditcntl, should always be audited. An event which appears in the control mask but not in this mask will never be audited for this user.
u_cmdpriv: A comma separated list of subsystem authorization names that lists the subsystem authorizations in effect for the user. Subsystem authorizations for a user are not established by this field, but are instead derived from lists for each subsystem in the directory /etc/auth/subsystems. This field should match the definition of the user's subsystem authorizations in those files, although only the authck trusted program checks this.
u_exp: Defines the number of seconds after a successful password change until an account password expires. When a password expires, system authentication programs will request that the password be changed when the user logs into the system.
u_genpwd: This flag controls the ability of a user to use a password generated by the system for their account.
u_id: The user ID for the account. This is the same as the user ID field of the corresponding /etc/passwd entry.
u_life: The lifetime of a password in seconds. If this time is exceeded, the account will be locked and can only be unlocked by an authorized system administrator.
u_lock: This flag is used to lock an account. A user cannot login to a locked account.
u_maxlen: The maximum length of generated passwords for the user account.
u_maxtries: The maximum number of consecutive unsuccessful login attempts to the account that are permitted until the account is locked.
u_minchg: The minimum password change time in seconds. If non-zero, the password cannot be changed until the specified number of seconds have passed since the last successful password change, unless the person changing the password is authorized to override this constraint.
u_name: The user name for the account. This should be the same as the name of the prpw file, and the user name from the corresponding entry in /etc/passwd.
u_nullpw: This flag controls the ability of the user to select a null password for the account.
u_numunsuclog: A count of the number of unsuccessful login attempts to the account. This count is reset when a successful login to the account occurs.
u_owner: Typically used for accounts which do not represent a real user (that is, accounts with a type other than general). It specifies a user who is allowed to use su to enter the account without requiring su secondary subsystem authorization.
u_pickpw: A flag that controls the ability of the user to choose a password for the account. This permits an account to be configured so that the system generates a password rather than letting the user provide one.
u_priority: The priority value used by authentication programs to modify the nice value of a user's login process.
u_pswduser: The user name of the account which is allowed to change this user's password. Typically, this is the same as the account name.
u_pwd: The encrypted password for the account if the account has a password.
u_restrict: This flag controls whether thorough or brief password triviality checks are performed on any user chosen passwords. Triviality checks performed include verifying that the password does not represent a login or group name, a palindrome (a word that reads the same forwards as backwards), or a word recognized by the spell program.
u_succhg: The time of the last successful password change as a time_t value. This field should only be set by programs that can be used to change the account password.
u_suclog: The system time of the last successful login to the account as a time_t value.
u_suctty: The terminal name associated with the last successful login to the account.
u_syspriv: A comma separated list of kernel privileges for the user. Any valid kernel privilege name (such as chown, or execsuid) may appear in this list.
u_type: The account type, used for informational purposes. For a normal user, this will be general. Other account types are: root, operator, sso, admin, or pseudo. The type retired indicates that this account is no longer in use, and is used to prevent logins on the account.
u_unsucchg: The time of the last unsuccessful password change as a time_t value. This field should only be set by programs that can be used to change the account password.
u_unsuclog: The system time of the last unsuccessful login to the account as a time_t value.
u_unsuctty: The terminal name associated with the last unsuccessful login attempt to the account.

Examples

The following is an example of a typical protected password database file named craig:

   craig:u_name=craig:u_id#20034:\
   	:u_pwd=ObaRIyszZwYuUgtH9d8T0Ei6:\
   	:u_type=general:u_pswduser=craig:\
   	:u_cmdpriv=su,queryspace,lp,mem,sysadmin,root:\
   	:u_syspriv=execsuid,nopromain,chmodsugid,chown:\
   	:u_minchg#0:u_succhg#696188670:u_unsucchg#696527826:\
   	:u_suclog#699804441:u_suctty=tty06:\
   	:u_unsuclog#699620228:u_unsuctty=tty04:\
   	:u_lock@:chkent:

This protected password database file is for the user craig. The user ID for craig is 20034 which should match the /etc/passwd entry. The encrypted password is specified by the u_pwd field. The account is assigned several subsystem authorizations. The specified kernel privileges will be raised for this user's login shell processes.

The minimum password change time is 0, indicating that the password can be changed at any time. The remaining fields provide account information such as the last successful and unsuccessful password change times as well as the last successful and unsuccessful login times and terminal names.

Files

/tcb/files/auth/[a-z]/: protected password authentication database files

Standards conformance