prpw(F)
prpw --
protected password authentication database files
Format
See
authcap(F)
Description
An authentication profile is maintained for each user on the
system. This profile is kept in a protected password
database file that is accessible only to trusted programs
acting on behalf of the TCB. The protected password (prpw)
database file contains the encrypted password for the user account.
On a trusted system, this must be hidden from untrusted users.
The protected password database files do not remove the
need for the /etc/passwd and the /etc/group files.
Users must be defined in the passwd file in order to use the
system. The protected password database file for a user
contains the user name and user ID as defined in
the user's /etc/passwd entry.
Protected password database files are maintained in a directory hierarchy
below the /tcb/files/auth directory. This directory contains 26
directories, named for every letter in the alphabet.
User authentication profiles are stored in these
directories according to the first letter of the account name. For example, the
authentication profile for the root account is located in
the /tcb/files/auth/r directory and can be accessed by
opening the file /tcb/files/auth/r/root.
Changes to these files are normally made by
the Accounts selection of the Accounts manager or
by the useradd command.
A user's prpw file defines their authentication profile by
specifying values to be interpreted by trusted programs
instead of the system default value.
(Trusted programs check for the existence of user specific parameters before
using a system default value. See
default(F).)
The following keyword identifiers are supported:
u_auditcntl-
A comma separated list
of audit event names (such as insuff_priv, proc_mod,
or ob_create) that defines those audit
events that are explicitly controlled by a
disposition mask for any process initiated by
this user. Any event specified in this mask
can be enabled or disabled for auditing
regardless of the system audit mask. This
provides a user specific audit control
capability. Events not specified in this
list will be subject to the system-wide audit
disposition mask. This field is used in
conjunction with the u_auditdisp mask.
u_auditdisp-
A comma separated list
of audit event names (such as insuff_priv, proc_mod,
or ob_create) that defines which of those
audit events specified in the audit control
mask, u_auditcntl, should always be audited.
An event which appears in the control mask but
not in this mask will never be
audited for this user.
u_cmdpriv-
A comma separated list of
subsystem authorization names that lists the
subsystem authorizations in effect for the
user. Subsystem authorizations for a user
are not established by this field, but are
instead derived from lists for each subsystem in
the directory /etc/auth/subsystems. This
field should match the definition of the
user's subsystem authorizations in those
files, although only the
authck
trusted program checks this.
u_exp-
Defines the number of seconds after a successful password change until
an account password expires.
When a password expires, system authentication
programs will request that the password be
changed when the user logs into the system.
u_genpwd-
This flag controls the ability of a
user to use a password generated by the system for
their account.
u_id-
The user ID for the account. This is the same as
the user ID field of the
corresponding /etc/passwd entry.
u_life-
The lifetime of a password in seconds. If this time is
exceeded, the account will be locked and can
only be unlocked by an authorized system
administrator.
u_lock-
This flag is used to lock an account. A user cannot login to a
locked account.
u_maxlen-
The maximum length of generated passwords for the user account.
u_maxtries-
The maximum number of
consecutive unsuccessful login attempts to
the account that are permitted until the
account is locked.
u_minchg-
The minimum password
change time in seconds. If non-zero, the
password cannot be changed until the
specified number of seconds have passed since the last
successful password change, unless
the person changing the password is
authorized to override this constraint.
u_name-
The user name for the account. This should be the same as the name of
the prpw file, and the user name from the corresponding entry
in /etc/passwd.
u_nullpw-
This flag controls the ability of the user to
select a null password for the account.
u_numunsuclog-
A count of the number of unsuccessful login attempts to the account.
This count is reset when a successful login to the account occurs.
u_owner-
Typically used for accounts
which do not represent a real user (that is,
accounts with a type other than general). It
specifies a user who is allowed to use
su
to enter the account without requiring su
secondary subsystem authorization.
u_pickpw-
A flag that controls the
ability of the user to choose a password for
the account. This permits an account to be
configured so that the system generates a password rather
than letting the user provide one.
u_priority-
The priority value used by
authentication programs to modify the
nice
value of a user's login process.
u_pswduser-
The user name of the
account which is allowed to change this
user's password. Typically, this is the
same as the account name.
u_pwd-
The encrypted password for the account if the account has a
password.
u_restrict-
This flag controls whether thorough or
brief password triviality checks are
performed on any user chosen passwords.
Triviality checks performed include verifying
that the password does not represent a login
or group name, a palindrome (a word that reads the
same forwards as backwards), or a word
recognized by the
spell
program.
u_succhg-
The time of the last successful password
change as a time_t value.
This field should only be set by
programs that can be used to change the
account password.
u_suclog-
The system time of the last successful login to
the account as a time_t value.
u_suctty-
The terminal name associated with the last successful login to
the account.
u_syspriv-
A comma separated list of
kernel privileges for the user. Any
valid kernel privilege name (such as chown, or execsuid)
may appear in this list.
u_type-
The account type, used for informational purposes. For a
normal user, this will be general. Other
account types are: root, operator,
sso, admin,
or pseudo. The type retired
indicates that this account is no
longer in use, and is used to prevent logins on the account.
u_unsucchg-
The time of the last unsuccessful password
change as a time_t value.
This field should only be set by
programs that can be used to change the
account password.
u_unsuclog-
The system time of the last unsuccessful login to
the account as a time_t value.
u_unsuctty-
The terminal name associated with the last unsuccessful login
attempt to the account.
Examples
The following is an example of a typical protected password
database file named craig:
craig:u_name=craig:u_id#20034:\
:u_pwd=ObaRIyszZwYuUgtH9d8T0Ei6:\
:u_type=general:u_pswduser=craig:\
:u_cmdpriv=su,queryspace,lp,mem,sysadmin,root:\
:u_syspriv=execsuid,nopromain,chmodsugid,chown:\
:u_minchg#0:u_succhg#696188670:u_unsucchg#696527826:\
:u_suclog#699804441:u_suctty=tty06:\
:u_unsuclog#699620228:u_unsuctty=tty04:\
:u_lock@:chkent:
This protected password database file is for the user craig.
The user ID for craig is 20034 which should match the
/etc/passwd entry. The encrypted password is specified by
the u_pwd field. The
account is assigned several subsystem authorizations. The
specified kernel privileges will be raised for this
user's login shell processes.
The minimum password change time
is 0, indicating that the password can be changed at any time.
The remaining fields provide account information such as the
last successful and unsuccessful password change times as
well as the last successful and unsuccessful login times and
terminal names.
Files
/tcb/files/auth/[a-z]/-
protected password authentication database files
See also
authcap(F),
authck(ADM),
default(F),
getprpwent(S),
login(M),
nice(C),
spell(C),
su(C),
useradd(ADM)
Standards conformance
prpw is not part of any currently supported
standard; it is an extension of AT&T System V provided by
The Santa Cruz Operation, Inc.
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005