nispasswd(1) User Commands nispasswd(1)NAMEnispasswd - change NIS+ password information
SYNOPSISnispasswd [-ghs] [-D domainname] [username]
nispasswd-a
nispasswd [-D domainname] [-d [username]]
nispasswd [-l] [-f] [-n min] [-x max] [-w warn]
[-D domainname] username
DESCRIPTION
The nispasswd utility changes a password, gecos (finger) field (-g
option), home directory (-h option), or login shell (-s option) asso‐
ciated with the username (invoker by default) in the NIS+ passwd table.
Additionally, the command can be used to view or modify aging informa‐
tion associated with the user specified if the invoker has the right
NIS+ privileges.
nispasswd uses secure RPC to communicate with the NIS+ server, and
therefore, never sends unencrypted passwords over the communication
medium.
nispasswd does not read or modify the local password information stored
in the /etc/passwd and /etc/shadow files.
When used to change a password, nispasswd prompts non-privileged users
for their old password. It then prompts for the new password twice to
forestall typing mistakes. When the old password is entered, nispasswd
checks to see if it has "aged" sufficiently. If "aging" is insuffi‐
cient, nispasswd terminates; see getspnam(3C).
The old password is used to decrypt the username's secret key. If the
password does not decrypt the secret key, nispasswd prompts for the
old secure-RPC password. It uses this password to decrypt the secret
key. If this fails, it gives the user one more chance. The old password
is also used to ensure that the new password differs from the old by at
least three characters. Assuming aging is sufficient, a check is made
to ensure that the new password meets construction requirements
described below. When the new password is entered a second time, the
two copies of the new password are compared. If the two copies are not
identical, the cycle of prompting for the new password is repeated
twice. The new password is used to re-encrypt the user's secret key.
Hence, it also becomes their secure-RPC password. Therefore, the
secure-RPC password is no longer a different password from the user's
password.
Passwords must be constructed to meet the following requirements:
o Each password must have at least six characters. Only the
first eight characters are significant.
o Each password must contain at least two alphabetic charac‐
ters and at least one numeric or special character. In this
case, "alphabetic" refers to all upper or lower case let‐
ters.
o Each password must differ from the user's login username
and any reverse or circular shift of that login username.
For comparison purposes, an upper case letter and its cor‐
responding lower case letter are equivalent.
o New passwords must differ from the old by at least three
characters. For comparison purposes, an upper case letter
and its corresponding lower case letter are equivalent.
Network administrators, who own the NIS+ password table, may change any
password attributes if they establish their credentials (see keylo‐
gin(1)) before invoking nispasswd. Hence, nispasswd does not prompt
these privileged-users for the old password and they are not forced to
comply with password aging and password construction requirements.
Any user may use the -d option to display password attributes for his
or her own login name. The format of the display will be:
username status mm/dd/yy min max warn
or, if password aging information is not present,
username status
where
username The login ID of the user.
status The password status of username: "PS" stands for password
exists or locked, "LK" stands for locked, and "NP" stands
for no password.
mm/dd/yy The date password was last changed for username. (Note that
all password aging dates are determined using Greenwich
Mean Time (Universal Time) and, therefore, may differ by as
much as a day in other time zones.)
min The minimum number of days required between password
changes for username.
max The maximum number of days the password is valid for user‐
name.
warn The number of days relative to max before the password
expires that the username will be warned.
The use of nispasswd is strongly discouraged. It is a wrapper around
the passwd(1) command.
Using passwd(1) with the -r nisplus option will achieve the same result
and will be consistent across all the different name services avail‐
able. This is the recommended way to change the password in NIS+.
The login program, file access display programs (for example, ls -l),
and network programs that require user passwords, for example,
rlogin(1), ftp(1), and so on, use the standard getpwnam(3C) and getsp‐
nam(3C) interfaces to get password information. These programs will get
the NIS+ password information, which is modified by nispasswd, only if
the passwd: entry in the /etc/nsswitch.conf file includes nisplus.
See nsswitch.conf(4) for more details.
OPTIONS
The following options are supported:
-a Shows the password attributes for all entries. This
will show only the entries in the NIS+ passwd table in
the local domain that the invoker is authorized to
"read".
-d [username] Displays password attributes for the caller or the
user specified if the invoker has the right privi‐
leges.
-D domainname Consults the passwd.org_dir table in domainname. If
this option is not specified, the default domainname
returned by nis_local_directory() will be used. This
domainname is the same as that returned by domain‐
name(1M).
-f Forces the user to change password at the next login
by expiring the password for username.
-g Changes the gecos (finger) information.
-h Changes the home directory.
-l Locks the password entry for username. Subsequently,
login(1) would disallow logins with this NIS+ password
entry.
-n min Sets minimum field for username. The min field con‐
tains the minimum number of days between password
changes for username. If min is greater than max, the
user may not change the password. Always use this
option with the -x option, unless max is set to -1
(aging turned off). In that case, min need not be
set.
-s Changes the login shell. By default, only the NIS+
administrator can change the login shell. The user
will be prompted for the new login shell.
-w warn Sets warn field for username. The warn field contains
the number of days before the password expires that
the user will be warned whenever he or she attempts to
login.
-x max Sets maximum field for username. The max field con‐
tains the number of days that the password is valid
for username. The aging for username will be turned
off immediately if max is set to -1. If it is set to
0, then the user is forced to change the password at
the next login session and aging is turned off.
EXIT STATUS
The following exit values are returned:
0 Success.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure. NIS+ passwd table unchanged.
4 NIS+ passwd table missing.
5 NIS+ is busy. Try again later.
6 Invalid argument to option.
7 Aging is disabled.
8 No memory.
9 System error.
10 Account expired.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWnisu │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOkeylogin(1), login(1), NIS+(1), nistbladm(1), passwd(1), rlogin(1),
domainname(1M), nisserver(1M), getpwnam(3C), getspnam(3C),
nis_local_directory(3NSL), nsswitch.conf(4), passwd(4), shadow(4),
attributes(5)NOTES
NIS+ might not be supported in future releases of the Solaris operating
system. Tools to aid the migration from NIS+ to LDAP are available in
the current Solaris release. For more information, visit
http://www.sun.com/directory/nisplus/transition.html.
SunOS 5.10 2 Dec 2005 nispasswd(1)