.\" $NetBSD: passwd.5,v 1.12.2.2 1999/12/17 23:14:50 he Exp $
.\"
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\" Portions Copyright (c) 1994, Jason Downs. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"    This product includes software developed by the University of
.\"    California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
.Dd January 16, 1999
.Dt PASSWD 5
.Os
.Sh NAME
.Nm passwd ,
.Nm master.passwd
.Nd format of the password file
.Sh DESCRIPTION
The
.Nm
files are the local source of password information.
They can be used in conjunction with the Hesiod domains
.Sq passwd
and
.Sq uid ,
and the
.Tn NIS
maps
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid ,
as controlled by
.Xr nsswitch.conf 5 .
.Pp
The
.Nm master.passwd
file is readable only by root, and consists of newline separated
records, one per user, containing ten colon (``:'') separated
fields. These fields are as follows:
.Pp
.Bl -tag -width password -offset indent
.It name
User's login name.
.It password
User's
.Em encrypted
password.
.It uid
User's id.
.It gid
User's login group id.
.It class
User's general classification (unused).
.It change
Password change time.
.It expire
Account expiration time.
.It gecos
General information about the user.
.It home_dir
User's home directory.
.It shell
User's login shell.
.El
.Pp
The
.Nm
file is generated from the
.Nm master.passwd
file by
.Xr pwd_mkdb 8 ,
has the class, change, and expire fields removed, and the password
field replaced by a ``*''.
.Pp
The
.Ar name
field is the login used to access the computer account, and the
.Ar uid
field is the number associated with it. They should both be unique
across the system (and often across a group of systems) since they
control file access.
.Pp
While it is possible to have multiple entries with identical login names
and/or identical user id's, it is usually a mistake to do so. Routines
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
.Pp
The login name must never begin with a hyphen (``-''); also, it is strongly
suggested that neither upper-case characters nor dots (``.'') be part
of the name, as this tends to confuse mailers. No field may contain a
colon (``:'') as this has been used historically to separate the fields
in the user database.
.Pp
The password field is the
.Em encrypted
form of the password.
If the
.Ar password
field is empty, no password will be required to gain access to the
machine. This is almost invariably a mistake.
Because these files contain the encrypted user passwords, they should
not be readable by anyone without appropriate privileges.
.Pp
The group field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see
.Xr groups 1 )
this field currently has little special meaning.
.Pp
The
.Ar class
field is a key for a user's login class. Login classes
are defined in
.Xr login.conf 5 ,
which is a
.Xr termcap 5
style database of user attributes, accounting, resource,
and environment settings.
.Pp
The
.Ar change
field is the number of seconds from the epoch,
.Dv UTC ,
until the
password for the account must be changed.
This field may be left empty to turn off the password aging feature.
.Pp
The
.Ar expire
field is the number of seconds from the epoch,
.Dv UTC ,
until the
account expires.
This field may be left empty to turn off the account aging feature.
.Pp
The
.Ar gecos
field normally contains comma (``,'') separated subfields as follows:
.Pp
.Bl -tag -width office -offset indent -compact
.It name
user's full name
.It office
user's office number
.It wphone
user's work phone number
.It hphone
user's home phone number
.El
.Pp
The full name may contain an ampersand (``&'') which will be replaced by
the capitalized login name when the gecos field is displayed or used
by various programs such as
.Xr finger 1 ,
.Xr sendmail 8 ,
etc.
.Pp
The office and phone number subfields are used by the
.Xr finger 1
program, and possibly other applications.
.Pp
The user's home directory is the full
.Ux
path name where the user
will be placed on login.
.Pp
The shell field is the command interpreter the user prefers.
If there is nothing in the
.Ar shell
field, the Bourne shell
.Pq Pa /bin/sh
is assumed.
.Sh HESIOD SUPPORT
If
.Sq dns
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd
Hesiod domain.
.Sh NIS SUPPORT
If
.Sq nis
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid
.Tn NIS
maps.
.Sh COMPAT SUPPORT
If
.Sq compat
is specified for the
.Sq passwd
database, and either
.Sq dns
or
.Sq nis
is specified for the
.Sq passwd_compat
database in
.Xr nsswitch.conf 5 ,
then the
.Nm
file also supports standard
.Sq +/-
exclusions and inclusions, based on user names and netgroups.
.Pp
Lines beginning with a ``-'' (minus sign) are entries marked as being excluded
from any following inclusions, which are marked with a ``+'' (plus sign).
.Pp
If the second character of the line is a ``@'' (at sign), the operation
involves the user fields of all entries in the netgroup specified by the
remaining characters of the
.Ar name
field.
Otherwise, the remainder of the
.Ar name
field is assumed to be a specific user name.
.Pp
The ``+'' token may also be alone in the
.Ar name
field, which causes all users from either the Hesiod domain
.Nm
(with
.Sq passwd_compat: dns )
or
.Sq passwd.byname
and
.Sq passwd.byuid
.Tn NIS
maps (with
.Sq passwd_compat: nis )
to be included.
.Pp
If the entry contains non-empty
.Ar uid
or
.Ar gid
fields, the specified numbers will override the information retrieved
from the Hesiod domain or the
.Tn NIS
maps. As well, if the
.Ar gecos ,
.Ar dir
or
.Ar shell
entries contain text, it will override the information included via
Hesiod or
.Tn NIS .
On some systems, the
.Ar passwd
field may also be overridden.
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr login 1 ,
.Xr passwd 1 ,
.Xr getpwent 3 ,
.Xr netgroup 5 ,
.Xr adduser 8 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8 ,
.Xr yp 8
.Pp
.%T "Managing NFS and NIS"
(O'Reilly & Associates)
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Pp
Placing
.Sq compat
exclusions in the file after any inclusions will have
unexpected results.
.Sh COMPATIBILITY
The password file format has changed since
.Bx 4.3 .
The following awk script can be used to convert your old-style password
file into a new style password file.
The additional fields
.Dq class ,
.Dq change
and
.Dq expire
are added, but are turned off by default.
Class is currently not implemented, but change and expire are; to set them,
use the current day in seconds from the epoch + whatever number of seconds
of offset you want.
.Bd -literal -offset indent
BEGIN { FS = ":"}
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
.Ed
.Sh HISTORY
A
.Nm
file format appeared in
.At v6 .
.Pp
The
.Tn NIS
.Nm
file format first appeared in SunOS.
.Pp
The Hesiod support first appeared in
.Fx 4.1 .
It was imported from the
.Nx
Project, where it first appeared in
.Nx 1.4 .
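An added example, not part of the original manual page or of any BSD project's code: a Python audit of master.passwd text for the conditions DESCRIPTION and COMPAT SUPPORT call out (a record without ten fields, an empty password field, upper-case letters or dots in a login name, duplicate names or uids, change/expire times already past, compat +/- lines). The function name, the sample records and the treatment of '#' lines as comments are assumptions of this example.

```python
import time
from collections import Counter

FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home_dir", "shell")

def audit_master_passwd(text, now=None):
    """Return sorted (line_no, login, finding) tuples for master.passwd text."""
    now = int(time.time()) if now is None else now
    findings, records = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):  # assumption: '#' = comment
            continue
        parts = line.split(":")
        name = parts[0]
        if name[:1] in ("+", "-"):  # COMPAT SUPPORT inclusion/exclusion line
            findings.append((no, name, "compat +/- entry, not a local account"))
            continue
        if len(parts) != len(FIELDS):
            findings.append((no, name, f"{len(parts)} fields, expected 10"))
            continue
        rec = dict(zip(FIELDS, parts))
        records.append((no, rec))
        if rec["password"] == "":
            findings.append((no, name, "empty password field: no password required"))
        if "." in name or name != name.lower():
            findings.append((no, name, "upper-case or dot in login name"))
        for field, what in (("change", "password change overdue"),
                            ("expire", "account expired")):
            value = rec[field]  # empty or 0 means aging is turned off
            if value.isdigit() and 0 < int(value) < now:
                findings.append((no, name, what))
    for key in ("name", "uid"):  # duplicates are "usually a mistake"
        counts = Counter(rec[key] for _, rec in records)
        findings += [(no, rec["name"], f"duplicate {key} {rec[key]}")
                     for no, rec in records if counts[rec[key]] > 1]
    return sorted(findings)

# Constructed sample records; the password strings are placeholders, not hashes.
SAMPLE = """\
root:$1$constructed$placeholder:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
guest::1001:1001::0:0:Guest:/home/guest:/bin/sh
J.Doe:*:1002:1002::0:946684800:J Doe,101,555-0100,:/home/jdoe:/bin/sh
old:*:1003:1003:Old Style:/home/old:/bin/sh
+@admins:::::::::
"""

if __name__ == "__main__":
    print(*audit_master_passwd(SAMPLE, now=1_000_000_000), sep="\n")
```

The seven-field record in the sample is the old-style layout that the awk script under COMPATIBILITY converts, so it is reported as a field-count mismatch rather than parsed.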