xref: /freebsd/share/man/man5/passwd.5 (revision 6af83ee0d2941d18880b6aaa2b4facd1d30c6106)
1.\"	$NetBSD: passwd.5,v 1.12.2.2 1999/12/17 23:14:50 he Exp $
2.\"
3.\" Copyright (c) 1988, 1991, 1993
4.\"	The Regents of the University of California.  All rights reserved.
5.\" Portions Copyright (c) 1994, Jason Downs.  All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:
10.\" 1. Redistributions of source code must retain the above copyright
11.\"    notice, this list of conditions and the following disclaimer.
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\" 3. All advertising materials mentioning features or use of this software
16.\"    must display the following acknowledgement:
17.\"	This product includes software developed by the University of
18.\"	California, Berkeley and its contributors.
19.\" 4. Neither the name of the University nor the names of its contributors
20.\"    may be used to endorse or promote products derived from this software
21.\"    without specific prior written permission.
22.\"
23.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33.\" SUCH DAMAGE.
34.\"
35.\"     From: @(#)passwd.5	8.1 (Berkeley) 6/5/93
36.\" $FreeBSD$
37.\"
38.Dd February 8, 2005
39.Dt PASSWD 5
40.Os
41.Sh NAME
42.Nm passwd ,
43.Nm master.passwd
44.Nd format of the password file
45.Sh DESCRIPTION
46The
47.Nm
48files are the local source of password information.
49They can be used in conjunction with the Hesiod domains
50.Sq passwd
51and
52.Sq uid ,
53and the
54.Tn NIS
55maps
56.Sq passwd.byname ,
57.Sq passwd.byuid ,
58.Sq master.passwd.byname ,
59and
60.Sq master.passwd.byuid ,
61as controlled by
62.Xr nsswitch.conf 5 .
63.Pp
64For consistency, none of these files should ever be modified
65manually.
66.Pp
67The
68.Nm master.passwd
69file is readable only by root, and consists of newline separated
70records, one per user, containing ten colon (``:'') separated
71fields.
72These fields are as follows:
73.Pp
74.Bl -tag -width password -offset indent
75.It name
76User's login name.
77.It password
78User's
79.Em encrypted
80password.
81.It uid
82User's id.
83.It gid
84User's login group id.
85.It class
86User's login class.
87.It change
88Password change time.
89.It expire
90Account expiration time.
91.It gecos
92General information about the user.
93.It home_dir
94User's home directory.
95.It shell
96User's login shell.
97.El
98.Pp
The
.Nm
file is generated from the
.Nm master.passwd
file by
.Xr pwd_mkdb 8 ;
it has the class, change, and expire fields removed and the password
field replaced by a ``*''.
.Pp
The
.Ar name
field is the login used to access the computer account, and the
.Ar uid
field is the number associated with it.
They should both be unique
across the system (and often across a group of systems) since they
control file access.
.Pp
While it is possible to have multiple entries with identical login names
and/or identical user ids, it is usually a mistake to do so.
Routines
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
.Pp
The login name must never begin with a hyphen (``-''); also, it is strongly
suggested that neither upper-case characters nor dots (``.'') be part
of the name, as this tends to confuse mailers.
No field may contain a
colon (``:'') as this has been used historically to separate the fields
in the user database.
.Pp
The password field is the
.Em encrypted
form of the password, see
.Xr crypt 3 .
If the
.Ar password
field is empty, no password will be required to gain access to the
machine.
This is almost invariably a mistake.
Because these files contain the encrypted user passwords, they should
not be readable by anyone without appropriate privileges.
.Pp
The group field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see
.Xr groups 1 )
this field currently has little special meaning.
.Pp
The
.Ar class
field is a key for a user's login class.
Login classes
are defined in
.Xr login.conf 5 ,
which is a
.Xr termcap 5
style database of user attributes, accounting, resource,
and environment settings.
.Pp
The
.Ar change
field is the number of seconds from the epoch,
.Dv UTC ,
until the
password for the account must be changed.
This field may be left empty to turn off the password aging feature.
.Pp
The
.Ar expire
field is the number of seconds from the epoch,
.Dv UTC ,
until the
account expires.
This field may be left empty to turn off the account aging feature.
.Pp
The
.Ar gecos
field normally contains comma (``,'') separated subfields as follows:
.Pp
.Bl -tag -width office -offset indent -compact
.It name
user's full name
.It office
user's office number
.It wphone
user's work phone number
.It hphone
user's home phone number
.El
.Pp
The full name may contain an ampersand (``&'') which will be replaced by
the capitalized login name when the gecos field is displayed or used
by various programs such as
.Xr finger 1 ,
.Xr sendmail 8 ,
etc.
.Pp
The office and phone number subfields are used by the
.Xr finger 1
program, and possibly other applications.
.Pp
The user's home directory is the full
.Ux
path name where the user
will be placed on login.
.Pp
The shell field is the command interpreter the user prefers.
If there is nothing in the
.Ar shell
field, the Bourne shell
.Pq Pa /bin/sh
is assumed.
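The field rules described above, applied by an added Python example that is not part of this manual page or of FreeBSD: it splits master.passwd records into the ten fields, expands the gecos ampersand, defaults an empty shell to /bin/sh, and flags the conditions the text calls mistakes. The sample records and the placeholder hash strings are constructed.

```python
# Added example, not from the FreeBSD manual page: it parses master.passwd(5)
# records and checks the rules the page states. Sample records are constructed
# and the password hashes are placeholders, not real crypt(3) output.
from collections import Counter

FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home_dir", "shell")

def parse_record(line):
    """Split one master.passwd line into its ten fields."""
    parts = line.rstrip("\n").split(":")     # a colon can never appear in a field
    if len(parts) != len(FIELDS):
        raise ValueError("expected 10 fields, got %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    # Empty change/expire turns password or account aging off.
    rec["change"] = int(rec["change"]) if rec["change"] else None
    rec["expire"] = int(rec["expire"]) if rec["expire"] else None
    rec["shell"] = rec["shell"] or "/bin/sh"  # empty shell means the Bourne shell
    return rec

def full_name(rec):
    """First gecos subfield, with '&' replaced by the capitalized login name."""
    return rec["gecos"].split(",")[0].replace("&", rec["name"].capitalize())

def audit(lines):
    """Return (login, problem) pairs for the conditions the page warns about."""
    recs = [parse_record(l) for l in lines if l.strip() and not l.startswith("#")]
    names = Counter(r["name"] for r in recs)
    uids = Counter(r["uid"] for r in recs)
    problems = []
    for r in recs:
        if r["name"].startswith("-"):
            problems.append((r["name"], "login name begins with a hyphen"))
        if any(c.isupper() or c == "." for c in r["name"]):
            problems.append((r["name"], "upper-case or dot in login name"))
        if r["password"] == "":
            problems.append((r["name"], "empty password field: no password required"))
        if names[r["name"]] > 1:
            problems.append((r["name"], "duplicate login name"))
        if uids[r["uid"]] > 1:
            problems.append((r["name"], "duplicate uid %d" % r["uid"]))
    return problems

SAMPLE = [  # constructed records, one per line of a master.passwd file
    "root:$6$PLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh",
    "alice:$6$PLACEHOLDER:1001:1001:staff:0:0:Alice Example,101,555-0100,555-0101:/home/alice:",
    "Bob.Guest::1002:1002::::Guest account:/home/guest:/bin/sh",
    "backup:$6$PLACEHOLDER:1001:1001::::Backup operator:/home/backup:/bin/sh",
]
```

Running `audit(SAMPLE)` reports the mixed-case name, the empty password field and the shared uid, which are exactly the conditions this section says to avoid.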
.Sh HESIOD SUPPORT
If
.Sq dns
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd
Hesiod domain.
.Sh NIS SUPPORT
If
.Sq nis
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid
.Tn NIS
maps.
.Sh COMPAT SUPPORT
If
.Sq compat
is specified for the
.Sq passwd
database, and either
.Sq dns
or
.Sq nis
is specified for the
.Sq passwd_compat
database in
.Xr nsswitch.conf 5 ,
then the
.Nm
file also supports standard
.Sq +/-
exclusions and inclusions, based on user names and netgroups.
.Pp
Lines beginning with a ``-'' (minus sign) are entries marked as being excluded
from any following inclusions, which are marked with a ``+'' (plus sign).
.Pp
If the second character of the line is a ``@'' (at sign), the operation
involves the user fields of all entries in the netgroup specified by the
remaining characters of the
.Ar name
field.
Otherwise, the remainder of the
.Ar name
field is assumed to be a specific user name.
.Pp
The ``+'' token may also be alone in the
.Ar name
field, which causes all users from either the Hesiod domain
.Nm
(with
.Sq passwd_compat: dns )
or
.Sq passwd.byname
and
.Sq passwd.byuid
.Tn NIS
maps (with
.Sq passwd_compat: nis )
to be included.
.Pp
If the entry contains non-empty
.Ar uid
or
.Ar gid
fields, the specified numbers will override the information retrieved
from the Hesiod domain or the
.Tn NIS
maps.
As well, if the
.Ar gecos ,
.Ar dir
or
.Ar shell
entries contain text, it will override the information included via
Hesiod or
.Tn NIS .
On some systems, the
.Ar passwd
field may also be overridden.
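The +/- resolution this section describes, as an added Python example that is not code from FreeBSD or this manual page: exclusions apply only to inclusions that follow them, `+@netgroup` and `-@netgroup` expand through a netgroup map, a bare `+` pulls in every remote user, and non-empty uid, gid, gecos, dir and shell fields in the `+` entry override the remote values. Records use the ten master.passwd fields; the NIS directory, netgroups and local entries are constructed.

```python
# Added example, not from the FreeBSD manual page: it resolves the '+'/'-'
# compat entries described above against a constructed NIS/Hesiod directory.
# Records use the ten master.passwd(5) fields; all sample data is constructed.
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home_dir", "shell")
OVERRIDABLE = ("uid", "gid", "gecos", "home_dir", "shell")

def _rec(line):
    return dict(zip(FIELDS, line.rstrip("\n").split(":")))

def resolve_compat(local_lines, remote, netgroups):
    """Apply +/- entries in file order and return {login: record}.
    remote: login -> record from the Hesiod domain or NIS maps.
    netgroups: netgroup -> set of logins, as in netgroup(5).
    A '-' entry excludes logins only from inclusions that follow it."""
    result, excluded = {}, set()
    for line in local_lines:
        rec = _rec(line)
        name = rec["name"]
        if not name or name[0] not in "+-":
            result[name] = rec                 # ordinary local entry
            continue
        if name[1:2] == "@":                   # +@netgroup / -@netgroup
            logins = set(netgroups.get(name[2:], ()))
        elif name == "+":                      # bare '+': every remote user
            logins = set(remote)
        else:                                  # +user / -user
            logins = {name[1:]}
        if name[0] == "-":
            excluded |= logins
            continue
        for login in logins - excluded:
            if login in remote and login not in result:
                merged = dict(remote[login])
                for f in OVERRIDABLE:          # non-empty local fields win
                    if rec.get(f):
                        merged[f] = rec[f]
                result[login] = merged
    return result

REMOTE = {r["name"]: r for r in map(_rec, [
    "alice:*:2001:100::0:0:Alice Example:/nfs/home/alice:/bin/sh",
    "bob:*:2002:100::0:0:Bob Example:/nfs/home/bob:/bin/sh",
    "carol:*:2003:200::0:0:Carol Contractor:/nfs/home/carol:/bin/sh"])}
NETGROUPS = {"staff": {"alice", "bob"}, "contractors": {"carol"}}
LOCAL = [
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh",
    "-@contractors:*::::::::",                        # exclude before including
    "+bob:*:::::::/usr/local/home/bob:/bin/tcsh",     # override bob's dir and shell
    "+:*::::::::"]                                    # everyone else from NIS
```

Reversing the order of the `-@contractors` and `+` lines makes the exclusion ineffective, which is the ordering problem recorded under BUGS below.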
.Sh FILES
.Bl -tag -width ".Pa /etc/master.passwd" -compact
.It Pa /etc/passwd
.Tn ASCII
password file, with passwords removed
.It Pa /etc/pwd.db
.Xr db 3 Ns -format
password database, with passwords removed
.It Pa /etc/master.passwd
.Tn ASCII
password file, with passwords intact
.It Pa /etc/spwd.db
.Xr db 3 Ns -format
password database, with passwords intact
.El
.Sh COMPATIBILITY
The password file format has changed since
.Bx 4.3 .
The following awk script can be used to convert your old-style password
file into a new style password file.
The additional fields
.Dq class ,
.Dq change
and
.Dq expire
are added, but are turned off by default.
Class is currently not implemented, but change and expire are; to set them,
use the current day in seconds from the epoch + whatever number of seconds
of offset you want.
.Bd -literal -offset indent
BEGIN { FS = ":"}
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
.Ed
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr login 1 ,
.Xr passwd 1 ,
.Xr crypt 3 ,
.Xr getpwent 3 ,
.Xr login.conf 5 ,
.Xr netgroup 5 ,
.Xr adduser 8 ,
.Xr pw 8 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8 ,
.Xr yp 8
.Pp
.%T "Managing NFS and NIS"
(O'Reilly & Associates)
.Sh HISTORY
A
.Nm
file format appeared in
.At v6 .
.Pp
The
.Tn NIS
.Nm
file format first appeared in SunOS.
.Pp
The Hesiod support first appeared in
.Fx 4.1 .
It was imported from the
.Nx
Project, where it first appeared in
.Nx 1.4 .
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Pp
Placing
.Sq compat
exclusions in the file after any inclusions will have
unexpected results.
378