.\"	$NetBSD: passwd.5,v 1.12.2.2 1999/12/17 23:14:50 he Exp $
.\"
.\" Copyright (c) 1988, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\" Portions Copyright (c) 1994, Jason Downs.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     From: @(#)passwd.5	8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
.Dd January 16, 1999
.Dt PASSWD 5
.Os
.Sh NAME
.Nm passwd ,
.Nm master.passwd
.Nd format of the password file
.Sh DESCRIPTION
The
.Nm
files are the local source of password information.
They can be used in conjunction with the Hesiod domains
.Sq passwd
and
.Sq uid ,
and the
.Tn NIS
maps
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid ,
as controlled by
.Xr nsswitch.conf 5 .
.Pp
The
.Nm master.passwd
file is readable only by root, and consists of newline separated
records, one per user, containing ten colon (``:'') separated
fields.
These fields are as follows:
.Pp
.Bl -tag -width password -offset indent
.It name
User's login name.
.It password
User's
.Em encrypted
password.
.It uid
User's id.
.It gid
User's login group id.
.It class
User's login class.
.It change
Password change time.
.It expire
Account expiration time.
.It gecos
General information about the user.
.It home_dir
User's home directory.
.It shell
User's login shell.
.El
.Pp
The
.Nm
file is generated from the
.Nm master.passwd
file by
.Xr pwd_mkdb 8 ,
has the class, change, and expire fields removed, and the password
field replaced by a ``*''.
.Pp
The
.Ar name
field is the login used to access the computer account, and the
.Ar uid
field is the number associated with it.
They should both be unique
across the system (and often across a group of systems) since they
control file access.
.Pp
While it is possible to have multiple entries with identical login names
and/or identical user id's, it is usually a mistake to do so.
Routines
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
.Pp
The login name must never begin with a hyphen (``-''); also, it is strongly
suggested that neither upper-case characters nor dots (``.'') be part
of the name, as this tends to confuse mailers.
No field may contain a
colon (``:'') as this has been used historically to separate the fields
in the user database.
.Pp
The password field is the
.Em encrypted
form of the password.
If the
.Ar password
field is empty, no password will be required to gain access to the
machine.
This is almost invariably a mistake.
Because these files contain the encrypted user passwords, they should
not be readable by anyone without appropriate privileges.
.Pp
The group field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see
.Xr groups 1 )
this field currently has little special meaning.
.Pp
The
.Ar class
field is a key for a user's login class.
Login classes
are defined in
.Xr login.conf 5 ,
which is a
.Xr termcap 5
style database of user attributes, accounting, resource,
and environment settings.
.Pp
The
.Ar change
field is the number of seconds from the epoch,
.Dv UTC ,
until the
password for the account must be changed.
This field may be left empty to turn off the password aging feature.
.Pp
The
.Ar expire
field is the number of seconds from the epoch,
.Dv UTC ,
until the
account expires.
This field may be left empty to turn off the account aging feature.
.Pp
The
.Ar gecos
field normally contains comma (``,'') separated subfields as follows:
.Pp
.Bl -tag -width office -offset indent -compact
.It name
user's full name
.It office
user's office number
.It wphone
user's work phone number
.It hphone
user's home phone number
.El
.Pp
The full name may contain an ampersand (``&'') which will be replaced by
the capitalized login name when the gecos field is displayed or used
by various programs such as
.Xr finger 1 ,
.Xr sendmail 8 ,
etc.
.Pp
The office and phone number subfields are used by the
.Xr finger 1
program, and possibly other applications.
.Pp
The user's home directory is the full
.Ux
path name where the user
will be placed on login.
.Pp
The shell field is the command interpreter the user prefers.
If there is nothing in the
.Ar shell
field, the Bourne shell
.Pq Pa /bin/sh
is assumed.
.Sh HESIOD SUPPORT
If
.Sq dns
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd
Hesiod domain.
.Sh NIS SUPPORT
If
.Sq nis
is specified for the
.Sq passwd
database in
.Xr nsswitch.conf 5 ,
then
.Nm
lookups occur from the
.Sq passwd.byname ,
.Sq passwd.byuid ,
.Sq master.passwd.byname ,
and
.Sq master.passwd.byuid
.Tn NIS
maps.
.Sh COMPAT SUPPORT
If
.Sq compat
is specified for the
.Sq passwd
database, and either
.Sq dns
or
.Sq nis
is specified for the
.Sq passwd_compat
database in
.Xr nsswitch.conf 5 ,
then the
.Nm
file also supports standard
.Sq +/-
exclusions and inclusions, based on user names and netgroups.
.Pp
Lines beginning with a ``-'' (minus sign) are entries marked as being excluded
from any following inclusions, which are marked with a ``+'' (plus sign).
.Pp
If the second character of the line is a ``@'' (at sign), the operation
involves the user fields of all entries in the netgroup specified by the
remaining characters of the
.Ar name
field.
Otherwise, the remainder of the
.Ar name
field is assumed to be a specific user name.
.Pp
The ``+'' token may also be alone in the
.Ar name
field, which causes all users from either the Hesiod domain
.Nm
(with
.Sq passwd_compat: dns )
or
.Sq passwd.byname
and
.Sq passwd.byuid
.Tn NIS
maps (with
.Sq passwd_compat: nis )
to be included.
.Pp
If the entry contains non-empty
.Ar uid
or
.Ar gid
fields, the specified numbers will override the information retrieved
from the Hesiod domain or the
.Tn NIS
maps.
As well, if the
.Ar gecos ,
.Ar dir
or
.Ar shell
entries contain text, it will override the information included via
Hesiod or
.Tn NIS .
On some systems, the
.Ar passwd
field may also be overridden.
.Sh FILES
.Bl -tag -width ".Pa /etc/master.passwd" -compact
.It Pa /etc/passwd
.Tn ASCII
password file, with passwords removed
.It Pa /etc/pwd.db
.Xr db 3 Ns -format
password database, with passwords removed
.It Pa /etc/master.passwd
.Tn ASCII
password file, with passwords intact
.It Pa /etc/spwd.db
.Xr db 3 Ns -format
password database, with passwords intact
.El
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr login 1 ,
.Xr passwd 1 ,
.Xr getpwent 3 ,
.Xr login.conf 5 ,
.Xr netgroup 5 ,
.Xr adduser 8 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8 ,
.Xr yp 8
.Pp
.%T "Managing NFS and NIS"
(O'Reilly & Associates)
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Pp
Placing
.Sq compat
exclusions in the file after any inclusions will have
unexpected results.
.Sh COMPATIBILITY
The password file format has changed since
.Bx 4.3 .
The following awk script can be used to convert your old-style password
file into a new style password file.
The additional fields
.Dq class ,
.Dq change
and
.Dq expire
are added, but are turned off by default.
Class is currently not implemented, but change and expire are; to set them,
use the current day in seconds from the epoch + whatever number of seconds
of offset you want.
.Bd -literal -offset indent
BEGIN { FS = ":"}
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
.Ed
.Sh HISTORY
A
.Nm
file format appeared in
.At v6 .
.Pp
The
.Tn NIS
.Nm
file format first appeared in SunOS.
.Pp
The Hesiod support first appeared in
.Fx 4.1 .
It was imported from the
.Nx
Project, where it first appeared in
.Nx 1.4 .
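.Pp
The record rules in DESCRIPTION (ten fields, unique names and uids, non-empty password, aging times) and the compat ordering problem noted in BUGS can be checked mechanically.
The audit below is an added example, not part of the original manual page or of any system utility; the function name audit_master_passwd, the finding messages and the sample records are constructed for illustration.

```python
import time

FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")

# Constructed sample records (not real accounts); "*" stands in for a hash.
SAMPLE = """root:*:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
guest::1001:1001::0:0:Guest:/home/guest:/bin/sh
J.Doe:*:1002:1002::0:1000:Jane Doe:/home/jdoe:/bin/sh
+@staff:::::::::
-mallory:::::::::
old:*:1003:1003:Old Style:/home/old:/bin/sh
"""

def audit_master_passwd(text, now=None):
    """Return (line_number, message) findings for master.passwd-format text."""
    now = time.time() if now is None else now
    findings, names, uids, seen_inclusion = [], {}, {}, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line[0] in "+-":
            # compat entry; a login name starting with "-" would be
            # indistinguishable from an exclusion at this point
            if line[0] == "+":
                seen_inclusion = True
            elif seen_inclusion:
                findings.append((lineno, "compat exclusion after an inclusion"))
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings.append((lineno, f"expected 10 fields, found {len(parts)}"))
            continue
        rec = dict(zip(FIELDS, parts))
        name = rec["name"]
        if rec["password"] == "":
            findings.append((lineno, f"{name}: empty password, login needs none"))
        if any(c.isupper() or c == "." for c in name):
            findings.append((lineno, f"{name}: upper-case or dot in login name"))
        for label, seen, key in (("name", names, name), ("uid", uids, rec["uid"])):
            if key in seen:
                findings.append((lineno, f"{name}: {label} also on line {seen[key]}"))
            seen.setdefault(key, lineno)
        for field in ("change", "expire"):
            # empty or 0 turns aging off; otherwise seconds since the epoch, UTC
            value = rec[field]
            if value.isdigit() and 0 < int(value) < now:
                findings.append((lineno, f"{name}: {field} time has passed"))
    return findings
```

Run it on a copy of the file rather than the live one; the seven-field line in the sample is an old-style record of the kind the awk script in COMPATIBILITY converts.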