xref: /illumos-gate/usr/src/lib/passwdutil/README.SunOS-aging (revision 7c478bd95313f5f23a4c958a745db2134aa03244)

#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

 Copyright (c) 2001 by Sun Microsystems, Inc.
 All rights reserved.

 ident	"%Z%%M%	%I%	%E% SMI"





From ALT 2600 FAQ:

A-06. What are those weird characters after the comma in my passwd file?

The characters are password aging data.  Password aging forces the
user to change passwords after a system administrator-specified period
of time.  Password aging can also force a user to keep a password for
a certain number of weeks before changing it.

]
] Sample entry from /etc/passwd with password aging installed:
]
] voyager:5fg63fhD3d,M.z8:9406:12:The Voyager:/home/voyager:/bin/bash
]

Note the comma in the encrypted password field.  The characters after
the comma are used by the password aging mechanism.

]
] Password aging characters from above example:
]
] M.z8
]

The four characters are interpreted as follows:

  1: Maximum number of weeks a password can be used without changing.
  2: Minimum number of weeks a password must be used before changing.
3& 4: Last time password was changed, in number of weeks since 1970.

JV: 3 & 4 are in (low,high), where the number of weeks is (low+high*64).


Three special cases should be noted:

If the first and second characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in.  The
passwd program will then remove the passwd aging characters, and the
user will not be subjected to password aging requirements again.

If the third and fourth characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in. Password
aging will then occur as defined by the first and second characters.

If the first character (MAX) is less than the second character (MIN),
the user is not allowed to change his/her password.  Only root can
change that users password.

It should also be noted that the su command does not check the password
aging data.  An account with an expired password can be su'd to
without being forced to change the password.


                        Password Aging Codes
+------------------------------------------------------------------------+
|                                                                        |
| Character:  .  /  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  G  H |
|    Number:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 |
|                                                                        |
| Character:  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  a  b |
|    Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|                                                                        |
| Character:  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v |
|    Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|                                                                        |
| Character:  w  x  y  z                                                 |
|    Number: 60 61 62 63                                                 |
|                                                                        |
+------------------------------------------------------------------------+