Diffstat (limited to 'static/freebsd/man5/passwd.5 3.html')
| -rw-r--r-- | static/freebsd/man5/passwd.5 3.html | 282 |
1 files changed, 282 insertions, 0 deletions
diff --git a/static/freebsd/man5/passwd.5 3.html b/static/freebsd/man5/passwd.5 3.html new file mode 100644 index 00000000..713b1d4e --- /dev/null +++ b/static/freebsd/man5/passwd.5 3.html 
@@ -0,0 +1,282 @@ +<table class="head"> + <tr> + <td class="head-ltitle">PASSWD(5)</td> + <td class="head-vol">File Formats Manual</td> + <td class="head-rtitle">PASSWD(5)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">passwd</code>, + <code class="Nm">master.passwd</code>, <code class="Nm">pwd.db</code>, + <code class="Nm">spwd.db</code> — <span class="Nd">format of the + password file</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The <code class="Nm">passwd</code> files are the local source of + password information. They can be used in conjunction with the Hesiod + domains ‘<code class="Li">passwd</code>’ and + ‘<code class="Li">uid</code>’, and the NIS maps + ‘<code class="Li">passwd.byname</code>’, + ‘<code class="Li">passwd.byuid</code>’, + ‘<code class="Li">master.passwd.byname</code>’, and + ‘<code class="Li">master.passwd.byuid</code>’, as controlled + by <a class="Xr">nsswitch.conf(5)</a>.</p> +<p class="Pp">For consistency, none of these files should ever be modified + manually.</p> +<p class="Pp">The <code class="Nm">master.passwd</code> file is readable only by + root, and consists of newline separated records, one per user, containing + ten colon (‘<code class="Li">:</code>’) separated fields. 
+ These fields are as follows:</p> +<div class="Bd-indent"> +<dl class="Bl-tag"> + <dt><var class="Ar">name</var></dt> + <dd>User's login name.</dd> + <dt><var class="Ar">password</var></dt> + <dd>User's <i class="Em">encrypted</i> password.</dd> + <dt><var class="Ar">uid</var></dt> + <dd>User's id.</dd> + <dt><var class="Ar">gid</var></dt> + <dd>User's login group id.</dd> + <dt><var class="Ar">class</var></dt> + <dd>User's login class.</dd> + <dt><var class="Ar">change</var></dt> + <dd>Password change time.</dd> + <dt><var class="Ar">expire</var></dt> + <dd>Account expiration time.</dd> + <dt><var class="Ar">gecos</var></dt> + <dd>General information about the user.</dd> + <dt><var class="Ar">home_dir</var></dt> + <dd>User's home directory.</dd> + <dt><var class="Ar">shell</var></dt> + <dd>User's login shell.</dd> +</dl> +</div> +<p class="Pp">The <code class="Nm">passwd</code> file is generated from the + <code class="Nm">master.passwd</code> file by <a class="Xr">pwd_mkdb(8)</a>, + has the <var class="Ar">class</var>, <var class="Ar">change</var>, and + <var class="Ar">expire</var> fields removed, and the + <var class="Ar">password</var> field replaced by a + ‘<code class="Li">*</code>’ character.</p> +<p class="Pp">The <var class="Ar">name</var> field is the login used to access + the computer account, and the <var class="Ar">uid</var> field is the number + associated with it. They should both be unique across the system (and often + across a group of systems) since they control file access.</p> +<p class="Pp">While it is possible to have multiple entries with identical login + names and/or identical user id's, it is usually a mistake to do so. 
Routines + that manipulate these files will often return only one of the multiple + entries, and that one by random selection.</p> +<p class="Pp">The login name must not begin with a hyphen + (‘<code class="Li">-</code>’), and cannot contain 8-bit + characters, tabs or spaces, or any of these symbols: + ‘<code class="Li">,:+&#%^()!@~*?<>=|\/";</code>’. + The dollar symbol (‘<code class="Li">$</code>’) is allowed + only as the last character for use with Samba. No field may contain a colon + (‘<code class="Li">:</code>’) as this has been used + historically to separate the fields in the user database.</p> +<p class="Pp">Case is significant. Login names + ‘<code class="Li">Lrrr</code>’ and + ‘<code class="Li">lrrr</code>’ represent different users. Be + aware of this when interoperating with systems that do not have + case-sensitive login names.</p> +<p class="Pp">In the <code class="Nm">master.passwd</code> file, the + <var class="Ar">password</var> field is the <i class="Em">encrypted</i> form + of the password, see <a class="Xr">crypt(3)</a>. If the + <var class="Ar">password</var> field is empty, no password will be required + to gain access to the machine. This is almost invariably a mistake, so + authentication components such as PAM can forcibly disallow remote access to + passwordless accounts. Because this file contains the encrypted user + passwords, it should not be readable by anyone without appropriate + privileges.</p> +<p class="Pp">A password of ‘<code class="Li">*</code>’ indicates + that password authentication is disabled for that account (logins through + other forms of authentication, e.g., using <a class="Xr">ssh(1)</a> keys, + will still work). 
The field only contains encrypted passwords, and + ‘<code class="Li">*</code>’ can never be the result of + encrypting a password.</p> +<p class="Pp">An encrypted password prefixed by + ‘<code class="Li">*LOCKED*</code>’ means that the account is + temporarily locked out and no one can log into it using any authentication. + For a convenient command-line interface to account locking, see + <a class="Xr">pw(8)</a>.</p> +<p class="Pp">The <var class="Ar">group</var> field is the group that the user + will be placed in upon login. Since this system supports multiple groups + (see <a class="Xr">groups(1)</a>) this field currently has little special + meaning.</p> +<p class="Pp">The <var class="Ar">class</var> field is a key for a user's login + class. Login classes are defined in <a class="Xr">login.conf(5)</a>, which + is a <a class="Xr">termcap(5)</a> style database of user attributes, + accounting, resource, and environment settings.</p> +<p class="Pp">The <var class="Ar">change</var> field is the number of seconds + from the epoch, <code class="Dv">UTC</code>, until the password for the + account must be changed. This field may be left empty to turn off the + password aging feature; a value of zero is equivalent to leaving the field + empty.</p> +<p class="Pp">The <var class="Ar">expire</var> field is the number of seconds + from the epoch, <code class="Dv">UTC</code>, until the account expires. 
This + field may be left empty to turn off the account aging feature; a value of + zero is equivalent to leaving the field empty.</p> +<p class="Pp">The <var class="Ar">gecos</var> field normally contains comma + (‘<code class="Li">,</code>’) separated subfields as + follows:</p> +<p class="Pp"></p> +<div class="Bd-indent"> +<dl class="Bl-tag Bl-compact"> + <dt><var class="Ar">name</var></dt> + <dd>user's full name</dd> + <dt><var class="Ar">office</var></dt> + <dd>user's office number</dd> + <dt><var class="Ar">wphone</var></dt> + <dd>user's work phone number</dd> + <dt><var class="Ar">hphone</var></dt> + <dd>user's home phone number</dd> +</dl> +</div> +<p class="Pp">The full <var class="Ar">name</var> may contain an ampersand + (‘<code class="Li">&</code>’) which will be replaced by + the capitalized login <var class="Ar">name</var> when the + <var class="Ar">gecos</var> field is displayed or used by various programs + such as <a class="Xr">finger(1)</a>, <a class="Xr">sendmail(8)</a>, etc.</p> +<p class="Pp">The <var class="Ar">office</var> and phone number subfields are + used by the <a class="Xr">finger(1)</a> program, and possibly other + applications.</p> +<p class="Pp">The user's home directory, <var class="Ar">home_dir</var>, is the + full <span class="Ux">UNIX</span> path name where the user will be placed on + login.</p> +<p class="Pp">The <var class="Ar">shell</var> field is the command interpreter + the user prefers. If there is nothing in the <var class="Ar">shell</var> + field, the Bourne shell (<span class="Pa">/bin/sh</span>) is assumed. 
The + conventional way to disable logging into an account once and for all, as it + is done for system accounts, is to set its <var class="Ar">shell</var> to + <span class="Pa">/sbin/nologin</span> (see + <a class="Xr">nologin(8)</a>).</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="HESIOD_SUPPORT"><a class="permalink" href="#HESIOD_SUPPORT">HESIOD + SUPPORT</a></h1> +<p class="Pp">If ‘<code class="Li">dns</code>’ is specified for + the ‘<code class="Li">passwd</code>’ database in + <a class="Xr">nsswitch.conf(5)</a>, then <code class="Nm">passwd</code> + lookups occur from the ‘<code class="Li">passwd</code>’ Hesiod + domain.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="NIS_SUPPORT"><a class="permalink" href="#NIS_SUPPORT">NIS + SUPPORT</a></h1> +<p class="Pp">If ‘<code class="Li">nis</code>’ is specified for + the ‘<code class="Li">passwd</code>’ database in + <a class="Xr">nsswitch.conf(5)</a>, then <code class="Nm">passwd</code> + lookups occur from the + ‘<code class="Li">passwd.byname</code>’, + ‘<code class="Li">passwd.byuid</code>’, + ‘<code class="Li">master.passwd.byname</code>’, and + ‘<code class="Li">master.passwd.byuid</code>’ NIS maps.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="COMPAT_SUPPORT"><a class="permalink" href="#COMPAT_SUPPORT">COMPAT + SUPPORT</a></h1> +<p class="Pp">If ‘<code class="Li">compat</code>’ is specified for + the ‘<code class="Li">passwd</code>’ database, and either + ‘<code class="Li">dns</code>’ or + ‘<code class="Li">nis</code>’ is specified for the + ‘<code class="Li">passwd_compat</code>’ database in + <a class="Xr">nsswitch.conf(5)</a>, then the <code class="Nm">passwd</code> + file also supports standard + ‘<code class="Li">+</code>/<code class="Li">-</code>’ + exclusions and inclusions, based on user names and netgroups.</p> +<p class="Pp">Lines beginning with a ‘<code class="Li">-</code>’ + (minus sign) are entries marked as being excluded from any following + inclusions, which are 
marked with a + ‘<code class="Li">+</code>’ (plus sign).</p> +<p class="Pp">If the second character of the line is a + ‘<code class="Li">@</code>’ (at sign), the operation involves + the user fields of all entries in the netgroup specified by the remaining + characters of the <var class="Ar">name</var> field. Otherwise, the remainder + of the <var class="Ar">name</var> field is assumed to be a specific user + name.</p> +<p class="Pp">The ‘<code class="Li">+</code>’ token may also be + alone in the <var class="Ar">name</var> field, which causes all users from + either the Hesiod domain <code class="Nm">passwd</code> (with + ‘<code class="Li">passwd_compat: dns</code>’) or + ‘<code class="Li">passwd.byname</code>’ and + ‘<code class="Li">passwd.byuid</code>’ NIS maps (with + ‘<code class="Li">passwd_compat: nis</code>’) to be + included.</p> +<p class="Pp">If the entry contains non-empty <var class="Ar">uid</var> or + <var class="Ar">gid</var> fields, the specified numbers will override the + information retrieved from the Hesiod domain or the NIS maps. Likewise, if + the <var class="Ar">gecos</var>, <var class="Ar">dir</var> or + <var class="Ar">shell</var> entries contain text, it will override the + information included via Hesiod or NIS . 
On some systems, the + <var class="Ar">passwd</var> field may also be overridden.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="FILES"><a class="permalink" href="#FILES">FILES</a></h1> +<dl class="Bl-tag Bl-compact"> + <dt><span class="Pa">/etc/passwd</span></dt> + <dd>ASCII password file, with passwords removed</dd> + <dt><span class="Pa">/etc/pwd.db</span></dt> + <dd><a class="Xr">db(3)</a>-format password database, with passwords + removed</dd> + <dt><span class="Pa">/etc/master.passwd</span></dt> + <dd>ASCII password file, with passwords intact</dd> + <dt><span class="Pa">/etc/spwd.db</span></dt> + <dd><a class="Xr">db(3)</a>-format password database, with passwords + intact</dd> +</dl> +</section> +<section class="Sh"> +<h1 class="Sh" id="COMPATIBILITY"><a class="permalink" href="#COMPATIBILITY">COMPATIBILITY</a></h1> +<p class="Pp">The password file format has changed since + <span class="Ux">4.3BSD</span>. The following awk script can be used to + convert your old-style password file into a new style password file. The + additional fields <var class="Ar">class</var>, <var class="Ar">change</var> + and <var class="Ar">expire</var> are added, but are turned off by default + (setting these fields to zero is equivalent to leaving them blank). 
Class is + currently not implemented, but change and expire are; to set them, use the + current day in seconds from the epoch + whatever number of seconds of offset + you want.</p> +<div class="Bd Pp Bd-indent Li"> +<pre>BEGIN { FS = ":"} +{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }</pre> +</div> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">chpass(1)</a>, <a class="Xr">login(1)</a>, + <a class="Xr">passwd(1)</a>, <a class="Xr">crypt(3)</a>, + <a class="Xr">getpwent(3)</a>, <a class="Xr">login.conf(5)</a>, + <a class="Xr">netgroup(5)</a>, <a class="Xr">nsswitch.conf(5)</a>, + <a class="Xr">adduser(8)</a>, <a class="Xr">nologin(8)</a>, + <a class="Xr">pw(8)</a>, <a class="Xr">pwd_mkdb(8)</a>, + <a class="Xr">vipw(8)</a>, <a class="Xr">yp(8)</a></p> +<p class="Pp"><span class="RsT">Managing NFS and NIS</span> (O'Reilly & + Associates)</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> +<p class="Pp">A <code class="Nm">passwd</code> file format first appeared in + <span class="Ux">Version 1 AT&T UNIX</span>.</p> +<p class="Pp">The NIS <code class="Nm">passwd</code> file format first appeared + in SunOS.</p> +<p class="Pp">The Hesiod support first appeared in <span class="Ux">FreeBSD + 4.1</span>. 
It was imported from the <span class="Ux">NetBSD</span> Project, + where it first appeared in <span class="Ux">NetBSD 1.4</span>.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1> +<p class="Pp">User information should (and eventually will) be stored + elsewhere.</p> +<p class="Pp">Placing ‘<code class="Li">compat</code>’ exclusions + in the file after any inclusions will have unexpected results.</p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">May 16, 2023</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
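Review bot: The path added in the `diff --git` header, `static/freebsd/man5/passwd.5 3.html`, has a space and a trailing ` 3` before the extension, which looks like a file-manager or sync-tool duplicate rather than an intended page name. Please confirm it is not a stray copy of an existing passwd.5 page. If it is meant to stay, rename it without the space so links and scripts do not need quoting or `%20`. In the body, the DESCRIPTION field list names the fields `gid` and `home_dir`, but later paragraphs refer to "the `group` field" and, under COMPAT SUPPORT, to `dir` and `passwd` entries. If this HTML is generated from the man source, those names should be aligned there rather than in this file. Minor: an empty `<p class="Pp"></p>` sits before the gecos subfield list, and there is a stray space before the period in "Hesiod or NIS .".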
