passwd(5)
NAME
passwd, master.passwd - format of the password file
DESCRIPTION
The passwd files are the local source of password information. They can be used in conjunction with the Hesiod domains `passwd' and `uid', and the NIS maps `passwd.byname', `passwd.byuid', `master.passwd.byname', and `master.passwd.byuid', as controlled by nsswitch.conf(5).

For consistency, none of these files should ever be modified manually.

The master.passwd file is readable only by root, and consists of newline separated records, one per user, containing ten colon (``:'') separated fields. These fields are as follows:

    name       User's login name.
    password   User's encrypted password.
    uid        User's id.
    gid        User's login group id.
    class      User's login class.
    change     Password change time.
    expire     Account expiration time.
    gecos      General information about the user.
    home_dir   User's home directory.
    shell      User's login shell.

The passwd file is generated from the master.passwd file by pwd_mkdb(8), has the class, change, and expire fields removed, and the password field replaced by a `*' character. In the master.passwd file, a password of `*' is used to indicate that no one can ever log into that account using password authentication (logins through other forms of authentication, e.g. using ssh(1) keys, will still work). The field only contains encrypted passwords, and `*' can never be the result of encrypting a password.

The name field is the login used to access the computer account, and the uid field is the number associated with it. They should both be unique across the system (and often across a group of systems) since they control file access.

While it is possible to have multiple entries with identical login names and/or identical user ids, it is usually a mistake to do so. Routines that manipulate these files will often return only one of the multiple entries, and that one by random selection.

The login name must never begin with a hyphen (``-''); also, it is strongly suggested that neither upper-case characters nor dots (``.'') be part of the name, as this tends to confuse mailers. No field may contain a colon (``:'') as this has been used historically to separate the fields in the user database.

The password field is the encrypted form of the password, see crypt(3). If the password field is empty, no password will be required to gain access to the machine. This is almost invariably a mistake. Because these files contain the encrypted user passwords, they should not be readable by anyone without appropriate privileges.

The group field is the group that the user will be placed in upon login. Since this system supports multiple groups (see groups(1)) this field currently has little special meaning.

The class field is a key for a user's login class. Login classes are defined in login.conf(5), which is a termcap(5) style database of user attributes, accounting, resource, and environment settings.

The change field is the number of seconds from the epoch, UTC, until the password for the account must be changed. This field may be left empty to turn off the password aging feature.

The expire field is the number of seconds from the epoch, UTC, until the account expires. This field may be left empty to turn off the account aging feature.

The gecos field normally contains comma (``,'') separated subfields as follows:

    name       user's full name
    office     user's office number
    wphone     user's work phone number
    hphone     user's home phone number

The full name may contain an ampersand (``&'') which will be replaced by the capitalized login name when the gecos field is displayed or used by various programs such as finger(1), sendmail(8), etc.

The office and phone number subfields are used by the finger(1) program, and possibly other applications.

The user's home directory is the full UNIX path name where the user will be placed on login.

The shell field is the command interpreter the user prefers. If there is nothing in the shell field, the Bourne shell (/bin/sh) is assumed.
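The following is an added example, not part of the manual page or of the system's own tools: it parses master.passwd records into the ten fields described above and reports the entries the text calls mistakes (empty password, hyphen-led or mixed-case/dotted names, duplicate names or uids, change/expire times already in the past). The sample records, the placeholder hash and the `now` value are constructed for the example.

```python
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")

# Constructed sample master.passwd content; the hash is a placeholder, not crypt(3) output.
SAMPLE = """\
root:$6$constructed$notarealhash:0:0::0:0:Charlie &:/root:/bin/sh
alice::1001:1001::0:0:Alice Example,101,555-0100,555-0101:/home/alice:/bin/sh
-bob:*:1002:1002::0:1000000000:Bob Example:/home/bob:/bin/sh
Carol.Q:*:1001:1003::0:0:Carol Example:/home/carol:
"""

def parse_master_passwd(text):
    """Split one record per line into its ten colon-separated fields."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):  # a colon inside a field shows up here
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(parts)}")
        records.append(dict(zip(FIELDS, parts)))
    return records

def expand_gecos_name(gecos, login):
    """Full-name subfield of gecos: '&' stands for the capitalized login name."""
    return gecos.split(",")[0].replace("&", login.capitalize())

def lint(records, now):
    """Return (login, message) pairs for entries that break the passwd(5) rules."""
    findings, uid_owner, names = [], {}, set()
    for r in records:
        n, uid = r["name"], r["uid"]
        if n.startswith("-"):
            findings.append((n, "login name begins with a hyphen"))
        if "." in n or n != n.lower():
            findings.append((n, "login name has upper-case or a dot (confuses mailers)"))
        if r["password"] == "":
            findings.append((n, "empty password field: no password required"))
        if n in names:
            findings.append((n, "duplicate login name"))
        if uid in uid_owner:
            findings.append((n, f"duplicate uid {uid} (shared with {uid_owner[uid]})"))
        names.add(n)
        uid_owner.setdefault(uid, n)
        # Empty (or 0, as written by the awk script under COMPATIBILITY) turns aging off.
        for f in ("change", "expire"):
            if r[f] not in ("", "0") and int(r[f]) <= now:
                findings.append((n, f"{f} time {r[f]} has already passed"))
    return findings
```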
HESIOD SUPPORT
If `dns' is specified for the `passwd' database in nsswitch.conf(5), then passwd lookups occur from the `passwd' Hesiod domain.
NIS SUPPORT
If `nis' is specified for the `passwd' database in nsswitch.conf(5), then passwd lookups occur from the `passwd.byname', `passwd.byuid', `master.passwd.byname', and `master.passwd.byuid' NIS maps.
COMPAT SUPPORT
If `compat' is specified for the `passwd' database, and either `dns' or `nis' is specified for the `passwd_compat' database in nsswitch.conf(5), then the passwd file also supports standard `+/-' exclusions and inclusions, based on user names and netgroups.

Lines beginning with a ``-'' (minus sign) are entries marked as being excluded from any following inclusions, which are marked with a ``+'' (plus sign).

If the second character of the line is a ``@'' (at sign), the operation involves the user fields of all entries in the netgroup specified by the remaining characters of the name field. Otherwise, the remainder of the name field is assumed to be a specific user name.

The ``+'' token may also be alone in the name field, which causes all users from either the Hesiod domain passwd (with `passwd_compat: dns') or `passwd.byname' and `passwd.byuid' NIS maps (with `passwd_compat: nis') to be included.

If the entry contains non-empty uid or gid fields, the specified numbers will override the information retrieved from the Hesiod domain or the NIS maps. As well, if the gecos, dir or shell entries contain text, it will override the information included via Hesiod or NIS. On some systems, the passwd field may also be overridden.
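As an added example (not code from the manual page or from the system's compat source), the resolver below walks a local passwd file in order, applying `-user`, `-@netgroup`, `+user`, `+@netgroup` and bare `+` entries against a constructed stand-in for the NIS `passwd.byname` map, with the local uid/gid/gecos/dir/shell override rule, and warns when an exclusion appears after an inclusion (the case BUGS describes). The map, netgroup and file contents are constructed; that the first entry for a login wins is an assumption.

```python
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")

# Constructed stand-ins for the passwd.byname NIS map and a netgroup (not real data).
NIS_MAP = {
    "alice": "alice:*:2001:100::0:0:Alice Example:/home/alice:/bin/sh",
    "bob":   "bob:*:2002:100::0:0:Bob Example:/home/bob:/bin/sh",
    "carol": "carol:*:2003:100::0:0:Carol Example:/home/carol:/bin/sh",
}
NETGROUPS = {"staff": {"alice", "bob"}}

# Constructed local file: exclude bob, include netgroup staff, include carol with overrides.
LOCAL = """\
root:*:0:0::0:0:Charlie &:/root:/bin/sh
-bob:::::::::
+@staff:::::::::
+carol::5000:::::::/bin/tcsh
"""

def members(spec, netgroups):
    """'@name' means every user in that netgroup; anything else is one user."""
    return set(netgroups.get(spec[1:], ())) if spec.startswith("@") else {spec}

def apply_overrides(remote, local):
    # Non-empty uid, gid, gecos, dir and shell fields in the local entry win.
    for f in ("uid", "gid", "gecos", "home_dir", "shell"):
        if local[f]:
            remote[f] = local[f]
    return remote

def resolve_compat(local_text, nis_map, netgroups):
    """Honour +/- entries top to bottom; return (entries keyed by login, warnings).
    First entry for a login wins (assumption: the page only says one is returned)."""
    result, excluded, warnings, included_yet = {}, set(), [], False
    for line in filter(None, local_text.splitlines()):
        entry = dict(zip(FIELDS, line.split(":")))
        name = entry["name"]
        if name.startswith("-"):
            if included_yet:  # BUGS: exclusions after inclusions misbehave
                warnings.append(f"{name} placed after an inclusion")
            excluded |= members(name[1:], netgroups)
        elif name.startswith("+"):
            included_yet = True
            wanted = set(nis_map) if name == "+" else members(name[1:], netgroups)
            for user in sorted(wanted - excluded):
                if user in nis_map:
                    remote = dict(zip(FIELDS, nis_map[user].split(":")))
                    result.setdefault(user, apply_overrides(remote, entry))
        else:
            result.setdefault(name, entry)
    return result, warnings
```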
FILES
/etc/passwd         ASCII password file, with passwords removed
/etc/pwd.db         db(3)-format password database, with passwords removed
/etc/master.passwd  ASCII password file, with passwords intact
/etc/spwd.db        db(3)-format password database, with passwords intact
COMPATIBILITY
The password file format has changed since 4.3BSD. The following awk script can be used to convert your old-style password file into a new style password file. The additional fields ``class'', ``change'' and ``expire'' are added, but are turned off by default. Class is currently not implemented, but change and expire are; to set them, use the current day in seconds from the epoch + whatever number of seconds of offset you want.

    BEGIN { FS = ":" }
    { print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
SEE ALSO
chpass(1), login(1), passwd(1), crypt(3), getpwent(3), login.conf(5), netgroup(5), adduser(8), pw(8), pwd_mkdb(8), vipw(8), yp(8)

Managing NFS and NIS (O'Reilly & Associates)
HISTORY
A passwd file format appeared in Version 6 AT&T UNIX.
The NIS passwd file format first appeared in SunOS.
The Hesiod support first appeared in FreeBSD 4.1. It was imported from the NetBSD Project, where it first appeared in NetBSD 1.4.
BUGS
User information should (and eventually will) be stored elsewhere.

Placing `compat' exclusions in the file after any inclusions will have unexpected results.

BSD February 8, 2005