nispasswd(1)




NAME

     nispasswd - change NIS+ password information


SYNOPSIS

     nispasswd [-ghs] [-D domainname] [username]

     nispasswd -a

     nispasswd [-D domainname] [ -d [username]]

     nispasswd [-l] [-f] [-n min] [-x max] [-w warn]
     [-D domainname] username


DESCRIPTION

     The nispasswd utility changes a  password,   gecos  (finger)
     field  (-g  option),   home directory (-h option),  or login
     shell (-s option) associated with the username  (invoker  by
     default) in the NIS+ passwd table.

     Additionally, the command can be  used  to  view  or  modify
     aging information associated with the user specified  if the
     invoker has the right NIS+ privileges.

     nispasswd uses secure  RPC  to  communicate  with  the  NIS+
     server,   and  therefore,  never sends unencrypted passwords
     over  the communication medium.

     nispasswd does not read or modify the local password information
     stored in the /etc/passwd and /etc/shadow files.

     When used to change a password, nispasswd prompts non-privileged
     users for their old password. It then prompts for the new
     password twice to forestall typing mistakes. When the old
     password is entered, nispasswd checks to see if it has "aged"
     sufficiently. If "aging" is insufficient, nispasswd terminates;
     see getspnam(3C).

     The old password is used to decrypt the username's secret key.
     If the password does not decrypt the secret key, nispasswd
     prompts for the old secure-RPC password. It uses this password
     to decrypt the secret key. If this fails, it gives the user one
     more chance. The old password is also used to ensure that the
     new password differs from the old by at least three characters.
     Assuming aging is sufficient, a check is made to ensure that the
     new password meets construction requirements described below.
     When the new password is entered a second time, the two copies
     of the new password are compared. If the two copies are not
     identical, the cycle of prompting for the new password is
     repeated twice. The new password is used to re-encrypt the
     user's secret key. Hence, it also becomes their secure-RPC
     password. Therefore, the secure-RPC password is no longer a
     different password from the user's password.

     Passwords must be constructed to meet the following
     requirements:

        o  Each password must have at least six characters.  Only
           the first eight characters are significant.

        o  Each password must contain at least two alphabetic
           characters and at least one numeric or special character.
           In this case, "alphabetic" refers to all upper or lower
           case letters.

        o  Each password  must  differ  from  the   user's  login
           username  and  any   reverse or circular shift of that
           login username. For comparison purposes, an upper case
           letter   and  its  corresponding lower case letter are
           equivalent.

        o  New passwords must differ from the  old  by  at  least
           three  characters.  For  comparison purposes, an upper
           case letter and its corresponding  lower  case  letter
           are equivalent.
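
     The four construction rules above, written out as a checker. This
     is an added example, not code from nispasswd or Solaris. It
     assumes that the character-class and old/new comparisons look only
     at the first eight (significant) characters, and that "differ by
     three characters" means a case-insensitive position-by-position
     count; the page does not define either detail.

```python
import string

SIGNIFICANT = 8  # "Only the first eight characters are significant."

def rotations(s):
    """Every circular shift of s, including s itself."""
    return {s[i:] + s[:i] for i in range(len(s))}

def differing_chars(a, b):
    """Assumed metric: case-insensitive mismatches by position,
    plus the difference in length."""
    a, b = a.lower(), b.lower()
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def check_password(new, login, old=None):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    sig = new[:SIGNIFICANT]  # assumption: rules apply to this prefix

    if len(new) < 6:
        problems.append("shorter than six characters")

    alpha = sum(c in string.ascii_letters for c in sig)
    other = len(sig) - alpha  # numeric or special
    if alpha < 2 or other < 1:
        problems.append("needs two alphabetic and one numeric/special")

    # Login name, its reverse, and circular shifts; case is ignored.
    name = login.lower()
    if new.lower() in rotations(name) | {name[::-1]}:
        problems.append("login name, its reverse, or a circular shift")

    if old is not None and differing_chars(sig, old[:SIGNIFICANT]) < 3:
        problems.append("differs from old by fewer than three characters")
    return problems
```

     Under these assumptions a nine-character password whose only
     digit is in position nine is rejected, because the digit falls
     outside the significant prefix.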

     Network administrators, who own the NIS+ password table, may
     change  any  password  attributes   if  they establish their
     credentials (see keylogin(1))  before  invoking   nispasswd.
     Hence, nispasswd does not prompt these privileged users for
     the old password and they are  not  forced  to  comply  with
     password aging and password construction requirements.

     Any user may use the -d option to display password attributes
     for his or her own login name. The format of the display will
     be:

     username status mm/dd/yy min max warn

     or, if password aging information is not present,

     username status

     where

     username
           The login ID of the user.

     status
           The password status of username: "PS" stands for password
           exists or locked, "LK" stands for locked, and "NP" stands
           for no password.

     mm/dd/yy
           The date password was last changed for username. (Note
           that all password aging dates are determined using
           Greenwich Mean Time (Universal Time) and, therefore, may
           differ by as much as a day in other time zones.)

     min   The minimum number of days required  between  password
           changes for username.

     max   The maximum number of days the password is  valid  for
           username.

     warn  The number of days relative to max before the password
           expires that the username will be warned.
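
     A parser for the two display formats above that flags entries an
     administrator would want to review. This is an added example, not
     part of nispasswd; the sample lines are constructed, and the
     choice of what to flag is this example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the documented display format (not real output).
SAMPLE = """\
alice PS 03/14/02 7 90 14
bob NP
carol LK 01/02/01 0 30 7
dave PS
erin PS 06/01/02 60 30 7
"""

def parse_line(line):
    """Parse one display line; aging fields are None when absent."""
    f = line.split()
    if len(f) not in (2, 6):
        raise ValueError("unexpected field count: %r" % line)
    rec = {"user": f[0], "status": f[1], "changed": None,
           "min": None, "max": None, "warn": None}
    if len(f) == 6:
        # Aging dates are kept in GMT, per the note on mm/dd/yy.
        rec["changed"] = datetime.strptime(f[2], "%m/%d/%y").replace(
            tzinfo=timezone.utc)
        rec["min"], rec["max"], rec["warn"] = (int(x) for x in f[3:])
    return rec

def findings(rec, now):
    """Return review notes for one parsed entry."""
    out = []
    if rec["status"] == "NP":
        out.append("no password")
    if rec["changed"] is None:
        out.append("no aging information")
        return out
    if rec["max"] >= 0 and rec["min"] > rec["max"]:
        out.append("min > max: user cannot change password")
    if rec["max"] > 0 and rec["changed"] + timedelta(days=rec["max"]) < now:
        out.append("password past max age")
    return out

def audit(text, now):
    """Map each username in the display text to its review notes."""
    recs = [parse_line(l) for l in text.splitlines() if l.strip()]
    return {r["user"]: findings(r, now) for r in recs}
```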

     The use of  nispasswd  is  strongly  discouraged.  It  is  a
     wrapper around the passwd(1) command.

     Using passwd(1) with the -r nisplus option will achieve  the
     same  result and will be consistent across all the different
     name services available. This  is  the  recommended  way  to
     change the password in NIS+.

     The login program, file access display programs (for example,
     ls -l), and network programs that require user passwords, for
     example, rlogin(1), ftp(1), and so on, use the standard
     getpwnam(3C) and getspnam(3C) interfaces to get password
     information. These programs will get the NIS+ password
     information, which is modified by nispasswd, only if the passwd:
     entry in the /etc/nsswitch.conf file includes nisplus. See
     nsswitch.conf(4) for more details.


OPTIONS

     The following options are supported:

     -a    Shows the password attributes for  all  entries.  This
           will show only the entries in the NIS+ passwd table in
           the local domain that the  invoker  is  authorized  to
           "read".

     -d [username]
           Displays password attributes for  the  caller  or  the
           user   specified   if   the   invoker  has  the  right
           privileges.

     -D domainname
           Consults the passwd.org_dir table  in  domainname.  If
           this  option  is not specified, the default domainname
           returned by nis_local_directory() will be  used.  This
           domainname   is   the   same   as   that  returned  by
           domainname(1M).

     -f    Forces the user to change password at the  next  login
           by expiring the password for username.

     -g    Changes the gecos (finger) information.

     -h    Changes the home directory.

     -l    Locks the password entry for  username.  Subsequently,
           login(1) would disallow logins with this NIS+ password
           entry.

     -n min
           Sets minimum field for username. The min field contains
           the minimum number of days between password changes for
           username. If min is greater than max, the user may not
           change the password. Always use this option with the -x
           option, unless max is set to -1 (aging turned off). In
           that case, min need not be set.

     -s    Changes the login shell. By  default,  only  the  NIS+
           administrator  can  change  the  login shell. The user
           will be prompted for the new login shell.

     -w warn
           Sets warn field for username. The warn field  contains
           the  number  of  days before the password expires that
           the user will be warned whenever he or she attempts to
           login.

     -x max
           Sets maximum field for username. The max field contains
           the number of days that the password is valid for
           username. The aging for username will be turned off
           immediately if max is set to -1. If it is set to 0, then
           the user is forced to change the password at the next
           login session and aging is turned off.


EXIT STATUS

     The following exit values are returned:

     0     Success.

     1     Permission denied.

     2     Invalid combination of options.

     3     Unexpected failure. NIS+ passwd table unchanged.

     4     NIS+ passwd table missing.

     5     NIS+ is busy. Try again later.

     6     Invalid argument to option.

     7     Aging is disabled.

     8     No memory.

     9     System error.

     10    Account expired.


ATTRIBUTES

     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWnisu                    |
    |_____________________________|_____________________________|


SEE ALSO

     keylogin(1),  login(1),  nis+(1),  nistbladm(1),  passwd(1),
     rlogin(1),   domainname(1M),   nisserver(1M),  getpwnam(3C),
     getspnam(3C),  nis_local_directory(3NSL),  nsswitch.conf(4),
     passwd(4), shadow(4), attributes(5)


NOTES

     NIS+ might not be supported in future releases of the
     Solaris(TM) Operating Environment. Tools to aid the migration
     from NIS+ to LDAP are available in the Solaris 9 operating
     environment. For more information, visit
     http://www.sun.com/directory/nisplus/transition.html.

