modprpw(1M) modprpw(1M)
NAME [Toc] [Back]
modprpw - modify protected password database
SYNOPSIS [Toc] [Back]
modprpw [-E|-V] [-l|-n [domain]]
modprpw [-x] [-l|-n [domain]] username
modprpw [-A|-e|-v|-k] [-m field=value,... ] [-l|-n [domain]] username
DESCRIPTION [Toc] [Back]
modprpw updates the user's protected password database settings. This
command is available only to the superuser in a trusted system.
Usage other than via SAM, and/or modifications out of sync with
/etc/passwd or NIS+ tables, may result in serious database corruption
and the inability to access the system.
All updated values may be verified using getprpw(1M).
The database contains information for both local and NIS+ users.
However, some NIS+ information is kept on the master. Since a user
may be both local and NIS+, modprpw uses the nsswitch.conf(4) default
if neither -l nor -n are specified.
Options [Toc] [Back]
modprpw sets user's parameters as defined by the options specified.
At least one option is required. If a field is not specified in the
option then its value remains unchanged in the database.
modprpw recognizes the following options...
-A To add a new user entry and to return a random password which the
new user must use to login the first time. This entry has to be
created with the given username and the -m uid=value.
Error is returned if the user already exists.
May be combined with one of the -l or -n options. It also adds
entries to the NIS+ tables, if -n is specified.
Unlike useradd(1M), it does not create nor populate the home
directory, and it does not update /etc/passwd.
-E This option is specified WITHOUT a user name to expire all user's
passwords. It goes through the protected password database and
zeroes the successful change time of all users. The result is
all users will need to enter a new password at their next login.
May be combined with one of -l or -n options.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
modprpw(1M) modprpw(1M)
-e This option is specified with a user name to expire the specified
user's password. It zeroes the successful change time.
May be combined with options -l, -m, -n.
-k To unlock/enable a user's account that has become disabled,
except when the lock is due to a missing password or * password.
May be combined with options -l, -m, -n.
-l This option specifies to modify data for a local user. It cannot
be specified with the -n option. This option must be specified
with other options.
-m Modify the database field to the specified value and/or resets
locks. Valid with one of -A, -e, -v, -k options; and one of -l,
-n options.
A list of database fields may be used with comma as a delimiter.
An "invalid-opt" is printed, and processing terminates, if a list
of database fields passed to -m contains an invalid database
field.
Boolean values are specified as YES, NO, or DFT for system
default values (/tcb/files/auth/system/default). Numeric values
are specified as positive numbers, 0, or -1. If the value -1 is
specified, the numeric value in the database is removed, allowing
the system default value to be used. Time values are specified
in days, although the database keeps them in seconds.
No aging is present if the following 4 database parameters are
all zero: u_minchg, u_exp, u_life, u_pw_expire_warning.
Unless specified by n/a, all database fields can be set. They
are listed below in the order shown in prot.h. The database
fields are fully explained in prpwd(4).
FIELD=VALUE DATABASE FIELD
n/a database u_name.
uid=value database u_id.
Set the uid of the user. No sanity checking
is done on this value.
n/a database u_pwd.
n/a database u_owner.
Hewlett-Packard Company - 2 - HP-UX 11i Version 2: August 2003
modprpw(1M) modprpw(1M)
bootpw=value database u_bootauth.
Set boot authorization privilege, YES/NO/DFT.
NO removes it from the user file.
audid=value database u_auditid.
Set audit id. Automatically limited not to
exceed the next available id.
audflg=value database u_auditflag.
Set audit flag.
mintm=value database u_minchg=(value*86400).
Set the minimum time interval between
password changes (days). 0 = none. Same as
non-trusted mode minimum time.
maxpwln=value database u_maxlen.
Set the maximum password length for system
generated passwords.
exptm=value database u_exp=(value*86400).
Set password expiration time interval (days).
0 = expired. Same as non-trusted mode
maximum time.
lftm=value database u_life.
Set password life time interval (days). 0 =
infinite.
n/a database u_succhg.
Modified by options e, E, v, V, maybe k.
n/a database u_unsucchg.
acctexp=value database u_acct_expire=(value*86400+now).
Set account expiration time interval (days).
This interval is added to "now" to form the
value in the database (database 0 = no
expiration).
llog=value database u_llogin.
Hewlett-Packard Company - 3 - HP-UX 11i Version 2: August 2003
modprpw(1M) modprpw(1M)
Set the last login time interval (days).
Used with u_succlog.
expwarn=value database u_pw_expire_warning=(value*86400).
Set password expiration warning time interval
(days). 0 = none.
n/a database u_pswduser. Obsoleted field.
usrpick=value database u_pickpw.
Set whether User Picks Password, YES/NO/DFT.
syspnpw=value database u_genpwd.
Set whether system generates pronounceable
passwords, YES/NO/DFT.
rstrpw=value database u_restrict.
Set if generated password is restricted,
YES/NO/DFT. If YES, password will be checked
for triviality.
nullpw=value database u_nullpw.
Set whether null passwords are allowed,
YES/NO/DFT. YES is not recommended!
n/a database u_pwchanger. Obsolescent field.
admnum=value database u_pw_admin_num. Obsoleted field.
syschpw=value database u_genchars.
Set whether system generates passwords having
characters only, YES/NO/DFT.
sysltpw=value database u_genletters.
Set whether system generates passwords having
letters only, YES/NO/DFT.
timeod=value database u_tod.
Set the time-of-day allowed for login.
The format is:
Hewlett-Packard Company - 4 - HP-UX 11i Version 2: August 2003
modprpw(1M) modprpw(1M)
key0Starttime-Endtime,
key1Starttime-Endtime,...
keynStarttime-Endtime
Where key has the following values:
Mo - Monday
Tu - Tuesday
We - Wednesday
Th - Thursday
Fr - Friday
Sa - Saturday
Su - Sunday
Any - everyday
Wk - Monday -> Friday
and Starttime and Endtime are in military
format: HHMM, where:
00 <= HH <= 23, and 00 <= MM <= 59.
n/a database u_suclog.
n/a database u_unsuclog.
n/a database u_suctty.
n/a database u_numunsuclog.
n/a database u_unsuctty.
umaxlntr=value database u_maxtries.
Set Maximum Unsuccessful Login tries allowed.
0 = infinite.
alock=value database u_lock.
Set the administrator lock, YES/NO/DFT.
-n Can be specified with or without domain name; i.e., -n [domain].
If -n [domain] is specified, modifies data for the NIS+ user.
The domain name must be fully qualified, with a terminating
period. If domain name is not specified, the local domain will
be used.
It cannot be specified with the -l option. This option must be
specified with other options.
-V This option is specified WITHOUT a user name to
"validate/refresh" all user's passwords. It goes through the
protected password database and sets the successful change time
to the current time for all users. The result is that all user's
Hewlett-Packard Company - 5 - HP-UX 11i Version 2: August 2003
modprpw(1M) modprpw(1M)
password aging restarts at the current time.
May be combined with one of -l or -n options.
-v This option is specified with a user name to "validate/refresh"
the specified user's password. It sets the successful change
time to the current time.
May be combined with options -l, -m, -n.
-x Delete the user's password and return a random password that the
user must later supply to the login process to login and pick a
new password. Not valid for root. Also resets locks.
May be combined with one of -l or -n options.
RETURN VALUE [Toc] [Back]
0 Success.
1 User not privileged.
2 Incorrect usage.
3 Can not find the entry or file.
4 Can not change the entry.
5 Not a Trusted System.
6 Not a NIS+ user.
EXAMPLES [Toc] [Back]
Set the Minimum time between password changes to 12 (days), set the
System generates pronounceable password flag to NO, and set the System
generates password having characters only flag to YES.
modprpw -m mintm=12,syspnpw=NO,syschpw=YES someusr
The following example is to restrict the times that user joeblow can
get on the system on Mondays and Fridays to 5PM-9PM, and Sundays from
5AM-9AM. Other days are not restricted.
modprpw -m timeod=Mo1700-2100,Fr1700-2100,Su0500-0900 joeblow
WARNINGS [Toc] [Back]
This command is intended for SAM use only. It may change with each
release and can not be guaranteed to be backward compatible.
Several database fields interact with others. Side effects may not be
apparent until much later.
Special meanings may apply in the following cases:
+ an absent field,
+ a field without a value,
+ a field with a zero value.
Hewlett-Packard Company - 6 - HP-UX 11i Version 2: August 2003
modprpw(1M) modprpw(1M)
Very little, if any checking is done to see if values are valid. It
is the user's responsibility to range check values.
FILES [Toc] [Back]
/etc/passwd System Password file
/tcb/files/auth/*/* Protected Password Database
/tcb/files/auth/system/default System Defaults Database
AUTHOR [Toc] [Back]
modprpw was developed by HP.
SEE ALSO [Toc] [Back]
getprpw(1M), prpwd(4), nsswitch.conf(4).
Hewlett-Packard Company - 7 - HP-UX 11i Version 2: August 2003 [ Back ] |