/etc/security/passwd File

Purpose

Contains password information.

Description

The /etc/security/passwd file is an ASCII file that contains stanzas with password information. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute is ended with a new line character, and each stanza is ended with an additional new line character.

Each stanza can have the following attributes:

Attribute   Definition

password
    Specifies the encrypted password. The system encrypts the password created with the passwd command or the pwdadm command. If the password is empty, the user does not have a password. If the password is an * (asterisk), the user cannot log in. The value is a character string. The default value is *.

lastupdate
    Specifies the time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed. If password aging (the minage attribute or the maxage attribute) is in effect, the lastupdate attribute forces a password change when the time limit expires. (See the /etc/security/user file for information on password aging.) The passwd and pwdadm commands normally set this attribute when a password is changed. The value is a decimal integer that can be converted to a text string using the ctime subroutine.

flags
    Specifies the restrictions applied by the login, passwd, and su commands. The value is a list of comma-separated attributes. The flags attribute can be left blank or can be one or more of the following values:

    ADMIN
        Defines the administrative status of the password information. If the ADMIN attribute is set, only the root user can change this password information.

    ADMCHG
        Indicates that the password was last changed by a member of the security group or the root user. Normally this flag is set implicitly when the pwdadm command changes another user's password. When this flag is set explicitly, it forces the password to be updated the next time a user gives the login command or the su command.

    NOCHECK
        None of the system password restrictions defined in the /etc/security/user file are enforced for this password.

When the passwd or pwdadm command updates a password, the command adds values for the password and lastupdate attributes and, if used to change another user's password, for the flags ADMCHG attribute.

Access to this file should be through the system commands and subroutines defined for this purpose. Other accesses may not be supported in future releases. Users can update their own passwords with the passwd command, administrators can set passwords and password flags with the pwdadm command, and the root user is able to use the passwd command to set the passwords of other users.

Refer to the "Files" section for information on where attributes and other information on users and groups are stored.

Although each user name must be in the /etc/passwd file, it is not necessary to have each user name listed in the /etc/security/passwd file. If the authentication attributes auth1 and auth2 are so defined in the /etc/security/user file, a user may use the authentication name of another user. For example, the authentication attributes for user tom can allow that user to use the entry in the /etc/security/passwd file for user carol for authentication.

Security

Access Control: This file should grant read (r) and write (w) access only to the root user.

Auditing Events:

Event Information
S_PASSWD_READ file name
S_PASSWD_WRITE file name

Examples

The following line indicates that the password information in the /etc/security/passwd file is available only to the root user, who has no restrictions on updating a password for the specified user:

flags = ADMIN,NOCHECK

An example of this line in a typical stanza for user smith follows:

smith:
  password = MGURSj.F056Dj
  lastupdate = 623078865
  flags = ADMIN,NOCHECK

The password line shows an encrypted password. The lastupdate line shows the number of seconds since the epoch that the password was last changed. The flags line shows two flags: the ADMIN flag indicates that the information is available only to the root user, and the NOCHECK flag indicates that the root user has no restrictions on updating a password for the specified user.
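The following is an added example, not part of this file's documentation: a small Python parser for the stanza format described above (user name and colon, Attribute = Value lines, blank line ending the stanza) that reports entries an administrator would review, such as an empty password, the NOCHECK flag, a pending ADMCHG, or a lastupdate older than an assumed 90-day policy. The sample stanzas and the max_age_days value are constructed for illustration.

```python
"""Parse /etc/security/passwd stanzas and report settings worth a second look."""

# Constructed sample in the stanza format described above (not a real file).
SAMPLE = """smith:
\tpassword = MGURSj.F056Dj
\tlastupdate = 623078865
\tflags = ADMIN,NOCHECK

guest:
\tpassword =
\tlastupdate = 623078865
\tflags = ADMCHG
"""

def parse_stanzas(text):
    """Return {user: {attr: value}}; 'name:' opens a stanza, a blank line closes it."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current stanza
            current = None
        elif current is None and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")   # accepts Attribute=Value or Attribute = Value
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit(stanzas, now, max_age_days=90):
    """Map user -> list of findings; max_age_days is an assumed local policy, not from the page."""
    findings = {}
    for user, attrs in stanzas.items():
        pw = attrs.get("password", "*")   # documented default is * (login disabled)
        flags = {f.strip() for f in attrs.get("flags", "").split(",") if f.strip()}
        issues = []
        if pw == "":
            issues.append("empty password: account has no password")
        if "NOCHECK" in flags:
            issues.append("NOCHECK: /etc/security/user restrictions not enforced")
        if "ADMCHG" in flags:
            issues.append("ADMCHG: password change forced at next login or su")
        if pw not in ("", "*") and "lastupdate" in attrs:
            age = (now - int(attrs["lastupdate"])) // 86400   # lastupdate is epoch seconds
            if age > max_age_days:
                issues.append(f"password last changed {age} days ago")
        if issues:
            findings[user] = issues
    return findings
```

Run audit(parse_stanzas(SAMPLE), int(time.time())) to check the constructed sample, or feed it the real file's contents read as root.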

Files

Item Description
/etc/security/passwd Specifies the path to the file.
/etc/passwd Contains basic user attributes.
/etc/security/user Contains the extended attributes of users.
/etc/security/login.cfg Contains configuration information for login and user authentication.