
Re: Unix password "extensions"?

On Thu, Oct 19, 2000 at 02:21:09PM -0400, Nalin Dahyabhai wrote:
> On Thu, Oct 19, 2000 at 10:57:56AM -0400, Joseph S D Yao wrote:
> > These "extensions" date back to the late 1970's and PWB Unix 1.0.  They
> > relate to password aging.  The passwords use regular crypt().  If your
> > getpw*() functions don't terminate at the comma, then you can either use
> > strncmp() or replace the commas with NULs in-line [but beware of any
> > other problems that may cause].
> Since originally looking at it, I've noticed that it's easier to use
> strncmp() than attempting to terminate the string in the right place.

IMHO, that should work just fine.  You are dealing with a fixed-length
field, here.

As long as you are only using it for the one style of passwd entries.

> Do you have any pointers to online sources of documentation for what
> these fields are used for?

Oh, gee.  Let's see.  HP-UX is a good source for System V-compliant
information.  In passwd(4) it says here:

"The encrypted password consists of 13 characters chosen from a 64-
character set of "digits" described below, except when the password is
null, in which case the encrypted password is also null.  Login can be
prevented by entering in the password field a character that is not
part of the set of digits (such as *).

The characters used to represent "digits" are . for 0, / for 1, 0
through 9 for 2 through 11, A through Z for 12 through 37, and a
through z for 38 through 63.

Password aging is put in effect for a particular user if his encrypted
password in the password file is followed by a comma and a nonnull
string of characters from the above alphabet.  (Such a string must be
introduced in the first instance by a superuser.) This string defines
the "age" needed to implement password aging.

The first character of the age, M, denotes the maximum number of weeks
for which a password is valid.  A user who attempts to login after his
password has expired is forced to supply a new one.  The next
character, m, denotes the minimum period in weeks that must expire
before the password can be changed.  The remaining characters define
the week (counted from the beginning of 1970) when the password was
last changed (a null string is equivalent to zero).  M and m have
numerical values in the range 0 through 63 that correspond to the 64-
character set of "digits" shown above.  If m = M = 0 (derived from the
string . or ..), the user is forced to change his password next time
he logs in (and the "age" disappears from his entry in the password
file).  If m > M (signified, for example, by the string ./), then only
a superuser (not the user) can change the password. Not allowing the
user to ever change the password is discouraged, especially on a
trusted system."

Solaris is sometimes also a good source for System V-compliant
information, but the above should suffice.  Note that Linux shadow(5)
describes what appears to me a more flexible version of same.

** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
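As an added example that is not part of this thread: a C parser for the passwd(4) field quoted above, splitting the encrypted part from the age string (so the returned length can be handed to strncmp() as Nalin suggests) and decoding M, m and the last-changed week, with the two special cases the man page names (m = M = 0 forces a change; m > M means only a superuser may change it). The digit order of the week, least significant first as a64l() reads it, is an assumption the quoted text does not state; the field values in the comments and tests are constructed.

```c
#include <stddef.h>
#include <string.h>

/* The 64-character "digit" set from passwd(4): . / 0-9 A-Z a-z (values 0..63). */
static const char age_digits[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Value of one "digit", or -1 if the character is outside the set. */
static int age_digit_value(char c) {
    const char *p = c ? strchr(age_digits, c) : NULL;
    return p ? (int)(p - age_digits) : -1;
}

struct pw_age {
    int has_age;        /* a comma and non-empty age string followed the hash */
    int max_weeks;      /* M: weeks the password remains valid */
    int min_weeks;      /* m: weeks that must pass before it may be changed */
    long last_changed;  /* week of last change, counted from the start of 1970 */
    int force_change;   /* m == M == 0: user must change it at next login */
    int root_only;      /* m > M: only a superuser may change it */
};

/* Parse a PWB-style password field "encrypted[,age]" (constructed examples:
   "abcdefghijklm,./" or "abcdefghijklm,A1.Z").  Returns the length of the
   encrypted part (the count to hand to strncmp() against crypt() output), or
   -1 if the age string contains a character outside the digit set.
   Assumption (a64l() convention): week digits after m are least significant first. */
int parse_pw_age(const char *field, struct pw_age *out) {
    const char *comma = strchr(field, ',');
    size_t hash_len = comma ? (size_t)(comma - field) : strlen(field);
    memset(out, 0, sizeof *out);
    if (!comma || comma[1] == '\0')
        return (int)hash_len;               /* no age string: aging not in effect */
    const char *p = comma + 1;
    int M = age_digit_value(*p++), m = 0;   /* first character is M */
    if (M < 0) return -1;
    if (*p && (m = age_digit_value(*p++)) < 0) return -1;  /* second is m */
    long week = 0, mult = 1;
    for (; *p; p++, mult *= 64) {            /* absent week digits mean week 0 */
        int d = age_digit_value(*p);
        if (d < 0) return -1;
        week += d * mult;
    }
    out->has_age = 1;
    out->max_weeks = M;
    out->min_weeks = m;
    out->last_changed = week;
    out->force_change = (M == 0 && m == 0);
    out->root_only = (m > M);
    return (int)hash_len;
}
```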
