Contains password information.
The /etc/security/passwd file is an ASCII file that contains stanzas with password information. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute is ended with a new line character, and each stanza is ended with an additional new line character.
Each stanza can have the following attributes:
Attribute | Definition |
---|---|
password | Specifies the password hash (the system documentation calls this the encrypted password). The passwd or pwdadm command runs the cleartext password through a one-way function and stores the result here; the cleartext is never written. If the value is empty, the user has no password. If the value is an * (asterisk), no password can match it and the user cannot log in. The value is a character string. The default value is *. |
lastupdate | Specifies the time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed. If password aging (the minage attribute or the maxage attribute) is in effect, the lastupdate attribute forces a password change when the time limit expires. (See the /etc/security/user file for information on password aging.) The passwd and pwdadm commands normally set this attribute when a password is changed. The value is a decimal integer that can be converted to a text string using the ctime subroutine. |
flags | Specifies the restrictions applied by the login, passwd, and su commands. The value is a comma-separated list. The flags attribute can be left blank or can contain one or more of the following values: ADMIN (only the root user can change the password information for this user), ADMCHG (the password was changed by an administrator, for example with the pwdadm command, and the user must change it at the next login), NOCHECK (the password restrictions defined in the /etc/security/user file are not enforced for this user). |
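The stanza layout above is simple enough to parse and audit in a few lines. The following Python is an added example, not code from the AIX documentation or from the operating system: it parses text in the /etc/security/passwd stanza format, classifies each password field (empty, an asterisk, or a hash), decodes lastupdate, and reports the conditions an administrator would want to see (empty passwords, pending ADMCHG changes, NOCHECK exemptions, and passwords older than maxage). The sample stanzas, the audit time NOW, and the maxage value of 13 weeks are constructed for the example; on a real system you would read the file as root and take maxage from /etc/security/user, where it is expressed in weeks.

```python
"""Audit stanzas in the /etc/security/passwd format (added example, not AIX code)."""
import re
import time

# Constructed sample in the /etc/security/passwd stanza format; not a real file.
# AIX indents attribute lines with a tab, but the parser accepts any indentation.
SAMPLE = """\
root:
\tpassword = *
\tlastupdate = 623078865
\tflags =

smith:
\tpassword = MGURSj.F056Dj
\tlastupdate = 623078865
\tflags = ADMIN,NOCHECK

guest:
\tpassword =
\tlastupdate = 623078865
\tflags =

tom:
\tpassword = abJnggxhB/yWI
\tlastupdate = 600000000
\tflags = ADMCHG
"""

# Audit time: 100 days after smith's lastupdate (a constructed value).
NOW = 623078865 + 100 * 86400

_HEADER = re.compile(r"^([^\s:]+):\s*$")


def parse_security_passwd(text):
    """Return {user: {attribute: value}} from stanza-format text.

    A stanza starts with 'name:' on its own line; the 'Attribute = Value' lines
    that follow belong to it until the next header. Lines beginning with '*'
    are comments in AIX stanza files and are skipped.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        m = _HEADER.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue  # attribute outside any stanza, or a malformed line
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas


def password_state(attrs):
    """'none' (empty field: no password), 'locked' ('*'), or 'hashed'."""
    pw = attrs.get("password", "*")  # the documented default is '*'
    if pw == "":
        return "none"
    if pw == "*":
        return "locked"
    return "hashed"


def flag_set(attrs):
    """The comma-separated flags value as a set of upper-case names."""
    return {f.strip().upper() for f in attrs.get("flags", "").split(",") if f.strip()}


def password_age_days(attrs, now):
    """Whole days since lastupdate, or None if the attribute is missing or not numeric."""
    try:
        return (now - int(attrs["lastupdate"])) // 86400
    except (KeyError, ValueError):
        return None


def last_change_utc(attrs):
    """lastupdate rendered as a timestamp (what ctime would show, but in UTC)."""
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(int(attrs["lastupdate"])))


def audit(stanzas, now, maxage_weeks):
    """Return (user, finding) pairs. maxage in /etc/security/user is in weeks."""
    findings = []
    for user, attrs in stanzas.items():
        state, flags = password_state(attrs), flag_set(attrs)
        if state == "none":
            findings.append((user, "empty password field: the account has no password"))
        if "ADMCHG" in flags:
            findings.append((user, "password was set by an administrator; change required at next login"))
        if "NOCHECK" in flags:
            findings.append((user, "NOCHECK: /etc/security/user password restrictions not enforced"))
        age = password_age_days(attrs, now)
        if state == "hashed" and age is not None and age > maxage_weeks * 7:
            findings.append((user, f"password is {age} days old, beyond maxage of {maxage_weeks} weeks"))
    return findings


if __name__ == "__main__":
    stanzas = parse_security_passwd(SAMPLE)
    for user, attrs in stanzas.items():
        print(f"{user}: {password_state(attrs)}, changed {last_change_utc(attrs)}, flags={sorted(flag_set(attrs))}")
    for user, finding in audit(stanzas, NOW, 13):
        print(f"FINDING {user}: {finding}")
```

Running the block as a script lists each sample user with its password state and last-change time, then the findings: guest has an empty password field, tom has a pending ADMCHG change and an expired password, and smith is exempt from restrictions via NOCHECK and is also past maxage. The parser deliberately keeps unknown attributes so it can be pointed at other stanza files that share the format, such as /etc/security/user.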
When the passwd or pwdadm command updates a password, the command writes new values for the password and lastupdate attributes and, when it is used to change another user's password, adds the ADMCHG value to the flags attribute so that the user must choose a new password at the next login.
Access to this file should be through the system commands and subroutines defined for this purpose. Other accesses may not be supported in future releases. Users can update their own passwords with the passwd command, administrators can set passwords and password flags with the pwdadm command, and the root user is able to use the passwd command to set the passwords of other users.
Refer to the "Files" section for information on where attributes and other information on users and groups are stored.
Although each user name must be in the /etc/passwd file, it is not necessary to have each user name listed in the /etc/security/passwd file. If the authentication attributes auth1 and auth2 in the /etc/security/user file are defined accordingly, a user may authenticate with the password entry of another user. For example, the authentication attributes for user tom can allow that user to use the entry in the /etc/security/passwd file for user carol for authentication; tom's access then depends on carol's password, so auth1 and auth2 settings that name another user deserve the same review as the password entries themselves.
Access Control: This file should grant read (r) and write (w) access only to the root user. On a correctly installed system, ls -l /etc/security/passwd shows mode -rw------- with owner root and group security; any wider permission exposes the password hashes to offline guessing.
Auditing Events:
Event | Information |
---|---|
S_PASSWD_READ | file name |
S_PASSWD_WRITE | file name |
The following line indicates that only the root user can change the password information for the specified user, and that no password restrictions apply when doing so:

```
flags = ADMIN,NOCHECK
```

An example of this line in a typical stanza for user smith follows:

```
smith:
	password = MGURSj.F056Dj
	lastupdate = 623078865
	flags = ADMIN,NOCHECK
```

The password line shows the stored password hash. A 13-character value of this form is a traditional crypt(3) DES hash, which uses at most the first 8 characters of the password and is cheap to brute-force offline; newer AIX releases can store stronger hashes, selected with the pwd_algorithm attribute in /etc/security/login.cfg, and those values carry an algorithm prefix such as {ssha256}. The lastupdate line shows the number of seconds since the epoch at which the password was last changed. The flags line shows two flags: the ADMIN flag indicates that only the root user can change this password information, and the NOCHECK flag indicates that the root user has no restrictions on updating a password for the specified user.
Files:
Item | Description |
---|---|
/etc/security/passwd | Specifies the path to the file. |
/etc/passwd | Contains basic user attributes. |
/etc/security/user | Contains the extended attributes of users. |
/etc/security/login.cfg | Contains configuration information for login and user authentication. |