FreeBSD 7.0 manual page repository

FreeBSD is a free computer operating system based on BSD UNIX originally. Many IT companies, like DeployIS is using it to provide an up-to-date, stable operating system.

passwd, master.passwd - format of the password file

 

NAME

      passwd, master.passwd - format of the password file
 

DESCRIPTION

      The passwd files are the local source of password information.  They can
      be used in conjunction with the Hesiod domains ‘passwd’ and ‘uid’, and
      the NIS maps ‘passwd.byname’, ‘passwd.byuid’, ‘master.passwd.byname’, and
      ‘master.passwd.byuid’, as controlled by nsswitch.conf(5).
 
      For consistency, none of these files should ever be modified manually.
 
      The master.passwd file is readable only by root, and consists of newline
      separated records, one per user, containing ten colon (‘:’) separated
      fields.  These fields are as follows:
 
            name      User’s login name.
 
            password  User’s encrypted password.
 
            uid       User’s id.
 
            gid       User’s login group id.
 
            class     User’s login class.
 
            change    Password change time.
 
            expire    Account expiration time.
 
            gecos     General information about the user.
 
            home_dir  User’s home directory.
 
            shell     User’s login shell.
 
      The passwd file is generated from the master.passwd file by pwd_mkdb(8),
      has the class, change, and expire fields removed, and the password field
      replaced by a ‘*’ character.
 
      The name field is the login used to access the computer account, and the
      uid field is the number associated with it.  They should both be unique
      across the system (and often across a group of systems) since they con‐
      trol file access.
 
      While it is possible to have multiple entries with identical login names
      and/or identical user id’s, it is usually a mistake to do so.  Routines
      that manipulate these files will often return only one of the multiple
      entries, and that one by random selection.
 
      The login name must never begin with a hyphen (‘-’); also, it is strongly
      suggested that neither upper-case characters or dots (‘.’) be part of the
      name, as this tends to confuse mailers.  No field may contain a colon
      (‘:’) as this has been used historically to separate the fields in the
      user database.
 
      In the master.passwd file, the password field is the encrypted form of
      the password, see crypt(3).  If the password field is empty, no password
      will be required to gain access to the machine.  This is almost invari‐
      ably a mistake, so authentication components such as PAM can forcibly
      disallow remote access to passwordless accounts.  Because this file con‐
      tains the encrypted user passwords, it should not be readable by anyone
      without appropriate privileges.
 
      A password of ‘*’ indicates that password authentication is disabled for
      that account (logins through other forms of authentication, e.g., using
      ssh(1) keys, will still work).  The field only contains encrypted pass‐
      words, and ‘*’ can never be the result of encrypting a password.
 
      An encrypted password prefixed by ‘*LOCKED*’ means that the account is
      temporarily locked out and no one can log into it using any authentica‐
      tion.  For a convenient command-line interface to account locking, see
      pw(8).
 
      The group field is the group that the user will be placed in upon login.
      Since this system supports multiple groups (see groups(1)) this field
      currently has little special meaning.
 
      The class field is a key for a user’s login class.  Login classes are
      defined in login.conf(5), which is a termcap(5) style database of user
      attributes, accounting, resource, and environment settings.
 
      The change field is the number of seconds from the epoch, UTC, until the
      password for the account must be changed.  This field may be left empty
      to turn off the password aging feature.
 
      The expire field is the number of seconds from the epoch, UTC, until the
      account expires.  This field may be left empty to turn off the account
      aging feature.
 
      The gecos field normally contains comma (‘,’) separated subfields as fol‐
      lows:
 
            name    user’s full name
            office  user’s office number
            wphone  user’s work phone number
            hphone  user’s home phone number
 
      The full name may contain a ampersand (‘&’) which will be replaced by the
      capitalized login name when the gecos field is displayed or used by vari‐
      ous programs such as finger(1), sendmail(8), etc.
 
      The office and phone number subfields are used by the finger(1) program,
      and possibly other applications.
 
      The user’s home directory, home_dir, is the full UNIX path name where the
      user will be placed on login.
 
      The shell field is the command interpreter the user prefers.  If there is
      nothing in the shell field, the Bourne shell (/bin/sh) is assumed.  The
      conventional way to disable logging into an account once and for all, as
      it is done for system accounts, is to set its shell to nologin(8).
      If ‘dns’ is specified for the ‘passwd’ database in nsswitch.conf(5), then
      passwd lookups occur from the ‘passwd’ Hesiod domain.
      If ‘nis’ is specified for the ‘passwd’ database in nsswitch.conf(5), then
      passwd lookups occur from the ‘passwd.byname’, ‘passwd.byuid’,
      ‘master.passwd.byname’, and ‘master.passwd.byuid’ NIS maps.
      If ‘compat’ is specified for the ‘passwd’ database, and either ‘dns’ or
      ‘nis’ is specified for the ‘passwd_compat’ database in nsswitch.conf(5),
      then the passwd file also supports standard ‘+/-’ exclusions and inclu‐
      sions, based on user names and netgroups.
 
      Lines beginning with a ‘-’ (minus sign) are entries marked as being
      excluded from any following inclusions, which are marked with a ‘+’ (plus
      sign).
 
      If the second character of the line is a ‘@’ (at sign), the operation
      involves the user fields of all entries in the netgroup specified by the
      remaining characters of the name field.  Otherwise, the remainder of the
      name field is assumed to be a specific user name.
 
      The ‘+’ token may also be alone in the name field, which causes all users
      from either the Hesiod domain passwd (with ‘passwd_compat: dns’) or
      ‘passwd.byname’ and ‘passwd.byuid’ NIS maps (with ‘passwd_compat: nis’)
      to be included.
 
      If the entry contains non-empty uid or gid fields, the specified numbers
      will override the information retrieved from the Hesiod domain or the NIS
      maps.  As well, if the gecos, dir or shell entries contain text, it will
      override the information included via Hesiod or NIS.  On some systems,
      the passwd field may also be overridden.
 

FILES

      /etc/passwd         ASCII password file, with passwords removed
      /etc/pwd.db         db(3)-format password database, with passwords
                          removed
      /etc/master.passwd  ASCII password file, with passwords intact
      /etc/spwd.db        db(3)-format password database, with passwords intact
 

COMPATIBILITY

      The password file format has changed since 4.3BSD.  The following awk
      script can be used to convert your old-style password file into a new
      style password file.  The additional fields class, change and expire are
      added, but are turned off by default.  Class is currently not imple‐
      mented, but change and expire are; to set them, use the current day in
      seconds from the epoch + whatever number of seconds of offset you want.
 
            BEGIN { FS = ":"}
            { print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
      chpass(1), login(1), passwd(1), crypt(3), getpwent(3), login.conf(5),
      netgroup(5), nsswitch.conf(5), adduser(8), nologin(8), pw(8),
      pwd_mkdb(8), vipw(8), yp(8)
 
      Managing NFS and NIS (O’Reilly & Associates)
 

HISTORY

      A passwd file format appeared in Version 6 AT&T UNIX.
 
      The NIS passwd file format first appeared in SunOS.
 
      The Hesiod support first appeared in FreeBSD 4.1.  It was imported from
      the NetBSD Project, where it first appeared in NetBSD 1.4.
 

BUGS

      User information should (and eventually will) be stored elsewhere.
 
      Placing ‘compat’ exclusions in the file after any inclusions will have
      unexpected results.
 

Sections

Based on BSD UNIX
FreeBSD is an advanced operating system for x86 compatible (including Pentium and Athlon), amd64 compatible (including Opteron, Athlon64, and EM64T), UltraSPARC, IA-64, PC-98 and ARM architectures. It is derived from BSD, the version of UNIX developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals. Additional platforms are in various stages of development.