Administrator's Guide

robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh
The fields contain the following information (listed in order), separated by colons:
1. User (login) name, consisting of up to 8 characters. (In the example, robin)
2. Unused password field, held by an asterisk instead of an actual password. (*)
3. User ID, an integer ranging from 0 to MAXINT-1, equal to 2,147,483,646 or 2^31-2. (102)
4. Group ID, from /etc/group, an integer ranging from 0 to MAXINT-1. (99)
5. Comment field, used to identify such information as the user's full name, location,
and phone numbers. For historic reasons, this is also called the gecos field.
(Robin Hood,Rm 3,x9876,408-555-1234)
6. Home directory, the user's initial login directory. (/home/robin)
7. Login program path name, executed when the user logs in. (/usr/bin/sh)
The user can change the comment field (fifth field) with the chfn command and the login
program path name (seventh field) with the chsh command. The system administrator
sets the remaining fields. The user ID should be unique. For more information, see chfn(1),
chsh(1), passwd(1), and passwd(4). The user can change the password in the protected
password database with passwd.
A.3.1.2 The /tcb/files/auth/ Database
When a system is converted to a trusted system, the encrypted password, normally held
in the second field of /etc/passwd, is moved to the protected password database,
and an asterisk holds its place in the /etc/passwd file.
Protected password database files are stored in the /tcb/files/auth/ hierarchy.
User authentication profiles are stored in these directories based on the first letter of the
user account name. For example, the authentication profile for user david is stored in
the file /tcb/files/auth/d/david.
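As an added example (not code from this guide or from HP-UX), the following Python script parses /etc/passwd entries into the seven fields listed in A.3.1.1, applies the checks an administrator would want after a system is converted to a trusted system (an asterisk in the password field, login names of at most 8 characters, IDs in the 0 to MAXINT-1 range, unique user IDs), and derives the protected-password-database path from the first letter of the login name as described above. The sample entries are constructed, and the function names and finding messages are the example's own.

```python
"""Check /etc/passwd entries against the field rules of an HP-UX trusted system.

Added example, not part of the original guide. Sample entries are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

MAX_LOGIN_LEN = 8             # login name: up to 8 characters
MAX_ID = 2**31 - 2            # MAXINT-1 as stated in the guide (inclusive)
TCB_AUTH_ROOT = "/tcb/files/auth"   # protected password database hierarchy


@dataclass
class PasswdEntry:
    name: str
    password: str   # "*" on a trusted system; the hash lives under /tcb
    uid: int
    gid: int
    gecos: str      # comment field: full name, location, phone numbers
    home: str
    shell: str      # login program path name


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one colon-separated /etc/passwd line into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(
            f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    # int() raises ValueError on a non-numeric ID; check_entries reports it.
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def protected_db_path(name: str) -> str:
    """Authentication profile path: /tcb/files/auth/<first letter>/<name>."""
    return f"{TCB_AUTH_ROOT}/{name[0]}/{name}"


def check_entries(lines: List[str]) -> List[str]:
    """Return findings for entries that break the trusted-system field rules.

    An empty list means every entry is consistent.
    """
    findings: List[str] = []
    seen_uids: Dict[int, str] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        try:
            e = parse_passwd_line(line)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if not 1 <= len(e.name) <= MAX_LOGIN_LEN:
            findings.append(
                f"{e.name}: login name must be 1..{MAX_LOGIN_LEN} characters")
        if e.password != "*":
            # After conversion the hash is moved to the protected password
            # database; anything but "*" here means the conversion did not
            # complete or the file was edited by hand.
            findings.append(
                f"{e.name}: password field should be '*', found {e.password!r}")
        for label, value in (("uid", e.uid), ("gid", e.gid)):
            if not 0 <= value <= MAX_ID:
                findings.append(f"{e.name}: {label} {value} outside 0..{MAX_ID}")
        if e.uid in seen_uids:
            findings.append(
                f"{e.name}: uid {e.uid} already used by {seen_uids[e.uid]}")
        else:
            seen_uids[e.uid] = e.name
    return findings


# Constructed sample; the robin line is the guide's own example entry.
SAMPLE_PASSWD = [
    "root:*:0:3:,,,:/:/sbin/sh",
    "robin:*:102:99:Robin Hood,Rm 3,x9876,408-555-1234:/home/robin:/usr/bin/sh",
    "marian:*:102:99:Maid Marian:/home/marian:/usr/bin/sh",            # duplicate uid
    "littlejohn:*:103:99:Little John:/home/littlejohn:/usr/bin/sh",    # 10-char name
    "will:x7abc:104:99:Will Scarlet:/home/will:/usr/bin/sh",           # hash not moved
]

if __name__ == "__main__":
    for finding in check_entries(SAMPLE_PASSWD):
        print(finding)
    print(protected_db_path("david"))
```

Run it against a copy of /etc/passwd (for example, `check_entries(open("/etc/passwd").readlines())`) after converting a system; any non-asterisk password field it reports is a hash that never made it into the protected password database and is therefore still world-readable.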
On trusted systems, key security elements are held in the protected password database,
accessible only to superusers. Use HP SMH to set password data entries. Password data
that is not set for a user will default to the system defaults stored in the file
/tcb/files/auth/system/default.
The protected password database contains many authentication entries for the user. See
prpwd(4) for more information on these entries, which include the following:
User name and user ID
Encrypted password
Account owner
Boot authentication to allow specified users to boot the system; see security(4).
Audit ID and audit flag for the user (whether audit is on or not)
Minimum time between password changes
Password maximum length
Password expiration time, after which the password must be changed
Password lifetime, after which the account is locked
194 Trusted Systems