Solaris man manual
User Commands                                        nispasswd(1)

NAME
     nispasswd - change NIS+ password information

SYNOPSIS
     nispasswd [-ghs] [-D domainname] [username]

     nispasswd -a

     nispasswd [-D domainname] [ -d [username]]

     nispasswd [-l] [-f] [-n min] [-x max] [-w warn]
     [-D domainname] username

DESCRIPTION
     The nispasswd utility changes a password, gecos (finger) field
     (-g option), home directory (-h option), or login shell (-s
     option) associated with the username (invoker by default) in
     the NIS+ passwd table.

     Additionally, the command can be used to view or modify aging
     information associated with the user specified if the invoker
     has the right NIS+ privileges.

     nispasswd uses secure RPC to communicate with the NIS+ server,
     and therefore, never sends unencrypted passwords over the
     communication medium.

     nispasswd does not read or modify the local password
     information stored in the /etc/passwd and /etc/shadow files.

     When used to change a password, nispasswd prompts
     non-privileged users for their old password. It then prompts
     for the new password twice to forestall typing mistakes. When
     the old password is entered, nispasswd checks to see if it has
     "aged" sufficiently. If "aging" is insufficient, nispasswd
     terminates; see getspnam(3C).

     The old password is used to decrypt the username's secret key.
     If the password does not decrypt the secret key, nispasswd
     prompts for the old secure-RPC password. It uses this password
     to decrypt the secret key. If this fails, it gives the user
     one more chance. The old password is also used to ensure that
     the new password differs from the old by at least three
     characters. Assuming aging is sufficient, a check is made to
     ensure that the new password meets construction requirements
     described below. When the new password is entered a second
     time, the two copies of the new password are compared. If the
     two copies are not identical, the cycle of prompting for the
     new password is repeated twice. The new password is used to
     re-encrypt the user's secret key. Hence, it also becomes their
     secure-RPC password. Therefore, the secure-RPC password is no
     longer a different password from the user's password.

     Passwords must be constructed to meet the following
     requirements:

       o  Each password must have at least six characters. Only
          the first eight characters are significant.

       o  Each password must contain at least two alphabetic
          characters and at least one numeric or special
          character. In this case, "alphabetic" refers to all
          upper or lower case letters.

       o  Each password must differ from the user's login username
          and any reverse or circular shift of that login
          username. For comparison purposes, an upper case letter
          and its corresponding lower case letter are equivalent.

       o  New passwords must differ from the old by at least three
          characters. For comparison purposes, an upper case
          letter and its corresponding lower case letter are
          equivalent.
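
     The four construction rules above, written out as a checker.
     This is an added example, not code from nispasswd or Solaris.
     Assumptions: "differ by at least three characters" is counted
     as case-insensitive positional mismatches plus the length
     difference over the first eight (significant) characters;
     letters are ASCII; the function names and rule labels are
     hypothetical.

```python
SIGNIFICANT = 8  # the page: only the first eight characters are significant


def is_alpha(c):
    # "alphabetic" = upper or lower case letters (ASCII assumed here)
    return c.isascii() and c.isalpha()


def rotations(s):
    # every circular shift of s, including s itself
    return {s[i:] + s[:i] for i in range(len(s))}


def distance(old, new):
    # Assumed metric: case-insensitive positional mismatches plus the
    # length difference, counted over the significant prefix only.
    a, b = old[:SIGNIFICANT].lower(), new[:SIGNIFICANT].lower()
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def check_password(username, old, new):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(new) < 6:
        problems.append("length")
    alpha = sum(is_alpha(c) for c in new)
    if alpha < 2 or len(new) - alpha < 1:
        problems.append("classes")
    name, cand = username.lower(), new.lower()
    if cand == name[::-1] or cand in rotations(name):
        problems.append("username")
    if distance(old, new) < 3:
        problems.append("too-similar")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for new in ("Spring#42", "htimsj", "mithjs", "Winter#0789xyz"):
        print(new, check_password("jsmith", "Winter#07", new))
```

     The last sample shows the effect of the eight-character limit:
     a new password that changes only characters after the eighth
     is treated as unchanged.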


     Network administrators, who own the NIS+ password table, may
     change any password attributes if they establish their
     credentials (see keylogin(1)) before invoking nispasswd.
     Hence, nispasswd does not prompt these privileged-users for
     the old password and they are not forced to comply with
     password aging and password construction requirements.

     Any user may use the -d option to display password attributes
     for his or her own login name. The format of the display will
     be:

     username status mm/dd/yy min max warn

     or, if password aging information is not present,

     username status

     where

     username        The login ID of the user.

     status          The password status of username: "PS" stands
                     for password exists or locked, "LK" stands
                     for locked, and "NP" stands for no password.

     mm/dd/yy        The date password was last changed for
                     username. (Note that all password aging dates
                     are determined using Greenwich Mean Time
                     (Universal Time) and, therefore, may differ
                     by as much as a day in other time zones.)

     min             The minimum number of days required between
                     password changes for username.

     max             The maximum number of days the password is
                     valid for username.

     warn            The number of days relative to max before
                     the password expires that the username will
                     be warned.
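
     A parser for the display format above, used to review saved
     -a or -d output for accounts without a password, without
     aging information, or with min greater than max. This is an
     added example, not part of nispasswd; the sample lines are
     constructed, and the function names and finding labels are
     hypothetical. It assumes a six-field line carries non-negative
     day counts.

```python
from datetime import datetime, timedelta

# Constructed sample in the display format described above.
SAMPLE = """\
alice PS 03/15/04 7 90 7
bob NP
carol LK 01/02/04 30 14 7
"""


def parse_line(line):
    """Parse 'username status [mm/dd/yy min max warn]' into a dict."""
    f = line.split()
    if len(f) not in (2, 6):
        raise ValueError("unexpected field count: %r" % line)
    rec = {"user": f[0], "status": f[1], "aging": None}
    if len(f) == 6:
        changed = datetime.strptime(f[2], "%m/%d/%y").date()  # GMT date
        lo, hi, warn = (int(x) for x in f[3:])
        rec["aging"] = {"changed": changed, "min": lo, "max": hi, "warn": warn}
    return rec


def expiry(rec):
    """Return (warn_start, expires) dates, or None without aging data."""
    a = rec["aging"]
    if a is None:
        return None
    expires = a["changed"] + timedelta(days=a["max"])
    return expires - timedelta(days=a["warn"]), expires


def findings(rec):
    out = []
    if rec["status"] == "NP":
        out.append("no-password")
    if rec["aging"] is None:
        out.append("no-aging")
    elif rec["aging"]["min"] > rec["aging"]["max"]:
        out.append("min>max")  # per -n: the user may not change the password
    return out


def audit(text):
    recs = (parse_line(l) for l in text.splitlines() if l.strip())
    return {r["user"]: findings(r) for r in recs}
```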



     The use of nispasswd is strongly discouraged. It is a wrapper
     around the passwd(1) command.

     Using passwd(1) with the -r nisplus option will achieve the
     same result and will be consistent across all the different
     name services available. This is the recommended way to
     change the password in NIS+.

     The login program, file access display programs (for example,
     ls -l), and network programs that require user passwords, for
     example, rlogin(1), ftp(1), and so on, use the standard
     getpwnam(3C) and getspnam(3C) interfaces to get password
     information. These programs will get the NIS+ password
     information, which is modified by nispasswd, only if the
     passwd: entry in the /etc/nsswitch.conf file includes
     nisplus. See nsswitch.conf(4) for more details.

OPTIONS
     The following options are supported:

     -a              Shows the password attributes for all
                     entries. This will show only the entries in
                     the NIS+ passwd table in the local domain
                     that the invoker is authorized to "read".

     -d [username]   Displays password attributes for the caller
                     or the user specified if the invoker has the
                     right privileges.

     -D domainname   Consults the passwd.org_dir table in
                     domainname. If this option is not specified,
                     the default domainname returned by
                     nis_local_directory() will be used. This
                     domainname is the same as that returned by
                     domainname(1M).

     -f              Forces the user to change password at the
                     next login by expiring the password for
                     username.

     -g              Changes the gecos (finger) information.

     -h              Changes the home directory.

     -l              Locks the password entry for username.
                     Subsequently, login(1) would disallow logins
                     with this NIS+ password entry.

     -n min          Sets minimum field for username. The min
                     field contains the minimum number of days
                     between password changes for username. If
                     min is greater than max, the user may not
                     change the password. Always use this option
                     with the -x option, unless max is set to -1
                     (aging turned off). In that case, min need
                     not be set.

     -s              Changes the login shell. By default, only
                     the NIS+ administrator can change the login
                     shell. The user will be prompted for the new
                     login shell.

     -w warn         Sets warn field for username. The warn field
                     contains the number of days before the
                     password expires that the user will be warned
                     whenever he or she attempts to login.

     -x max          Sets maximum field for username. The max
                     field contains the number of days that the
                     password is valid for username. The aging
                     for username will be turned off immediately
                     if max is set to -1. If it is set to 0,
                     then the user is forced to change the
                     password at the next login session and aging
                     is turned off.



EXIT STATUS
     The following exit values are returned:

     0        Success.

     1        Permission denied.

     2        Invalid combination of options.

     3        Unexpected failure. NIS+ passwd table unchanged.

     4        NIS+ passwd table missing.

     5        NIS+ is busy. Try again later.

     6        Invalid argument to option.

     7        Aging is disabled.

     8        No memory.

     9        System error.

     10       Account expired.



ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWnisu                    |
    |_____________________________|_____________________________|


SEE ALSO
     keylogin(1),  login(1),  nis+(1),  nistbladm(1),  passwd(1),
     rlogin(1),   domainname(1M),   nisserver(1M),  getpwnam(3C),
     getspnam(3C),  nis_local_directory(3NSL),  nsswitch.conf(4),
     passwd(4), shadow(4), attributes(5)

NOTES
     NIS+ might not be supported in future releases of the
     Solaris(TM) Operating Environment. Tools to aid the migration
     from NIS+ to LDAP are available in the Solaris 9 operating
     environment. For more information, visit
     http://www.sun.com/directory/nisplus/transition.html.