passwd
In the [passwd] section, the tokens define password replacement and other user-related services.
- AllowedGidRange: Specifies the range of GIDs that the user can add, update, and delete. Values outside this range represent reserved GIDs that PAM Server Control cannot update. If only one integer is specified, all integers between the specified integer and the default upper limit (30000) are reserved GIDs. If you specify a number that is higher than the upper limit, the default upper limit is applied. If you specify a negative number that is less than the lower limit, the default lower limit (100) is applied. The applied lower limit for any number is +1 of the specified lower limit. The applied higher limit for any number is -1 of the specified higher limit. For example, if AllowedUidRange = 100, 3000, then 101 is treated as the lower limit and 2999 is treated as the higher limit. Limits: -1 to 2147483647. Default: 100,30000
- AllowedUidRange: Specifies the range of UIDs that the user can add, update, and delete. Values outside this range represent reserved UIDs that PAM Server Control cannot update. If only one integer is specified, all integers between the specified integer and the default upper limit (30000) are reserved UIDs. If you specify a number that is higher than the upper limit, the default upper limit is applied. If you specify a negative number that is less than the lower limit, the default lower limit (100) is applied. The applied lower limit for any number is +1 of the specified lower limit. The applied higher limit for any number is -1 of the specified higher limit. For example, if AllowedUidRange = 100, 3000, then 101 is treated as the lower limit and 2999 is treated as the higher limit. Limits: -1 to 2147483647. Default: 100,30000
- AllowRootProp: Specifies whether root password changes made using sepass -p or sepass -s are sent to the Policy Model. The PMD then propagates the password to its subscribers. Valid values are yes and no. Default: no
- change_pam: Specifies whether the local host uses PAM for password authentication and for password changes in the LDAP database. Default: no
- Check_Adm_Rules: Specifies whether to enforce password rules for ADMIN and PWMANAGER users. Default: no
- Check_All_User_Rules: Specifies whether selang checks the Password Rules for all users. Valid values are yes and no. If this token is set to yes, selang checks the Password Rules for all users. If this token is set to no, selang checks the Password Rules only for the user who changes the password. Default: no. This token is supported only when using the API.
- CreateHashedPasswdDatabase (DEC UNIX only): Specifies whether an exit script runs after each PAM Server Control command that creates, updates, or removes a user record, or after each user password change made with the sepass utility. For more usage instructions, see the README file in the ACInstallDir/samples/exits-src/USER_POST directory. Default: no
- DefaultHome: Specifies the default home directory of the system. The home directory of the user is a subdirectory of the specified system home directory. For example, if the system home directory is /home, the new home directory of the user is /home/username. If specified, the value for this token overrides the value in the client lang.ini file. If you specify nohomedir, a home directory is not set automatically. Default: /home
- DefaultPasswdCmd: Specifies the default password program. If specified, this password program is used when sepass is started and seosd is not running. Default: /bin/passwd
- DefaultPgroup: Specifies the primary group that PAM Server Control assigns to a new UNIX user if no value is entered. Default: other
- DefaultShell: Specifies the default shell that PAM Server Control assigns to a new UNIX user if no value is entered. If specified, the value for this token overrides the value in the client lang.ini file. Default: /bin/sh (or /sbin/sh on HP-UX)
- Dictionary: Defines the full pathname of the file containing the words that cannot be used as passwords. To use this file, you must set the dictionary format password rule (use_dbdict) to file and set the UseDict token to yes. If the dictionary format is set to db, passwords that cannot be used are taken from the PAM Server Control database and this setting is ignored. This value is the default on UNIX. This token is obsolete; use the dictionary in the database instead. Default: /usr/dict/words
- GeneratePasswd: Specifies whether sepass generates a new password by itself. Valid values are yes and no. Default: no (the user is asked to enter a new password)
- HomeDirUpd: Specifies whether PAM Server Control updates the group ownership of the home directory of the user when the primary group of the user changes. Valid values are yes and no. Default: yes
- nis_env: Specifies whether the local host is an NIS or NIS+ client. Valid values are no, nis, or nisplus. Default: no
- NisPlus_server: Specifies whether this station is an NIS+ server. Valid values are yes and no. If the token value is yes, PAM Server Control treats password replacements as NIS+ password replacements. Default: no
- only_local: Determines whether the default setting for sepass includes the -l flag. Valid values are yes and no. If this token is set to yes, sepass replaces the password only in the local files, for example the local password file (usually /etc/passwd), the security files, and the local database. Default: no
- only_pmdb: Specifies whether the default setting for sepass includes the -p flag. If the token value is yes, sepass changes the password only on the PMDB at the specified host. If no such database is defined, sepass does nothing. Default: no
- passwd_distribution_encryption_mode: Specifies which method is used to encrypt user passwords when passwords are distributed as part of the Policy Model service. Valid values are:
  - 1: Compatibility mode, to distribute passwords between PAM Server Control systems that do not use long passwords (this includes all machines running pre-r12.0 versions of PAM Server Control).
  - 2: MD5 mode, to distribute passwords between PAM Server Control systems that use long passwords and are also running Linux.
  - 3: Bidirectional mode, to distribute passwords securely, as clear text within encrypted messages, between any PAM Server Control systems that use long passwords.
  Default: 1
- passwd_format: Indicates whether the password changes are propagated to an NT host. Setting this token to NT means that one of the hosts you are administering is an NT host. Default: none
- passwd_local_encryption_method: Specifies which method is used to encrypt user passwords when storing these passwords locally. Valid values are:
  - crypt: The standard one-way UNIX encryption that uses only the first eight characters of the password (as a DES key). Specifying crypt disables the use of long passwords.
  - md5: MD5 hash function that can encrypt passwords of indefinite length. Specifying md5 enables the use of long passwords.
  Default: crypt
- PromptOldPassword: Specifies whether to prompt local users for their old password when sepass is invoked through /opt/CA/PAMSC/bin/segrace (you must use the full path). Default: yes (users are prompted for their old passwords)
- quiet_mode: Specifies whether sepass displays a copyright notice and a message about propagating passwords to Policy Models. Default: no
- RootPwAsOwn: Specifies whether sepass lets a privileged user change the root password as if changed by root (using the -x option). Valid values are:
  - yes: Privileged users can use sepass to change the root password as if changed by root. They cannot change the root password as themselves (administrative change).
  - no: Privileged users can use sepass to change the root password only as themselves (administrative change).
  For example, if this token is set to yes, a privileged user can change the root password with the command sepass -x root, but the same user cannot change it with the command sepass root. If this token is set to no, the opposite is true. Default: no
- SaveGroupAttrs: Specifies whether the previous group file owner, group, and mode are preserved after an update of a group in the UNIX environment. Valid values are yes and no. Default: no (new values are set to 0, 0, 644 respectively)
- SavePasswdAttrs: Specifies whether the previous password file owner, group, and mode are preserved after an update of a user in the UNIX environment. Valid values are yes and no. Default: no (new values are set to 0, 0, 644 respectively)
- Shadow_Admin_Change (AIX platforms only): Specifies whether the ADMCHG flag is added to the user entry in the /etc/security/passwd file when an administrator changes the password from selang or using sepass. Default: no
- UIDAlgorithm: Specifies which free UID algorithm to employ when adding new users. Setting it to any value other than new selects the older process. The new algorithm provides for UID numbers over 4 KB and is faster. Default: new
- UseDict: Specifies whether to use the dictionary file (set with the Dictionary token) when verifying a password. To use the dictionary file, you must also set the dictionary format password rule (use_dbdict) to file. If the dictionary format is set to db, passwords that cannot be used are taken from the PAM Server Control database and this setting is ignored. Default: no
- YpGrpCmd: Specifies the command to use for generating the NIS group map. Default: make group
- YpMakeDir: Specifies the name of the makefile directory to use when creating NIS maps. Default: /var/yp
- YpPassCmd: Specifies the command to use for generating the NIS password map. Default: make passwd
- YpServerGroup: Specifies the group file from which the NIS group map is made. Default: /etc/group
- YpServerPasswd: Specifies the password file from which the NIS password map is made. Default: /etc/passwd
- YpServerSecure: Specifies the name of the security file containing passwords that is used for building the NIS password map. Default: varies by platform:
  - IBM AIX: /etc/security/passwd
  - HP-UX: /.secure/etc/passwd
  - Sun Solaris: /etc/shadow
- YpTimeOut: Specifies the time, in seconds, that a new client (selang, Security Administrator, and so forth) can run the ypbind test. The ypbind test determines whether the local host is connected to an NIS server. At expiration, the client exits and an error message appears. The default value of zero (0) means that no ypbind test is conducted. Default: 0
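The AllowedUidRange/AllowedGidRange rules and the two encryption tokens (passwd_local_encryption_method and passwd_distribution_encryption_mode) are the parts of this section most worth checking mechanically when reviewing a seos.ini. The script below is an added example, not code from the product or its documentation: it resolves the effective ID range exactly as the token descriptions state it (applied lower limit +1, applied upper limit -1, fallbacks to 100 and 30000) and reports the settings the descriptions mark as weaker (crypt hashing limited to eight characters, compatibility-mode distribution). The INI layout, the sample fragment, and the reading of a single integer as "that value up to the default upper limit" are assumptions made for the example.

```python
"""Audit the [passwd] section of a PAM Server Control seos.ini.

Added example, not part of the product or its documentation. The INI
syntax (a [passwd] header followed by "token = value" lines) and the
sample below are constructed for this example.
"""
import configparser
from typing import Dict, List, Tuple

DEFAULT_LOWER = 100     # documented default lower limit
DEFAULT_UPPER = 30000   # documented default upper limit


def effective_id_range(value: str) -> Tuple[int, int]:
    """Resolve an AllowedUidRange/AllowedGidRange value to the IDs that
    are actually manageable, following the documented rules:
    a value above the upper limit falls back to 30000, a negative value
    falls back to 100, and the applied range is lower+1 .. upper-1.
    A single integer is read here (assumption) as lower .. default upper."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"expected 'lower[, upper]', got {value!r}")
    lower = int(parts[0])
    upper = int(parts[1]) if len(parts) == 2 else DEFAULT_UPPER
    if lower < 0:                 # "negative number ... default lower limit"
        lower = DEFAULT_LOWER
    if upper > DEFAULT_UPPER:     # "higher than the upper limit"
        upper = DEFAULT_UPPER
    applied_lower, applied_upper = lower + 1, upper - 1
    if applied_lower > applied_upper:
        raise ValueError(f"range {value!r} leaves no usable IDs")
    return applied_lower, applied_upper


def audit_passwd_section(ini_text: str) -> Dict[str, object]:
    """Return the effective UID/GID ranges plus findings for weak settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    sec = cp["passwd"] if cp.has_section("passwd") else {}
    findings: List[str] = []

    # Local hashing: crypt derives a DES key from the first eight characters
    # only, so anything typed after them is ignored and long passwords are off.
    method = sec.get("passwd_local_encryption_method", "crypt").strip().lower()
    if method == "crypt":
        findings.append(
            "passwd_local_encryption_method=crypt: only the first eight "
            "characters of a password are used; md5 enables long passwords")

    # Distribution mode 1 is the pre-r12.0 compatibility format for hosts
    # without long-password support.
    mode = sec.get("passwd_distribution_encryption_mode", "1").strip()
    if mode == "1":
        findings.append(
            "passwd_distribution_encryption_mode=1: compatibility mode; "
            "use mode 2 or 3 once every Policy Model subscriber supports "
            "long passwords")

    return {
        "uid_range": effective_id_range(sec.get("AllowedUidRange", "100,30000")),
        "gid_range": effective_id_range(sec.get("AllowedGidRange", "100,30000")),
        "findings": findings,
    }


# Constructed sample fragment, not a real deployment file.
SAMPLE_INI = """
[passwd]
AllowedUidRange = 100, 3000
AllowedGidRange = 500
passwd_local_encryption_method = crypt
passwd_distribution_encryption_mode = 1
"""

if __name__ == "__main__":
    report = audit_passwd_section(SAMPLE_INI)
    print("manageable UIDs:", report["uid_range"])   # (101, 2999)
    print("manageable GIDs:", report["gid_range"])   # (501, 29999)
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it against a copy of the real seos.ini by replacing SAMPLE_INI with the file's contents; an empty findings list together with the expected ranges is the state to aim for before rolling the file out through the Policy Model.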