passwd

In the [passwd] section, the tokens define password replacement and other user-related services.
  • AllowedGidRange
    Specifies the range of GIDs that the user can add, update, and delete. Values outside this range represent reserved GIDs that Privileged Access Manager cannot update.
    If only one integer is specified, all integers between the specified integer and the default upper limit (30000) are reserved GIDs. If you specify a number that is higher than the upper limit, the default upper limit is applied. If you specify a negative number that is less than the lower limit, the default lower limit (100) is applied. The applied lower limit for any number is +1 of the specified lower limit. The applied higher limit for any number is -1 of the specified higher limit. For example, if AllowedGidRange = 100, 3000, then 101 is treated as the lower limit and 2999 is treated as the higher limit.
    Limits: -1 to 2147483647
    Default: 100,30000
  • AllowedUidRange
    Specifies the range of UIDs that the user can add, update, and delete. Values outside this range represent reserved UIDs that Privileged Access Manager cannot update.
    If only one integer is specified, all integers between the specified integer and the default upper limit (30000) are reserved UIDs. If you specify a number that is higher than the upper limit, the default upper limit is applied. If you specify a negative number that is less than the lower limit, the default lower limit (100) is applied. The applied lower limit for any number is +1 of the specified lower limit. The applied higher limit for any number is -1 of the specified higher limit. For example, if AllowedUidRange = 100, 3000, then 101 is treated as the lower limit and 2999 is treated as the higher limit.
    Limits: -1 to 2147483647
    Default: 100,30000
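The applied-bound rules for AllowedGidRange and AllowedUidRange (endpoints excluded, defaults substituted for negative or out-of-limit values) are easy to get wrong when auditing which accounts and groups a Policy Model is allowed to touch. The following Python is an added example, not Privileged Access Manager code: it models the documented rules so an administrator can check a token value against existing IDs. The function names and the list of IDs are constructed; treating a single integer as the lower bound with the default upper limit, and treating a value above 2147483647 as falling back to the default upper limit, is my reading of the text above.

```python
"""Model of the AllowedGidRange / AllowedUidRange token semantics.

Added example, not Privileged Access Manager code.  It reproduces the
documented rules: default 100,30000; applied lower bound = specified
lower + 1; applied upper bound = specified upper - 1; a negative lower
bound falls back to the default lower limit; a value above the documented
limit falls back to the default upper limit.
"""

DEFAULT_LOWER = 100          # default lower limit from the token's Default
DEFAULT_UPPER = 30000        # default upper limit from the token's Default
MAX_LIMIT = 2147483647       # upper end of the documented Limits


def parse_id_range(value: str) -> tuple:
    """Return the (applied_lower, applied_upper) pair for a token value.

    The applied bounds exclude the specified endpoints, as the text states:
    "100, 3000" yields (101, 2999).
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts or len(parts) > 2:
        raise ValueError(f"expected 'lower' or 'lower, upper', got {value!r}")

    lower = int(parts[0])
    # Assumption (one reading of the text): a single integer is the lower
    # bound and the default upper limit applies.
    upper = int(parts[1]) if len(parts) == 2 else DEFAULT_UPPER

    # A negative lower bound falls back to the default lower limit.
    if lower < 0:
        lower = DEFAULT_LOWER
    # A number above the documented limit falls back to the default upper
    # limit (assumption: "higher than the upper limit" refers to 2147483647).
    if upper > MAX_LIMIT:
        upper = DEFAULT_UPPER
    if upper <= lower:
        raise ValueError(f"upper bound {upper} must exceed lower bound {lower}")

    # The applied limits are one step inside the specified endpoints.
    return lower + 1, upper - 1


def is_managed(id_value: int, value: str) -> bool:
    """True if the GID/UID lies inside the applied range (PAM may change it)."""
    low, high = parse_id_range(value)
    return low <= id_value <= high


def reserved_ids(ids, value: str) -> list:
    """From a list of existing IDs, return those the token leaves reserved."""
    return sorted(i for i in ids if not is_managed(i, value))


if __name__ == "__main__":
    # Constructed sample: IDs as they might appear in a group file.
    existing = [0, 1, 100, 101, 500, 2999, 3000, 65534]
    print(parse_id_range("100, 3000"))            # (101, 2999)
    print(reserved_ids(existing, "100, 3000"))    # [0, 1, 100, 3000, 65534]
```

Running the block against a group or password file's IDs shows at a glance which entries (system accounts such as GID 0, or high IDs such as 65534) a Policy Model subscriber can never rewrite, which is the property the token is meant to guarantee.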
  • AllowRootProp
    Specifies whether root password changes made using sepass -p or sepass -s are sent to the Policy Model. The PMD then propagates the password to its subscribers.
    Valid values are yes and no.
    Default: no
  • change_pam
    Specifies whether the local host uses PAM for password authentication and changes in the LDAP database.
    Default: no
  • Check_Adm_Rules
    Specifies whether to enforce password rules for ADMIN and PWMANAGER users.
    Default: no
  • Check_All_User_Rules
    Specifies whether selang checks the Password Rules for all the users.
    Valid values are yes and no.
    If this token is set to yes, selang checks the Password Rules for all the users.
    If this token is set to no, selang checks the Password Rules only for the user who changes the password.
    Default: no
    This token is supported when using the API only.
  • CreateHashedPasswdDatabase
    (DEC UNIX only). Specifies whether an exit script runs after each Privileged Access Manager command that creates, updates, or removes a user record, or after each user password change made with the sepass utility.
    For more usage instructions, see the README file in the ACInstallDir/samples/exits-src/USER_POST directory.
    Default: no
  • DefaultHome
    Specifies the default home directory of the system. The home directory of the user is a subdirectory of the specified system home directory. For example, if the system home directory is /home, the new home directory of the user is /home/username. If specified, the value for this token overrides the value in the client lang.ini file. If you specify nohomedir, a home directory is not automatically set.
    Default: /home
  • DefaultPasswdCmd
    Specifies the default password program. If specified, this password program is used when sepass is started and seosd is not running.
    Default: /bin/passwd
  • DefaultPgroup
    Specifies the primary group that Privileged Access Manager assigns to a new UNIX user if no value is entered.
    Default: other
  • DefaultShell
    Specifies the default shell that Privileged Access Manager assigns to a new UNIX user if no value is entered. If specified, the value for this token overrides the value in the client lang.ini file.
    Default: /bin/sh (or /sbin/sh on HP-UX)
  • Dictionary
    Defines the full pathname of the file containing the words that cannot be used as passwords.
    To use this file, you must set the dictionary format password rule (use_dbdict) to file and set the UseDict setting to yes. If the dictionary format is set to db, passwords that cannot be used are taken from the Privileged Access Manager database and this setting is ignored. This value is the default on UNIX.
    This token is obsolete. Use the dictionary in the database instead.
    Default: /usr/dict/words
  • GeneratePasswd
    Specifies whether sepass generates a new password by itself.
    Valid values are yes and no.
    Default: no (the user is asked to enter a new password)
  • HomeDirUpd
    Specifies whether Privileged Access Manager updates the group ownership of the home directory of the user when the primary group of the user changes.
    Valid values are yes and no.
    Default: yes
  • nis_env
    Specifies whether the local host is an NIS or NIS+ client.
    Valid values are no, nis, or nisplus.
    Default: no
  • NisPlus_server
    Specifies whether this station is an NIS+ server.
    Valid values are yes and no.
    If the token value is yes, Privileged Access Manager treats password replacements as NIS+ password replacements.
    Default: no
  • only_local
    Determines whether the default setting for sepass includes the -l flag.
    Valid values are yes and no.
    If this token is set to yes, sepass replaces the password only in the local files, for example the local password file (usually /etc/passwd), the security files, and the local database.
    Default: no
  • only_pmdb
    Specifies whether the default setting for sepass includes the -p flag. If the token value is yes, sepass changes the password only on the PMDB at the specified host.
    If no such database is defined, sepass does nothing.
    Default: no
  • passwd_distribution_encryption_mode
    Specifies which method is used to encrypt user passwords when passwords are distributed as part of the Policy Model service.
    Valid values are:
    1 - Compatibility mode, to distribute passwords between Privileged Access Manager systems that do not use long passwords. (This includes all machines running pre-r12.0 versions of Privileged Access Manager.)
    2 - MD5 mode, to distribute passwords between Privileged Access Manager systems that use long passwords and are also running Linux.
    3 - Bidirectional mode, to distribute passwords securely, as clear text within encrypted messages, between any Privileged Access Manager systems that use long passwords.
    Default: 1
  • passwd_format
    Indicates whether password changes are propagated to an NT host.
    Setting this token to NT means that one of the hosts you are administering is an NT host.
    Default: none
  • passwd_local_encryption_method
    Specifies which method is used to encrypt user passwords when storing these passwords locally.
    Valid values are:
    crypt - The standard one-way UNIX encryption, which uses only the first eight characters of the password (as a DES key). Specifying crypt disables the use of long passwords.
    md5 - MD5 hash function, which can encrypt passwords of indefinite length. Specifying md5 enables the use of long passwords.
    Default: crypt
  • PromptOldPassword
    Specifies whether to prompt local users for their old password when sepass is invoked through /opt/CA/PAMSC/bin/segrace. (You must use the full path.)
    Default: yes (users are prompted for their old passwords)
  • quiet_mode
    Specifies whether sepass displays a copyright notice and a message about propagating passwords to Policy Models.
    Default: no
  • RootPwAsOwn
    Specifies whether sepass lets a privileged user change the root password as if changed by root (using the -x option).
    Valid values are:
    yes - Privileged users can use sepass to change the root password as if changed by root. They cannot change the root password as themselves (administrative change).
    no - Privileged users can use sepass to change the root password only as themselves (administrative change).
    For example, a privileged user can use the following command to change the root password if this token is set to yes:
    sepass -x root
    The same user cannot use the following command to change the root password:
    sepass root
    If this token is set to no, the opposite is true.
    Default: no
  • SaveGroupAttrs
    Specifies whether the previous group file owner, group, and mode are preserved after an update of a group in the UNIX environment.
    Valid values are yes and no.
    Default: no (new values are set to 0, 0, and 644 respectively)
  • SavePasswdAttrs
    Specifies whether the previous password file owner, group, and mode are preserved after an update of a user in the UNIX environment.
    Valid values are yes and no.
    Default: no (new values are set to 0, 0, and 644 respectively)
  • Shadow_Admin_Change
    (AIX platforms only). Specifies whether the ADMCHG flag is added to the user entry in the /etc/security/passwd file when an administrator changes the password from selang or by using sepass.
    Default: no
  • UIDAlgorithm
    Specifies which free UID algorithm to employ when adding new users. Setting the token to new selects the new algorithm; setting it to any other value selects the older process. The new algorithm provides for UID numbers over 4 KB and is faster.
    Default: new
  • UseDict
    Specifies whether to use the dictionary file (set with the Dictionary setting) when verifying a password.
    To use the dictionary file, you must also set the dictionary format password rule (use_dbdict) to file. If the dictionary format is set to db, passwords that cannot be used are taken from the Privileged Access Manager database and this setting is ignored.
    Default: no
  • YpGrpCmd
    Specifies the command to use for generating the NIS group map.
    Default: make group
  • YpMakeDir
    Specifies the name of the makefile directory to use when creating NIS maps.
    Default: /var/yp
  • YpPassCmd
    Specifies the command to use for generating the NIS password map.
    Default: make passwd
  • YpServerGroup
    Specifies the group file from which the NIS group map is made.
    Default: /etc/group
  • YpServerPasswd
    Specifies the password file from which the NIS password map is made.
    Default: /etc/passwd
  • YpServerSecure
    Specifies the name of the security file containing passwords that is used for building the NIS password map.
    Default: Varies by platform:
      • IBM AIX: /etc/security/passwd
      • HP-UX: /.secure/etc/passwd
      • Sun Solaris: /etc/shadow
  • YpTimeOut
    Specifies the time, in seconds, that a new client (selang, Security Administrator, and so forth) can run the ypbind test. The ypbind test determines whether the local host is connected to an NIS server. At expiration, the client exits and an error message appears.
    The default value of zero (0) means that no ypbind test is conducted.
    Default: 0
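Several of the tokens above decide how strongly passwords are protected at rest and in transit: passwd_local_encryption_method (crypt keeps only eight characters), passwd_distribution_encryption_mode (compatibility mode exists for pre-r12.0 peers), PromptOldPassword and Check_Adm_Rules. The following Python audit is an added example, not Privileged Access Manager code: it reads a [passwd] section in seos.ini format, fills in absent tokens with the defaults documented on this page, and reports weak or invalid values. The sample section text, the function names and the severity labels are constructed for this example; the file path is whatever your installation uses.

```python
"""Audit of the [passwd] tokens documented above.

Added example, not Privileged Access Manager code.  It parses a
seos.ini-style [passwd] section, applies the documented defaults for
absent tokens, and reports values that are invalid or that weaken
password handling.  SAMPLE_INI is constructed for the demonstration.
"""
import configparser

# Documented defaults, used when a token is absent from the file.
DEFAULTS = {
    "passwd_local_encryption_method": "crypt",
    "passwd_distribution_encryption_mode": "1",
    "PromptOldPassword": "yes",
    "Check_Adm_Rules": "no",
    "UseDict": "no",
    "AllowRootProp": "no",
}

# Documented valid values for the tokens the audit looks at.
VALID = {
    "passwd_local_encryption_method": {"crypt", "md5"},
    "passwd_distribution_encryption_mode": {"1", "2", "3"},
    "PromptOldPassword": {"yes", "no"},
    "Check_Adm_Rules": {"yes", "no"},
    "UseDict": {"yes", "no"},
    "AllowRootProp": {"yes", "no"},
}

# Constructed sample: a section with two weak settings and one typo.
SAMPLE_INI = """\
[passwd]
passwd_local_encryption_method = crypt
passwd_distribution_encryption_mode = 1
PromptOldPassword = no
UseDict = maybe
"""


def load_passwd_section(text: str) -> dict:
    """Parse the [passwd] section and merge it over the documented defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str        # seos.ini token names are mixed-case
    parser.read_string(text)
    found = dict(parser["passwd"]) if parser.has_section("passwd") else {}
    merged = dict(DEFAULTS)
    merged.update({k: v.strip() for k, v in found.items()})
    return merged


def audit_passwd_section(tokens: dict) -> list:
    """Return (severity, token, message) findings for weak or invalid values."""
    findings = []
    for name, allowed in VALID.items():
        if tokens[name] not in allowed:
            findings.append(("error", name,
                             f"invalid value {tokens[name]!r}; valid values: {sorted(allowed)}"))
    if tokens["passwd_local_encryption_method"] == "crypt":
        findings.append(("high", "passwd_local_encryption_method",
                         "crypt uses only the first eight password characters; "
                         "md5 enables long passwords"))
    if tokens["passwd_distribution_encryption_mode"] == "1":
        findings.append(("medium", "passwd_distribution_encryption_mode",
                         "compatibility mode is for pre-r12.0 peers without long "
                         "passwords; use 2 or 3 once every peer supports long passwords"))
    if tokens["PromptOldPassword"] == "no":
        findings.append(("medium", "PromptOldPassword",
                         "local users are not asked for their old password via segrace"))
    if tokens["Check_Adm_Rules"] == "no":
        findings.append(("low", "Check_Adm_Rules",
                         "password rules are not enforced for ADMIN and PWMANAGER users"))
    return findings


if __name__ == "__main__":
    for severity, token, message in audit_passwd_section(load_passwd_section(SAMPLE_INI)):
        print(f"{severity:6} {token}: {message}")
```

To run it against a real installation, read the seos.ini file into `load_passwd_section` instead of SAMPLE_INI; tokens outside the audited set are carried through untouched, so the checks can be extended one token at a time as the rest of the page is reviewed.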