Choosing a Password and Password Files

Choosing a Password:


Passwords must be constructed to meet the following requirements:

• Each password must have atleast PASSLENGTH characters as set in /etc/default/passwd file.PASSLENGTH must contain a minimum of 6 characters, but only the first 8 characters are significant.
• Each  password must contain at least 2 alphabetic characters and atleast 1 numeric or special character.
• Each password must differ from the user's login name and any reverse or circular shift of that login name. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent .

• New passwords must differ from the old by atleast 3 characters.

Password Files:

The passwd  command uses the files /etc/shadow, /etc/passwd and /etc/oshadow.
The file /etc/passwd contains the following information for each user:

• login name
• dummy password
• numerical user ID
• numerical group ID
• comment
• initial working directory
• program to be used as the shell

passwd is an ASCII file . Each field within each user's entry is separarted from the next by a colon. The comment field  can contain any information that the user desires. each user is separated from the next by a new-line. If the shell field is null, /usr/bin/sh is used.

This file has user login information and general read permission. It can therefore be used , to map numerical user ID's to names.
The password field consists of the character x.Password information is contained in the file /etc/shadow.




The next command will be the echo command.

The passwd command- continued

To recollect the syntax of the passwd command is:
              passwd[name]
              passwd[-l |-d ][-f][-n min][ -x max][-w warn] name
              passwd -s [-a]
              passwd -g [name]


The following options can be used only by a privileged user:

• -l: Locks password entry for name.
• -d: Deletes password for name. The login name will not be prompted for password.
• -n: Sets minimum field for name.  The  min field contains the minimum number of days between password changes for  name.  If value of  min  >value of  max, the user may not change the password.Always use this option with the -x option, unless max is set to -1(ageing turned off ). In that case, min need not be set.
• -x: Sets maximum field for name. The max  field  contains the number of days that the password is valid for name. The ageing of name  will be turned off if max is set to -1.
• -w: Sets  warn  field for name. The warn  field contains the number of days the user will be warned before the password expires.
• -a:  Shows password attributes for all entries. Use only with -s option ; name  must not be provided.

• -f:  Forces the user to change password at the next login by expiring the password for name.

 Any user may use the -s option to show password attributes for one's own login name.
The format of the output will be:
name status mm/dd/yy min max warn

 Or, if password ageing information is absent,
name status

Super users may change any password; hence; passwd does not prompt privileged users for the old password. Privileged users are not forced to comply with password ageing and password construction requirements. A privileged user can create a null password by entering a carriage return in response to the prompt for a new password.

The passwd command exits with one of the following values:
0 SUCCESS
1 Permission denied
2 Invalid combination of options
3 Unexpected failure. Password file unchanged.
4 Unexpected failure .Password file is missing.
5 Password file(s) busy .Try again later
6 Invalid argument to option.


If root deletes a password for a user with the passwd -d command and password ageing is in effect for that user, the user will not be allowed to add a new password until the NULL password has been aged.This is true even if  the PASSREQ flag in /etc/login/default  is set to YES. This results in a  user without a password. It is recommended that the -f option be used with the  -d option so that the user is forced to change the password at the next login.


The next post will list the rules for choosing a password and the details of the files used by the passwd command.

The passwd command

The passwd command changes the password or lists attributes assosciated with the user's login name. Additionally, privileged users may use this command to install or change passwords and attributes assosciated with any login name.

Syntax:
              passwd[name]
              passwd[-l |-d ][-f][-n min][ -x max][-w warn] name
              passwd -s [-a]
              passwd -g [name]

  The behaviour of this command is extremely system-dependent.It asks you to enter your old  password, and if that is typed correctly,prompts you to enter your new password twice.The password may be chosen by a unix system or customized by the user. Some system administrators implement password aging which for security reasons forces the user to change the password after a certain period of usage.

Unix updates the corresponding files /etc/passwd  and /etc/shadow  for every change in password.
/etc/passwd  lists information about users.A user can read this file but not write into it. Each field of information is separated from the next by a ':' .An /etc/passwd file  dispalys login name, encrypted password,user ID, group Id, comment , default  working directory, default working shell.

There is another password file present in  /bin  directory called /bin/passwd . It is this file that actually gets executed when we change the password. Thus, /bin/passwd  is  an executable file which permits changing of password, whereas /etc/passwd  contains the information about each user.
 I shall discuss the options of the passwd command in the next post.

The uname command

The command uname prints the name of the current unix system.

Syntax:
uname[-amnprsv]
uname[-S system_name]
uname prints the current system name of the unix system to standard output.It is mainly useful to determine which system one is using.The options cause selected information returned by uname and/or sysinfo command to be printed:

• -a : Print all information.
• -m: Print the machine hardware name.
• -n:  Print the node name(name by which the system is known to the communication  network)   .This is the default setting.
• -p: Print the processor type of the current host.
• -r: Print the operating system release.
• -s:Print the name of the operating system.
• -v: Print the version of the operating system.

 On your computer specifying a system name argument to the -S option may change the node name. The system name argument is restricted to SYS_NMLN  characters.SYS_NMLN is an implementation specific value defined in <sys/utsname.h>  file. Only the super-user is allowed to use this capability.

The next post will talk about the passwd command.

The tty command

The unix command tty displays the name of the terminal type.tty is the controling terminal interface.
The file /dev/tty is, in each process a synonym for the control terminal assosciated with the process group of that process. It can be used for programs that demand the name of a file for output, when typed output is desired .

Syntax:
            tty[-l][-s]
 The tty command prints the path name of the user terminal.
-l prints the synchronous line number to which the user's terminal is connected, if it is on an active
    synchronous line.
-s inhibits the printing of the terminal path name, allowing one to just test the exit code.
    The exit codes are as follows:
 2 if invalid options were specified
 0 if standard input is a terminal.
 1 otherwise

The error message  not an active synchronous line,  appears if the standard input is not a synchronous terminal and -1 is specified.

The error message  not a tty, appears if the standard input is not a terminal and -s is not specified.

The who command -continued

The options assosciated with the who command are as follows:

• -u:    This option lists only those users who are currently logged in .The name  is the user's login name. The line is the name of the line as found in the directory /dev. The  time is the time that the user logged in. The  idle column contains the number of hours and minute  since  activity last occurred on that particular line. A dot(.) indicates that the terminal has seen activity in the last minute and is therefore 'current'. I f more than 24 hours have lapsed or the line has not been used since boot time, the entry is marked old. This field is useful to find out whether a person is currently working at the terminal line or not. The pid is the process-ID of the user's shell. The  comment is the comment field assosciated with this line as found in  /sbin/inittab  file. This can contain information about where the terminal is located, the telephone number of the data set, type of terminal if hard-wired and so on.
• -T:     This option is same as the -s option except that the state  of the terminal line is printed.The state  describes whether  someone else can write to that terminal. A '+' appears if the terminal is writeable by anyone, else a '-' sign appears.  root  can write to all lines whether a '+' appears or a '-'.If a bad line is encountered a question mark(?) is printed.
• -l:       This option lists only those lines on which the system is waiting for someone  to login.The  name is LOGIN  in such cases. Other fields are same except that the  state  field does not exist.
• -H:     This option will print column headings above the  regular output.
• -q:      This is a 'quick who' listing only the names and numbers of the users currently logged in. When this option is used all other options are ignored.
• -p:      This option lists any process that is currently active and has previously been spawned by init. The  name is the name of the program executed by init   as found in /sbin/inittab file. The state,line  and idle  fields have no meaning .The  comment  field shows the  id  field from the   /sbin/inittab  file that generated this process.
• -d:       This option displays all processes that have expired and not been regenerated by init.The exit field appears for dead processes and  contains the termination and exit values, as returned by the wait command. This can be useful in determining why a process terminated.
• -b:        This option indicates the time and date of the last reboot.
• -r:         This option indicates the current run level of the init process.It also displays the process termination status ,process-ID and process exit status under the idle,pid and the comment  headings respectively.
• -t:          This option indicates the last change to the system clock via the date  commnad , by root. 
• -a:         This option processes /var/adm/utmp  file or the named file with all options turned on.
• -s:         This option is the default and lists only the  name, line and time fields respectively.
• -nx:       This optin takes a numeric argument, x , which specifies the number of users to display per line. x must be at least 1. The -n option must be used with -q.

After a shutdown to the single user state, who returns a prompt.The reason is that since /var/adm/utmp file is updated at login time and there is no login in single user state, who cannot report accurately on this state.  who am i  however returns the correct information.
The who command uses the files / var/adm/utmp, / var/adm/wtmp  and /sbin/inittab.

 The next post would be about tty command.

The who command

The who command lists the login names of everyone currently working on your system. the tty designation refer to the special files that correspond to each user's terminal. The date and time at which each user logged in are also shown.

Syntax:

        who[-uTlHqpdbrtas] [file]

        who -qn x[file]

        who am i

        who am I

The who command can list the user's name,terminal line,login time,elapsed time since activity occured on the line and the process-ID of the command interpreter(shell) for each current unix system user. It examines the   /var/adm/utmp  file to obtain its information.If file  is given , that file, is examined. 

The am i or am I  option identifies the user invoking the who command.

The general format for output is:
name [state] line time [idle] [pid] [comment] [exit]

The name,line and time information is produced by all options except -q. The state information is produced only by -T; only u and -l produce the idle and pid information; and the comment and exit information is produced only by -a. With options who can list logins , logoffs, reboots and  changes  to the system clock, as well as other processes  generated by the init process.
The  options  will be discussed in the next post.

The date utility-Part 2

The date utility also supports specifications of native language translations of month and weekday-names. The names used for a language are based on the locale specified by the environment variables LC_TIME and LANG in the environ command. The month and weekday names are taken from a file whose format is specified in strftime command. This file also defines country specific date and time formats such as %c, which defines the default format of date 


The field descriptors mentioned in the previous post are:
 a- abbreviated weekday name
 A- full weekday name
 b- abbreviated month name
 B- full month name
 c- country specific date and time format
 d- day of month 01 to 31
 D- date as %m/%d/%y
 e-  day of month 1 to 31(single digits are preceeded by a blank.
 h- abbreviated month name(alias for %b)
 H- hour 00 to 23
 I- hour 1 to 12
 j- day of year 001 to 366
 m- month of year 01 to 12
 M- minute 00 to 59
 n- insert a new line character
 p- string containing anti-meridiem(A.M.-before noon ) or post meridiem(PM- after noon)    
      indicator

 r- time as %I:%M:%S:%p
 R- time as%H:%M
 S- second 00 to 61 allow for leap seconds
  t- insert a tab character
 T- time as %H:%M:%S
 U- week number of year(Sunday as first day of the week)-0 to 53
w- day of week sunday = 0
W- week number of year(Monday as first day of the week) 00 to 53
x- Country specific date format
X- Country specific time format
y- Year within century 00 to 99
Y- year as ccyy(4 digits)
Z- time zone name

Examples:

1.date

   Lists the date and time of the server. Below is an example of the output.

   Fri Nov 11 16:47:32 MST 2011

2.date '+DATE: %m/%d/%y%nTIME:%H:%M:%S'

   Would list the time and date in the following format.

   

    DATE: 11/11/11
    TIME:  13:50:15

The following example would work only if you are the super user:

3.date -s "11/11/2011  01:48:00"

Sets the date to the date and time shown.

The next post would be about the who  command.

 

The date utility-Part 1

date utility is used to display current time and date.No user can modify the date and time unless they are the  superuser  i.e the system administrator.This is required for the smooth functioning of the system. 
Syntax:
              date[-u][+format]
              date[-a[-]sss.fff][-u][[mmdd]HHMM | mmddHHMM[cc]yy]
 If no argument is given, or if the argument begins with +, the current  current date and time are printed.


-a[-]sss.fff     Slowly adjusts the time by sss.fff seconds,where fff represents fractions of a          
                        second.The adjustment can be positive or negative.The clock of the system will be
                        speeded up or slowed until it has drifted by the number of seconds specified.
-u                    Displays (or sets) the date in GMT(Greenwich Mean Time), bypassing the normal 
                        conversion to or from normal or local time.
mm                 is the month 
dd                   is the day of the month
HH                  is the hour in the 24 hr system.
MM                 is the minute 
cc                   is the century minus one.
yy                   is the last two digits of the year .The month, day,year and century may be
                        omitted; the current values are applied as defaults. 
                        For eg: date 12301600 sets the date to Dec 30, 4:00 PM. The current year is the  
                        default because no year is supplied . The system operates in GMT. date takes  
                        care of the conversion to and from the local standard and daylight saving time.
                        Only the superuser may change the date.After successfully setting the date and  
                        time date displays the new date according to the default format. The date utility
                        uses the TZ in environ  command to determine the correct time zone information.
+format         If the argument begins with +, the output of the date is under the control of the  
                        user. Each Field Descriptor, described in the next post,is preceeded by %, and  
                        is replaced  in the output by its corresponding value.A single % is encoded by  
                        %%.  All other characters are copied to the output without change. The string is 
                        always  terminated by a newline character.If the argument contains embedded 
                        blanks ,it must be qouted. 

Unix utilities- banner and cal

Utilities  are  the core tool kit of the Unix command set, including banner ,cal, who and many others.  Subcategories include:  
1. System utilities – administrative tools such as mkfs, fsck, and many others.
 
2.User utilities – environment management tools such as passwd, kill, and others.

banner:  The banner utility makes posters. 
                  Syntax:  banner strings
The banner utility prints its arguments , each up to 10 characters long, in large letters on the standard output.

However the banner utility works only in Unix and not in Linux.


cal:   The cal  utility prints a calendar.
          Syntax:  cal [ [month] year]
The cal utility prints a calendar for the specified year. If a month is also specified, a calendar is printed just for that month.If neither is specified, a calendar for the present month is printed.
The month is a number between 1 and 12. The year can be between 1 and 9999.The calendar produced is that for England and the United States, i.e. the Gregorian calendar.

An unusual calendar is printed for September 1752.In this month ,11 days were skipped to make  up for lack of leap year adjustments. To see this calendar type:  cal 9 1752

Also note that cal 83 refers to the year 83 and not to the year 1983.

Next we will be discussing the date utility which has a number of options.  

Internal and External Commands

Unix commands are grouped into two categories-Internal and External. There is a set of commands which are part of the shell and to execute them the shell does not need to search the given path in the PATH  variable. These are also called  shell builtins or Internal Commands. The shell does not fork a new process for these commands.

Commands that are available as independently compiled C programs usually located in the /bin or the /usr/bin directory are called  External Commands.  The shell searches the path for these command files. An example is the 'ls ' command which is used for directory listing.

To find out whether a particular command is Internal or External  and to find out the location of  an External Command, the 'type' command is used.

Example:

$ type ls
       ls is /bin/ls
the above command returns the location or the path of the ls command .Therefore ls is an external command.

$ type echo
          echo is a shell builtin
the 'echo' command is an Internal Command or a shell builtin.

$ type LS
         LS: not found

As unix is case sensitive the shell cannot locate the ls command when typed in upper case(capitals).

In the next post I shall list out some  unix utilities.