nispasswd (change NIS+ password information)

Posted by 瑞兹 on 2021-02-09 06:44
On the Solaris operating system, the nispasswd command changes NIS+ password information.

Contents

1 nispasswd operating environment

2 nispasswd description

3 nispasswd syntax

nispasswd operating environment

Unix&Linux

nispasswd description

The nispasswd utility changes a password, gecos field (-g option), home directory (-h option), or login shell (-s option) associated with the username (by default, whoever invoked the program) in the NIS+ passwd table.

Additionally, the command can be used to view or modify aging information associated with the user specified if the invoker has the right NIS+ privileges.

nispasswd uses secure RPC to communicate with the NIS+ server, and therefore, never sends unencrypted passwords over the communication medium.

nispasswd does not read or modify the local password information stored in the /etc/passwd and /etc/shadow files.

When used to change a password, nispasswd prompts non-privileged users for their old password. It then prompts for the new password twice to forestall typing mistakes. When the old password is entered, nispasswd checks to see if it has "aged" sufficiently. If "aging" is insufficient, nispasswd terminates.

The old password is used to decrypt the username's secret key. If the password does not decrypt the secret key, nispasswd prompts for the old secure-RPC password. It uses this password to decrypt the secret key. If this fails, it gives the user one more chance. The old password is also used to ensure that the new password differs from the old by at least three characters. Assuming aging is sufficient, a check is made to ensure that the new password meets construction requirements described below. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the cycle of prompting for the new password is repeated twice. The new password is used to re-encrypt the user's secret key. Hence, it also becomes their secure-RPC password. Therefore, the secure-RPC password is no longer a different password from the user's password.

Passwords must be constructed to meet the following requirements:

  • Each password must have at least six characters. Only the first eight characters are significant.
  • Each password must contain at least two alphabetic characters and at least one numeric or special character. In this case, "alphabetic" refers to all upper or lower case letters.
  • Each password must differ from the user's login username and any reverse or circular shift of that login username. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.
  • New passwords must differ from the old by at least three characters. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.
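The construction rules above can be checked mechanically. The following Python code is an added example, not the Solaris implementation; the function names, the position-by-position reading of "differ by at least three characters", and applying the composition rules to the eight significant characters are assumptions.

```python
"""Checker for the nispasswd construction rules listed above (added example)."""

SIGNIFICANT = 8   # "Only the first eight characters are significant"
MIN_LENGTH = 6
MIN_DIFF = 3


def rotations(s):
    """All circular shifts of s, including s itself."""
    return {s[i:] + s[:i] for i in range(len(s))} if s else set()


def differing_chars(old, new):
    """Assumed metric: compare the significant prefixes position by position,
    ignoring case; any extra length counts as differing characters."""
    a, b = old[:SIGNIFICANT].lower(), new[:SIGNIFICANT].lower()
    same = sum(1 for x, y in zip(a, b) if x == y)
    return max(len(a), len(b)) - same


def check_password(username, new, old=None):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    sig = new[:SIGNIFICANT]          # characters past the eighth are ignored
    if len(new) < MIN_LENGTH:
        problems.append("shorter than six characters")
    alpha = sum(1 for c in sig if c.isascii() and c.isalpha())
    other = len(sig) - alpha         # digits and special characters
    if alpha < 2:
        problems.append("fewer than two alphabetic characters")
    if other < 1:
        problems.append("no numeric or special character")
    name = username.lower()
    # Assumption: shifts of the reversed name are rejected as well.
    forbidden = rotations(name) | rotations(name[::-1])
    if sig.lower() in forbidden:
        problems.append("login name, its reverse, or a circular shift")
    if old is not None and differing_chars(old, new) < MIN_DIFF:
        problems.append("differs from old password by fewer than three characters")
    return problems
```

Because only eight characters are significant, `Passw0rd9` and `Passw0rd1` count as the same password here, and `abcdefgh1` fails the numeric-or-special rule.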

Network administrators, who own the NIS+ password table, may change any password attributes if they establish their credentials (see keylogin) before invoking nispasswd. Hence, nispasswd does not prompt these privileged-users for the old password and they are not forced to comply with password aging and password construction requirements.

Any user may use the -d option to display password attributes for his or her own login name. The format of the display will be:

username status mm/dd/yy min max warn

or, if password aging information is not present,

username status

where the following values are used:

username The login ID of the user.
status The password status of username: "PS" stands for password exists or locked, "LK" stands for locked, and "NP" stands for no password.
mm/dd/yy The date password was last changed for username. (Note that all password aging dates are determined using Greenwich Mean Time (Universal Time) and, therefore, may differ by as much as a day in other time zones.)
min The minimum number of days required between password changes for username.
max The maximum number of days the password is valid for username.
warn The number of days relative to max before the password expires that the username will be warned.
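For auditing, the -d / -a display format described above can be parsed and checked for weak account states. This Python code is an added example, not part of nispasswd; the function names, the sample lines and the choice of findings are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the documented display format (not real output).
SAMPLE = """\
alice PS 01/15/21 7 90 14
bob NP
carol LK 11/02/20 30 10 5
dave PS
"""


def parse_entry(line):
    """Parse one display line; aging fields are None when not present."""
    f = line.split()
    if len(f) not in (2, 6) or f[1] not in ("PS", "LK", "NP"):
        raise ValueError(f"unrecognised line: {line!r}")
    entry = {"username": f[0], "status": f[1],
             "changed": None, "min": None, "max": None, "warn": None}
    if len(f) == 6:
        # The man page states that aging dates are in GMT.
        entry["changed"] = datetime.strptime(f[2], "%m/%d/%y").replace(tzinfo=timezone.utc)
        entry["min"], entry["max"], entry["warn"] = (int(x) for x in f[3:])
    return entry


def findings(entry, now):
    """Return audit findings for one parsed entry."""
    out = []
    if entry["status"] == "NP":
        out.append("no password set")
    # No aging fields, or max of -1 (the value -x uses to turn aging off).
    if entry["max"] is None or entry["max"] < 0:
        out.append("password aging not in effect")
        return out
    if entry["min"] > entry["max"]:
        out.append("min > max: user cannot change password")
    if now > entry["changed"] + timedelta(days=entry["max"]):
        out.append("password past max age")
    return out


def audit(text, now):
    """Map username -> findings for every entry that has at least one."""
    report = {}
    for line in filter(str.strip, text.splitlines()):
        entry = parse_entry(line)
        found = findings(entry, now)
        if found:
            report[entry["username"]] = found
    return report
```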

nispasswd syntax

nispasswd [-ghs] [-D domainname] [username]
nispasswd -a
nispasswd [-D domainname] [-d[username]]
nispasswd [-l] [-f] [-n min] [-x max] [-w warn] [-D domainname] username

Options

nispasswd recognizes the following options:

-g Changes the gecos (finger) information.
-h Changes the home directory.
-s Changes the login shell. By default, only the NIS+ administrator can change the login shell. User will be prompted for the new login shell.
-a Shows the password attributes for all entries. This will show only the entries in the NIS+ passwd table in the local domain that the invoker is authorized to "read".
-d [username] Displays password attributes for the caller or the user specified if the invoker has the right privileges.
-l Locks the password entry for username. Subsequently, login would disallow logins with this NIS+ password entry.
-f Forces the user to change password at the next login by expiring the password for username.
-n min Sets minimum field for username. The min field contains the minimum number of days between password changes for username. If min is greater than max, the user may not change the password. Always use this option with the -x option, unless max is set to -1 (aging turned off). In that case, min need not be set.
-x max Set maximum field for username. The max field contains the number of days that the password is valid for username. The aging for username will be turned off immediately if max is set to -1. If it is set to 0, then the user is forced to change the password at the next login session and aging is turned off.
-w warn Sets warn field for username. The warn field contains the number of days before the password expires that the user will be warned whenever he or she attempts to login.
-D domainname Consults the passwd.org_dir table in domainname. If this option is not specified, the default domainname returned by nis_local_directory() will be used. This domainname is the same as that returned by domainname(1M).

Exit Status

0 Success.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure; NIS+ password table unchanged.
4 NIS+ passwd table missing.
5 NIS+ table is busy. Try again later.
6 Invalid argument to option.
7 Aging is disabled.

Warning

The use of nispasswd is STRONGLY discouraged. Even though it is a hard link to passwd, its operation is subtly different and not desirable in a modern NIS+ domain.

In particular, nispasswd will not attempt to contact the rpc.nispasswdd daemon running on the NIS+ master. It will instead attempt to do the updates by itself via the NIS+ API. For this to work, the permissions on the password data need to be modified from the default as set up by the nisserver setup script.

Using passwd with the -r nisplus option will achieve the same result and will be consistent across all the different name services available. This is the recommended way to change the password in NIS+.

The login program, file access display programs (for example, 'ls -l'), and network programs that require user passwords (for example, rlogin, ftp, and so on) use the standard getpwnam and getspnam interfaces to get password information. These programs will get the NIS+ password information that is modified by nispasswd only if the "passwd:" entry in the /etc/nsswitch.conf file includes nisplus.
