| Skip Navigation Links | |
| Exit Print View | |
|
System Administration Guide: Naming and Directory Services (NIS+) |
| Skip Navigation Links | |
| Exit Print View | |
|
|
System Administration Guide: Naming and Directory Services (NIS+) |
Part I About Naming and Directory Services
Part II NIS+ Setup and Configuration
4. Configuring NIS+ With Scripts
5. Setting Up the NIS+ Root Domain
8. Configuring an NIS+ Non-Root Domain
10. NIS+ Tables and Information
12. Administering NIS+ Credentials
14. Administering Enhanced NIS+ Security Credentials
15. Administering NIS+ Access Rights
16. Administering NIS+ Passwords
nsswitch.conf File Requirements for Passwords
passwd and the nsswitch.conf Files
passwd Command and "NIS+ Environment"
passwd Command and Credentials
passwd Command and NIS+ Permissions
passwd Command and Other NIS+ Domains
nistbladm and NIS+ Shadow Column Fields
nistbladm and the Number of Days Password Parameter in NIS+
Password-Related Commands in NIS+
Displaying Password Information in NIS+
Changing Someone Else's Password in NIS+
Changing Root's Password in NIS+
Managing Password Aging in NIS+
Forcing Users to Change Passwords in NIS+
Setting a Password Age Limit in NIS+
Setting Minimum Password Life in NIS+
Establishing a Password Warning Period in NIS+
Turning Off Password Aging in NIS+
Password Privilege Expiration in NIS+
Specifying Maximum Number of Inactive Days for Users in NIS+
Specifying Password Criteria and Defaults in NIS+
18. Administering NIS+ Directories
20. NIS+ Server Use Customization
23. Information in NIS+ Tables
Common NIS+ Namespace Error Messages
When logging in to a machine, users must enter both a user name (also known as a login ID) and a password. Although login IDs are publicly known, passwords must be kept secret by their owners.
Logging in to a system is a two-step process.
(To maintain password secrecy, your password is not displayed on your screen when you type it.)
If your login is successful you will see your system's message of the day (if any) and then your command-line prompt, windowing system, or normal application.
The Login incorrect message indicates that:
You have entered the wrong login ID or the wrong password. This is the most common cause of the Login incorrect message. Check your spelling and repeat the process. Note that most systems limit to five the number of unsuccessful login tries you can make:
If you exceed a number of tries limit, you will get a Too many failures - try later message and not be allowed to try again until a designated time span has passed.
If you fail to successfully log in within a specified amount of time you will receive a Too many tries; try again later message, and not be allowed to try again until a designated time span has passed.
Another possible cause of the Login incorrect message is that an administrator has locked your password and you cannot use it until it is unlocked. If you are sure that you are entering your login ID and password correctly, and you still get a Login incorrect message, contact your system administrator.
Another possible cause of the Login incorrect message is that an administrator has expired your password privileges and you cannot use your password until your privileges are restored. If you are sure that you are entering your login ID and password correctly, and you still get a Login incorrect message, contact your system administrator.
If you receive a Your password will expire in N days message (where N is a number of days), or a Your password will expire within 24 hours message, it means that your password will reach its age limit and expire in that number of days (or hours).
In essence, this message is telling you to change your password now. (See Changing Your NIS+ Password.)
After entering your login ID and password, you may get a Permission denied message and be returned to the login: prompt. This means that your login attempt has failed because an administrator has either locked your password, or terminated your account, or your password privileges have expired. In these situations you cannot log in until an administrator unlocks your password or reactivates your account or privileges. Consult your system administrator.
To maintain security, you should change your password regularly. (See Choosing a Password for password requirements and criteria.)
Note - The passwd command now performs all functions previously performed by nispasswd. For operations specific to an NIS+ name space, use passwd -r nisplus.
Changing your password is a four-step process:
Your keystrokes are not shown on your screen.
If you receive a Sorry: less than N days since the last change message, it means that your old password has not been in use long enough and you will not be allowed to change it at this time. You are returned to your system prompt. Consult your system administrator to find out the minimum number of days a password must be in use before it can be changed.
If you receive a You may not change this password message, it means that your network administrator has blocked any change.
Your keystrokes are not shown on your screen.
At this point the system checks to make sure that your new password meets the requirements:
If it does meet the requirements, you are asked to enter it again.
If your new password does not meet the system requirements, a message is displayed informing you of the problem. You must then enter a new password that does meet the requirements.
See Password Requirements for the requirements a password must meet.
Your keystrokes are not shown on your screen.
If your second entry of the new password is not identical to your first entry, you are prompted to repeat the process.
Note - When changing root's password, you must always run chkey -p immediately after changing the password. (See Changing NIS+ Root Keys From Root and Changing Root Keys From Another NIS+ Machine for information on using chkey -p to change root's keys.) Failure to run chkey -p after changing root's password will result in root being unable to properly log in.
If you receive a Your password has expired message it means that your password has reached its age limit and expired. In other words, the password has been in use for too long and you must choose a new password at this time. (See Choosing a Password, for criteria that a new password must meet.)
In this case, choosing a new password is a three-step process:
Your keystrokes are not shown on your screen.
Your keystrokes are not shown on your screen.
Your keystrokes are not shown on your screen.
Some systems limit either the number of failed attempts you can make in changing your password or the total amount of time you can take to make a successful change. (These limits are implemented to prevent someone else from changing your password by guessing your current password.)
If you (or someone posing as you) fails to successfully log in or change your password within the specified number of tries or time limit, you will get a Too many failures - try later or Too many tries: try again later message. You will not be allowed to make any more attempts until a certain amount of time has passed. (That amount of time is set by your administrator.)
Many breaches of computer security involve guessing another user's password. While the passwd command enforces some criteria for making sure the password is hard to guess, a clever person can sometimes figure out a password just by knowing something about the user. Thus, a good password is one that is easy for you to remember but hard for someone else to guess. A bad password is one that is so hard for you to remember that you have to write it down (which you are not supposed to do), or that is easy for someone who knows about you to guess.
A password must meet the following requirements:
Length. By default, a password must have at least six characters. Only the first eight characters are significant. (In other words, you can have a password that is longer than eight characters, but the system only checks the first eight.) Because the minimum length of a password can be changed by a system administrator, it may be different on your system.
Characters. A password must contain at least two letters (either uppercase or lowercase) and at least one numeral or symbol such as @,#,%. For example, you can use dog#food or dog2food as a password, but you cannot use dogfood.
Not your login ID. A password cannot be the same as your login ID, nor can it be a rearrangement of the letters and characters of your login ID. (For the purpose of this criteria, upper and lower case letters are considered to be the same.) For example, if your login ID is Claire2 you cannot have e2clair as your password.
Different from old password. Your new password must differ from your old one by at least three characters. (For the purpose of this criterion, uppercase and lowercase letters are considered to be the same.) For example, if your current password is Dog#fooD you can change it to dog#Meat but you cannot change it to daT#Food.
Bad choices for passwords include:
Any password based on your name
Names of family members or pets
Car license numbers
Telephone numbers
Social Security numbers
Employee numbers
Names related to a hobby or interest
Seasonal themes, such as Santa in December
Any word that is in a standard dictionary
Good choices for passwords include:
Phrases plus numbers or symbols (beam#meup)
Nonsense words made up of the first letters of every word in a phrase plus a number or symbol (swotrb7 for SomeWhere Over The RainBow)
Words with numbers, or symbols substituted for letters (sn00py for snoopy)
|