

passwd

In the [passwd] section, the tokens define password replacement and other user-related services.

AllowedGidRange

Specifies the range of GIDs that the user can add, update, and delete. Values outside this range represent reserved GIDs that CA ControlMinder cannot update.

Note: If only one integer is specified, all integers between the specified integer and the default upper limit (30000) are reserved GIDs. If you specify a number that is higher than the upper limit, the default upper limit is applied. If you specify a negative number that is less than the lower limit, the default lower limit (100) is applied. The applied lower limit for any number is +1 of the specified lower limit, and the applied upper limit is -1 of the specified upper limit. For example, if AllowedGidRange = 100, 3000, then 101 is treated as the lower limit and 2999 is treated as the upper limit.

Limits: -1 to 2147483647

Default: 100,30000

AllowedUidRange

Specifies the range of UIDs that the user can add, update, and delete. Values outside this range represent reserved UIDs that CA ControlMinder cannot update.

Note: If only one integer is specified, all integers between the specified integer and the default upper limit (30000) are reserved UIDs. If you specify a number that is higher than the upper limit, the default upper limit is applied. If you specify a negative number that is less than the lower limit, the default lower limit (100) is applied. The applied lower limit for any number is +1 of the specified lower limit, and the applied upper limit is -1 of the specified upper limit. For example, if AllowedUidRange = 100, 3000, then 101 is treated as the lower limit and 2999 is treated as the upper limit.

Limits: -1 to 2147483647

Default: 100,30000
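As an added illustration, not code from the CA ControlMinder product or its documentation, the following Python resolves an AllowedUidRange or AllowedGidRange value into the applied range described for both tokens above, covering the single-integer, out-of-limit and +1/-1 cases. The function names, the reading of a lone integer as the lower limit, and the order in which the defaults and the +1/-1 adjustment are applied are assumptions.

```python
# Added example (not CA ControlMinder code): resolve an AllowedUidRange /
# AllowedGidRange token into the applied (inclusive) range of IDs that may be
# added, updated or deleted, following the rules stated in the [passwd] section.
# Assumptions, labelled: a single integer is read as the lower limit with the
# default upper limit (30000); default substitution happens before the +1 / -1
# adjustment; the token limits are -1 to 2147483647.

DEFAULT_LOWER = 100
DEFAULT_UPPER = 30000
TOKEN_MIN = -1
TOKEN_MAX = 2147483647


def parse_range_token(value: str) -> tuple:
    """Return the (lower, upper) pair as specified, with defaults substituted."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts or len(parts) > 2:
        raise ValueError(f"expected 'lower,upper' or 'lower', got {value!r}")
    nums = [int(p) for p in parts]
    for n in nums:
        if not TOKEN_MIN <= n <= TOKEN_MAX:
            raise ValueError(f"{n} is outside the token limits {TOKEN_MIN}..{TOKEN_MAX}")
    lower = nums[0]
    # Assumption: a lone integer is the lower limit; the upper limit defaults.
    upper = nums[1] if len(nums) == 2 else DEFAULT_UPPER
    # A negative lower value falls back to the default lower limit (100),
    # and a value above the upper limit falls back to the default upper limit.
    if lower < 0:
        lower = DEFAULT_LOWER
    if upper > DEFAULT_UPPER:
        upper = DEFAULT_UPPER
    return lower, upper


def applied_range(value: str) -> tuple:
    """Applied limits: +1 of the specified lower, -1 of the specified upper."""
    lower, upper = parse_range_token(value)
    return lower + 1, upper - 1


def is_reserved(uid: int, value: str) -> bool:
    """True when the ID lies outside the applied range, i.e. is reserved."""
    lo, hi = applied_range(value)
    return not (lo <= uid <= hi)
```

Feeding the page's own example, "100, 3000", yields the applied range (101, 2999), so GID or UID 100 and 3000 are both treated as reserved.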

AllowRootProp

Specifies whether root password changes made using sepass -p or sepass -s are sent to the Policy Model. The PMD then propagates the password to its subscribers.

Valid values are yes and no.

Default: no

change_pam

Specifies whether the local host uses PAM for password authentication and changes in the LDAP database.

Default: no

Check_Adm_Rules

Specifies whether to enforce password rules for ADMIN and PWMANAGER users.

Default: no

Check_All_User_Rules

Specifies whether selang should check the Password Rules for all the users.

Valid values are yes and no.

If this token is set to yes, selang checks the Password Rules for all the users.

If this token is set to no, selang checks the Password Rules only for the user who changes the password.

Default: no

Note: This token is supported when using the API only.

CreateHashedPasswdDatabase

(DEC UNIX only). Specifies whether an exit script runs after each CA ControlMinder command that creates, updates, or removes a user record, or after each user password change made with the sepass utility.

Note: For more usage instructions, see the README file in ACInstallDir/samples/exits-src/USER_POST directory.

Default: no

DefaultHome

Specifies the default home directory of the system. The user's home directory is a subdirectory of the specified system home directory. For example, if the system home directory is /home, the new user's home directory is /home/username. If specified, the value for this token overrides the value in the client's lang.ini file. If you specify nohomedir then a home directory is not automatically set.

Default: /home

DefaultPasswdCmd

Specifies the default password program. If specified, this password program is used when sepass is started and seosd is not running.

Default: /bin/passwd

DefaultPgroup

Specifies the primary group that CA ControlMinder assigns to a new UNIX user if no value is entered.

Default: other

DefaultShell

Specifies the default shell that CA ControlMinder assigns to a new UNIX user if no value is entered. If specified, the value for this token overrides the value in the client's lang.ini file.

Default: /bin/sh (or /sbin/sh on HP-UX)

Dictionary

Defines the full pathname of the file containing the words that cannot be used as passwords.

Note: To use this file, you must set the dictionary format password rule (use_dbdict) to file and set the UseDict token to yes. If the dictionary format is set to db, the passwords that cannot be used are taken from the CA ControlMinder database and this setting is ignored. This is the default on UNIX.

Important! This token is obsolete. Use dictionary in the database instead.

Default: /usr/dict/words

GeneratePasswd

Specifies whether sepass generates a new password by itself.

Valid values are yes and no.

If you set this token to no, the user is asked to enter a new password.

Default: no

HomeDirUpd

Specifies whether CA ControlMinder updates the group ownership of the user's home directory when the user's primary group changes.

Valid values are yes and no.

Default: yes

nis_env

Specifies whether the local host is an NIS or NIS+ client.

Valid values are no, nis, or nisplus.

Default: no

NisPlus_server

Specifies whether this station is an NIS+ server.

Valid values are yes and no.

If token value is yes, CA ControlMinder treats password replacements as NIS+ password replacements.

Default: no

only_local

Determines whether the default setting for sepass includes the -l flag.

Valid values are yes and no.

If this token is set to yes, sepass replaces the password only locally; that is, in the local password file (usually /etc/passwd), the security files, and the local database.

Default: no

only_pmdb

Specifies whether the default setting for sepass includes the -p flag. If the token value is yes, sepass changes the password only on the PMDB at the specified host.

If no such database is defined, sepass does nothing.

Default: no

passwd_distribution_encryption_mode

Specifies which method is used to encrypt user passwords when passwords are distributed as part of the Policy Model service.

Valid values are:

1 - Compatibility mode, to distribute passwords between CA ControlMinder systems that do not use long passwords (This includes all machines running pre-r12.0 versions of CA ControlMinder.)

2 - MD5 mode, to distribute passwords between CA ControlMinder systems that use long passwords and are also running Linux.

3 - Bidirectional mode, to distribute passwords securely, as clear text within encrypted messages, between any CA ControlMinder systems that use long passwords.

Default: 1

passwd_format

Indicates whether the password changes are propagated to an NT host.

Setting this token to NT means that one of the hosts you are administering is an NT host.

Default: none

passwd_local_encryption_method

Specifies which method is used to encrypt user passwords when storing these passwords locally.

Valid values are:

crypt - The standard one-way UNIX encryption that uses only the first eight characters of the password (as a DES key). Specifying crypt disables the use of long passwords.

md5 - MD5 hash function that can encrypt passwords of indefinite length. Specifying md5 enables the use of long passwords.

Default: crypt

PromptOldPassword

Specifies whether to prompt local users for their old password when sepass is invoked through /opt/CA/AccessControl/bin/segrace. (You must use the full path.)

Setting this token to yes indicates that the users are prompted for their old passwords.

Default: yes

quiet_mode

Specifies whether sepass displays a copyright notice and a message about propagating passwords to Policy Models.

Default: no

RootPwAsOwn

Specifies whether sepass lets a privileged user change the root password as if changed by root (using the -x option).

Valid Values are:

yes - Privileged users can use sepass to change the root password as if changed by root. They cannot change the root password as themselves (administrative change).

no - Privileged users can use sepass to change the root password only as themselves (administrative change).

For example, a privileged user can use the following command to change the root password if this token is set to yes:

sepass -x root

The same user cannot use the following command to change the root password:

sepass root

If this token is set to no, the opposite is true.

Default: no

SaveGroupAttrs

Specifies whether the previous group file owner, group, and mode are preserved after an update of a group in the UNIX environment.

Valid values are yes and no.

If you set this token to no, new values are set to 0, 0, 644 respectively.

Default: no

SavePasswdAttrs

Specifies whether the previous password file owner, group, and mode are preserved after an update of a user in the UNIX environment.

Valid values are yes and no.

If you set this token to no, new values are set to 0, 0, 644 respectively.

Default: no

Shadow_Admin_Change

(AIX platforms only). Specifies whether the ADMCHG flag gets added to the user entry in the /etc/security/passwd file when an administrator changes the password from selang or using sepass.

Default: no

UIDAlgorithm

Specifies which free UID algorithm to employ when adding new users. Set this token to new to use the new algorithm; any other value selects the older process. The new algorithm provides for UID numbers over 4 KB and is faster.

Default: new

UseDict

Specifies whether to use the dictionary file (set with the Dictionary setting) when verifying a password.

Note: To use the dictionary file, you must also set the dictionary format password rule (use_dbdict) to file. If the dictionary format is set to db, passwords that cannot be used are taken from the CA ControlMinder database and this setting is ignored.

Default: no

YpGrpCmd

Specifies the command to use for generating the NIS group map.

Default: make group

YpMakeDir

Specifies the name of the makefile directory to be used when creating NIS maps.

Default: /var/yp

YpPassCmd

Specifies the command to use for generating the NIS password map.

Default: make passwd

YpServerGroup

Specifies the group file from which the NIS group map is made.

Default: /etc/group

YpServerPasswd

Specifies the password file from which the NIS password map is made.

Default: /etc/passwd

YpServerSecure

Specifies the name of the security file containing passwords that is used for building the NIS password map.

Default: Varies by platform:

YpTimeOut

Specifies the time, in seconds, that a new client (selang, Security Administrator, and so forth) can run the ypbind test, which determines whether the local host is connected to an NIS server. When the time expires, the client exits and an error message appears.

The default value of zero (0) means that no ypbind test is conducted.

Default: 0

More information:

sepass Utility—Set or Replace a Password