pwdck Command

Edit online

Purpose

Verifies the correctness of local authentication information.

Syntax

pwdck { -p | -n | -t | -y } [-l]{ ALL | User ... }

Description

The pwdck command verifies the correctness of the password information in the user database files by checking the definitions for ALL the users or for the users who are specified by the User parameter. If more than one user is specified, add a space between the names.

Note: This command writes its messages to stderr.

Select a flag to indicate whether the system must try to fix erroneous attributes. The following attributes are checked for locally defined users in the /etc/passwd file:

Item Description
entry Ensures that each entry is readable and that it contains at least two: (colons). If you indicate that the system should fix errors, the entire entry is discarded.
passwd Ensures that the password field is an ! (exclamation point). If you indicate that the system should fix errors, it transfers the information in the password field to the /etc/security/passwd file, updates the lastupdate attribute in the /etc/security/passwd file, and then replaces the password field in the /etc/passwd file with an ! In general, passwords are required if the minalpha, minother, or minlen password restriction is set to a nonzero value in the /etc/security/user file.
user Ensures that the username is a unique string of 8 bytes or less. It cannot begin with a + (plus sign), a : (colon), a - (minus sign), or a ~ (tilde). It cannot contain a: (colon) in the string and cannot be the ALL, default, or * keywords. If you indicate that the system should fix errors, it removes this user's entry line from the /etc/passwd file. If the username starts with a + or a - symbol, the user is not locally defined, and checks are not performed.

Attributes that are checked in the /etc/security/passwd file are:

Item Description
line Ensures that each line is readable and is part of a stanza. Any invalid line is discarded.
password Ensures that the password attribute exists and is not blank, if passwords are required on the system. If you indicate that the system should fix errors, the password is set to * (asterisk), and the lastupdate attribute is discarded.

In general, passwords are required if either of the minalpha or minother password restrictions are set to nonzero values in the /etc/security/user file. If a users flags attribute specifies the NOCHECK keyword, a password is not required for this user, and the check is ignored.
lastupdate Ensures that the lastupdate attribute exists for a valid nonblank password, and that its time is before the current time. If you indicate that the system should fix errors, the lastupdate attribute is discarded or updated, depending on the password attribute. The lastupdate attribute is discarded if the password attribute doesn't exist, or equals a blank or an * (asterisk). Otherwise, the lastupdate time is set to the current time.
flags Ensures that the flags attribute contains only the keywords ADMIN, ADMCHG, and NOCHECK. If you indicate that the system should fix errors, it deletes any undefined flags.

Attributes that are checked in the /etc/security/user file are:

Item Description
auth1 Ensures that each SYSTEM;username entry that is defined for a local user has an username entry in the /etc/security/passwd file. If you indicate that the system should fix errors, a stanza is added to the /etc/security/passwd file for each missing entry, in the following format: 
username:
          password = *

If a user's entry and a default entry are both missing from the /etc/security/user file, the system assumes the following values and the check on auth1 is performed:

auth1 = SYSTEM;user
Note: The auth1 attribute is deprecated and should not be used.
auth2 Ensures that each authname;username entry that is defined for a local user has an username entry in the /etc/security/passwd file. If you indicate that the system should fix errors, an entry is added for each missing entry.

If a user's entry and a default entry are both missing from the /etc/security/user file, the system assumes the following values and the check on auth2 is performed:

auth2 = NONE

When ALL is specified, the pwdck command ensures that each stanza in the /etc/security/passwd file corresponds to an authentication name of a local user as a SYSTEM;username entry in the /etc/security/user file. If you indicate that the system should fix errors, a stanza, which does not correspond to a username entry in the /etc/security/user file is discarded from the /etc/security/passwd file.

The pwdck command locks the /etc/passwd file and the /etc/security/passwd file when it updates them. If either of these files are locked by another process, the pwdck command waits a few minutes for the files to be unlocked, and terminates if this does not happen.

The pwdck command checks to see whether the /etc/passwd file and the /etc/security/passwd file are modified by another process while the current pwdck process is running. If you indicate that the system should fix errors, the pwdck command updates the /etc/passwd file and the /etc/security/passwd file, and may overwrite any changes that are made by the other process.

Note: The pwdck command disables any Extended Access Control Lists (ACLs) on the files when it fixes errors and reports them.

The pwdck command also checks to see whether the database management security files (/etc/passwd.nm.idx, /etc/passwd.id.idx, /etc/security/passwd.idx, and /etc/security/lastlog.idx) files are up-to-date or newer than the corresponding system security files. Note, it is acceptable for the /etc/security/lastlog.idx to be not newer than /etc/security/lastlog. If the database management security files are out-of-date, a warning message appears indicating that the root user should run the mkpasswd command.

Generally, the sysck command calls the pwdck command as part of the verification of a trusted-system installation. In addition, the root user or a member of the security group can enter the command.

Note: The auth2 attribute is deprecated and should not be used.

Flags

Table 1. Flags
Item Description
-l Locks file during the entire run.
-n Reports errors but does not fix them.
-p Fixes errors but does not report them.
-t Reports errors and asks if they should be fixed.
-y Fixes errors and reports them.

Security

Access Control
This command should grant execute (x) access to the root user and members of the security group. The command should be setuid to the root user, to read and write the authentication information, and have the trusted computing base attribute.
Files Accessed
Mode File
rw /etc/passwd
r /etc/security/user
rw /etc/security/passwd
r /etc/security/login.cfg
Auditing Events:
Table 2. Auditing Events:
Event Information
PASSWORD_Check user, error/fix, status
PASSWORD_Ckerr file/user, error, status
Attention RBAC users
Attention RBAC users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations that are associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To verify that all local users have valid passwords, enter:
    pwdck  -y ALL
    This reports errors, and fixes them.
  2. To ensure that user ariel has a valid stanza in the /etc/security/passwd file, enter:
    pwdck  -y ariel

Files

Table 3. Files
Item Description
/usr/bin/pwdck Contains the pwdck command.
/etc/security/passwd Contains actual passwords and security information.
/etc/security/login.cfg Contains configuration information and password restrictions.