authck(ADM)


authck, passwdupd -- check internal consistency of authentication database

Syntax

/tcb/bin/authck [ -a ] [ -p ] [ -s ] [ -t ] [ -y | -n ] [ -v ]

/tcb/bin/passwdupd [ -s ]

Description

authck checks both the overall structure and internal field consistency of all components of the Authentication database. It reports all problems that it finds.

The functionality of passwdupd has been subsumed into the authck command. passwdupd remains as a compatibility aid and may be removed in future releases. The -s option to passwdupd specifies that the authck subsystem check should be suppressed. If passwdupd is executed with the -s option, authck -y -p is executed; otherwise, authck -y -p -s is executed.

authck takes the following options:


-p
Checks the Protected Password database. A number of tests are performed. The Protected Password database and /etc/passwd are checked for completeness such that neither contains entries not in the other. Once this is done, the fields common to the Protected Password database and /etc/passwd are checked to make sure they agree. Then, fields in the Protected Password database are checked for reasonable values. For instance, all time stamps of past events are checked to make sure they have times less than that returned by time(S-osr5).

-t
Checks the fields in the Terminal Control database for reasonable values. All time stamps of past events are checked to make sure they have times less than that returned by time.

-s
Checks the Protected Subsystem database files to ensure they reflect the subsystem authorization entries in the Protected Password database correctly. Each name listed in each subsystem file is verified against the Protected Password entry with the same name, so that no authorization is inconsistent between the files. Also, each Protected Password entry is scanned to ensure that all the privileges listed are in fact reflected in the Protected Subsystem database. If any inconsistencies are found and neither the -n nor the -y option is specified, the administrator is asked whether authck should repair the Subsystem database.

-a
Turns on the -p, -t, and -s options.

-y
Repairs the database without asking for confirmation.

-n
Prevents authck from repairing the database.

-v
Provides running diagnostics as the program proceeds. It also produces warnings on events that should not occur but otherwise do not harm the Authentication database and the routines operating on it.

Network Information Service (NIS) entries in /etc/passwd are not expected to be found in the Protected Password database.

authck prints a warning if it finds an NIS entry in /etc/passwd but NIS is not enabled.

If u_integrity is not set in /etc/auth/system/default and a Protected Password entry exists for an NIS user, authck non-interactively removes the Protected Password entry.
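
The completeness test described under -p, with the NIS exception noted above, as a read-only sketch (an added example, not SCO's code and not a substitute for authck). It assumes each Protected Password entry is a file named after the user under a directory named for the first letter of that name, and that NIS entries in /etc/passwd begin with + or -; pp_completeness and make_fixture are hypothetical names.

```shell
# Read-only sketch of the completeness test described for authck -p.
# Assumption: each Protected Password entry is a file named after the user,
# under a directory named for the first letter of that name.

# pp_completeness PASSWD_FILE AUTH_ROOT (hypothetical helper)
# Prints "passwd-only NAME" or "prpw-only NAME"; returns 1 on any mismatch.
pp_completeness() {
    passwd_file=$1
    auth_root=$2
    rc=0
    # Local account names. Lines starting with + or - are taken to be NIS
    # entries, which are not expected in the Protected Password database.
    names=$(awk -F: '$1 != "" && $1 !~ /^[+-]/ { print $1 }' "$passwd_file" | sort -u)

    # Every local passwd name needs a Protected Password entry.
    for name in $names; do
        first=$(printf '%s' "$name" | cut -c1)
        if [ ! -f "$auth_root/$first/$name" ]; then
            echo "passwd-only $name"
            rc=1
        fi
    done

    # Every Protected Password entry needs a passwd line.
    for entry in "$auth_root"/?/*; do
        [ -f "$entry" ] || continue
        name=${entry##*/}
        if ! printf '%s\n' "$names" | grep -qxF -- "$name"; then
            echo "prpw-only $name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data, not from a real system: alice is consistent, bob
# has no Protected Password entry, carol has one but no passwd line.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/auth/a" "$d/auth/c"
    printf '%s\n' 'alice:x:200:50::/usr/alice:/bin/sh' \
        'bob:x:201:50::/usr/bob:/bin/sh' '+nisuser::::::' > "$d/passwd"
    : > "$d/auth/a/alice"
    : > "$d/auth/c/carol"
    echo "$d"
}
```

On a system laid out this way it would be run as pp_completeness /etc/passwd /tcb/files/auth; it only reads, and any repair stays with authck.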

Authorization

authck requires the invoking user to be root or have the auth subsystem authorization. The chown kernel privilege is also required for authck to repair the subsystem databases.

Files


/etc/passwd
System password file

/tcb/files/auth/?/*
Protected Password database

/etc/auth/system/ttys
Terminal Control database

/etc/auth/system/files
File Control database

/etc/auth/subsystems/*
Protected Subsystem database

/etc/auth/system/default
System Defaults database

See also

authcap(F), default(F), getprpwent(S-osr5), getprtcent(S-osr5), getprfient(S-osr5), getprdfent(S-osr5), integrity(ADM), prpw(F), subsystems(S-osr5)

``Maintaining system security'' in Managing system security

Standards conformance

authck is not part of any currently supported standard; it is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005