pwck - verify integrity of password files
pwck [options] [passwd [shadow]]
The pwck command verifies the integrity of the users and authentication information. It checks that all entries in /etc/passwd and /etc/shadow have the proper format and contain valid data. The user is prompted to delete entries that are improperly formatted or which have other uncorrectable errors.
Checks are made to verify that each entry has:
• the correct number of fields
• a unique and valid user name
• a valid user and group identifier
• a valid primary group
• a valid home directory
• a valid login shell
Shadow checks are enabled when a second file parameter is specified or when /etc/shadow exists on the system.
These checks are the following:
• every passwd entry has a matching shadow entry, and every shadow entry has a matching passwd entry
• passwords are specified in the shadowed file
• shadow entries have the correct number of fields
• shadow entries are unique in shadow
• the last password changes are not in the future
The checks for correct number of fields and unique user name are fatal. If the entry has the wrong number of fields, the user will be prompted to delete the entire line. If the user does not answer affirmatively, all further checks are bypassed. An entry with a duplicated user name is prompted for deletion, but the remaining checks will still be made. All other errors are warnings and the user is encouraged to run the usermod command to correct the error.
The commands which operate on the /etc/passwd file are not able to alter corrupted or duplicated entries. pwck should be used in those circumstances to remove the offending entry.
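The field-count, uniqueness and shadow cross-checks listed above can also be run read-only over copies of the files, for example in monitoring or CI. The following is an added example, not part of the pwck manual and not pwck's own code; the function names, finding labels and sample entries are constructed, the field counts come from passwd(5) and shadow(5), and treating "x" as the marker for a shadowed password is an assumption.

```python
import time

PASSWD_FIELDS, SHADOW_FIELDS = 7, 9  # colon-separated fields per passwd(5) / shadow(5)

def parse(text, nfields, label, findings):
    """Return {name: fields}; record malformed and duplicate entries in findings."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != nfields:
            findings.append((f"{label}-field-count", f"line {lineno}"))
        elif fields[0] in entries:
            findings.append((f"{label}-duplicate", fields[0]))
        else:
            entries[fields[0]] = fields
    return entries

def audit(passwd_text, shadow_text, today=None):
    """Read-only cross-check of passwd and shadow content; returns sorted findings."""
    today = int(time.time() // 86400) if today is None else today
    findings = []
    pw = parse(passwd_text, PASSWD_FIELDS, "passwd", findings)
    sp = parse(shadow_text, SHADOW_FIELDS, "shadow", findings)
    findings += [("no-shadow-entry", n) for n in pw.keys() - sp.keys()]
    findings += [("no-passwd-entry", n) for n in sp.keys() - pw.keys()]
    for name in pw.keys() & sp.keys():
        if pw[name][1] != "x":  # assumption: "x" marks a shadowed password
            findings.append(("password-not-shadowed", name))
        lastchg = sp[name][2]   # days since 1970-01-01; may be empty
        if lastchg.isdigit() and int(lastchg) > today:
            findings.append(("lastchg-in-future", name))
    return sorted(findings)

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$6$constructed$hash:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/bash
broken:x:1003:1003:/home/broken
"""
SAMPLE_SHADOW = """\
alice:!:99999:0:99999:7:::
bob:!:19000:0:99999:7:::
bob:!:19001:0:99999:7:::
ghost:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_PASSWD, SAMPLE_SHADOW, today=20000), sep="\n")
```

The sketch leaves out the user and group identifier, primary group, home directory and login shell checks, so it complements a `pwck -r` run and does not replace it.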
The -r and -s options cannot be combined.
The options which apply to the pwck command are:
-h, --help Display help message and exit.
-q, --quiet Report errors only. The warnings which do not require any action from the user won't be displayed.
-r, --read-only Execute the pwck command in read-only mode.
-R, --root CHROOT_DIR Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.
-s, --sort Sort entries in /etc/passwd and /etc/shadow by UID.
By default, pwck operates on the files /etc/passwd and /etc/shadow. The user may select alternate files with the passwd and shadow parameters.
The following configuration variables in /etc/login.defs change the behavior of this tool:
PASS_MAX_DAYS (number) The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not specified, -1 will be assumed (which disables the restriction).
PASS_MIN_DAYS (number) The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, -1 will be assumed (which disables the restriction).
PASS_WARN_AGE (number) The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.
/etc/group Group account information.
/etc/passwd User account information.
/etc/shadow Secure user account information.
The pwck command exits with the following values:
1 invalid command syntax
2 one or more bad password entries
3 can't open password files
4 can't lock password files
5 can't update password files
6 can't sort password files