NAME

modbks - modify a BoKS user account

SYNOPSIS

(UNIX)
modbks -l user [-H] [-u uid] [-g gid] [-r name] [-h home directory] [-s shell] [-P user class]
[-y distinguished name] [-A flags] [-D flags] [-L days] [-E valid_to] [-o timeout] [-j xrole:hhgrp]
[-J xrole:hhgrp] [-m secondary group] [-M secondary group] [-c concurrent_logins] [-tBU]
modbks -l user {-p hash [-p hash] ... | -p *no login* | -p -}
modbks -l user -f {password file | -}
modbks -l user -n new_login_name [-V] [-F]

(WINLOC)
modbks -l user [-H] [-r name] [-K login script] [-O profile path] [-R description] [-P user class]
[-y distinguished name] [-L days] [-E valid_to] [-m local windows group] [-M local windows
group] [-tBU]
modbks -l user -f {password file | -}

(WINDOM)
modbks -l user [-H] [-r name] [-S user SID] [-W windows domain] [-E valid_to] [-P user class]
[-y distinguished name] [-tBU]

(ALL)
modbks -l user [-H] {-d paramname | -e paramname=paramvalue} [-i LDAP domain]
modbks -l user -G new hostgroup [-ZkQV]

DESCRIPTION

BoKS user accounts are modified with modbks. The three account types, UNIX, Windows local
(WINLOC) and Windows domain (WINDOM), support different sets of options, which are described
below (see also mkbks(1B)).
The BoKS account name consists of a host prefix and a username (login name) part, separated by a ':'.
The host prefix can be modified with the -G option, and the username (login name) part can be modified
with the -n option (UNIX users only).

COMMON OPTIONS

-l user
Specifies the full BoKS user account name including host prefix.

-r name
The user's full name (comment field).

-H
Don’t run any hook program defined in $BOKS_etc/ssm_hook_config.

-E valid_to
Time when account expires (YYMMDD format).

-P user class
Set or change the primary user class the user belongs to.

-y distinguished name
Set or change the Distinguished Name for the user. The Distinguished Name should be unique. If
an empty string is entered as argument the Distinguished Name is removed from the user.

-t
Authorize new login tries for the user.

-i LDAP domain
Specify LDAP domain number for user imported from LDAP. The special number -2 is reserved
for users imported from Active Directory using the adsync command. This number is set by the
import commands, ldapusersync and adsync. There is normally no reason to change this.

-B
Block user. Both login and su prohibited.

-U
Unblock user.

-e paramname=paramvalue

-d paramname

The option -e enables the parameter given by paramname and sets it to paramvalue. The option
-d disables the user-specific parameter paramname, so that the default value applies again.
Valid parameter names are:

Parameter name    Description                                 Given as
loginvalidtime    Account expires (UWw)                       YYMMDD
pswvalidtime      Password Life Span (UW)                     Number of days
chpswtime         Grace period for psw change (UW)            Number of days
pswminlen         Minimum psw length (UW)                     Number of characters
pswforce          Password restrictions (UW)                  0/1 (see below)
pswhistlen        Psw history length (UW)                     Number
chpswfreq         Min time between psw change (UW)            Number of seconds
timeout           Inactivity Timeout (U)                      Number of minutes
ttimeout          Time dependent timeout (U)                  Number of minutes
tstart            Start time for time dep. timeout (U)        HHMM
tend              End time for time dep. timeout (U)          HHMM
tdays             Weekdays for time dep. timeout (U)          1=Mon, 2=Tue, etc
retrymax          Max number of failed logins (UWw)           Number
concur_logins     Max number of concurrent logins (U)         Number (0 = no limit)
shell             Login shell (U)                             String
udatacheck        User attribute check enable/disable (U)     1/0
maxsshuserkeys    Max number of ssh user public keys (U)      Number

Not all parameters are valid for all account types. The letter code enclosed in parentheses in the
description field specifies the account types for which the parameter is valid.
Account type codes:
U - UNIX
W - Windows local
w - Windows domain

pswforce values:

Value    Description
0        no format restrictions
1        new/old password look-alike check
Examples:
To set the password life span to 90 days for user foo:tom, overriding the default value, enter:
modbks -l foo:tom -e pswvalidtime=90
To remove the user-specific last valid login day for user foo:tim, so that the default one applies again,
enter:
modbks -l foo:tim -d loginvalidtime
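Because modbks accepts -e paramname=paramvalue for every account type, a wrapper that checks the parameter name, the account type code and the value format from the table above before calling modbks catches typos (and, for example, a UNIX-only timeout applied to a Windows account) on the administrator's side. The following POSIX shell script is an added example, not part of the man page or of BoKS; it only prints the modbks command line it would run, since modbks is assumed not to be installed where the script is tried out, and the tdays format (digits 1 to 7, comma-separated) is an assumption extended from the "1=Mon, 2=Tue, etc" column.

```sh
#!/bin/sh
# Added example (not BoKS code): validate a "-e paramname=paramvalue" pair
# against the modbks parameter table before building the command line.
# Account type codes as in the man page: U = UNIX, W = Windows local,
# w = Windows domain.
LC_ALL=C
export LC_ALL

# param_types NAME: print the account type codes the table lists for NAME,
# fail if NAME is not a known parameter.
param_types() {
    case "$1" in
        loginvalidtime|retrymax) echo "UWw" ;;
        pswvalidtime|chpswtime|pswminlen|pswforce|pswhistlen|chpswfreq) echo "UW" ;;
        timeout|ttimeout|tstart|tend|tdays|concur_logins|shell|udatacheck|maxsshuserkeys)
            echo "U" ;;
        *) return 1 ;;
    esac
}

# value_ok NAME VALUE: succeed if VALUE has the format of the "Given as" column.
value_ok() {
    case "$1" in
        loginvalidtime)                     # YYMMDD with a plausible month and day
            case "$2" in
                [0-9][0-9][01][0-9][0-3][0-9]) ;;
                *) return 1 ;;
            esac ;;
        tstart|tend)                        # HHMM
            case "$2" in
                [0-2][0-9][0-5][0-9]) ;;
                *) return 1 ;;
            esac ;;
        pswforce|udatacheck)                # 0/1
            case "$2" in 0|1) ;; *) return 1 ;; esac ;;
        tdays)                              # assumption: comma-separated digits 1..7
            [ -n "$2" ] || return 1
            old_ifs=$IFS; IFS=,
            for d in $2; do
                case "$d" in [1-7]) ;; *) IFS=$old_ifs; return 1 ;; esac
            done
            IFS=$old_ifs ;;
        shell)                              # login shell given as an absolute path
            case "$2" in /*) ;; *) return 1 ;; esac ;;
        *)                                  # everything else is a non-negative integer
            case "$2" in ''|*[!0-9]*) return 1 ;; esac ;;
    esac
    return 0
}

# validate_param NAME VALUE TYPE: check name, account type and value format.
validate_param() {
    case "$3" in U|W|w) ;; *) echo "unknown account type: $3" >&2; return 1 ;; esac
    types=$(param_types "$1") || { echo "unknown parameter: $1" >&2; return 1; }
    case "$types" in
        *"$3"*) ;;
        *) echo "$1 is not valid for account type $3" >&2; return 1 ;;
    esac
    value_ok "$1" "$2" || { echo "bad value for $1: $2" >&2; return 1; }
}

# modbks_set_param ACCOUNT NAME VALUE TYPE: print the validated modbks command.
# modbks itself is not executed here (assumed absent on the host running this).
modbks_set_param() {
    validate_param "$2" "$3" "$4" || return 1
    printf 'modbks -l %s -e %s=%s\n' "$1" "$2" "$3"
}

# Demo with the man page's own account name (constructed values)
modbks_set_param foo:tom pswvalidtime 90 U
modbks_set_param foo:tom loginvalidtime 191115 U
modbks_set_param foo:tom timeout 30 W || echo "rejected, as expected" >&2
```

The check is deliberately conservative: a value the table describes as "Number" must be all digits, and a parameter whose code list does not contain the account type is refused even though modbks might accept it; loosen the patterns if your BoKS version documents wider formats.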

-G new host/hostgroup
Change the host prefix of a BoKS user account. See also -Z, -Q and -k below. If the new host prefix
is an existing host, the account type must match the host type. You cannot change the hostgroup
for a user imported from Active Directory. If checking for overlapping accounts is turned on, the
operation will fail if it would create overlapping accounts, unless the -V option is used to skip this
check.

-Z
Used with the -G option to specify that the user's access routes should not be changed. If -Z is not
specified, modbks will change all occurrences of the old hostgroup in the user's access routes to the
new one.

-k
When used with the -G option, modbks will not remove any local account information. Without
this option an attempt is made to remove the local user account from those hosts where the user
is no longer defined. If the user is defined in NIS (i.e. the old hostgroup of this user is defined in
BoKS nismap) no attempt is made to clean up those files.

-Q
When used with the -G option, modbks will update any local account entries asynchronously. This
option is obsolete, as account entries are now always updated asynchronously.

-F
This flag is only useful together with the -n flag, which changes the login name of a user. It relaxes the
rules for the characters allowed in the new login name. By default the allowed characters are:
letters (A-Z, a-z), digits (0-9), hyphen (-) and underscore (_). If -F is used, any characters except
control characters, white space, colon and comma are allowed. Fox Technologies recommends
not using this option unless it is needed by external constraints.
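The two character rules above are simple enough to check before the rename is attempted, which keeps -F from being added out of habit. The following POSIX shell script is an added example, not BoKS code; login_name_ok implements the default and the relaxed rule exactly as stated, and modbks_rename (a hypothetical helper) prints the modbks command it would run, adding -F only when the name passes the relaxed rule but not the default one.

```sh
#!/bin/sh
# Added example (not BoKS code): check a proposed new login name against the
# rules in the -F description before calling "modbks -l user -n new_login_name [-F]".
LC_ALL=C
export LC_ALL

# login_name_ok NAME [relaxed]
#   default : letters, digits, hyphen and underscore only
#   relaxed : anything except control characters, white space, colon and comma
login_name_ok() {
    name=$1
    mode=${2:-default}
    [ -n "$name" ] || return 1
    if [ "$mode" = relaxed ]; then
        # Delete every forbidden byte; the name passes if nothing was deleted.
        stripped=$(printf '%s' "$name" | tr -d '[:cntrl:][:space:]:,')
        [ "$stripped" = "$name" ]
    else
        case "$name" in
            *[!A-Za-z0-9_-]*) return 1 ;;
        esac
    fi
}

# modbks_rename ACCOUNT NEWNAME [relaxed]: print the modbks invocation to run.
# -F is only appended when the caller allowed the relaxed rule and the name
# needs it. modbks itself is not executed (assumed absent on this host).
modbks_rename() {
    if login_name_ok "$2"; then
        printf 'modbks -l %s -n %s\n' "$1" "$2"
    elif [ "$3" = relaxed ] && login_name_ok "$2" relaxed; then
        printf 'modbks -l %s -n %s -F\n' "$1" "$2"
    else
        echo "rejected login name: $2" >&2
        return 1
    fi
}

# Demo with constructed names
modbks_rename foo:tom tom_2
modbks_rename foo:tom tom.smith relaxed
modbks_rename foo:tom 'tom smith' relaxed || echo "rejected, as expected" >&2
```

Note that the relaxed rule still refuses a colon, so a name cannot smuggle in a second host prefix separator, and that the script tests bytes in the C locale; a multibyte name that your site policy forbids has to be caught by an additional rule.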

-V
The ENV variable OVERLAPPING_ACCOUNT_CHECK (See ENV.4) can be set to make BoKS
check for overlapping accounts. If checking is turned on, the -V switch can be used to skip this
check when modifying the host/host group for a user.

COMMON OPTIONS FOR UNIX AND WINDOWS LOCAL ACCOUNTS

-f {password file | -}
A user password can be set from a clear text password in a file. Setting a password this way should
be avoided if possible, since storing a password in clear text on disk is always a security risk.
Under normal BoKS administration passwords should be set using the passwd command. If the
filename argument is a hyphen "-", standard input is assumed.

-L days
Set the date of the user's last password change back by days days.

UNIX ACCOUNT OPTIONS

-g gid
Primary group. The group can be specified as a number, in which case a group with that number
must already exist, or as a name, in which case a group must be uniquely defined by that name in
the BoKS database.

-u uid
User id.

-s shell
User login shell.

-h home directory
User's home directory.

-o timeout
Inactivity timeout for user.

-c concurrent logins
Number of allowed simultaneous logins with the same name. By default there is no restriction other
than the licensed number of logged-in users.

-D flags
flags is a comma-separated list of flags to set for the user. The flags are tlock, cpu_timeout,
tty_input_timeout, tty_output_timeout, everything, unixgroups. When a new user is created all
flags are cleared. See -A below for the meaning of the flags.

-A flags
flags is a comma-separated list of flags to clear for the user. The flags are tlock, cpu_timeout,
tty_input_timeout, tty_output_timeout, everything, unixgroups.
The following defines the action if a flag is set for the user:
tlock means user terminal is locked by tlock on inactivity instead of logged out (only if the system
supports tlock).
cpu_timeout means inactivity check does not test if the user is using cpu cycles.
tty_input_timeout means inactivity check does not test if the user is doing terminal input.
tty_output_timeout means inactivity check does not test if the user is doing terminal output.
unixgroups means that BoKS keeps the /etc/group file updated with the user’s secondary groups.

-j xrole:host/hostgroup
Assign user to a xRole at host or hostgroup. Multiple -j options can be given. The xRole and
host/hostgroup must already be defined. If this is the first assignment between the user and the
xRole a generic access route for role change using password authentication will be created.

-J xrole:host/hostgroup
Unassign user from xRole at host or hostgroup. Multiple -J options can be given. If this is the last
assignment between the user and the xRole the generic access route for role change will be
deleted, see option -j.

-m secondary group
Add user to secondary group. Multiple -m options can be given. The secondary group can be
specified as a number, in which case a group with that number must already exist, or as a name, in
which case a group must be uniquely defined by that name.

-M secondary group
Remove user from secondary group. Multiple -M options can be given. The secondary group can
be specified as a number, or as a name, in which case a group must be uniquely defined by that
name.

-n new_login_name
Change the login name of a user. This can only be done for UNIX users. See Rename Operation
in NOTES below for details. If checking for overlapping accounts is turned on, the operation will
fail if it would create overlapping accounts, unless the -V option is used to skip this check. You
cannot change the login name for a user imported from Active Directory.

-p hash [-p hash] ... | -p *no login* | -p -
A user password can be set directly as a password hash in any of the password hash formats supported
by BoKS. This option may be used to import already existing local accounts into BoKS.
Under normal BoKS administration passwords should be set using the passwd command.
This option may be given multiple times to import the password in multiple hash formats.
If the argument is a hyphen "-" instead of a password hash, the password hashes are read from standard
input, one password hash per line.
The user's password may be invalidated by entering an invalid password hash. E.g. passing the text
string *no login* will effectively invalidate the user's password.
See also -f under Common Options above.
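When importing existing local accounts, the hash is usually taken from the host's shadow file and fed to modbks -p - on standard input. The following POSIX shell script is an added example, not BoKS code: it reads a constructed shadow-style sample, picks the user's hash field and builds the standard-input payload for modbks -l host:user -p -, substituting *no login* (as the man page describes) when the local account is locked or has no hash, so that a "!" or an empty field is never imported as if it were a valid hash. The hash values and user names are constructed; modbks is assumed not to be installed and is not executed.

```sh
#!/bin/sh
# Added example (not BoKS code): turn a user's /etc/shadow entry into the
# standard input expected by "modbks -l host:user -p -".
# Constructed sample in /etc/shadow format; the hashes are not real.
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhashvalue:18000:0:99999:7:::
tom:$6$anothersalt$anotherconstructedhash:18200:0:90:7:::
svc:!:18200:0:99999:7:::
guest::18200:0:99999:7:::'

# shadow_hash USER: read shadow lines from stdin, print USER's hash field
# (field 2), fail if USER is not present.
shadow_hash() {
    while IFS=: read -r login hash rest; do
        [ "$login" = "$1" ] || continue
        printf '%s\n' "$hash"
        return 0
    done
    return 1
}

# modbks_password_payload USER: read shadow lines from stdin and print the
# line(s) to pipe into "modbks -l host:USER -p -". A locked ("!..." or "*...")
# or empty hash becomes the *no login* marker, which invalidates the password
# in BoKS instead of importing an unusable string as a hash.
modbks_password_payload() {
    hash=$(shadow_hash "$1") || { echo "no shadow entry for $1" >&2; return 1; }
    case "$hash" in
        ''|'!'*|'*'*) printf '%s\n' '*no login*' ;;
        *)            printf '%s\n' "$hash" ;;
    esac
}

# Demo: show, per sample user, what would be piped into modbks on host prefix
# "foo" (constructed). The command is printed, not run.
for u in tom svc guest; do
    echo "# modbks -l foo:$u -p -   (stdin follows)"
    printf '%s\n' "$SAMPLE_SHADOW" | modbks_password_payload "$u"
done
```

In real use the loop body would be `printf '%s\n' "$SAMPLE_SHADOW" | modbks_password_payload "$u" | modbks -l "foo:$u" -p -`, run on a host where reading /etc/shadow requires root; the script never writes the hash to a file, which is the property the -f option's warning is about.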

WINDOWS LOCAL ACCOUNT OPTIONS

-K login script
Windows login script.

-O profile path
Profile path.

-R description
Account description.

-m local windows group
Assign the user as a member of a local Windows group. Multiple -m options can be given. The group
can be given either as a group name or as a group SID. Only groups from the BoKS built-in list of
predefined Windows groups can be used (groupadm -L displays the list).

-M local windows group
Remove assignment of a local Windows group. Multiple -M options can be given. The same argument
restriction as for option -m applies.

WINDOWS DOMAIN ACCOUNT OPTIONS

-S user SID
Windows Security Identifier (SID) for the domain user. This attribute is needed if the account
should support SSH login to BoKS Client for Windows hosts. The SID value can be either in text
format or base64 encoded binary format.

-W windows domain
Name of the Windows domain the user belongs to.

NOTES

Windows domain accounts are normally not modified manually in BoKS but rather imported using the
BoKS LDAP synchronization function.
Unless the -H option is given, any MODUSER program defined in $BOKS_etc/ssm_hook_config will be
executed after a successful user modification.

Rename Operation: The rename operation changes the login name for the user in all database tables,
with the exception that the home directory for the user is not changed.
The old user will be removed from the /etc/passwd file on all machines in the user's Host Group, and the
new name will be added.
The old user will be removed from any RBAC role mappings stored on machines in the user's Host Group,
and the new user will be added.

FILES

/etc/passwd, /etc/shadow, $BOKS_etc/ssm_hook_config

SEE ALSO

mkbks(1B), bksdef(1B), groupadm(1B), groupimport(1B), roleadm(1B).

Last Modified On: November 15, 2019