passwd(1)




NAME

     passwd - change login password and password attributes


SYNOPSIS

     passwd [-r files | -r ldap | -r nis | -r nisplus]  [name]

     passwd [ -r files] [-egh] [name]

     passwd [ -r files] -s [-a]

     passwd [ -r files] -s [name]

     passwd [ -r files] [-d | -l] [-f] [-n min] [-w warn] [-x max] name

     passwd  -r ldap [-egh] [name]

     passwd  -r nis [-egh] [name]

     passwd  -r nisplus [-egh] [-D domainname] [name]

     passwd  -r nisplus -s [-a]

     passwd  -r nisplus [-D domainname] -s [name]

     passwd  -r nisplus [-l] [-f] [-n min] [-w warn] [-x max]
     [-D domainname] name


DESCRIPTION

     The passwd command changes the password or lists password
     attributes associated with the user's login name. Additionally,
     privileged users may use passwd to install or change passwords
     and attributes associated with any login name.

     When used to change a password, passwd prompts everyone for
     their old password, if any. It then prompts for the new
     password twice. When the old password is entered, passwd
     checks to see if it has "aged" sufficiently. If "aging" is
     insufficient, passwd terminates; see pwconv(1M), nistbladm(1),
     and shadow(4) for additional information.

     When LDAP, NIS, or NIS+ is in effect  on  a  system,  passwd
     changes  the  NIS or NIS+ database. The NIS or NIS+ password
     may be different from the password on the local machine.  If
     NIS  or  NIS+  is  running, use passwd -r to change password
     information on the local machine.

     The pwconv command  creates  and  updates  /etc/shadow  with
     information  from  /etc/passwd.  pwconv  relies on a special
     value of 'x' in the  password  field  of  /etc/passwd.  This
     value  of  'x'  indicates  that the password for the user is
     already in /etc/shadow and should not be modified.

     If aging is sufficient, a check is made to ensure that the
     new password meets construction requirements. When the new
     password is entered a second time, the two copies of the new
     password are compared. If the two copies are not identical,
     the cycle of prompting for the new password is repeated at
     most two more times.

     Passwords must be constructed to meet the following
     requirements:

        o  Each password must have at least PASSLENGTH characters,
           where PASSLENGTH is defined in /etc/default/passwd and
           is set to 6. Only the first eight characters are
           significant.

        o  Each password must contain at least two alphabetic
           characters and at least one numeric or special
           character. In this case, "alphabetic" refers to all
           upper or lower case letters.

        o  Each password must differ from the user's  login  name
           and  any reverse or circular shift of that login name.
           For comparison purposes, an upper case letter and  its
           corresponding lower case letter are equivalent.

        o  New passwords must differ from the  old  by  at  least
           three  characters.  For  comparison purposes, an upper
           case letter and its corresponding  lower  case  letter
           are equivalent.
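
     The four requirements above, as an added example that is not part
     of the original manual page or of the Solaris source: a hypothetical
     shell function check_new_password applies them to a candidate.
     The position-by-position reading of "differ by at least three
     characters" is an assumption, and the eight-character significance
     limit is not modelled.

```shell
#!/bin/sh
# Added example: the construction rules listed above, applied to a candidate.
# check_new_password LOGIN OLD NEW
#   prints one line per violated rule; returns 0 when none is violated.
# The three values are fed to awk on stdin, not on its command line.
check_new_password() {
    printf '%s\n' "$1" "$2" "$3" | awk -v minlen="${PASSLENGTH:-6}" '
    NR == 1 { login = tolower($0) }   # comparisons fold case, per the page
    NR == 2 { old = tolower($0) }
    NR == 3 { raw = $0; new = tolower($0) }
    END {
        n = length(new); bad = 0
        if (n < minlen) { print "shorter than PASSLENGTH"; bad = 1 }

        alpha = gsub(/[A-Za-z]/, "&", raw)      # count letters, raw unchanged
        if (alpha < 2 || n - alpha < 1) {
            print "needs 2 alphabetic and 1 numeric or special character"
            bad = 1
        }

        # Login name, its reverse, and every circular shift of the login.
        rev = ""
        for (i = length(login); i > 0; i--) rev = rev substr(login, i, 1)
        hit = (new == rev)
        for (i = 0; i < length(login); i++)
            if (new == (substr(login, i + 1) substr(login, 1, i))) hit = 1
        if (hit) { print "login name, its reverse, or a circular shift"; bad = 1 }

        # Assumption: "differ by three characters" is counted position by
        # position; the page does not define the comparison.
        m = (n > length(old)) ? n : length(old); diff = 0
        for (i = 1; i <= m; i++)
            if (substr(new, i, 1) != substr(old, i, 1)) diff++
        if (diff < 3) { print "fewer than 3 characters differ from old"; bad = 1 }
        exit bad
    }'
}

# Constructed demo values: the candidate is a circular shift of the login.
check_new_password alice1 zzzzzz9 ICE1AL || true
```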

     If all requirements are met, by default, the passwd command
     will consult /etc/nsswitch.conf to determine in which
     repositories to perform password update. It searches the
     passwd and passwd_compat entries. The sources (repositories)
     associated with these entries will be updated. However, the
     password update configurations supported are limited to the
     following cases. Failure to comply with the configurations
     will prevent users from logging onto the system. The password
     update configurations are:

        o  passwd: files

        o  passwd: files ldap

        o  passwd: files nis

        o  passwd: files nisplus

        o  passwd: compat (==> files nis)

        o  passwd: compat (==> files ldap)
           passwd_compat: ldap

        o  passwd: compat (==> files nisplus)
           passwd_compat: nisplus
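
     A pre-flight check for the configurations listed above, as an
     added example (not part of the original page): the hypothetical
     functions nss_sources and check_passwd_update_config read an
     nsswitch.conf-format file and accept only the listed passwd and
     passwd_compat combinations. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the passwd distribution.

# nss_sources KEY FILE: print the source list for KEY with comments removed
# and whitespace collapsed to single spaces (empty output if KEY is absent).
nss_sources() {
    sed 's/#.*//' "$2" | awk -v key="$1:" '
        $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# check_passwd_update_config [FILE]: return 0 only for the combinations the
# man page lists. Anything else (other orderings, extra sources, criteria
# such as [NOTFOUND=return], other passwd_compat values) is reported.
check_passwd_update_config() {
    file=${1:-/etc/nsswitch.conf}
    p=$(nss_sources passwd "$file")
    c=$(nss_sources passwd_compat "$file")
    case "$p" in
        files|"files ldap"|"files nis"|"files nisplus")
            echo "supported: passwd: $p"; return 0 ;;
        compat)
            # passwd_compat only matters when passwd is "compat"
            case "$c" in
                "")           echo "supported: passwd: compat (files nis)"
                              return 0 ;;
                ldap|nisplus) echo "supported: passwd: compat, passwd_compat: $c"
                              return 0 ;;
            esac ;;
    esac
    echo "NOT in supported list: passwd: ${p:-<missing>}; passwd_compat: ${c:-<unset>}"
    return 1
}

# Constructed sample file so the check can be exercised offline.
demo=${TMPDIR:-/tmp}/nsswitch.demo.$$
printf '# constructed sample\npasswd:\tcompat   # legacy syntax\npasswd_compat: ldap\ngroup: files\n' > "$demo"
check_passwd_update_config "$demo"
rm -f "$demo"
```

     Run it against a candidate file before installing that file as
     /etc/nsswitch.conf; a non-zero return means the file is outside
     the listed update configurations.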

     Network administrators, who own the NIS+ password table, may
     change any password attributes.

     In the files  case,  super-users  (for  instance,  real  and
     effective  uid equal to 0, see id(1M) and su(1M)) may change
     any password. Hence, passwd does not prompt privileged users
     for  the  old  password.  Privileged users are not forced to
     comply  with  password  aging  and   password   construction
     requirements.  A  privileged user can create a null password
     by entering a carriage return in response to the prompt  for
     a  new  password.  (This  differs from passwd -d because the
     "password" prompt will still be displayed.)  If  NIS  is  in
     effect, superuser on the root master can change any password
     without being prompted for the old NIS passwd,  and  is  not
     forced to comply with password construction requirements.

     Normally, passwd entered with no arguments will  change  the
     password  of  the current user. When a user logs in and then
     invokes su(1M) to become super-user or another user,  passwd
     will  change  the original user's password, not the password
     of the super-user or the new user.

     Any user may use the -s option to show password attributes
     for his or her own login name, provided they are using the
     -r nisplus argument. Otherwise, the -s argument is
     restricted to the superuser.

     The format of the display will be:

     name status mm/dd/yy min max warn

     or, if password aging information is not present,

     name status

     where

     name  The login ID of the user.

     status
           The password status of name: PS stands for  passworded
           or  locked, LK stands for locked, and NP stands for no
           password.

     mm/dd/yy
           The date password was last changed  for  name.  Notice
           that  all  password  aging  dates are determined using
           Greenwich Mean Time (Universal Time) and therefore may
           differ by as much as a day in other time zones.

     min   The minimum number of days required between password
           changes for name. MINWEEKS is found in
           /etc/default/passwd and is set to NULL.

     max   The maximum number of days the password is  valid  for
           name.  MAXWEEKS is found in /etc/default/passwd and is
           set to NULL.

     warn  The number of days relative to max before the password
           expires and the name will be warned.
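
     An audit pass over this display format, added here as an example
     and not part of the original page: the hypothetical function
     audit_passwd_status flags NP entries, PS entries with no aging
     fields, and min greater than max. The sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag risky entries in `passwd -s -a` style output.
# Documented layouts:  name status mm/dd/yy min max warn
#                      name status            (no aging information)

# audit_passwd_status: read status lines on stdin, print "name: finding".
audit_passwd_status() {
    awk '
    NF < 2 { next }                      # skip blank or malformed lines
    $2 == "NP" { print $1 ": NP, no password set" }
    $2 == "PS" && NF == 2 { print $1 ": PS without aging information" }
    NF >= 5 && ($5 + 0) >= 0 && ($4 + 0) > ($5 + 0) {
        # per the -n option text, min > max means the user may not change it
        print $1 ": min " $4 " > max " $5 ", user cannot change password"
    }
    $2 != "PS" && $2 != "LK" && $2 != "NP" {
        print $1 ": unrecognised status " $2
    }'
}

# Constructed sample in the documented layout (not output from a real host).
SAMPLE='root PS 03/14/04 7 84 14
daemon LK
bob NP
carol PS
dave PS 02/20/04 30 28 7'

# On a live system the superuser would run: passwd -s -a | audit_passwd_status
printf '%s\n' "$SAMPLE" | audit_passwd_status
```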

  Security
     passwd uses pam(3PAM) for password management. The PAM
     configuration policy, listed through /etc/pam.conf, specifies
     the password modules to be used for passwd. Here is a
     partial pam.conf file with entries for the passwd command
     using the passwd-auth module:

     passwd  auth required     pam_passwd_auth.so.1

     If there are no entries for the  passwd  service,  then  the
     entries  for  the  "other" service will be used. If multiple
     password modules are listed, then the user may  be  prompted
     for multiple passwords.


OPTIONS

     The following options are supported:

     -a    Shows password attributes for all entries. Use only
           with the -s option. name must not be provided. For the
           nisplus repository, this will show only the entries in
           the NIS+ password table in the local domain that the
           invoker is authorized to "read". For the files
           repository, this is restricted to the superuser.

     -D domainname
           Consults the passwd.org_dir table  in  domainname.  If
           this  option  is not specified, the default domainname
           returned by nis_local_directory(3NSL)  will  be  used.
           This  domain  name  is  the  same  as that returned by
           domainname(1M).

     -e    Changes the login shell.  For  the  files  repository,
           this  only  works for the super-user. Normal users may
           change the ldap, nis,  or  nisplus  repositories.  The
           choice  of  shell  is  limited  by the requirements of
           getusershell(3C).  If the user currently has  a  shell
           that  is  not  allowed  by getusershell, only root may
           change it.

     -g    Changes the gecos (finger) information. For the files
           repository, this only works for the superuser. Normal
           users may change the ldap, nis, or nisplus
           repositories.

     -h    Changes the home directory.

     -r    Specifies the repository  to  which  an  operation  is
           applied.  The  supported repositories are files, ldap,
           nis, or nisplus.

     -s name
           Shows password attributes for the login name. For the
           nisplus repository, this works for everyone. However
           for the files repository, this only works for the
           superuser. It does not work at all for the nis
           repository which does not support password aging.

  Privileged User Options
     Only a privileged user can use the following options:

     -d    Deletes password for name and unlocks the account. The
           login  name  will  not be prompted for password. It is
           only applicable to the files repository.

     -f    Forces the user to change password at the  next  login
           by expiring the password for name.

     -l    Locks password entry for name. See the -d  option  for
           unlocking the account.

     -n min
           Sets minimum field for name. The  min  field  contains
           the  minimum  number  of days between password changes
           for name. If min is greater than max, the user may not
           change  the  password. Always use this option with the
           -x option, unless max is set to -1 (aging turned off).
           In that case, min need not be set.

     -w warn
           Sets warn field for name. The warn field contains  the
           number  of  days  before  the password expires and the
           user is warned. This option is not valid  if  password
           aging is disabled.

     -x max
           Sets maximum field for name. The  max  field  contains
           the  number  of  days  that  the password is valid for
           name.  The  aging  for  name  will   be   turned   off
           immediately  if  max  is set to -1. If it is set to 0,
           then the user is forced to change the password at  the
           next login session and aging is turned off.


OPERANDS

     The following operand is supported:

     name  User login name.


ENVIRONMENT VARIABLES

     If any of the LC_* variables, that is, LC_CTYPE,
     LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and
     LC_MONETARY (see environ(5)), are not set in the
     environment, the operational behavior of passwd for each
     corresponding locale category is determined by the value of
     the LANG environment variable. If LC_ALL is set, its
     contents are used to override both the LANG and the other
     LC_* variables. If none of the above variables is set in the
     environment, the "C" (U.S. style) locale determines how
     passwd behaves.

     LC_CTYPE
           Determines how passwd handles characters. When
           LC_CTYPE is set to a valid value, passwd can display
           and handle text and filenames containing valid
           characters for that locale. passwd can display and
           handle Extended Unix Code (EUC) characters where any
           individual character can be 1, 2, or 3 bytes wide.
           passwd can also handle EUC characters of 1, 2, or more
           column widths. In the "C" locale, only characters from
           ISO 8859-1 are valid.

     LC_MESSAGES
           Determines how diagnostic and informative messages are
           presented. This includes the language and style of the
           messages, and the  correct  form  of  affirmative  and
           negative  responses.  In  the "C" locale, the messages
           are presented in the default form found in the program
           itself (in most cases, U.S. English).


EXIT STATUS

     The passwd command exits with one of the following values:

     0     Success.

     1     Permission denied.

     2     Invalid combination of options.

     3     Unexpected failure. Password file unchanged.

     4     Unexpected failure. Password file(s) missing.

     5     Password file(s) busy. Try again later.

     6     Invalid argument to option.

     7     Aging option is disabled.

     8     No memory.

     9     System error.

     10    Account expired.


FILES

     /etc/oshadow

     /etc/shells

     /etc/passwd
           Password file.

     /etc/shadow
           Shadow password file.

     /etc/default/passwd
           Default values can be set for the following  flags  in
           /etc/default/passwd. For example: MAXWEEKS=26

           MAXWEEKS
                 Maximum time period that password is valid.

           MINWEEKS
                 Minimum time period before the password  can  be
                 changed.

           PASSLENGTH
                 Minimum length of password, in characters.

           WARNWEEKS
                 Time period until warning of date of  password's
                 ensuing expiration.


ATTRIBUTES

     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|
    | CSI                         | Enabled                     |
    |_____________________________|_____________________________|


SEE ALSO

     finger(1), login(1), nistbladm(1), domainname(1M),
     eeprom(1M), id(1M), passmgmt(1M), pwconv(1M), su(1M),
     useradd(1M), userdel(1M), usermod(1M), crypt(3C),
     getpwnam(3C), getspnam(3C), getusershell(3C),
     nis_local_directory(3NSL), pam(3PAM), loginlog(4),
     nsswitch.conf(4), pam.conf(4), passwd(4), shadow(4),
     attributes(5), environ(5), pam_authtok_check(5),
     pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
     pam_ldap(5), pam_unix(5), pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5)


NOTES

     The pam_unix(5) module might not be supported in a future
     release. Similar functionality is provided by
     pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
     pam_authtok_check(5), pam_authtok_get(5),
     pam_authtok_store(5), pam_dhkeys(5), and pam_passwd_auth(5).

     The nispasswd  and  ypasswd  commands  are  wrappers  around
     passwd.  Use  of  nispasswd  and ypasswd is discouraged. Use
     passwd -r repository_name instead.

     NIS+ might not be supported in future releases of the
     Solaris(TM) Operating Environment. Tools to aid the migration
     from NIS+ to LDAP are available in the Solaris 9 operating
     environment. For more information, visit
     http://www.sun.com/directory/nisplus/transition.html.

