passwd(1)
NAME
passwd - change login password and password attributes
SYNOPSIS
passwd [-r files | -r ldap | -r nis | -r nisplus] [name]
passwd [ -r files] [-egh] [name]
passwd [ -r files] -s [-a]
passwd [ -r files] -s [name]
passwd [ -r files] [-d | -l] [-f] [-n min] [-w warn] [-
x max] name
passwd -r ldap [-egh] [name]
passwd -r nis [-egh] [name]
passwd -r nisplus [-egh] [-D domainname] [name]
passwd -r nisplus -s [-a]
passwd -r nisplus [-D domainname] -s [name]
passwd -r nisplus [-l] [-f] [-n min] [-w warn] [-x max] [-
D domainname] name
DESCRIPTION
The passwd command changes the password or lists password
attributes associated with the user's login name. Addition-
ally, privileged users may use passwd to install or change
passwords and attributes associated with any login name.
When used to change a password, passwd prompts everyone for
their old password, if any. It then prompts for the new
password twice. When the old password is entered, passwd
checks to see if it has "aged" sufficiently. If "aging" is
insufficient, passwd terminates; see pwconv(1M), nist-
bladm(1), and shadow(4) for additional information.
When LDAP, NIS, or NIS+ is in effect on a system, passwd
changes the NIS or NIS+ database. The NIS or NIS+ password
may be different from the password on the local machine. If
NIS or NIS+ is running, use passwd -r to change password
information on the local machine.
The pwconv command creates and updates /etc/shadow with
information from /etc/passwd. pwconv relies on a special
value of 'x' in the password field of /etc/passwd. This
value of 'x' indicates that the password for the user is
already in /etc/shadow and should not be modified.
If aging is sufficient, a check is made to ensure that the
new password meets construction requirements. When the new
password is entered a second time, the two copies of the new
password are compared. If the two copies are not identical,
the cycle of prompting for the new password is repeated for,
at most, two more times.
Passwords must be constructed to meet the following require-
ments:
o Each password must have PASSLENGTH characters, where
PASSLENGTH is defined in /etc/default/passwd and is
set to 6. Only the first eight characters are signifi-
cant.
o Each password must contain at least two alphabetic
characters and at least one numeric or special charac-
ter. In this case, "alphabetic" refers to all upper or
lower case letters.
o Each password must differ from the user's login name
and any reverse or circular shift of that login name.
For comparison purposes, an upper case letter and its
corresponding lower case letter are equivalent.
o New passwords must differ from the old by at least
three characters. For comparison purposes, an upper
case letter and its corresponding lower case letter
are equivalent.
If all requirements are met, by default, the passwd command
will consult /etc/nsswitch.conf to determine in which repo-
sitories to perform password update. It searches the passwd
and passwd_compat entries. The sources (repositories) asso-
ciated with these entries will be updated. However, the
password update configurations supported are limited to the
following cases. Failure to comply with the configurations
will prevent users from logging onto the system. The pass-
word update configurations are:
o passwd: files
o passwd: files ldap
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files ldap)
passwd_compat: ldap
o passwd: compat (==> files nisplus)
passwd_compat: nisplus
Network administrators, who own the NIS+ password table, may
change any password attributes.
In the files case, super-users (for instance, real and
effective uid equal to 0, see id(1M) and su(1M)) may change
any password. Hence, passwd does not prompt privileged users
for the old password. Privileged users are not forced to
comply with password aging and password construction
requirements. A privileged user can create a null password
by entering a carriage return in response to the prompt for
a new password. (This differs from passwd -d because the
"password" prompt will still be displayed.) If NIS is in
effect, superuser on the root master can change any password
without being prompted for the old NIS passwd, and is not
forced to comply with password construction requirements.
Normally, passwd entered with no arguments will change the
password of the current user. When a user logs in and then
invokes su(1M) to become super-user or another user, passwd
will change the original user's password, not the password
of the super-user or the new user.
Any user may use the -s option to show password attributes
for his or her own login name, provided they are using the
-r nisplus argument. Otherwise, the -s argument is res-
tricted to the superuser.
The format of the display will be:
name status mm/dd/yy min max warn
or, if password aging information is not present,
name status
where
name The login ID of the user.
status
The password status of name: PS stands for passworded
or locked, LK stands for locked, and NP stands for no
password.
mm/dd/yy
The date password was last changed for name. Notice
that all password aging dates are determined using
Greenwich Mean Time (Universal Time) and therefore may
differ by as much as a day in other time zones.
min The minimum number of days required between password
changes for name. MINWEEKS is found in
/etc/default/passwd and is set to NULL.
max The maximum number of days the password is valid for
name. MAXWEEKS is found in /etc/default/passwd and is
set to NULL.
warn The number of days relative to max before the password
expires and the name will be warned.
Security
passwd uses pam(3PAM) for password management. The PAM con-
figuration policy, listed through /etc/pam.conf, specifies
the password modules to be used for passwd. Here is a par-
tial pam.conf file with entries for the passwd command using
the passwd-auth module:
passwd auth required pam_passwd_auth.so.1
If there are no entries for the passwd service, then the
entries for the "other" service will be used. If multiple
password modules are listed, then the user may be prompted
for multiple passwords.
OPTIONS
The following options are supported:
-a Shows password attributes for all entries. Use only
with the -s option. name must not be provided. For the
nisplus repository, this will show only the entries in
the NIS+ password table in the local domain that the
invoker is authorized to "read". For the files reposi-
tory, this is restricted to the superuser.
-D domainname
Consults the passwd.org_dir table in domainname. If
this option is not specified, the default domainname
returned by nis_local_directory(3NSL) will be used.
This domain name is the same as that returned by
domainname(1M).
-e Changes the login shell. For the files repository,
this only works for the super-user. Normal users may
change the ldap, nis, or nisplus repositories. The
choice of shell is limited by the requirements of
getusershell(3C). If the user currently has a shell
that is not allowed by getusershell, only root may
change it.
-g Changes the gecos (finger) information. For the files
repository, this only works for the superuser. Normal
users may change the ldap, nis, or nisplus reposi-
tories.
-h Changes the home directory.
-r Specifies the repository to which an operation is
applied. The supported repositories are files, ldap,
nis, or nisplus.
-s name
Shows password attributes for the login name. For the
nisplus repository, this works for everyone. However
for the files repository, this only works for the
superuser. It does not work at all for the nis reposi-
tory which does not support password aging.
Privileged User Options
Only a privileged user can use the following options:
-d Deletes password for name and unlocks the account. The
login name will not be prompted for password. It is
only applicable to the files repository.
-f Forces the user to change password at the next login
by expiring the password for name.
-l Locks password entry for name. See the -d option for
unlocking the account.
-n min
Sets minimum field for name. The min field contains
the minimum number of days between password changes
for name. If min is greater than max, the user may not
change the password. Always use this option with the
-x option, unless max is set to -1 (aging turned off).
In that case, min need not be set.
-w warn
Sets warn field for name. The warn field contains the
number of days before the password expires and the
user is warned. This option is not valid if password
aging is disabled.
-x max
Sets maximum field for name. The max field contains
the number of days that the password is valid for
name. The aging for name will be turned off
immediately if max is set to -1. If it is set to 0,
then the user is forced to change the password at the
next login session and aging is turned off.
OPERANDS
The following operand is supported:
name User login name.
ENVIRONMENT VARIABLES
If any of the LC_* variables, that is, LC_CTYPE,
LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and
LC_MONETARY (see environ(5)), are not set in the environ-
ment, the operational behavior of passwd for each
corresponding locale category is determined by the value of
the LANG environment variable. If LC_ALL is set, its con-
tents are used to override both the LANG and the other LC_*
variables. If none of the above variables is set in the
environment, the "C" (U.S. style) locale determines how
passwd behaves.
LC_CTYPE
Determines how passwd handles characters. When
LC_CTYPE is set to a valid value, passwd can display
and handle text and filenames containing valid charac-
ters for that locale. passwd can display and handle
Extended Unix Code (EUC) characters where any indivi-
dual character can be 1, 2, or 3 bytes wide. passwd
can also handle EUC characters of 1, 2, or more column
widths. In the "C" locale, only characters from ISO
8859-1 are valid.
LC_MESSAGES
Determines how diagnostic and informative messages are
presented. This includes the language and style of the
messages, and the correct form of affirmative and
negative responses. In the "C" locale, the messages
are presented in the default form found in the program
itself (in most cases, U.S. English).
EXIT STATUS
The passwd command exits with one of the following values:
0 Success.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure. Password file unchanged.
4 Unexpected failure. Password file(s) missing.
5 Password file(s) busy. Try again later.
6 Invalid argument to option.
7 Aging option is disabled.
8 No memory.
9 System error.
10 Account expired.
FILES
/etc/oshadow
/etc/shells
/etc/passwd
Password file.
/etc/shadow
Shadow password file.
/etc/default/passwd
Default values can be set for the following flags in
/etc/default/passwd. For example: MAXWEEKS=26
MAXWEEKS
Maximum time period that password is valid.
MINWEEKS
Minimum time period before the password can be
changed.
PASSLENGTH
Minimum length of password, in characters.
WARNWEEKS
Time period until warning of date of password's
ensuing expiration.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| CSI | Enabled |
|_____________________________|_____________________________|
SEE ALSO
finger(1), login(1), nistbladm(1), domainname(1M),
eeprom(1M), id(1M), passmgmt(1M), pwconv(1M), su(1M),
useradd(1M), userdel(1M), usermod(1M), crypt(3C),
getpwnam(3C), getspnam(3C), getusershell(3C),
nis_local_directory(3NSL), pam(3PAM), loginlog(4),
nsswitch.conf(4), pam.conf(4), passwd(4), shadow(4), attri-
butes(5), environ(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_ldap(5), pam_unix(5), pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5)
NOTES
The pam_unix(5) module might not be supported in a future
release. Similar functionality is provided by
pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), and pam_passwd_auth(5).
The nispasswd and ypasswd commands are wrappers around
passwd. Use of nispasswd and ypasswd is discouraged. Use
passwd -r repository_name instead.
NIS+ might not be supported in future releases of the
SolarisTM Operating Environment. Tools to aid the migration
from NIS+ to LDAP are available in the Solaris 9 operating
environment. For more information, visit
http://www.sun.com/directory/nisplus/transition.html.
Man(1) output converted with
man2html