User Commands passwd(1)
NAME
passwd - change login password and password attributes
SYNOPSIS
passwd [-r files | -r ldap | -r nis | -r nisplus] [name]
passwd [-r files] [-egh] [name]
passwd [-r files] -s [-a]
passwd [-r files] -s [name]
passwd [-r files] [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name
passwd -r ldap [-egh] [name]
passwd [-r ldap] -s [-a]
passwd [-r ldap] -s [name]
passwd -r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name
passwd -r nis [-egh] [name]
passwd -r nisplus [-egh] [-D domainname] [name]
passwd -r nisplus -s [-a]
passwd -r nisplus [-D domainname] -s [name]
passwd -r nisplus [-l | -u | -N] [-f] [-n min] [-w warn] [-x max] [-D domainname] name
DESCRIPTION
The passwd command changes the password or lists password attributes associated with the user's login name. Additionally, privileged users can use passwd to install or change passwords and attributes associated with any login name.
SunOS 5.11 Last change: 25 Feb 2009 1
When used to change a password, passwd prompts everyone for their old password, if any. It then prompts for the new password twice. When the old password is entered, passwd checks to see if it has aged sufficiently. If aging is insufficient, passwd terminates; see pwconv(1M), nistbladm(1), and shadow(4) for additional information.
The pwconv command creates and updates /etc/shadow with information from /etc/passwd. pwconv relies on a special value of x in the password field of /etc/passwd. This value of x indicates that the password for the user is already in /etc/shadow and should not be modified.
If aging is sufficient, a check is made to ensure that the new password meets construction requirements. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the cycle of prompting for the new password is repeated for, at most, two more times.
Passwords must be constructed to meet the following requirements:
o Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Setting PASSLENGTH to more than eight characters requires configuring policy.conf(4) with an algorithm that supports greater than eight characters.
o Each password must meet the configured complexity constraints specified in /etc/default/passwd.
o Each password must not be a member of the configured dictionary as specified in /etc/default/passwd.
o For accounts in name services which support password history checking, if prior password history is defined, new passwords must not be contained in the prior password history.
If all requirements are met, by default, the passwd command consults /etc/nsswitch.conf to determine in which repositories to perform password update. It searches the passwd and passwd_compat entries. The sources (repositories) associated with these entries are updated. However, the password update configurations supported are limited to the following cases. Failure to comply with the configurations prevents users from logging onto the system. The password update configurations are:
o passwd: files
o passwd: files ldap
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files ldap)
  passwd_compat: ldap
o passwd: compat (==> files nisplus)
  passwd_compat: nisplus
You can add the ad keyword to any of the passwd configurations in the above list. However, you cannot use the passwd command to change the password of an Active Directory (AD) user. If the ad keyword is found in the passwd entry during a password update operation, it is ignored. To update the password of an AD user, use the kpasswd(1) command.
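To see what the repository selection above amounts to in practice, here is a small checker, added as an example and not part of passwd(1) or Solaris, that reads the passwd and passwd_compat lines of an nsswitch.conf and reports whether the entry is one of the supported update configurations listed above, which repositories passwd would update, and whether an (ignored) ad keyword is present. Its treatment of nsswitch status clauses such as [NOTFOUND=return] (skipped) and of passwd_compat values the list does not name (reported as unsupported) is this example's own assumption, and the configuration text it ships with is constructed.

```python
"""Validate nsswitch.conf passwd entries against the password update
configurations passwd(1) supports. Added example, not Solaris code."""

# Supported (passwd sources, passwd_compat source) pairs taken from the list
# above. "compat" with no passwd_compat entry expands to files + nis.
SUPPORTED = {
    (("files",), None),
    (("files", "ldap"), None),
    (("files", "nis"), None),
    (("files", "nisplus"), None),
    (("compat",), None),        # ==> files nis
    (("compat",), "ldap"),      # ==> files ldap
    (("compat",), "nisplus"),   # ==> files nisplus
}


def parse_nsswitch(text):
    """Return {database: [tokens]} from nsswitch.conf text; '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        entries[db.strip()] = rest.split()
    return entries


def check_passwd_config(text):
    """Return (supported, repositories, ad_present) for the passwd entry.

    supported    -- True when the entry is one of the listed configurations
    repositories -- the repositories passwd would update, compat expanded
    ad_present   -- True when the (ignored) ad keyword appears in the entry
    """
    entries = parse_nsswitch(text)
    tokens = entries.get("passwd", [])
    ad_present = "ad" in tokens
    # Drop the ignored ad keyword and any [STATUS=action ...] clause.
    # Assumption: such clauses do not change which repositories get updated.
    sources, in_clause = [], False
    for token in tokens:
        if token.startswith("["):
            in_clause = True
        if not in_clause and token != "ad":
            sources.append(token)
        if token.endswith("]"):
            in_clause = False
    sources = tuple(sources)
    compat = entries.get("passwd_compat")
    compat_source = compat[0] if compat else None
    supported = (sources, compat_source) in SUPPORTED
    if sources == ("compat",):
        repositories = ["files", compat_source or "nis"]
    else:
        repositories = list(sources)
    return supported, repositories, ad_present


# Constructed sample: a compat configuration that routes the name service to LDAP.
SAMPLE_NSSWITCH = """\
# constructed nsswitch.conf fragment
passwd:        compat   # passwd: compat (==> files ldap)
passwd_compat: ldap
group:         files ldap
"""

if __name__ == "__main__":
    print(check_passwd_config(SAMPLE_NSSWITCH))   # (True, ['files', 'ldap'], False)
```

An entry such as "passwd: ldap files" is reported as unsupported because the page lists only configurations that start with files; the check is deliberately strict so that a misordered entry is caught before it prevents users from logging on.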
Network administrators, who own the NIS+ password table, can change any password attributes. The administrator configured for updating LDAP shadow information can also change any password attributes. See ldapclient(1M).
When a user has a password stored in one of the name services as well as a local files entry, the passwd command updates both. It is possible to have different passwords in the name service and local files entry. Use passwd -r to change a specific password repository.
In the files case, super-users (for instance, real and effective uid equal to 0, see id(1M) and su(1M)) can change any password. Hence, passwd does not prompt privileged users for the old password. Privileged users are not forced to comply with password aging and password construction requirements. A privileged user can create a null password by entering a carriage return in response to the prompt for a new password. (This differs from passwd -d because the password prompt is still displayed.) If NIS is in effect, superuser on the root master can change any password without being prompted for the old NIS passwd, and is not forced to comply with password construction requirements.
If LDAP is in effect, superuser on any Native LDAP client system can change any password without being prompted for the old LDAP passwd, and is not forced to comply with password construction requirements.
Normally, passwd entered with no arguments changes the password of the current user. When a user logs in and then invokes su(1M) to become superuser or another user, passwd changes the original user's password, not the password of the superuser or the new user.
Any user can use the -s option to show password attributes for his or her own login name, provided they are using the -r nisplus argument. Otherwise, the -s argument is restricted to the superuser.
The format of the display is:
name status mm/dd/yy min max warn
or, if password aging information is not present,
name status
where
name      The login ID of the user.
status    The password status of name. The status field can take the following values:
          LK  This account is a locked account. See Security.
          NL  This account is a no login account. See Security.
          NP  This account has no password and is therefore open without authentication.
          PS  This account has a password.
mm/dd/yy  The date the password was last changed for name. All password aging dates are determined using Greenwich Mean Time (Universal Time) and therefore can differ by as much as a day in other time zones.
min       The minimum number of days required between password changes for name. MINWEEKS is found in /etc/default/passwd and is set to NULL.
max       The maximum number of days the password is valid for name. MAXWEEKS is found in /etc/default/passwd and is set to NULL.
warn      The number of days relative to max before the password expires and the user is warned.
Security
passwd uses pam(3PAM) for password change. It calls PAM with a service name passwd and uses service module type auth for authentication and password for password change.
Locking an account (-l option) does not allow its use for password based login or delayed execution (such as at(1), batch(1), or cron(1M)). The -N option can be used to disallow password based login, while continuing to allow delayed execution.
OPTIONS
The following options are supported:
-a            Shows password attributes for all entries. Use only with the -s option. name must not be provided. For the nisplus repository, this shows only the entries in the NIS+ password table in the local domain that the invoker is authorized to read. For the files and ldap repositories, this is restricted to the superuser.
-D domainname Consults the passwd.org_dir table in domainname. If this option is not specified, the default domainname returned by nis_local_directory(3NSL) is used. This domain name is the same as that returned by domainname(1M).
-e            Changes the login shell. For the files repository, this only works for the superuser. Normal users can change the ldap, nis, or nisplus repositories. The choice of shell is limited by the requirements of getusershell(3C). If the user currently has a shell that is not allowed by getusershell, only root can change it.
-g            Changes the gecos (finger) information. For the files repository, this only works for the superuser. Normal users can change the ldap, nis, or nisplus repositories.
-h            Changes the home directory.
-r            Specifies the repository to which an operation is applied. The supported repositories are files, ldap, nis, or nisplus.
-s name       Shows password attributes for the login name. For the nisplus repository, this works for everyone. However, for the files and ldap repositories, this only works for the superuser. It does not work at all for the nis repository, which does not support password aging.
              The output of this option, and only this option, is Stable and parsable. The format is username followed by white space followed by one of the following codes.
              New codes might be added in the future, so code that parses this must be flexible in the face of unknown codes. While all existing codes are two characters in length, that might not always be the case.
              The following are the current status codes:
              LK  Account is locked for UNIX authentication. passwd -l was run or the authentication failed RETRIES times.
              NL  The account is a no login account. passwd -N has been run.
              NP  Account has no password. passwd -d was run.
              PS  The account probably has a valid password.
              UN  The data in the password field is unknown. It is not a recognizable hashed password or any of the above entries. See crypt(3C) for valid password hashes.
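A parser for the Stable passwd -s format described above, added as an example and not part of passwd(1) or Solaris. It accepts both the two-field form and the six-field form with aging data, keeps any status code it does not recognize instead of rejecting the line (new codes may be added and need not be two characters), derives the expiry date from the mm/dd/yy and max fields, and lists the accounts an administrator would review first (NP and UN). The sample output, the function names and the expiry arithmetic (last change plus max days) are this example's assumptions.

```python
"""Parser for the Stable output of passwd -s / passwd -s -a.
Added example, not Solaris code. Each line is either
'name status' or 'name status mm/dd/yy min max warn'."""

import datetime

# Status codes the man page documents; anything else is kept verbatim.
KNOWN_STATUS = {
    "LK": "locked for UNIX authentication",
    "NL": "no login account",
    "NP": "no password (open without authentication)",
    "PS": "probably has a valid password",
    "UN": "unrecognized password field",
}


def parse_passwd_s(text):
    """Return one dict per line. The status token is taken as-is, whatever its
    length, because new codes may appear and need not be two characters."""
    records = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if len(fields) not in (2, 6):
            raise ValueError(f"unexpected field count: {raw!r}")
        record = {
            "name": fields[0],
            "status": fields[1],
            "meaning": KNOWN_STATUS.get(fields[1], "unknown code"),
            "aging": None,
        }
        if len(fields) == 6:
            # Aging dates are computed in UTC; only the calendar date is shown.
            changed = datetime.datetime.strptime(fields[2], "%m/%d/%y").date()
            record["aging"] = {
                "last_changed": changed,
                "min": int(fields[3]),
                "max": int(fields[4]),
                "warn": int(fields[5]),
            }
        records.append(record)
    return records


def expiry_date(record):
    """Date the password expires (last change + max days; an assumption of this
    example), or None when no aging info is present or max is -1 (aging off)."""
    aging = record["aging"]
    if aging is None or aging["max"] < 0:
        return None
    return aging["last_changed"] + datetime.timedelta(days=aging["max"])


def review_list(records):
    """Names worth a second look: NP (no password) and UN (unknown hash)."""
    return [r["name"] for r in records if r["status"] in ("NP", "UN")]


# Constructed sample of passwd -s -a output (not captured from a real system).
SAMPLE_OUTPUT = """\
root PS 02/25/09 0 91 7
svc-backup NP
guest LK 01/10/09 7 56 5
legacy UN
alice XYZ 03/01/09 0 0 0
"""

if __name__ == "__main__":
    for rec in parse_passwd_s(SAMPLE_OUTPUT):
        print(rec["name"], rec["status"], rec["meaning"], expiry_date(rec))
    print(review_list(parse_passwd_s(SAMPLE_OUTPUT)))   # ['svc-backup', 'legacy']
```

The six-field check is the only structural assumption the parser makes; a line with any other field count raises rather than being silently skipped, so a format change shows up immediately instead of dropping accounts from the review list.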
Privileged User Options
Only a privileged user can use the following options:
-d            Deletes password for name and unlocks the account. The login name is not prompted for password. It is only applicable to the files and ldap repositories.
              If the login(1) option PASSREQ=YES is configured, the account is not able to login. PASSREQ=YES is the delivered default.
-f            Forces the user to change password at the next login by expiring the password for name.
-l            Locks password entry for name. See the -d or -u option for unlocking the account.
-N            Makes the password entry for name a value that cannot be used for login, but does not lock the account. See the -d option for removing the value, or to set a password to allow logins.
-n min        Sets minimum field for name. The min field contains the minimum number of days between password changes for name. If min is greater than max, the user can not change the password. Always use this option with the -x option, unless max is set to -1 (aging turned off). In that case, min need not be set.
-u            Unlocks a locked password for entry name. See the -d option for removing the locked password, or to set a password to allow logins.
-w warn       Sets warn field for name. The warn field contains the number of days before the password expires and the user is warned. This option is not valid if password aging is disabled.
-x max        Sets maximum field for name. The max field contains the number of days that the password is valid for name. The aging for name is turned off immediately if max is set to -1.
OPERANDS
The following operand is supported:
name User login name.
ENVIRONMENT VARIABLES
If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are not set in the environment, the operational behavior of passwd for each corresponding locale category is determined by the value of the LANG environment variable. If LC_ALL is set, its contents are used to override both the LANG and the other LC_* variables. If none of the above variables is set in the environment, the C (U.S. style) locale determines how passwd behaves.
LC_CTYPE      Determines how passwd handles characters. When LC_CTYPE is set to a valid value, passwd can display and handle text and filenames containing valid characters for that locale. passwd can display and handle Extended Unix Code (EUC) characters where any individual character can be 1, 2, or 3 bytes wide. passwd can also handle EUC characters of 1, 2, or more column widths. In the C locale, only characters from ISO 8859-1 are valid.
LC_MESSAGES   Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the C locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English).
EXIT STATUS
The passwd command exits with one of the following values:
0 Success.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure. Password file unchanged.
4 Unexpected failure. Password file(s) missing.
5 Password file(s) busy. Try again later.
6 Invalid argument to option.
7 Aging option is disabled.
8 No memory.
9 System error.
10 Account expired.
FILES
/etc/default/passwd  Default values can be set for the following flags in /etc/default/passwd. For example:
                     MAXWEEKS=26
    DICTIONDBDIR  The directory where the generated dictionary databases reside. Defaults to /var/passwd. If neither DICTIONLIST nor DICTIONDBDIR is specified, the system does not perform a dictionary check.
    DICTIONLIST   DICTIONLIST can contain a list of comma separated dictionary files such as DICTIONLIST=file1, file2, file3. Each dictionary file contains multiple lines and each line consists of a word and a NEWLINE character (similar to /usr/share/lib/dict/words.) You must specify full pathnames. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word. If neither DICTIONLIST nor DICTIONDBDIR is specified, the system does not perform a dictionary check. To prebuild the dictionary database, see mkpwdict(1M).
    HISTORY       Maximum number of prior password history to keep for a user. Setting the HISTORY value to zero (0), or removing the flag, causes the prior password history of all users to be discarded at the next password change by any user. The default is not to define the HISTORY flag. The maximum value is 26. Currently, this functionality is enforced only for user accounts defined in the files name service (local passwd(4)/shadow(4)).
    MAXREPEATS    Maximum number of allowable consecutive repeating characters. If MAXREPEATS is not set or is zero (0), the default is no checks.
    MAXWEEKS      Maximum time period that password is valid.
    MINALPHA      Minimum number of alpha characters required. If MINALPHA is not set, the default is 2.
    MINDIFF       Minimum differences required between an old and a new password. If MINDIFF is not set, the default is 3.
    MINDIGIT      Minimum number of digits required. If MINDIGIT is not set or is set to zero (0), the default is no checks. You cannot specify MINDIGIT if MINNONALPHA is also specified.
    MINLOWER      Minimum number of lower case letters required. If not set or zero (0), the default is no checks.
    MINNONALPHA   Minimum number of non-alpha (including numeric and special) characters required. If MINNONALPHA is not set, the default is 1. You cannot specify MINNONALPHA if MINDIGIT or MINSPECIAL is also specified.
    MINWEEKS      Minimum time period before the password can be changed.
    MINSPECIAL    Minimum number of special (non-alpha and non-digit) characters required. If MINSPECIAL is not set or is zero (0), the default is no checks. You cannot specify MINSPECIAL if you also specify MINNONALPHA.
    MINUPPER      Minimum number of upper case letters required. If MINUPPER is not set or is zero (0), the default is no checks.
    NAMECHECK     Enable/disable checking of the login name. The default is to do login name checking. A case insensitive value of no disables this feature.
    PASSLENGTH    Minimum length of password, in characters.
    WARNWEEKS     Time period until warning of date of password's ensuing expiration.
    WHITESPACE    Determine if whitespace characters are allowed in passwords. Valid values are YES and NO. If WHITESPACE is not set or is set to YES, whitespace characters are allowed.
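The construction requirements in the DESCRIPTION and the flags listed above for /etc/default/passwd describe one policy; the checker below, added as an example and not part of passwd(1), pam_authtok_check(5) or Solaris, reads the construction flags from text in the /etc/default/passwd format and reports which rules a candidate password violates. The parser, the function names, the constructed configuration and several semantics the page leaves open are this example's assumptions: MINDIFF is counted as differing positions plus the length difference, MAXREPEATS as the longest run of one character, NAMECHECK rejects a password containing the login name, the dictionary check is a whole-word case-insensitive match against a caller-supplied word list, the history check compares against a caller-supplied list of prior passwords (a real implementation would keep hashes), and an explicitly set MINDIGIT or MINSPECIAL replaces the MINNONALPHA default. Aging flags such as MAXWEEKS are parsed but not enforced here.

```python
"""Password construction checks modelled on the /etc/default/passwd flags
documented in passwd(1). Added example, not Solaris code; the metrics
marked 'assumption' are this example's reading of the man page."""

# Defaults as documented; 0 means "no check" for the counting flags.
DEFAULTS = {
    "PASSLENGTH": 6, "MINALPHA": 2, "MINNONALPHA": 1, "MINDIFF": 3,
    "MINDIGIT": 0, "MINLOWER": 0, "MINUPPER": 0, "MINSPECIAL": 0,
    "MAXREPEATS": 0, "HISTORY": 0,
    "WHITESPACE": "YES", "NAMECHECK": "YES",
}


def parse_default_passwd(text):
    """Parse KEY=VALUE lines in /etc/default/passwd format ('#' comments).
    Flags not in DEFAULTS (aging flags such as MAXWEEKS) are ignored."""
    cfg = dict(DEFAULTS)
    explicit = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in DEFAULTS:
            continue
        cfg[key] = int(value) if isinstance(DEFAULTS[key], int) else value
        explicit.add(key)
    if "MINNONALPHA" in explicit and explicit & {"MINDIGIT", "MINSPECIAL"}:
        raise ValueError("MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL")
    if explicit & {"MINDIGIT", "MINSPECIAL"}:
        cfg["MINNONALPHA"] = 0   # assumption: explicit digit/special counts replace the default
    return cfg


def longest_run(s):
    """Length of the longest run of one repeated character (MAXREPEATS metric, assumption)."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and ch == s[i - 1] else 1
        best = max(best, run)
    return best


def differences(old, new):
    """MINDIFF metric (assumption): differing positions plus the length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(new, cfg, user="", old=None, history=(), dictionary=()):
    """Return the names of the violated rules; an empty list means acceptable."""
    alpha = sum(c.isalpha() for c in new)
    counts = {
        "PASSLENGTH": len(new),
        "MINALPHA": alpha,
        "MINNONALPHA": len(new) - alpha,
        "MINDIGIT": sum(c.isdigit() for c in new),
        "MINSPECIAL": sum(not c.isalnum() for c in new),   # non-alpha and non-digit
        "MINUPPER": sum(c.isupper() for c in new),
        "MINLOWER": sum(c.islower() for c in new),
    }
    fails = [rule for rule, have in counts.items() if have < cfg[rule]]
    if cfg["MAXREPEATS"] and longest_run(new) > cfg["MAXREPEATS"]:
        fails.append("MAXREPEATS")
    if cfg["WHITESPACE"].upper() == "NO" and any(c.isspace() for c in new):
        fails.append("WHITESPACE")
    # NAMECHECK (assumption): reject a password that contains the login name.
    if cfg["NAMECHECK"].lower() != "no" and user and user.lower() in new.lower():
        fails.append("NAMECHECK")
    if old is not None and differences(old, new) < cfg["MINDIFF"]:
        fails.append("MINDIFF")
    # HISTORY (assumption): history holds the most recent passwords first.
    if cfg["HISTORY"] and new in list(history)[:cfg["HISTORY"]]:
        fails.append("HISTORY")
    # Dictionary check (assumption): whole-word, case-insensitive match.
    if dictionary and new.lower() in {w.lower() for w in dictionary}:
        fails.append("DICTIONARY")
    return fails


# Constructed /etc/default/passwd content (the MAXWEEKS line mirrors the man page's example).
SAMPLE_CONFIG = """\
MAXWEEKS=26
PASSLENGTH=8
MINUPPER=1
MINDIGIT=1
MINSPECIAL=1
MAXREPEATS=2
WHITESPACE=NO
HISTORY=4
"""

if __name__ == "__main__":
    cfg = parse_default_passwd(SAMPLE_CONFIG)
    print(check_password("Tr0ub4dor&3", cfg, user="alice"))   # []
    print(check_password("alice111", cfg, user="alice"))      # ['MINSPECIAL', 'MINUPPER', 'MAXREPEATS', 'NAMECHECK']
```

Running the checker with an empty configuration shows the documented defaults at work: a six-letter all-alphabetic password passes PASSLENGTH and MINALPHA but fails MINNONALPHA, whose default of 1 applies whenever neither MINDIGIT nor MINSPECIAL is set.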
/etc/oshadow         Temporary file used by passwd, passmgmt and pwconv to update the real shadow file.
/etc/passwd          Password file.
/etc/shadow          Shadow password file.
/etc/shells          Shell database.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           SUNWcsu
CSI                    Enabled
Interface Stability    See below.
The human readable output is Uncommitted. The options are Committed.
SEE ALSO
at(1), batch(1), finger(1), kpasswd(1), login(1), nistbladm(1), cron(1M), domainname(1M), eeprom(1M), id(1M), ldapclient(1M), mkpwdict(1M), passmgmt(1M), pwconv(1M), su(1M), useradd(1M), userdel(1M), usermod(1M), crypt(3C), getpwnam(3C), getspnam(3C), getusershell(3C), nis_local_directory(3NSL), pam(3PAM), loginlog(4), nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), shadow(4), shells(4), attributes(5), environ(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_ldap(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)
NOTES
The pam_unix(5) module is no longer supported. Similar functionality is provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and pam_passwd_auth(5).
The nispasswd and yppasswd commands are wrappers around passwd. Use of nispasswd and yppasswd is discouraged. Use passwd -r repositoryname instead.
NIS+ might not be supported in future releases of the Solaris operating system. Tools to aid the migration from NIS+ to LDAP are available in the current Solaris release. For more information, visit http://www.sun.com/directory/nisplus/transition.html.
Changing a password in the files and ldap repositories clears the failed login count.
Changing a password reactivates an account deactivated for inactivity for the length of the inactivity period.
Input terminal processing might interpret some key sequences and not pass them to the passwd command.
An account with no password, status code NP, might not be able to login. See the login(1) PASSREQ option.