passwd(1) User Commands passwd(1)NAMEpasswd - change login password and password attributes
SYNOPSISpasswd [-r files | -r ldap | -r nis | -r nisplus]
[name]
passwd [-r files] [-egh] [name]
passwd [-r files] -s [-a]
passwd [-r files] -s [name]
passwd [-r files] [-d | -l | -u | -N] [-f] [-n min]
[-w warn] [-x max] name
passwd-r ldap [-egh] [name]
passwd [-r ldap ] -s [-a]
passwd [-r ldap ] -s [name]
passwd-r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name
passwd-r nis [-egh] [name]
passwd-r nisplus [-egh] [-D domainname] [name]
passwd-r nisplus -s [-a]
passwd-r nisplus [-D domainname] -s [name]
passwd-r nisplus [-l | -u | -N] [-f] [-n min] [-w warn]
[-x max] [-D domainname] name
DESCRIPTION
The passwd command changes the password or lists password attributes
associated with the user's login name. Additionally, privileged users
can use passwd to install or change passwords and attributes associated
with any login name.
When used to change a password, passwd prompts everyone for their old
password, if any. It then prompts for the new password twice. When the
old password is entered, passwd checks to see if it has aged suffi‐
ciently. If aging is insufficient, passwd terminates; see pwconv(1M),
nistbladm(1), and shadow(4) for additional information.
The pwconv command creates and updates /etc/shadow with information
from /etc/passwd. pwconv relies on a special value of 'x' in the pass‐
word field of /etc/passwd. This value of 'x' indicates that the pass‐
word for the user is already in /etc/shadow and should not be modified.
If aging is sufficient, a check is made to ensure that the new password
meets construction requirements. When the new password is entered a
second time, the two copies of the new password are compared. If the
two copies are not identical, the cycle of prompting for the new pass‐
word is repeated for, at most, two more times.
Passwords must be constructed to meet the following requirements:
o Each password must have PASSLENGTH characters, where
PASSLENGTH is defined in /etc/default/passwd and is set to
6. Setting PASSLENGTH to more than eight characters requires
configuring policy.conf(4) with an algorithm that supports
greater than eight characters.
o Each password must meet the configured complexity con‐
straints specified in /etc/default/passwd.
o Each password must not be a member of the configured dictio‐
nary as specified in /etc/default/passwd.
o For accounts in name services which support password history
checking, if prior password history is defined, new pass‐
words must not be contained in the prior password history.
If all requirements are met, by default, the passwd command consults
/etc/nsswitch.conf to determine in which repositories to perform pass‐
word update. It searches the passwd and passwd_compat entries. The
sources (repositories) associated with these entries are updated. How‐
ever, the password update configurations supported are limited to the
following cases. Failure to comply with the configurations prevents
users from logging onto the system. The password update configurations
are:
o passwd: files
o passwd: files ldap
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files ldap)
passwd_compat: ldap
o passwd: compat (==> files nisplus)
passwd_compat: nisplus
Network administrators, who own the NIS+ password table, can change any
password attributes. The administrator configured for updating LDAP
shadow information can also change any password attributes. See ldap‐
client(1M).
When a user has a password stored in one of the name services as well
as a local files entry, the passwd command updates both. It is possible
to have different passwords in the name service and local files entry.
Use passwd-r to change a specific password repository.
The passwd command does not prompt authorized users for the old pass‐
word.
If LDAP is in effect, an authorized user on any Native LDAP client sys‐
tem can change any password without being prompted for the old LDAP
password.
By default, even users authorized to change the password of other users
must comply with the configured password policy. See pam_auth‐
tok_check(5).
Normally, passwd entered with no arguments changes the password of the
current user. When a user logs in and then invokes su(1M) to become
role or another user, passwd changes the original user's password, not
the password of the role or the new user.
Any user can use the -s option to show password attributes for his or
her own login name, provided they are using the -r nisplus argument.
See the -s option.
Security
passwd uses pam(3PAM) for password change. It calls PAM with a service
name passwd and uses service module type auth for authentication and
password for password change.
Locking an account (-l option) does not allow its use for password
based login or delayed execution (such as at(1), batch(1), or
cron(1M)). The -N option can be used to disallow password based login,
while continuing to allow delayed execution.
By default, locked accounts that have never had a password and no login
accounts cannot have their status changed directly to an active pass‐
word. See -d. Changing a password on a locked account that had a pass‐
word prior to being locked, changes the password without unlocking the
account. See -u to unlock the account. An authorized administrator can
activate an account in the not yet activated state by giving it a pass‐
word.
If RESTRICTIVE_LOCKING=NO in policy.conf, then no login accounts and
accounts marked with UP can be directly locked using passwd-l.
OPTIONS
The following options are supported:
-a Shows password attributes for all entries. Use only
with the -s option. name must not be provided. For
the nisplus repository, this shows only the entries
in the NIS+ password table in the local domain that
the invoker is authorized to read. For the files
and ldap repository, this is restricted to the
superuser.
-D domainname Consults the passwd.org_dir table in domainname. If
this option is not specified, the default domain‐
name returned by nis_local_directory(3NSL) are
used. This domain name is the same as that returned
by domainname(1M).
-e Changes the login shell. For the files repository,
this only works for the superuser. Normal users can
change the ldap, nis, or nisplus repositories. The
choice of shell is limited by the requirements of
getusershell(3C). If the user currently has a shell
that is not allowed by getusershell, only root can
change it.
-g Changes the gecos (finger) information. For the
files repository, this only works for the supe‐
ruser. Normal users can change the ldap, nis, or
nisplus repositories.
-h Changes the home directory.
-r Specifies the repository to which an operation is
applied. The supported repositories are files,
ldap, nis, or nisplus.
-s name Shows password attributes for the login name.
The output of this option, and only this option, is
Committed and parsable.
New codes might be added in the future so code that
parses this must be flexible in the face of unknown
codes. While all existing codes are two characters
in length that might not always be the case.
For nisplus, any user can use the -s option to show
password attributes for his or her own login name,
provided they are using the -r nisplus argument.
This argument does not work at all with the nis
repository. With files and ldap, the -s argument
is restricted to the superuser.
The format of the display is:
name status mm/dd/yy min max warn
or, if password aging information is not present:
name status
The following are the current status codes:
LK
Account is locked for UNIX account checking,
see pam_unix_account(5). passwd-l was run suc‐
cessfully or the authentication failed RETRIES
times with LOCK_AFTER_RETRIES=YES in pol‐
icy.conf(4) and there was not a
lock_after_retries=no in the user's
user_attr(4) entry.
NL
The account is a no login account. passwd-N
has been run.
NP
Account has no password. passwd-d was run.
PS
The account probably has a valid password.
UN
The data in the password field is unknown. It
is not a recognizable hashed password or any of
the above entries. See crypt(3C) for valid
password hashes.
If RESTRICTIVE_LOCKING is set to NO in pol‐
icy.conf, an account with UP in the password
field is reported as unknown.
UP
This account has not yet been activated by the
administrator and cannot be used. See Security.
If RESTRICTIVE_LOCKING is set to NO in pol‐
icy.conf, UP accounts is not created by account
creation tools, and if UP is found in the pass‐
word field, the account is treated as a no
login account.
Privileged User Options
Only a privileged user can use the following options:
-d Deletes password for name and unlocks the account.
The login name is not prompted for password. It is
only applicable to the files and ldap repositories.
If the login(1)option PASSREQ=YES is configured,
the account is not able to login. PASSREQ=YES is
the delivered default.
-f Forces the user to change password at the next
login by expiring the password for name.
-l Locks account for name unless it is already locked
or is a no login account. See the -d or -u option
for unlocking the account.
If RESTRICTIVE_LOCKING=NO in policy.conf, then this
also locks a no login account.
-N Makes the password entry for name a value that can‐
not be used for login, but does not lock the
account. See the -d option for removing the value,
or to set a password to allow logins.
-n min Sets minimum field for name. The min field contains
the minimum number of days between password changes
for name. If min is greater than max, the user can
not change the password. Always use this option
with the -x option, unless max is set to −1 (aging
turned off). In that case, min need not be set.
-u Unlocks a locked password for entry name. See the
-d option for removing the locked password, or to
set a password to allow logins.
-w warn Sets warn field for name. The warn field contains
the number of days before the password expires and
the user is warned. This option is not valid if
password aging is disabled.
-x max Sets maximum field for name. The max field contains
the number of days that the password is valid for
name. The aging for name is turned off immediately
if max is set to −1.
OPERANDS
The following operand is supported:
name User login name.
ENVIRONMENT VARIABLES
If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are not set
in the environment, the operational behavior of passwd for each corre‐
sponding locale category is determined by the value of the LANG envi‐
ronment variable. If LC_ALL is set, its contents are used to override
both the LANG and the other LC_* variables. If none of the above vari‐
ables is set in the environment, the C (U.S. style) locale determines
how passwd behaves.
LC_CTYPE Determines how passwd handles characters. When
LC_CTYPE is set to a valid value, passwd can dis‐
play and handle text and filenames containing valid
characters for that locale. passwd can display and
handle Extended Unix Code (EUC) characters where
any individual character can be 1, 2, or 3 bytes
wide. passwd can also handle EUC characters of 1,
2, or more column widths. In the C locale, only
characters from ISO 8859-1 are valid.
LC_MESSAGES Determines how diagnostic and informative messages
are presented. This includes the language and style
of the messages, and the correct form of affirma‐
tive and negative responses. In the C locale, the
messages are presented in the default form found in
the program itself (in most cases, U.S. English).
EXIT STATUS
The passwd command exits with one of the following values:
0 Success.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure. Password file unchanged.
4 Unexpected failure. Password file(s) missing.
5 Password file(s) busy. Try again later.
6 Invalid argument to option.
7 Aging option is disabled.
8 No memory.
9 System error.
10 Account expired.
11 Password information unchanged.
FILES
/etc/default/passwd
Default values can be set for the following flags in
/etc/default/passwd. For example: MAXWEEKS=26
DICTIONDBDIR The directory where the generated dictionary
databases reside. Defaults to /var/passwd.
If neither DICTIONLIST nor DICTIONDBDIR is
specified, the system does not perform a dic‐
tionary check.
DICTIONLIST DICTIONLIST can contain list of comma separated
dictionary files such as DICTIONLIST=file1,
file2, file3. Each dictionary file contains
multiple lines and each line consists of a word
and a NEWLINE character (similar to
/usr/share/lib/dict/words.) You must specify
full path names. The words from these files are
merged into a database that is used to deter‐
mine whether a password is based on a dictio‐
nary word.
If neither DICTIONLIST nor DICTIONDBDIR is
specified, the system does not perform a dic‐
tionary check.
To pre-build the dictionary database, see mkpw‐
dict(1M).
HISTORY Maximum number of prior password history to
keep for a user. Setting the HISTORY value to
zero (0), or removing the flag, causes the
prior password history of all users to be dis‐
carded at the next password change by any user.
The default is not to define the HISTORY flag.
The maximum value is 26. Currently, this func‐
tionality is enforced only for user accounts
defined in the files name service (local
passwd(4)/shadow(4)).
MAXREPEATS Maximum number of allowable consecutive repeat‐
ing characters. If MAXREPEATS is not set or is
zero (0), the default is no checks
MAXWEEKS Maximum time period that password is valid.
MINALPHA Minimum number of alpha character required. If
MINALPHA is not set, the default is 2.
MINDIFF Minimum differences required between an old and
a new password. If MINDIFF is not set, the
default is 3.
MINDIGIT Minimum number of digits required. If MINDIGIT
is not set or is set to zero (0), the default
is no checks. You cannot be specify MINDIGIT if
MINNONALPHA is also specified.
MINLOWER Minimum number of lower case letters required.
If not set or zero (0), the default is no
checks.
MINNONALPHA Minimum number of non-alpha (including numeric
and special) required. If MINNONALPHA is not
set, the default is 1. You cannot specify MIN‐
NONALPHA if MINDIGIT or MINSPECIAL is also
specified.
MINWEEKS Minimum time period before the password can be
changed.
MINSPECIAL Minimum number of special (non-alpha and non-
digit) characters required. If MINSPECIAL is
not set or is zero (0), the default is no
checks. You cannot specify MINSPECIAL if you
also specify MINNONALPHA.
MINUPPER Minimum number of upper case letters required.
If MINUPPER is not set or is zero (0), the
default is no checks.
NAMECHECK Enable/disable checking or the login name. The
default is to do login name checking. A case
insensitive value of no disables this feature.
PASSLENGTH Minimum length of password, in characters.
WARNWEEKS Time period until warning of date of password's
ensuing expiration.
WHITESPACE Determine if white space characters are allowed
in passwords. Valid values are YES and NO. If
WHITESPACE is not set or is set to YES, white
space characters are allowed.
/etc/oshadow
Temporary file used by passwd, passmgmt and pwconv to update the
real shadow file.
/etc/passwd
Password file.
/etc/security/policy.conf
Configuration file for security policy.
/etc/shadow
Shadow password file.
/etc/shells
Shell database.
/etc/user_attr
Extended user attributes database.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWcsu │
├─────────────────────────────┼─────────────────────────────┤
│CSI │Enabled │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │See below. │
└─────────────────────────────┴─────────────────────────────┘
The human readable output is Unstable. The options are Evolving. The
RESTRICTIVE_LOCKING option is Obsolete.
SEE ALSOat(1), batch(1), finger(1), login(1), nistbladm(1), cron(1M), domain‐
name(1M), eeprom(1M), id(1M), mkpwdict(1M), passmgmt(1M), pwconv(1M),
su(1M), useradd(1M), userdel(1M), usermod(1M), crypt(3C), getpwnam(3C),
getspnam(3C), getusershell(3C), nis_local_directory(3NSL), pam(3PAM),
loginlog(4), nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4),
shadow(4), shells(4), user_attr(4), attributes(5), environ(5),
pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
pam_dhkeys(5), pam_ldap(5), pam_unix_account(5), pam_unix_auth(5),
pam_unix_session(5)NOTES
The pam_unix(5) module is no longer supported. Similar functionality is
provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
pam_dhkeys(5), and pam_passwd_auth(5).
The RESTRICTIVE_LOCKING option is Obsolete and has been removed from a
newer release. See attributes(5).
The nispasswd and yppasswd commands are wrappers around passwd. Use of
nispasswd and yppasswd is discouraged. Use passwd-r repository_name
instead.
NIS+ might not be supported in future releases of the Oracle Solaris
operating system. Tools to aid the migration from NIS+ to LDAP are
available in the current Oracle Solaris release.
Changing a password in the files and ldap repositories clear the failed
login count.
Changing a password reactivates an account deactivated for inactivity
for the length of the inactivity period.
Input terminal processing might interpret some key sequences and not
pass them to the passwd command.
An account with no password, status code NP, might not be able to
login. See the login(1) PASSREQ option.
SunOS 5.10 16 Feb 2012 passwd(1)