NAME
passwd - change login password and password attributes

SYNOPSIS
passwd [-r files | -r ldap | -r nis | -r nisplus] [name]
passwd [-r files] [-egh] [name]
passwd [-r files] -s [-a]
passwd [-r files] -s [name]
passwd [-r files] [-d | -l] [-f] [-n min] [-w warn] [-x max] name
passwd -r ldap [-egh] [name]
passwd -r nis [-egh] [name]
passwd -r nisplus [-egh] [-D domainname] [name]
passwd -r nisplus -s [-a]
passwd -r nisplus [-D domainname] -s [name]
passwd -r nisplus [-l] [-f] [-n min] [-w warn] [-x max] [-D domainname] name

DESCRIPTION
The passwd command changes the password or lists password attributes associated with the user's login name. Additionally, privileged users may use passwd to install or change passwords and attributes associated with any login name.

When used to change a password, passwd prompts non-privileged users for their old password, if any. It then prompts for the new password twice. When the old password is entered, passwd checks to see if it has "aged" sufficiently. If "aging" is insufficient, passwd terminates; see pwconv(1M), nistbladm(1), and shadow(4) for additional information.

When LDAP, NIS, or NIS+ is in effect on a system, passwd changes the LDAP, NIS, or NIS+ database. The password held in that database may be different from the password on the local machine. If LDAP, NIS, or NIS+ is running, use passwd -r files to change password information on the local machine.

The pwconv command creates and updates /etc/shadow with information from /etc/passwd. pwconv relies on a special value of 'x' in the password field of /etc/passwd. This value of 'x' indicates that the password for the user is already in /etc/shadow and should not be modified.

If aging is sufficient, a check is made to ensure that the new password meets the construction requirements. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the cycle of prompting for the new password is repeated at most two more times.
Passwords must be constructed to meet the following requirements:
- Each password must have at least PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Only the first eight characters are significant.
- Each password must contain at least two alphabetic characters and at least one numeric or special character. In this case, "alphabetic" refers to all upper or lower case letters.
- Each password must differ from the user's login name and any reverse or circular shift of that login name. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.
- New passwords must differ from the old by at least three characters. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.
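The four construction rules above, re-implemented as an added example so a policy can be reviewed offline; this is not code from the man page or from Solaris, and the function and constant names are mine. The rule-4 counting method (position-by-position, case-insensitive, over the eight significant characters) is an assumption.

```python
# Added example, not code from the passwd(1) man page: the four password
# construction rules listed above. Names are mine.

PASSLENGTH = 6    # the value the page gives for /etc/default/passwd
SIGNIFICANT = 8   # only the first eight characters are significant


def _name_shifts(login):
    """Lower-cased login name, its reverse, and every circular shift of both."""
    shifts = set()
    for base in (login.lower(), login.lower()[::-1]):
        for i in range(len(base)):
            shifts.add(base[i:] + base[:i])
    return shifts


def check_password(new, old, login):
    """Return [] if `new` satisfies the construction rules, otherwise the
    list of rules it violates. Pass old="" when there is no old password."""
    problems = []
    # Rule 1: minimum length.
    if len(new) < PASSLENGTH:
        problems.append("shorter than PASSLENGTH")
    # Rule 2: at least two letters and at least one non-letter.
    alphabetic = sum(1 for c in new if c.isalpha())
    if alphabetic < 2 or len(new) - alphabetic < 1:
        problems.append("needs two alphabetic and one numeric or special")
    # Rule 3: case-insensitive comparison against the login name, its
    # reverse, and every circular shift of either.
    if new.lower() in _name_shifts(login):
        problems.append("matches login name or a reverse/circular shift")
    # Rule 4 (assumed method): count differing positions, case-insensitively,
    # over the significant prefix; a position present in only one of the two
    # passwords counts as a difference.
    a, b = new[:SIGNIFICANT].lower(), old[:SIGNIFICANT].lower()
    differing = sum(1 for i in range(max(len(a), len(b)))
                    if i >= len(a) or i >= len(b) or a[i] != b[i])
    if old and differing < 3:
        problems.append("differs from the old password by fewer than three characters")
    return problems
```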
If all requirements are met, by default, the passwd command will consult /etc/nsswitch.conf to determine in which repositories to perform the password update. It searches the passwd and passwd_compat entries. The sources (repositories) associated with these entries will be updated. However, the password update configurations supported are limited to the following cases. Failure to comply with these configurations will prevent users from logging onto the system. The password update configurations are:
- passwd: files
- passwd: files ldap
- passwd: files nis
- passwd: files nisplus
- passwd: compat (==> files nis)
- passwd: compat (==> files ldap)
  passwd_compat: ldap
- passwd: compat (==> files nisplus)
  passwd_compat: nisplus
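An added check, not part of the man page, that reads the passwd and passwd_compat lines of an nsswitch.conf and reports whether they form one of the seven supported update configurations listed above. The sample file contents are constructed; bracketed status criteria such as [NOTFOUND=return] are ignored, which is an assumption of mine.

```python
# Added example (not from the man page): validate nsswitch.conf's passwd
# configuration against the update configurations passwd(1) supports.
import re

# The seven supported cases, after expanding "compat" as the page shows.
SUPPORTED = {("files",), ("files", "ldap"), ("files", "nis"), ("files", "nisplus")}


def parse_nsswitch(text):
    """Return {database: [sources]}; comments and [status=action] criteria are dropped."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        db[name.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return db


def effective_passwd_sources(db):
    """Expand 'passwd: compat' into files + the passwd_compat source
    (files nis when passwd_compat is absent), as the page describes."""
    sources = tuple(db.get("passwd", []))
    if sources != ("compat",):
        return sources
    compat = tuple(db.get("passwd_compat", []))
    if not compat:
        return ("files", "nis")
    if compat in (("ldap",), ("nisplus",)):
        return ("files",) + compat
    return None  # compat paired with an unrecognised passwd_compat line


def passwd_update_supported(text):
    """True when the file's passwd configuration is one passwd(1) can update."""
    effective = effective_passwd_sources(parse_nsswitch(text))
    return effective is not None and effective in SUPPORTED


# Constructed sample files.
SAMPLE_FILES_NIS = "# constructed\npasswd: files nis\ngroup: files nis\n"
SAMPLE_COMPAT_LDAP = "passwd: compat\npasswd_compat: ldap\n"
SAMPLE_REVERSED = "passwd: nis files\n"   # not on the supported list
```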
Network administrators, who own the NIS+ password table, may change any password attributes.

In the files case, super-users (that is, users whose real and effective uid equal 0; see id(1M) and su(1M)) may change any password. Hence, passwd does not prompt privileged users for the old password. Privileged users are not forced to comply with password aging and password construction requirements. A privileged user can create a null password by entering a carriage return in response to the prompt for a new password. (This differs from passwd -d because the "password" prompt will still be displayed.) If NIS is in effect, the superuser on the root master can change any password without being prompted for the old NIS password, and is not forced to comply with password construction requirements.

Normally, passwd entered with no arguments will change the password of the current user. When a user logs in and then invokes su(1M) to become super-user or another user, passwd will change the original user's password, not the password of the super-user or the new user.

Any user may use the -s option to show password attributes for his or her own login name, provided they are using the -r nisplus argument. Otherwise, the -s argument is restricted to the superuser.
The format of the display will be:

name status mm/dd/yy min max warn

or, if password aging information is not present, the display omits the aging fields.

where
- name
  The login ID of the user.
- status
  The password status of name: PS stands for passworded or locked, LK stands for locked, and NP stands for no password.
- mm/dd/yy
  The date the password was last changed for name. Notice that all password aging dates are determined using Greenwich Mean Time (Universal Time) and therefore may differ by as much as a day in other time zones.
- min
  The minimum number of days required between password changes for name. MINWEEKS is found in /etc/default/passwd and is set to NULL.
- max
  The maximum number of days the password is valid for name. MAXWEEKS is found in /etc/default/passwd and is set to NULL.
- warn
  The number of days relative to max before the password expires and the user name will be warned.
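An added example, not from the man page, that parses lines in the passwd -s display format described above and flags entries an administrator would want to review: NP (no password) accounts, accounts without aging, and the min greater than max condition the -n option warns about. The sample lines are constructed, and it assumes that entries without aging information consist of just the name and status fields.

```python
# Added example (not from the man page): audit `passwd -s -a` style output.
from collections import namedtuple

Entry = namedtuple("Entry", "name status changed min max warn")


def parse_status_line(line):
    """Parse one display line; assumption: an entry without aging
    information carries only the name and status fields."""
    fields = line.split()
    if len(fields) == 2:
        return Entry(fields[0], fields[1], None, None, None, None)
    if len(fields) == 6:
        name, status, changed, mn, mx, warn = fields
        return Entry(name, status, changed, int(mn), int(mx), int(warn))
    raise ValueError("unexpected passwd -s line: %r" % line)


def audit(lines):
    """Return {name: [findings]} for entries that merit a closer look."""
    findings = {}
    for line in lines:
        entry = parse_status_line(line)
        notes = []
        if entry.status == "NP":
            notes.append("no password set")
        if entry.max is None:
            notes.append("no password aging")
        elif entry.min > entry.max:
            # The -n description: min greater than max means the user
            # cannot change the password at all.
            notes.append("min exceeds max: user cannot change password")
        if notes:
            findings[entry.name] = notes
    return findings


# Constructed sample display lines.
SAMPLE_LINES = [
    "root PS 01/15/05 0 91 7",
    "guest NP",
    "svc LK 03/02/05 100 30 7",
    "alice PS 02/20/05 7 91 14",
]
```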
Security

passwd uses pam(3PAM) for password management. The PAM configuration policy, listed through /etc/pam.conf, specifies the password modules to be used for passwd. Here is a partial pam.conf file with entries for the passwd command using the passwd-auth module:

passwd auth required pam_passwd_auth.so.1

If there are no entries for the passwd service, then the entries for the "other" service will be used. If multiple password modules are listed, then the user may be prompted for multiple passwords.

OPTIONS
The following options are supported:
- -a
  Shows password attributes for all entries. Use only with the -s option. name must not be provided. For the nisplus repository, this will show only the entries in the NIS+ password table in the local domain that the invoker is authorized to "read". For the files repository, this is restricted to the superuser.
- -D domainname
  Consults the passwd.org_dir table in domainname. If this option is not specified, the default domainname returned by nis_local_directory(3NSL) will be used. This domain name is the same as that returned by domainname(1M).
- -e
  Changes the login shell. For the files repository, this only works for the super-user. Normal users may change the ldap, nis, or nisplus repositories. The choice of shell is limited by the requirements of getusershell(3C). If the user currently has a shell that is not allowed by getusershell, only root may change it.
- -g
  Changes the gecos (finger) information. For the files repository, this only works for the superuser. Normal users may change the ldap, nis, or nisplus repositories.
- -h
  Changes the home directory.
- -r
  Specifies the repository to which an operation is applied. The supported repositories are files, ldap, nis, or nisplus.
- -s name
  Shows password attributes for the login name. For the nisplus repository, this works for everyone. However, for the files repository, this only works for the superuser. It does not work at all for the nis repository, which does not support password aging.
Privileged User Options

Only a privileged user can use the following options:
- -d
  Deletes the password for name. The login name will not be prompted for a password. It is only applicable to the files repository.
- -f
  Forces the user to change the password at the next login by expiring the password for name.
- -l
  Locks the password entry for name.
- -n min
  Sets the min field for name. The min field contains the minimum number of days between password changes for name. If min is greater than max, the user may not change the password. Always use this option with the -x option, unless max is set to -1 (aging turned off). In that case, min need not be set.
- -w warn
  Sets the warn field for name. The warn field contains the number of days before the password expires and the user is warned. This option is not valid if password aging is disabled.
- -x max
  Sets the max field for name. The max field contains the number of days that the password is valid for name. The aging for name will be turned off immediately if max is set to -1. If it is set to 0, then the user is forced to change the password at the next login session and aging is turned off.

OPERANDS
The following operand is supported:
- name
  User login name.

ENVIRONMENT VARIABLES
If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are not set in the environment, the operational behavior of passwd for each corresponding locale category is determined by the value of the LANG environment variable. If LC_ALL is set, its contents are used to override both the LANG and the other LC_* variables. If none of the above variables is set in the environment, the "C" (U.S. style) locale determines how passwd behaves.
- LC_CTYPE
  Determines how passwd handles characters. When LC_CTYPE is set to a valid value, passwd can display and handle text and filenames containing valid characters for that locale. passwd can display and handle Extended Unix Code (EUC) characters where any individual character can be 1, 2, or 3 bytes wide. passwd can also handle EUC characters of 1, 2, or more column widths. In the "C" locale, only characters from ISO 8859-1 are valid.
- LC_MESSAGES
  Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the "C" locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English).

EXIT STATUS
The passwd command exits with one of the following values:
- 0
  Success.
- 1
  Permission denied.
- 2
  Invalid combination of options.
- 3
  Unexpected failure. Password file unchanged.
- 4
  Unexpected failure. Password file(s) missing.
- 5
  Password file(s) busy. Try again later.
- 6
  Invalid argument to option.
- 7
  Aging option is disabled.
- 8
  No memory.
- 9
  System error.
- 10
  Account expired.

FILES
- /etc/oshadow
- /etc/shells
  List of permitted login shells; see getusershell(3C).
- /etc/passwd
  Password file.
- /etc/shadow
  Shadow password file.
- /etc/default/passwd
  Default values can be set for the following flags in /etc/default/passwd. For example: MAXWEEKS=26
  - MAXWEEKS
    Maximum time period that the password is valid.
  - MINWEEKS
    Minimum time period before the password can be changed.
  - PASSLENGTH
    Minimum length of the password, in characters.
  - WARNWEEKS
    Time period before the password's expiration date at which the user is warned.

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE    ATTRIBUTE VALUE
Availability      SUNWcsu
CSI               Enabled
SEE ALSO
finger(1), login(1), nistbladm(1), domainname(1M), eeprom(1M), id(1M), passmgmt(1M), pwconv(1M), su(1M), useradd(1M), userdel(1M), usermod(1M), crypt(3C), getpwnam(3C), getspnam(3C), getusershell(3C), nis_local_directory(3NSL), pam(3PAM), loginlog(4), nsswitch.conf(4), pam.conf(4), passwd(4), shadow(4), attributes(5), environ(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_ldap(5), pam_unix(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)