PASSWD(1)                        User Commands                        PASSWD(1)

NAME
     passwd - change login password and password attributes

SYNOPSIS
     passwd [-r files | -r ldap | -r nis | -r nisplus] [name]

     passwd [-r files] [-egh] [name]

     passwd [-r files] -s [-a]

     passwd [-r files] -s [name]

     passwd [-r files] [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max]
            name

     passwd -r ldap [-egh] [name]

     passwd [-r ldap] -s [-a]

     passwd [-r ldap] -s [name]

     passwd -r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name

     passwd -r nis [-egh] [name]

     passwd -r nisplus [-egh] [-D domainname] [name]

     passwd -r nisplus -s [-a]

     passwd -r nisplus [-D domainname] -s [name]

     passwd -r nisplus [-l | -u | -N] [-f] [-n min] [-w warn] [-x max]
            [-D domainname] name

     passwd -S [name]

DESCRIPTION
     The passwd command changes the password or lists password attributes
     associated with the user's login name. Additionally, privileged users
     can use passwd to install or change passwords and attributes associated
     with any login name.

     When used to change a password, passwd prompts everyone for their old
     password, if any. It then prompts for the new password twice. When the
     old password is entered, passwd checks to see if it has aged
     sufficiently. If aging is insufficient, passwd terminates; see
     pwconv(1M), nistbladm(1), and shadow(4) for additional information.

     The pwconv command creates and updates /etc/shadow with information
     from /etc/passwd. pwconv relies on a special value of x in the password
     field of /etc/passwd. This value of x indicates that the password for
     the user is already in /etc/shadow and should not be modified.

     If aging is sufficient, a check is made to ensure that the new password
     meets construction requirements. When the new password is entered a
     second time, the two copies of the new password are compared. If the
     two copies are not identical, the cycle of prompting for the new
     password is repeated at most two more times.

     Passwords must be constructed to meet the following requirements:

     o    Each password must have at least PASSLENGTH characters, where
          PASSLENGTH is defined in /etc/default/passwd and is set to 6.
          Setting PASSLENGTH to more than eight characters requires
          configuring policy.conf(4) with an algorithm that supports more
          than eight characters.

     o    Each password must meet the complexity constraints configured in
          /etc/default/passwd.

     o    Each password must not be a member of the dictionary configured in
          /etc/default/passwd.

     o    For accounts in name services which support password history
          checking, if prior password history is defined, new passwords
          must not be contained in the prior password history.

     If all requirements are met, by default, the passwd command consults
     /etc/nsswitch.conf to determine in which repositories to perform the
     password update. It searches the passwd and passwd_compat entries. The
     sources (repositories) associated with these entries are updated.
     However, the password update configurations supported are limited to
     the following cases. Failure to comply with these configurations
     prevents users from logging onto the system. The supported password
     update configurations are:

     o    passwd: files

     o    passwd: files ldap

     o    passwd: files nis

     o    passwd: files nisplus

     o    passwd: compat (==> files nis)

     o    passwd: compat (==> files ldap)
          passwd_compat: ldap

     o    passwd: compat (==> files nisplus)
          passwd_compat: nisplus

     You can add the ad keyword to any of the passwd configurations in the
     above list.
     However, you cannot use the passwd command to change the password of
     an Active Directory (AD) user. If the ad keyword is found in the passwd
     entry during a password update operation, it is ignored. To update the
     password of an AD user, use the kpasswd(1) command.

     Network administrators, who own the NIS+ password table, can change any
     password attributes. The administrator configured for updating LDAP
     shadow information can also change any password attributes. See
     ldapclient(1M).

     When a user has a password stored in one of the name services as well
     as a local files entry, the passwd command updates both. It is possible
     to have different passwords in the name service and local files entry.
     Use passwd -r to change a specific password repository.

     In the files case, super-users (that is, real and effective uid equal
     to 0; see id(1M) and su(1M)) can change any password. Hence, passwd
     does not prompt privileged users for the old password. Privileged
     users are not forced to comply with password aging and password
     construction requirements. A privileged user can create a null
     password by entering a carriage return in response to the prompt for a
     new password. (This differs from passwd -d because the password prompt
     is still displayed.) If NIS is in effect, superuser on the root master
     can change any password without being prompted for the old NIS passwd,
     and is not forced to comply with password construction requirements.

     If LDAP is in effect, superuser on any Native LDAP client system can
     change any password without being prompted for the old LDAP passwd,
     and is not forced to comply with password construction requirements.

     Normally, passwd entered with no arguments changes the password of the
     current user. When a user logs in and then invokes su(1M) to become
     superuser or another user, passwd changes the original user's
     password, not the password of the superuser or the new user.

     Any user can use the -s option to show password attributes for his or
     her own login name, provided they are using the -r nisplus argument.
     Otherwise, the -s argument is restricted to the superuser.

     The format of the display is:

          name status mm/dd/yy min max warn

     or, if password aging information is not present,

          name status

     where

     name
          The login ID of the user.

     status
          The password status of name. The status field can take the
          following values:

          LK
               This account is locked. See Security.

          NL
               This account is a no login account. See Security.

          NP
               This account has no password and is therefore open without
               authentication.

          PS
               This account has a password.

     mm/dd/yy
          The date the password was last changed for name. All password
          aging dates are determined using Greenwich Mean Time (Universal
          Time) and therefore can differ by as much as a day in other time
          zones.

     min
          The minimum number of days required between password changes for
          name. MINWEEKS is found in /etc/default/passwd and is set to
          NULL.

     max
          The maximum number of days the password is valid for name.
          MAXWEEKS is found in /etc/default/passwd and is set to NULL.

     warn
          The number of days relative to max before the password expires
          and the user is warned.

  Security
     passwd uses pam(3PAM) for password change. It calls PAM with a service
     name passwd and uses service module type auth for authentication and
     password for password change.
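     The following is an added example and not code from this man page or
     from Solaris. It parses the display format described above (both the
     six-field form with aging information and the two-field form without
     it), treats the status code as opaque so that codes other than the
     LK/NL/NP/PS/UN codes documented here and under the -s option are
     reported rather than rejected, and evaluates the aging rules the page
     states: dates are GMT, max of -1 turns aging off, min greater than max
     means the user cannot change the password, and warn is measured
     relative to max. The sample output, the login names in it, and the
     treatment of a password whose age equals max as still valid are
     assumptions of this example.

```python
"""Parse the Stable, parsable output of ``passwd -s`` and evaluate aging.

Added example; not code from the passwd(1) man page or from Solaris.  It
implements only what the page documents: "name status mm/dd/yy min max warn"
(or "name status" with no aging), the LK/NL/NP/PS/UN codes, GMT aging dates,
max == -1 meaning aging is off, min > max meaning the user cannot change the
password, and warn relative to max.  Treating age == max as still valid is an
assumption; the page does not say.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, Optional

# Codes documented on the page.  Anything else is reported, not rejected,
# because the page says new codes (possibly not two characters) may appear.
KNOWN_STATUS = {
    "LK": "locked",
    "NL": "no login",
    "NP": "no password (open without authentication)",
    "PS": "has password",
    "UN": "unrecognized password field",
}

# Constructed sample output (not captured from a real system).
SAMPLE_OUTPUT = """\
root   PS 03/01/15 7 56 7
alice  PS 05/20/15 7 56 7
carol  PS 04/25/15 7 56 7
bob    LK 04/01/15 7 56 7
svc    NP
batch  NL
legacy UN 01/15/15 0 -1 0
future ZZZ 06/01/15 7 56 7
"""


def parse_date(mmddyy: str) -> date:
    """The mm/dd/yy field; the page says these dates are GMT."""
    return datetime.strptime(mmddyy, "%m/%d/%y").date()


@dataclass
class PasswdStatus:
    name: str
    status: str
    last_change: Optional[date] = None  # None when the two-field form was shown
    min_days: Optional[int] = None
    max_days: Optional[int] = None
    warn_days: Optional[int] = None

    @property
    def aging_enabled(self) -> bool:
        # "passwd -x -1" turns aging off; the two-field form carries no aging.
        return self.max_days is not None and self.max_days != -1

    def age_days(self, today: date) -> int:
        return (today - self.last_change).days

    def can_change(self, today: date) -> bool:
        """Can the non-privileged user change the password today?"""
        if not self.aging_enabled or not self.min_days:
            return True
        if self.min_days > self.max_days:      # page: user cannot change at all
            return False
        return self.age_days(today) >= self.min_days

    def expired(self, today: date) -> bool:
        return self.aging_enabled and self.age_days(today) > self.max_days

    def expiring_soon(self, today: date) -> bool:
        """Inside the warn window, which the page defines relative to max."""
        if not self.aging_enabled or not self.warn_days:
            return False
        return self.max_days - self.warn_days <= self.age_days(today) <= self.max_days


def parse_passwd_s_line(line: str) -> PasswdStatus:
    """Parse one line of ``passwd -s`` or ``passwd -s -a`` output."""
    fields = line.split()
    if len(fields) == 2:                       # name status
        return PasswdStatus(fields[0], fields[1])
    if len(fields) == 6:                       # name status mm/dd/yy min max warn
        name, status, mmddyy, mn, mx, warn = fields
        return PasswdStatus(name, status, parse_date(mmddyy), int(mn), int(mx), int(warn))
    raise ValueError(f"unrecognized passwd -s line: {line!r}")


def audit(output: str, today: date) -> Dict[str, str]:
    """Map each login name to a one-line finding."""
    findings = {}
    for raw in output.splitlines():
        if not raw.strip():
            continue
        e = parse_passwd_s_line(raw)
        if e.status not in KNOWN_STATUS:
            findings[e.name] = f"unknown status code {e.status!r}"
        elif e.status != "PS":
            findings[e.name] = KNOWN_STATUS[e.status]
        elif e.expired(today):
            findings[e.name] = "password expired"
        elif e.expiring_soon(today):
            findings[e.name] = "password expiring soon"
        else:
            findings[e.name] = "ok"
    return findings


if __name__ == "__main__":
    # Aging dates are GMT, so compare against the UTC date, not the local one.
    for name, finding in audit(SAMPLE_OUTPUT, datetime.now(timezone.utc).date()).items():
        print(f"{name:8} {finding}")
```

     On a real host the input would be the output of passwd -s -a run by the
     superuser; any NP entry in that list is an account open without
     authentication and is the first thing to look at.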
     Locking an account (-l option) does not allow its use for password
     based login or delayed execution (such as at(1), batch(1), or
     cron(1M)). The -N option can be used to disallow password based login,
     while continuing to allow delayed execution.

OPTIONS
     The following options are supported:

     -a
          Shows password attributes for all entries. Use only with the -s
          option. name must not be provided. For the nisplus repository,
          this shows only the entries in the NIS+ password table in the
          local domain that the invoker is authorized to read. For the
          files and ldap repositories, this is restricted to the superuser.

     -D domainname
          Consults the passwd.org_dir table in domainname. If this option
          is not specified, the default domainname returned by
          nis_local_directory(3NSL) is used. This domain name is the same
          as that returned by domainname(1M).

     -e
          Changes the login shell. The choice of shell is limited by the
          requirements of getusershell(3C). If the user currently has a
          shell that is not allowed by getusershell, only root can change
          it.

     -g
          Changes the gecos (finger) information. For the files repository,
          this only works for the superuser. Normal users can change the
          ldap, nis, or nisplus repositories.

     -h
          Changes the home directory.

     -r
          Specifies the repository to which an operation is applied. The
          supported repositories are files, ldap, nis, or nisplus.

     -s name
          Shows password attributes for the login name. For the nisplus
          repository, this works for everyone. However, for the files and
          ldap repositories, this only works for the superuser. It does not
          work at all for the nis repository, which does not support
          password aging.

          The output of this option, and only this option, is Stable and
          parsable. The format is username followed by white space followed
          by one of the following codes.

          New codes might be added in the future, so code that parses this
          must be flexible in the face of unknown codes. While all existing
          codes are two characters in length, that might not always be the
          case.

          The following are the current status codes:

          LK
               Account is locked for UNIX authentication. passwd -l was run
               or the authentication failed RETRIES times.

          NL
               The account is a no login account. passwd -N has been run.

          NP
               Account has no password. passwd -d was run.

          PS
               The account probably has a valid password.

          UN
               The data in the password field is unknown. It is not a
               recognizable hashed password or any of the above entries.
               See crypt(3C) for valid password hashes.

  Privileged User Options
     Only a privileged user can use the following options:

     -d
          Deletes the password for name and unlocks the account. The login
          name is not prompted for a password. It is only applicable to the
          files and ldap repositories.

          If the login(1) option PASSREQ=YES is configured, the account is
          not able to login. PASSREQ=YES is the delivered default.

     -f
          Forces the user to change password at the next login by expiring
          the password for name.

     -l
          Locks the password entry for name. See the -d or -u option for
          unlocking the account.

     -N
          Makes the password entry for name a value that cannot be used for
          login, but does not lock the account. See the -d option for
          removing the value, or to set a password to allow logins.

     -n min
          Sets the minimum field for name. The min field contains the
          minimum number of days between password changes for name. If min
          is greater than max, the user cannot change the password.
          Always use this option with the -x option, unless max is set to
          -1 (aging turned off). In that case, min need not be set.

     -u
          Unlocks a locked password for entry name. See the -d option for
          removing the locked password, or to set a password to allow
          logins.

     -w warn
          Sets the warn field for name. The warn field contains the number
          of days before the password expires and the user is warned. This
          option is not valid if password aging is disabled.

     -x max
          Sets the maximum field for name. The max field contains the
          number of days that the password is valid for name. The aging for
          name is turned off immediately if max is set to -1.

     -S
          Read the password from standard input (pipe).

OPERANDS
     The following operand is supported:

     name
          User login name.

ENVIRONMENT VARIABLES
     If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
     LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are not set
     in the environment, the operational behavior of passwd for each
     corresponding locale category is determined by the value of the LANG
     environment variable. If LC_ALL is set, its contents are used to
     override both the LANG and the other LC_* variables. If none of the
     above variables is set in the environment, the C (U.S. style) locale
     determines how passwd behaves.

     LC_CTYPE
          Determines how passwd handles characters. When LC_CTYPE is set
          to a valid value, passwd can display and handle text and
          filenames containing valid characters for that locale. passwd
          can display and handle Extended Unix Code (EUC) characters where
          any individual character can be 1, 2, or 3 bytes wide. passwd can
          also handle EUC characters of 1, 2, or more column widths. In the
          C locale, only characters from ISO 8859-1 are valid.

     LC_MESSAGES
          Determines how diagnostic and informative messages are presented.
          This includes the language and style of the messages, and the
          correct form of affirmative and negative responses. In the C
          locale, the messages are presented in the default form found in
          the program itself (in most cases, U.S. English).

EXIT STATUS
     The passwd command exits with one of the following values:

     0    Success.

     1    Permission denied.

     2    Invalid combination of options.

     3    Unexpected failure. Password file unchanged.

     4    Unexpected failure. Password file(s) missing.

     5    Password file(s) busy. Try again later.

     6    Invalid argument to option.

     7    Aging option is disabled.

     8    No memory.

     9    System error.

     10   Account expired.

FILES
     /etc/default/passwd
          Default values can be set for the following flags in
          /etc/default/passwd. For example: MAXWEEKS=26

          DICTIONDBDIR
               The directory where the generated dictionary databases
               reside. Defaults to /var/passwd.

               If neither DICTIONLIST nor DICTIONDBDIR is specified, the
               system does not perform a dictionary check.

          DICTIONLIST
               DICTIONLIST can contain a list of comma separated dictionary
               files such as DICTIONLIST=file1,file2,file3. Each dictionary
               file contains multiple lines and each line consists of a
               word and a NEWLINE character (similar to
               /usr/share/lib/dict/words). You must specify full pathnames.
               The words from these files are merged into a database that
               is used to determine whether a password is based on a
               dictionary word.

               If neither DICTIONLIST nor DICTIONDBDIR is specified, the
               system does not perform a dictionary check.

               To pre-build the dictionary database, see mkpwdict(1M).
          HISTORY
               Maximum number of prior passwords to keep in the history for
               a user. Setting the HISTORY value to zero (0), or removing
               the flag, causes the prior password history of all users to
               be discarded at the next password change by any user. The
               default is not to define the HISTORY flag. The maximum value
               is 26. Currently, this functionality is enforced only for
               user accounts defined in the files name service (local
               passwd(4)/shadow(4)).

          MAXREPEATS
               Maximum number of allowable consecutive repeating
               characters. If MAXREPEATS is not set or is zero (0), the
               default is no checks.

          MAXWEEKS
               Maximum time period that the password is valid.

          MINALPHA
               Minimum number of alphabetic characters required. If
               MINALPHA is not set, the default is 2.

          MINDIFF
               Minimum number of differences required between an old and a
               new password. If MINDIFF is not set, the default is 3.

          MINDIGIT
               Minimum number of digits required. If MINDIGIT is not set or
               is set to zero (0), the default is no checks. You cannot
               specify MINDIGIT if MINNONALPHA is also specified.

          MINLOWER
               Minimum number of lower case letters required. If not set or
               zero (0), the default is no checks.

          MINNONALPHA
               Minimum number of non-alpha characters (including numeric
               and special) required. If MINNONALPHA is not set, the
               default is 1. You cannot specify MINNONALPHA if MINDIGIT or
               MINSPECIAL is also specified.

          MINWEEKS
               Minimum time period before the password can be changed.

          MINSPECIAL
               Minimum number of special (non-alpha and non-digit)
               characters required. If MINSPECIAL is not set or is zero
               (0), the default is no checks. You cannot specify MINSPECIAL
               if you also specify MINNONALPHA.

          MINUPPER
               Minimum number of upper case letters required. If MINUPPER
               is not set or is zero (0), the default is no checks.

          NAMECHECK
               Enable/disable checking of the login name. The default is to
               do login name checking. A case insensitive value of no
               disables this feature.

          PASSLENGTH
               Minimum length of password, in characters.

          WARNWEEKS
               Time period until warning of the date of the password's
               ensuing expiration.

          WHITESPACE
               Determines if white space characters are allowed in
               passwords. Valid values are YES and NO. If WHITESPACE is not
               set or is set to YES, white space characters are allowed.

     /etc/oshadow
          Temporary file used by passwd, passmgmt and pwconv to update the
          real shadow file.

     /etc/passwd
          Password file.

     /etc/shadow
          Shadow password file.

     /etc/shells
          Shell database.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +--------------------+-----------------+
     |   ATTRIBUTE TYPE   | ATTRIBUTE VALUE |
     +--------------------+-----------------+
     |CSI                 | Enabled         |
     +--------------------+-----------------+
     |Interface Stability | See below.      |
     +--------------------+-----------------+

     The human readable output is Uncommitted. The options are Committed.
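     The following is an added example and not Solaris code or the
     pam_authtok_check(5) algorithm. It reads the /etc/default/passwd flags
     listed above from a constructed sample, enforces the rule that
     MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL, and reports
     every construction requirement a candidate password fails, so an
     administrator can see what a given configuration will accept before
     deploying it. Where the page states no exact algorithm, the example
     uses a labelled assumption: NAMECHECK is taken to reject a password
     containing the login name, the dictionary test to reject a password
     that is itself a listed word, and MINDIFF to count differing character
     positions plus any length difference. The sample file, the sample word
     list, and the test passwords are constructed.

```python
"""Check a candidate password against the /etc/default/passwd flags.

Added example; not Solaris code and not pam_authtok_check(5).  It applies the
flags documented under FILES (PASSLENGTH, MINALPHA, MINNONALPHA, MINDIGIT,
MINSPECIAL, MINUPPER, MINLOWER, MAXREPEATS, WHITESPACE, NAMECHECK, MINDIFF)
and the page's MINNONALPHA exclusion rule.  Checks marked "assumed" use an
interpretation the page does not spell out.
"""
from itertools import groupby
from typing import Dict, FrozenSet, List, Optional

# Constructed sample of /etc/default/passwd (not a file from a real host).
SAMPLE_DEFAULT_PASSWD = """\
# /etc/default/passwd - constructed sample
MAXWEEKS=26
MINWEEKS=1
PASSLENGTH=8
NAMECHECK=YES
MAXREPEATS=2
MINALPHA=2
MINDIGIT=1
MINSPECIAL=1
MINUPPER=1
MINLOWER=1
WHITESPACE=NO
"""

# Constructed stand-in for the merged DICTIONLIST database.
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "solaris", "letmein"})


def parse_default_passwd(text: str) -> Dict[str, str]:
    """KEY=VALUE lines; blank lines and '#' comments are ignored."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            flags[key.strip()] = value.strip()
    return flags


def _num(flags: Dict[str, str], key: str, default: int) -> int:
    value = flags.get(key, "")
    return int(value) if value else default


def validate_flags(flags: Dict[str, str]) -> List[str]:
    """The page's rule: MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL."""
    if "MINNONALPHA" in flags and ("MINDIGIT" in flags or "MINSPECIAL" in flags):
        return ["MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL"]
    return []


def check_password(candidate: str, login: str, flags: Dict[str, str],
                   dictionary: FrozenSet[str] = frozenset(),
                   old_password: Optional[str] = None) -> List[str]:
    """Return the requirements the candidate fails; an empty list means accepted."""
    failed = []
    alpha = sum(c.isalpha() for c in candidate)
    digits = sum(c.isdigit() for c in candidate)
    special = len(candidate) - alpha - digits          # non-alpha, non-digit

    if len(candidate) < _num(flags, "PASSLENGTH", 6):
        failed.append("shorter than PASSLENGTH")
    if flags.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in candidate):
        failed.append("white space not allowed (WHITESPACE=NO)")
    if alpha < _num(flags, "MINALPHA", 2):
        failed.append("too few alphabetic characters (MINALPHA)")
    if "MINDIGIT" in flags or "MINSPECIAL" in flags:
        # MINNONALPHA is excluded in this configuration, so only the specific checks apply.
        if digits < _num(flags, "MINDIGIT", 0):
            failed.append("too few digits (MINDIGIT)")
        if special < _num(flags, "MINSPECIAL", 0):
            failed.append("too few special characters (MINSPECIAL)")
    elif digits + special < _num(flags, "MINNONALPHA", 1):
        failed.append("too few non-alphabetic characters (MINNONALPHA)")
    if sum(c.isupper() for c in candidate) < _num(flags, "MINUPPER", 0):
        failed.append("too few upper case letters (MINUPPER)")
    if sum(c.islower() for c in candidate) < _num(flags, "MINLOWER", 0):
        failed.append("too few lower case letters (MINLOWER)")
    max_repeats = _num(flags, "MAXREPEATS", 0)
    if max_repeats and candidate and max(len(list(g)) for _, g in groupby(candidate)) > max_repeats:
        failed.append("more than MAXREPEATS consecutive repeated characters")
    # NAMECHECK (assumed): the password must not contain the login name, ignoring case.
    if flags.get("NAMECHECK", "yes").lower() != "no" and login.lower() in candidate.lower():
        failed.append("based on login name (NAMECHECK)")
    # Dictionary (assumed): the lower-cased password must not itself be a listed word.
    if candidate.lower() in dictionary:
        failed.append("dictionary word (DICTIONLIST)")
    # MINDIFF (assumed): differing positions plus any length difference.
    if old_password is not None:
        diff = sum(a != b for a, b in zip(candidate, old_password))
        diff += abs(len(candidate) - len(old_password))
        if diff < _num(flags, "MINDIFF", 3):
            failed.append("too similar to old password (MINDIFF)")
    return failed


if __name__ == "__main__":
    cfg = parse_default_passwd(SAMPLE_DEFAULT_PASSWD)
    print("config problems:", validate_flags(cfg) or "none")
    for pw in ("password", "Tr0ub4dor!x", "aaaB1!cd"):
        print(f"{pw!r}: {check_password(pw, 'alice', cfg, SAMPLE_DICTIONARY) or 'accepted'}")
```

     Note that the checker reports every failed requirement at once,
     whereas the page says passwd itself terminates on the first
     construction failure after at most two further prompts; the full list
     is more useful when testing a policy than when changing a password.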
SEE ALSO
     at(1), batch(1), finger(1), kpasswd(1), login(1), nistbladm(1),
     cron(1M), domainname(1M), eeprom(1M), id(1M), ldapclient(1M),
     mkpwdict(1M), passmgmt(1M), pwconv(1M), su(1M), useradd(1M),
     userdel(1M), usermod(1M), crypt(3C), getpwnam(3C), getspnam(3C),
     getusershell(3C), nis_local_directory(3NSL), pam(3PAM), loginlog(4),
     nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), shadow(4),
     shells(4), attributes(5), environ(5), pam_authtok_check(5),
     pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_ldap(5),
     pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES
     The pam_unix(5) module is no longer supported. Similar functionality
     is provided by pam_unix_account(5), pam_unix_auth(5),
     pam_unix_session(5), pam_authtok_check(5), pam_authtok_get(5),
     pam_authtok_store(5), pam_dhkeys(5), and pam_passwd_auth(5).

     The nispasswd and yppasswd commands are wrappers around passwd. Use of
     nispasswd and yppasswd is discouraged. Use passwd -r repository_name
     instead.

     NIS+ might not be supported in future releases of the Solaris
     operating system. Tools to aid the migration from NIS+ to LDAP are
     available in the current Solaris release. For more information, visit
     http://www.sun.com/directory/nisplus/transition.html.

     Changing a password in the files and ldap repositories clears the
     failed login count.

     Changing a password reactivates an account deactivated for inactivity
     for the length of the inactivity period.

     If /etc/shells is present, and is corrupted, it may provide an attack
     vector that would compromise the system. The getusershell(3C) library
     call has a pre-vetted list of shells, so /etc/shells should be used
     with caution.

     Input terminal processing might interpret some key sequences and not
     pass them to the passwd command.

     An account with no password, status code NP, might not be able to
     login. See the login(1) PASSREQ option.

                                June 18, 2015                        PASSWD(1)