4107 Add passwd option to read passwords from stdin
--- old/usr/src/man/man1/passwd.1.man.txt
+++ new/usr/src/man/man1/passwd.1.man.txt
1 1 PASSWD(1) User Commands PASSWD(1)
2 2
3 3
4 4
5 5 NAME
6 6 passwd - change login password and password attributes
7 7
8 8 SYNOPSIS
9 9 passwd [-r files | -r ldap | -r nis | -r nisplus] [name]
10 10
11 11
12 12 passwd [-r files] [-egh] [name]
13 13
14 14
15 15 passwd [-r files] -s [-a]
16 16
17 17
18 18 passwd [-r files] -s [name]
19 19
20 20
21 21 passwd [-r files] [-d | -l | -u | -N] [-f] [-n min]
22 22 [-w warn] [-x max] name
23 23
24 24
25 25 passwd -r ldap [-egh] [name]
26 26
27 27
28 28 passwd [-r ldap ] -s [-a]
29 29
30 30
31 31 passwd [-r ldap ] -s [name]
32 32
33 33
34 34 passwd -r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name
35 35
36 36
37 37 passwd -r nis [-egh] [name]
38 38
39 39
40 40 passwd -r nisplus [-egh] [-D domainname] [name]
41 41
42 42
43 43 passwd -r nisplus -s [-a]
44 44
45 45
46 46 passwd -r nisplus [-D domainname] -s [name]
47 47
48 48
49 49 passwd -r nisplus [-l | -u | -N] [-f] [-n min] [-w warn]
50 50 [-x max] [-D domainname] name
51 51
52 52
53 + passwd -S [name]
54 +
55 +
53 56 DESCRIPTION
54 57 The passwd command changes the password or lists password attributes
55 58 associated with the user's login name. Additionally, privileged users
56 59 can use passwd to install or change passwords and attributes associated
57 60 with any login name.
58 61
59 62
60 63 When used to change a password, passwd prompts everyone for their old
61 64 password, if any. It then prompts for the new password twice. When the
62 65 old password is entered, passwd checks to see if it has aged
63 66 sufficiently. If aging is insufficient, passwd terminates; see
64 67 pwconv(1M), nistbladm(1), and shadow(4) for additional information.
65 68
66 69
67 70 The pwconv command creates and updates /etc/shadow with information
68 71 from /etc/passwd. pwconv relies on a special value of x in the password
69 72 field of /etc/passwd. This value of xindicates that the password for
70 73 the user is already in /etc/shadow and should not be modified.
71 74
72 75
73 76 If aging is sufficient, a check is made to ensure that the new password
74 77 meets construction requirements. When the new password is entered a
75 78 second time, the two copies of the new password are compared. If the
76 79 two copies are not identical, the cycle of prompting for the new
77 80 password is repeated for, at most, two more times.
78 81
79 82
80 83 Passwords must be constructed to meet the following requirements:
81 84
82 85 o Each password must have PASSLENGTH characters, where
83 86 PASSLENGTH is defined in /etc/default/passwd and is set to
84 87 6. Setting PASSLENGTH to more than eight characters requires
85 88 configuring policy.conf(4) with an algorithm that supports
86 89 greater than eight characters.
87 90
88 91 o Each password must meet the configured complexity
89 92 constraints specified in /etc/default/passwd.
90 93
91 94 o Each password must not be a member of the configured
92 95 dictionary as specified in /etc/default/passwd.
93 96
94 97 o For accounts in name services which support password history
95 98 checking, if prior password history is defined, new
96 99 passwords must not be contained in the prior password
97 100 history.
98 101
99 102
100 103 If all requirements are met, by default, the passwd command consults
101 104 /etc/nsswitch.conf to determine in which repositories to perform
102 105 password update. It searches the passwd and passwd_compat entries. The
103 106 sources (repositories) associated with these entries are updated.
104 107 However, the password update configurations supported are limited to
105 108 the following cases. Failure to comply with the configurations
106 109 prevents users from logging onto the system. The password update
107 110 configurations are:
108 111
109 112 o passwd: files
110 113
111 114 o passwd: files ldap
112 115
113 116 o passwd: files nis
114 117
115 118 o passwd: files nisplus
116 119
117 120 o passwd: compat (==> files nis)
118 121
119 122 o passwd: compat (==> files ldap)
120 123
121 124 passwd_compat: ldap
122 125
123 126 o passwd: compat (==> files nisplus)
124 127
125 128 passwd_compat: nisplus
126 129
127 130
128 131 You can add the ad keyword to any of the passwd configurations in the
129 132 above list. However, you cannot use the passwd command to change the
130 133 password of an Active Directory (AD) user. If the ad keyword is found
131 134 in the passwd entry during a password update operation, it is ignored.
132 135 To update the password of an AD user, use the kpasswd(1) command.
133 136
134 137
135 138 Network administrators, who own the NIS+ password table, can change any
136 139 password attributes. The administrator configured for updating LDAP
137 140 shadow information can also change any password attributes. See
138 141 ldapclient(1M).
139 142
140 143
141 144 When a user has a password stored in one of the name services as well
142 145 as a local files entry, the passwd command updates both. It is possible
143 146 to have different passwords in the name service and local files entry.
144 147 Use passwd -r to change a specific password repository.
145 148
146 149
147 150 In the files case, super-users (for instance, real and effective uid
148 151 equal to 0, see id(1M) and su(1M)) can change any password. Hence,
149 152 passwd does not prompt privileged users for the old password.
150 153 Privileged users are not forced to comply with password aging and
151 154 password construction requirements. A privileged user can create a null
152 155 password by entering a carriage return in response to the prompt for a
153 156 new password. (This differs from passwd -d because the password prompt
154 157 is still displayed.) If NIS is in effect, superuser on the root master
155 158 can change any password without being prompted for the old NIS passwd,
156 159 and is not forced to comply with password construction requirements.
157 160
158 161
159 162 If LDAP is in effect, superuser on any Native LDAP client system can
160 163 change any password without being prompted for the old LDAP passwd, and
161 164 is not forced to comply with password construction requirements.
162 165
163 166
164 167 Normally, passwd entered with no arguments changes the password of the
165 168 current user. When a user logs in and then invokes su(1M) to become
166 169 superuser or another user, passwd changes the original user's password,
167 170 not the password of the superuser or the new user.
168 171
169 172
170 173 Any user can use the -s option to show password attributes for his or
171 174 her own login name, provided they are using the -r nisplus argument.
172 175 Otherwise, the -s argument is restricted to the superuser.
173 176
174 177
175 178 The format of the display is:
176 179
177 180 name status mm/dd/yy min max warn
178 181
179 182
180 183
181 184
182 185 or, if password aging information is not present,
183 186
184 187 name status
185 188
186 189
187 190
188 191
189 192 where
190 193
191 194 name
192 195 The login ID of the user.
193 196
194 197
195 198 status
196 199 The password status of name.
197 200
198 201 The status field can take the following values:
199 202
200 203 LK
201 204 This account is locked account. See Security.
202 205
203 206
204 207 NL
205 208 This account is a no login account. See Security.
206 209
207 210
208 211 NP
209 212 This account has no password and is therefore open
210 213 without authentication.
211 214
212 215
213 216 PS
214 217 This account has a password.
215 218
216 219
217 220
218 221 mm/dd/yy
219 222 The date password was last changed for name. All password
220 223 aging dates are determined using Greenwich Mean Time
221 224 (Universal Time) and therefore can differ by as much as a
222 225 day in other time zones.
223 226
224 227
225 228 min
226 229 The minimum number of days required between password
227 230 changes for name. MINWEEKS is found in /etc/default/passwd
228 231 and is set to NULL.
229 232
230 233
231 234 max
232 235 The maximum number of days the password is valid for name.
233 236 MAXWEEKS is found in /etc/default/passwd and is set to
234 237 NULL.
235 238
236 239
237 240 warn
238 241 The number of days relative to max before the password
239 242 expires and the name are warned.
240 243
241 244
242 245 Security
243 246 passwd uses pam(3PAM) for password change. It calls PAM with a service
244 247 name passwd and uses service module type auth for authentication and
245 248 password for password change.
246 249
247 250
248 251 Locking an account (-l option) does not allow its use for password based
249 252 login or delayed execution (such as at(1), batch(1), or cron(1M)). The
250 253 -N option can be used to disallow password based login, while continuing
251 254 to allow delayed execution.
252 255
253 256 OPTIONS
254 257 The following options are supported:
255 258
256 259 -a
257 260 Shows password attributes for all entries. Use only
258 261 with the -s option. name must not be provided. For the
259 262 nisplus repository, this shows only the entries in the
260 263 NIS+ password table in the local domain that the
261 264 invoker is authorized to read. For the files and ldap
262 265 repositories, this is restricted to the superuser.
263 266
264 267
265 268 -D domainname
266 269 Consults the passwd.org_dir table in domainname. If
267 270 this option is not specified, the default domainname
268 271 returned by nis_local_directory(3NSL) are used. This
269 272 domain name is the same as that returned by
270 273 domainname(1M).
271 274
272 275
273 276 -e
274 277 Changes the login shell. The choice of shell is
275 278 limited by the requirements of getusershell(3C). If
276 279 the user currently has a shell that is not allowed by
277 280 getusershell, only root can change it.
278 281
279 282
280 283 -g
281 284 Changes the gecos (finger) information. For the files
282 285 repository, this only works for the superuser. Normal
283 286 users can change the ldap, nis, or nisplus
284 287 repositories.
285 288
286 289
287 290 -h
288 291 Changes the home directory.
289 292
290 293
291 294 -r
292 295 Specifies the repository to which an operation is
293 296 applied. The supported repositories are files, ldap,
294 297 nis, or nisplus.
295 298
296 299
297 300 -s name
298 301 Shows password attributes for the login name. For the
299 302 nisplus repository, this works for everyone. However
300 303 for the files and ldap repositories, this only works
301 304 for the superuser. It does not work at all for the nis
302 305 repository which does not support password aging.
303 306
304 307 The output of this option, and only this option is
305 308 Stable and parsable. The format is username followed
306 309 by white space followed by one of the following codes.
307 310
308 311 New codes might be added in the future so code that
309 312 parses this must be flexible in the face of unknown
310 313 codes. While all existing codes are two characters in
311 314 length that might not always be the case.
312 315
313 316 The following are the current status codes:
314 317
315 318 LK
316 319 Account is locked for UNIX authentication.
317 320 passwd -l was run or the authentication failed
318 321 RETRIES times.
319 322
320 323
321 324 NL
322 325 The account is a no login account. passwd -N has
323 326 been run.
324 327
325 328
326 329 NP
327 330 Account has no password. passwd -d was run.
328 331
329 332
330 333 PS
331 334 The account probably has a valid password.
332 335
333 336
334 337 UN
335 338 The data in the password field is unknown. It is
336 339 not a recognizable hashed password or any of the
337 340 above entries. See crypt(3C) for valid password
338 341 hashes.
339 342
340 343
341 344
342 345 Privileged User Options
343 346 Only a privileged user can use the following options:
344 347
345 348 -d
346 349 Deletes password for name and unlocks the account. The login
347 350 name is not prompted for password. It is only applicable to
348 351 the files and ldap repositories.
349 352
350 353 If the login(1) option PASSREQ=YES is configured, the
351 354 account is not able to login. PASSREQ=YES is the delivered
352 355 default.
353 356
354 357
355 358 -f
356 359 Forces the user to change password at the next login by
357 360 expiring the password for name.
358 361
359 362
360 363 -l
361 364 Locks password entry for name. See the -d or -u option for
362 365 unlocking the account.
363 366
364 367
365 368 -N
366 369 Makes the password entry for name a value that cannot be
367 370 used for login, but does not lock the account. See the -d
368 371 option for removing the value, or to set a password to allow
369 372 logins.
370 373
371 374
372 375 -n min
373 376 Sets minimum field for name. The min field contains the
374 377 minimum number of days between password changes for name. If
375 378 min is greater than max, the user can not change the
376 379 password. Always use this option with the -x option, unless
377 380 max is set to1 (aging turned off). In that case, min need
378 381 not be set.
379 382
380 383
381 384 -u
382 385 Unlocks a locked password for entry name. See the -d option
383 386 for removing the locked password, or to set a password to
384 387 allow logins.
385 388
386 389
387 390 -w warn
388 391 Sets warn field for name. The warn field contains the number
389 392 of days before the password expires and the user is warned.
390 393 This option is not valid if password aging is disabled.
391 394
392 395
393 396 -x max
394 397 Sets maximum field for name. The max field contains the
395 398 number of days that the password is valid for name. The
396 399 aging for name is turned off immediately if max is set to1.
397 400
398 401
402 + -S
403 + Read the password from standard input (pipe).
404 +
405 +
399 406 OPERANDS
400 407 The following operand is supported:
401 408
402 409 name
403 410 User login name.
404 411
405 412
406 413 ENVIRONMENT VARIABLES
407 414 If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
408 415 LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are not set
409 416 in the environment, the operational behavior of passwd for each
410 417 corresponding locale category is determined by the value of the LANG
411 418 environment variable. If LC_ALL is set, its contents are used to
412 419 override both the LANG and the other LC_* variables. If none of the
413 420 above variables is set in the environment, the C (U.S. style) locale
414 421 determines how passwd behaves.
415 422
416 423 LC_CTYPE
417 424 Determines how passwd handles characters. When LC_CTYPE
418 425 is set to a valid value, passwd can display and handle
419 426 text and filenames containing valid characters for that
420 427 locale. passwd can display and handle Extended Unix Code
421 428 (EUC) characters where any individual character can be
422 429 1, 2, or 3 bytes wide. passwd can also handle EUC
423 430 characters of 1, 2, or more column widths. In the C
424 431 locale, only characters from ISO 8859-1 are valid.
425 432
426 433
427 434 LC_MESSAGES
428 435 Determines how diagnostic and informative messages are
429 436 presented. This includes the language and style of the
430 437 messages, and the correct form of affirmative and
431 438 negative responses. In the C locale, the messages are
432 439 presented in the default form found in the program
433 440 itself (in most cases, U.S. English).
434 441
435 442
436 443 EXIT STATUS
437 444 The passwd command exits with one of the following values:
438 445
439 446 0
440 447 Success.
441 448
442 449
443 450 1
444 451 Permission denied.
445 452
446 453
447 454 2
448 455 Invalid combination of options.
449 456
450 457
451 458 3
452 459 Unexpected failure. Password file unchanged.
453 460
454 461
455 462 4
456 463 Unexpected failure. Password file(s) missing.
457 464
458 465
459 466 5
460 467 Password file(s) busy. Try again later.
461 468
462 469
463 470 6
464 471 Invalid argument to option.
465 472
466 473
467 474 7
468 475 Aging option is disabled.
469 476
470 477
471 478 8
472 479 No memory.
473 480
474 481
475 482 9
476 483 System error.
477 484
478 485
479 486 10
480 487 Account expired.
481 488
482 489
483 490 FILES
484 491 /etc/default/passwd
485 492 Default values can be set for the following
486 493 flags in /etc/default/passwd. For example:
487 494 MAXWEEKS=26
488 495
489 496 DICTIONDBDIR
490 497 The directory where the
491 498 generated dictionary databases
492 499 reside. Defaults to /var/passwd.
493 500
494 501 If neither DICTIONLIST nor
495 502 DICTIONDBDIR is specified, the
496 503 system does not perform a
497 504 dictionary check.
498 505
499 506
500 507 DICTIONLIST
501 508 DICTIONLIST can contain list of
502 509 comma separated dictionary files
503 510 such as DICTIONLIST=file1,
504 511 file2, file3. Each dictionary
505 512 file contains multiple lines and
506 513 each line consists of a word and
507 514 a NEWLINE character (similar to
508 515 /usr/share/lib/dict/words.) You
509 516 must specify full pathnames. The
510 517 words from these files are
511 518 merged into a database that is
512 519 used to determine whether a
513 520 password is based on a
514 521 dictionary word.
515 522
516 523 If neither DICTIONLIST nor
517 524 DICTIONDBDIR is specified, the
518 525 system does not perform a
519 526 dictionary check.
520 527
521 528 To pre-build the dictionary
522 529 database, see mkpwdict(1M).
523 530
524 531
525 532 HISTORY
526 533 Maximum number of prior password
527 534 history to keep for a user.
528 535 Setting the HISTORY value to
529 536 zero (0), or removing the flag,
530 537 causes the prior password
531 538 history of all users to be
532 539 discarded at the next password
533 540 change by any user. The default
534 541 is not to define the HISTORY
535 542 flag. The maximum value is 26.
536 543 Currently, this functionality is
537 544 enforced only for user accounts
538 545 defined in the files name
539 546 service (local
540 547 passwd(4)/shadow(4)).
541 548
542 549
543 550 MAXREPEATS
544 551 Maximum number of allowable
545 552 consecutive repeating
546 553 characters. If MAXREPEATS is not
547 554 set or is zero (0), the default
548 555 is no checks
549 556
550 557
551 558 MAXWEEKS
552 559 Maximum time period that
553 560 password is valid.
554 561
555 562
556 563 MINALPHA
557 564 Minimum number of alpha
558 565 character required. If MINALPHA
559 566 is not set, the default is 2.
560 567
561 568
562 569 MINDIFF
563 570 Minimum differences required
564 571 between an old and a new
565 572 password. If MINDIFF is not set,
566 573 the default is 3.
567 574
568 575
569 576 MINDIGIT
570 577 Minimum number of digits
571 578 required. If MINDIGIT is not set
572 579 or is set to zero (0), the
573 580 default is no checks. You cannot
574 581 be specify MINDIGIT if
575 582 MINNONALPHA is also specified.
576 583
577 584
578 585 MINLOWER
579 586 Minimum number of lower case
580 587 letters required. If not set or
581 588 zero (0), the default is no
582 589 checks.
583 590
584 591
585 592 MINNONALPHA
586 593 Minimum number of non-alpha
587 594 (including numeric and special)
588 595 required. If MINNONALPHA is not
589 596 set, the default is 1. You
590 597 cannot specify MINNONALPHA if
591 598 MINDIGIT or MINSPECIAL is also
592 599 specified.
593 600
594 601
595 602 MINWEEKS
596 603 Minimum time period before the
597 604 password can be changed.
598 605
599 606
600 607 MINSPECIAL
601 608 Minimum number of special (non-
602 609 alpha and non-digit) characters
603 610 required. If MINSPECIAL is not
604 611 set or is zero (0), the default
605 612 is no checks. You cannot specify
606 613 MINSPECIAL if you also specify
607 614 MINNONALPHA.
608 615
609 616
610 617 MINUPPER
611 618 Minimum number of upper case
612 619 letters required. If MINUPPER is
613 620 not set or is zero (0), the
614 621 default is no checks.
615 622
616 623
617 624 NAMECHECK
618 625 Enable/disable checking or the
619 626 login name. The default is to do
620 627 login name checking. A case
621 628 insensitive value of no disables
622 629 this feature.
623 630
624 631
625 632 PASSLENGTH
626 633 Minimum length of password, in
627 634 characters.
628 635
629 636
630 637 WARNWEEKS
631 638 Time period until warning of
632 639 date of password's ensuing
633 640 expiration.
634 641
635 642
636 643 WHITESPACE
637 644 Determine if white space
638 645 characters are allowed in
639 646 passwords. Valid values are YES
640 647 and NO. If WHITESPACE is not set
641 648 or is set to YES, white space
642 649 characters are allowed.
643 650
644 651
645 652
646 653 /etc/oshadow
647 654 Temporary file used by passwd, passmgmt and
648 655 pwconv to update the real shadow file.
649 656
650 657
651 658 /etc/passwd
652 659 Password file.
653 660
654 661
655 662 /etc/shadow
656 663 Shadow password file.
657 664
658 665
659 666 /etc/shells
660 667 Shell database.
661 668
662 669
663 670 ATTRIBUTES
664 671 See attributes(5) for descriptions of the following attributes:
665 672
666 673
667 674
668 675
669 676 +--------------------+-----------------+
670 677 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
671 678 +--------------------+-----------------+
672 679 |CSI | Enabled |
673 680 +--------------------+-----------------+
674 681 |Interface Stability | See below. |
675 682 +--------------------+-----------------+
676 683
677 684
678 685 The human readable output is Uncommitted. The options are Committed.
679 686
680 687 SEE ALSO
681 688 at(1), batch(1), finger(1), kpasswd(1), login(1), nistbladm(1),
682 689 cron(1M), domainname(1M), eeprom(1M), id(1M), ldapclient(1M),
683 690 mkpwdict(1M), passmgmt(1M), pwconv(1M), su(1M), useradd(1M),
684 691 userdel(1M), usermod(1M), crypt(3C), getpwnam(3C), getspnam(3C),
685 692 getusershell(3C), nis_local_directory(3NSL), pam(3PAM), loginlog(4),
686 693 nsswitch.conf(4), pam.conf(4), passwd(4), policy.conf(4), shadow(4),
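Review bot: the new option text at 402-403, `-S` / `Read the password from standard input (pipe).`, together with the SYNOPSIS form `passwd -S [name]` at 53, leaves the stdin contract undefined for anyone scripting against it: say whether the new password is read once (no second confirmation prompt as described in DESCRIPTION), whether a trailing newline is stripped, whether the old password is still required and where it is read from, and whether the construction, dictionary, history and aging checks still apply. Its placement after -x under "Privileged User Options" implies it is root-only; if that is intended, state it and make the SYNOPSIS form match the other privileged forms (for example `passwd [-r files] -S name`), otherwise move it up into OPTIONS. It also sits beside -s, whose output this page declares Stable and parsable, so one sentence distinguishing the two would avoid confusion. Finally, since the point of -S is to let a caller supply the password without typing it on a terminal (compare the NOTES paragraph on input terminal processing), the text should say that it is meant to be fed from a pipe rather than from a command-line argument.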
687 694 shells(4), attributes(5), environ(5), pam_authtok_check(5),
688 695 pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_ldap(5),
689 696 pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)
690 697
691 698 NOTES
692 699 The pam_unix(5) module is no longer supported. Similar functionality is
693 700 provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
694 701 pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
695 702 pam_dhkeys(5), and pam_passwd_auth(5).
696 703
697 -
698 704 The nispasswd and ypasswd commands are wrappers around passwd. Use of
699 705 nispasswd and ypasswd is discouraged. Use passwd -r repository_name
700 706 instead.
701 707
702 708
703 709 NIS+ might not be supported in future releases of the Solaris operating
704 710 system. Tools to aid the migration from NIS+ to LDAP are available in
705 711 the current Solaris release. For more information, visit
706 712 http://www.sun.com/directory/nisplus/transition.html.
707 713
708 714
709 715 Changing a password in the files and ldap repositories clears the
710 716 failed login count.
711 717
712 718
713 719 Changing a password reactivates an account deactivated for inactivity
714 720 for the length of the inactivity period.
715 721
716 722
717 723 If /etc/shells is present, and is corrupted, it may provide an attack
718 724 vector that would compromise the system. The getusershell(3c) library
719 725 call has a pre-vetted list of shells, so /etc/shells should be used with
720 726 caution.
721 727
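Review bot: the removed blank line at 697 leaves a single blank line between the pam_unix(5) paragraph (699-702) and the nispasswd paragraph (704-706), while every other paragraph in NOTES is separated by two blank lines (707-708, 713-714, 717-718); unless the single spacing is deliberate, restore the line so the section stays uniform.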
722 728
723 729 Input terminal processing might interpret some key sequences and not
724 730 pass them to the passwd command.
725 731
726 732
727 733 An account with no password, status code NP, might not be able to
728 734 login. See the login(1) PASSREQ option.
729 735
730 736
731 737
732 - May 31, 2013 PASSWD(1)
738 + June 18, 2015 PASSWD(1)