'\" te
.\" Copyright 1989 AT&T
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2015 Nexenta Systems, Inc. All rights reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PASSWD 1 "Jun 18, 2015"
.SH NAME
passwd \- change login password and password attributes
.SH SYNOPSIS
.LP
.nf
\fBpasswd\fR [\fB-r\fR files | \fB-r\fR ldap | \fB-r\fR nis | \fB-r\fR nisplus] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] [\fB-d\fR | \fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR]
    [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR ldap [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR ldap [\fB-d | -l | -u | -N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nis [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-egh\fR] [\fB-D\fR \fIdomainname\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-D\fR \fIdomainname\fR] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR]
    [\fB-x\fR \fImax\fR] [\fB-D\fR \fIdomainname\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-S\fR [\fIname\fR]
.fi

.SH DESCRIPTION
.LP
The \fBpasswd\fR command changes the password or lists password attributes
associated with the user's login \fIname\fR. Additionally, privileged users can
use \fBpasswd\fR to install or change passwords and attributes associated with
any login \fIname\fR.
.sp
.LP
When used to change a password, \fBpasswd\fR prompts everyone for their old
password, if any. It then prompts for the new password twice. When the old
password is entered, \fBpasswd\fR checks to see if it has aged sufficiently. If
\fBaging\fR is insufficient, \fBpasswd\fR terminates; see \fBpwconv\fR(1M),
\fBnistbladm\fR(1), and \fBshadow\fR(4) for additional information.
.sp
.LP
The \fBpwconv\fR command creates and updates \fB/etc/shadow\fR with information
from \fB/etc/passwd\fR. \fBpwconv\fR relies on a special value of \fBx\fR in
the password field of \fB/etc/passwd\fR. This value of \fBx\fR indicates that
the password for the user is already in \fB/etc/shadow\fR and should not be
modified.
.sp
.LP
If aging is sufficient, a check is made to ensure that the new password meets
construction requirements. When the new password is entered a second time, the
two copies of the new password are compared.
If the two copies are not
identical, the cycle of prompting for the new password is repeated for, at
most, two more times.
.sp
.LP
Passwords must be constructed to meet the following requirements:
.RS +4
.TP
.ie t \(bu
.el o
Each password must have \fBPASSLENGTH\fR characters, where \fBPASSLENGTH\fR is
defined in \fB/etc/default/passwd\fR and is set to \fB6\fR. Setting
\fBPASSLENGTH\fR to more than eight characters requires configuring
\fBpolicy.conf\fR(4) with an algorithm that supports greater than eight
characters.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Each password must meet the configured complexity constraints specified in
\fB/etc/default/passwd\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Each password must not be a member of the configured dictionary as specified in
\fB/etc/default/passwd\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
For accounts in name services which support password history checking, if prior
password history is defined, new passwords must not be contained in the prior
password history.
.RE
.sp
.LP
If all requirements are met, by default, the \fBpasswd\fR command consults
\fB/etc/nsswitch.conf\fR to determine in which repositories to perform password
update. It searches the \fBpasswd\fR and \fBpasswd_compat\fR entries. The
sources (repositories) associated with these entries are updated. However, the
password update configurations supported are limited to the following cases.
Failure to comply with the configurations prevents users from logging onto the
system.
The password update configurations are:
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files ldap\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files nis\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files nisplus\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files nis)
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files ldap)
.sp
\fBpasswd_compat: ldap\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files nisplus)
.sp
\fBpasswd_compat: nisplus\fR
.RE
.sp
.LP
You can add the \fBad\fR keyword to any of the \fBpasswd\fR configurations in
the above list. However, you cannot use the \fBpasswd\fR command to change the
password of an Active Directory (AD) user. If the \fBad\fR keyword is found in
the \fBpasswd\fR entry during a password update operation, it is ignored. To
update the password of an AD user, use the \fBkpasswd\fR(1) command.
.sp
.LP
Network administrators, who own the NIS+ password table, can change any
password attributes. The administrator configured for updating LDAP shadow
information can also change any password attributes. See \fBldapclient\fR(1M).
.sp
.LP
When a user has a password stored in one of the name services as well as a
local \fBfiles\fR entry, the \fBpasswd\fR command updates both. It is possible
to have different passwords in the name service and local files entry. Use
\fBpasswd\fR \fB-r\fR to change a specific password repository.
.sp
.LP
In the \fBfiles\fR case, super-users (for instance, real and effective uid
equal to \fB0\fR, see \fBid\fR(1M) and \fBsu\fR(1M)) can change any password.
Hence, \fBpasswd\fR does not prompt privileged users for the old password.
Privileged users are not forced to comply with password aging and password
construction requirements. A privileged user can create a null password by
entering a carriage return in response to the prompt for a new password. (This
differs from \fBpasswd\fR \fB-d\fR because the \fBpassword\fR prompt is still
displayed.) If NIS is in effect, superuser on the root master can change any
password without being prompted for the old NIS \fBpasswd\fR, and is not forced
to comply with password construction requirements.
.sp
.LP
If LDAP is in effect, superuser on any Native LDAP client system can change any
password without being prompted for the old LDAP passwd, and is not forced to
comply with password construction requirements.
.sp
.LP
Normally, \fBpasswd\fR entered with no arguments changes the password of the
current user. When a user logs in and then invokes \fBsu\fR(1M) to become
superuser or another user, \fBpasswd\fR changes the original user's password,
not the password of the superuser or the new user.
.sp
.LP
Any user can use the \fB-s\fR option to show password attributes for his or her
own login \fIname\fR, provided they are using the \fB-r\fR \fBnisplus\fR
argument. Otherwise, the \fB-s\fR argument is restricted to the superuser.
.sp
.LP
The format of the display is:
.sp
.in +2
.nf
\fIname status mm/dd/yy min max warn\fR
.fi
.in -2
.sp

.sp
.LP
or, if password aging information is not present,
.sp
.in +2
.nf
\fIname status\fR
.fi
.in -2
.sp

.sp
.LP
where
.sp
.ne 2
.na
\fB\fIname\fR\fR
.ad
.RS 12n
The login \fBID\fR of the user.
.RE

.sp
.ne 2
.na
\fB\fIstatus\fR\fR
.ad
.RS 12n
The password status of \fIname\fR.
.sp
The \fIstatus\fR field can take the following values:
.sp
.ne 2
.na
\fBLK\fR
.ad
.RS 6n
This account is a \fBlocked\fR account. See \fBSecurity\fR.
.RE

.sp
.ne 2
.na
\fBNL\fR
.ad
.RS 6n
This account is a \fBno login\fR account. See \fBSecurity\fR.
.RE

.sp
.ne 2
.na
\fBNP\fR
.ad
.RS 6n
This account has no password and is therefore open without authentication.
.RE

.sp
.ne 2
.na
\fBPS\fR
.ad
.RS 6n
This account has a password.
.RE

.RE

.sp
.ne 2
.na
\fB\fImm/dd/yy\fR\fR
.ad
.RS 12n
The date password was last changed for \fIname\fR. All password aging dates are
determined using Greenwich Mean Time (Universal Time) and therefore can differ
by as much as a day in other time zones.
.RE

.sp
.ne 2
.na
\fB\fImin\fR\fR
.ad
.RS 12n
The minimum number of days required between password changes for \fIname\fR.
\fBMINWEEKS\fR is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
.RE

.sp
.ne 2
.na
\fB\fImax\fR\fR
.ad
.RS 12n
The maximum number of days the password is valid for \fIname\fR. \fBMAXWEEKS\fR
is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
.RE

.sp
.ne 2
.na
\fB\fIwarn\fR\fR
.ad
.RS 12n
The number of days, relative to \fImax\fR, before the password expires at which
\fIname\fR is warned.
.RE

.SS "Security"
.LP
\fBpasswd\fR uses \fBpam\fR(3PAM) for password change. It calls PAM with a
service name \fBpasswd\fR and uses service module type \fBauth\fR for
authentication and \fBpassword\fR for password change.
.sp
.LP
Locking an account (\fB-l\fR option) does not allow its use for password based
login or delayed execution (such as \fBat\fR(1), \fBbatch\fR(1), or
\fBcron\fR(1M)).
The \fB-N\fR option can be used to disallow password based
login, while continuing to allow delayed execution.
.SH OPTIONS
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-a\fR\fR
.ad
.RS 17n
Shows password attributes for all entries. Use only with the \fB-s\fR option.
\fIname\fR must not be provided. For the \fBnisplus\fR repository, this shows
only the entries in the NIS+ password table in the local domain that the
invoker is authorized to read. For the \fBfiles\fR and \fBldap\fR repositories,
this is restricted to the superuser.
.RE

.sp
.ne 2
.na
\fB\fB-D\fR \fIdomainname\fR\fR
.ad
.RS 17n
Consults the \fBpasswd.org_dir\fR table in \fBdomainname\fR. If this option is
not specified, the default \fBdomainname\fR returned by
\fBnis_local_directory\fR(3NSL) is used. This domain name is the same as that
returned by \fBdomainname\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fB-e\fR\fR
.ad
.RS 17n
Changes the login shell. The choice of shell is limited by the requirements
of \fBgetusershell\fR(3C). If the user currently has a shell that is not
allowed by \fBgetusershell\fR, only root can change it.
.RE

.sp
.ne 2
.na
\fB\fB-g\fR\fR
.ad
.RS 17n
Changes the gecos (finger) information. For the \fBfiles\fR repository, this
only works for the superuser. Normal users can change the \fBldap\fR,
\fBnis\fR, or \fBnisplus\fR repositories.
.RE

.sp
.ne 2
.na
\fB\fB-h\fR\fR
.ad
.RS 17n
Changes the home directory.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR\fR
.ad
.RS 17n
Specifies the repository to which an operation is applied. The supported
repositories are \fBfiles\fR, \fBldap\fR, \fBnis\fR, or \fBnisplus\fR.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIname\fR\fR
.ad
.RS 17n
Shows password attributes for the login \fIname\fR. For the \fBnisplus\fR
repository, this works for everyone. However, for the \fBfiles\fR and \fBldap\fR
repositories, this only works for the superuser. It does not work at all for
the \fBnis\fR repository, which does not support password aging.
.sp
The output of this option, and only this option, is Stable and parsable. The
format is \fIusername\fR followed by white space followed by one of the
following codes.
.sp
New codes might be added in the future, so code that parses this must be
flexible in the face of unknown codes. While all existing codes are two
characters in length, that might not always be the case.
.sp
The following are the current status codes:
.sp
.ne 2
.na
\fB\fBLK\fR\fR
.ad
.RS 6n
Account is locked for UNIX authentication. \fBpasswd -l\fR was run or the
authentication failed \fBRETRIES\fR times.
.RE

.sp
.ne 2
.na
\fB\fBNL\fR\fR
.ad
.RS 6n
The account is a no login account. \fBpasswd -N\fR has been run.
.RE

.sp
.ne 2
.na
\fB\fBNP\fR\fR
.ad
.RS 6n
Account has no password. \fBpasswd -d\fR was run.
.RE

.sp
.ne 2
.na
\fB\fBPS\fR\fR
.ad
.RS 6n
The account probably has a valid password.
.RE

.sp
.ne 2
.na
\fB\fBUN\fR\fR
.ad
.RS 6n
The data in the password field is unknown. It is not a recognizable hashed
password or any of the above entries. See \fBcrypt\fR(3C) for valid password
hashes.
.RE

.RE

.SS "Privileged User Options"
.LP
Only a privileged user can use the following options:
.sp
.ne 2
.na
\fB\fB-d\fR\fR
.ad
.RS 11n
Deletes password for \fIname\fR and unlocks the account. The login \fIname\fR
is not prompted for password.
It is only applicable to the \fBfiles\fR and
\fBldap\fR repositories.
.sp
If the \fBlogin\fR(1) option \fBPASSREQ=YES\fR is configured, the account is
not able to log in. \fBPASSREQ=YES\fR is the delivered default.
.RE

.sp
.ne 2
.na
\fB\fB-f\fR\fR
.ad
.RS 11n
Forces the user to change password at the next login by expiring the password
for \fIname\fR.
.RE

.sp
.ne 2
.na
\fB\fB-l\fR\fR
.ad
.RS 11n
Locks password entry for \fIname\fR. See the \fB-d\fR or \fB-u\fR option for
unlocking the account.
.RE

.sp
.ne 2
.na
\fB\fB-N\fR\fR
.ad
.RS 11n
Makes the password entry for \fIname\fR a value that cannot be used for login, but
does not lock the account. See the \fB-d\fR option for removing the value, or
to set a password to allow logins.
.RE

.sp
.ne 2
.na
\fB\fB-n\fR \fImin\fR\fR
.ad
.RS 11n
Sets minimum field for \fIname\fR. The \fImin\fR field contains the minimum
number of days between password changes for \fIname\fR. If \fImin\fR is greater
than \fImax\fR, the user cannot change the password. Always use this option
with the \fB-x\fR option, unless \fImax\fR is set to \fB\(mi1\fR (aging turned
off). In that case, \fImin\fR need not be set.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR\fR
.ad
.RS 11n
Unlocks a locked password entry for \fIname\fR. See the \fB-d\fR option for removing
the locked password, or to set a password to allow logins.
.RE

.sp
.ne 2
.na
\fB\fB-w\fR \fIwarn\fR\fR
.ad
.RS 11n
Sets warn field for \fIname\fR. The \fIwarn\fR field contains the number of
days before the password expires at which the user is warned. This option is not
valid if password aging is disabled.
.RE

.sp
.ne 2
.na
\fB\fB-x\fR \fImax\fR\fR
.ad
.RS 11n
Sets maximum field for \fIname\fR.
The \fImax\fR field contains the number of
days that the password is valid for \fIname\fR. The aging for \fIname\fR is
turned off immediately if \fImax\fR is set to \fB\(mi1\fR\&.
.RE

.sp
.ne 2
.na
\fB\fB-S\fR\fR
.ad
.RS 11n
Reads the password from standard input (pipe).
.RE

.SH OPERANDS
.LP
The following operand is supported:
.sp
.ne 2
.na
\fB\fIname\fR\fR
.ad
.RS 8n
User login name.
.RE

.SH ENVIRONMENT VARIABLES
.LP
If any of the \fBLC_*\fR variables, that is, \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR,
\fBLC_TIME\fR, \fBLC_COLLATE\fR, \fBLC_NUMERIC\fR, and \fBLC_MONETARY\fR (see
\fBenviron\fR(5)), are not set in the environment, the operational behavior of
\fBpasswd\fR for each corresponding locale category is determined by the value
of the \fBLANG\fR environment variable. If \fBLC_ALL\fR is set, its contents
are used to override both the \fBLANG\fR and the other \fBLC_*\fR variables. If
none of the above variables is set in the environment, the \fBC\fR (U.S. style)
locale determines how \fBpasswd\fR behaves.
.sp
.ne 2
.na
\fB\fBLC_CTYPE\fR\fR
.ad
.RS 15n
Determines how \fBpasswd\fR handles characters. When \fBLC_CTYPE\fR is set to a
valid value, \fBpasswd\fR can display and handle text and filenames containing
valid characters for that locale. \fBpasswd\fR can display and handle Extended
Unix Code (\fBEUC\fR) characters where any individual character can be 1, 2, or
3 bytes wide. \fBpasswd\fR can also handle \fBEUC\fR characters of 1, 2, or
more column widths. In the \fBC\fR locale, only characters from ISO 8859-1 are
valid.
.RE

.sp
.ne 2
.na
\fB\fBLC_MESSAGES\fR\fR
.ad
.RS 15n
Determines how diagnostic and informative messages are presented.
This includes
the language and style of the messages, and the correct form of affirmative and
negative responses. In the \fBC\fR locale, the messages are presented in the
default form found in the program itself (in most cases, U.S. English).
.RE

.SH EXIT STATUS
.LP
The \fBpasswd\fR command exits with one of the following values:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.RS 6n
Success.
.RE

.sp
.ne 2
.na
\fB\fB1\fR\fR
.ad
.RS 6n
Permission denied.
.RE

.sp
.ne 2
.na
\fB\fB2\fR\fR
.ad
.RS 6n
Invalid combination of options.
.RE

.sp
.ne 2
.na
\fB\fB3\fR\fR
.ad
.RS 6n
Unexpected failure. Password file unchanged.
.RE

.sp
.ne 2
.na
\fB\fB4\fR\fR
.ad
.RS 6n
Unexpected failure. Password file(s) missing.
.RE

.sp
.ne 2
.na
\fB\fB5\fR\fR
.ad
.RS 6n
Password file(s) busy. Try again later.
.RE

.sp
.ne 2
.na
\fB\fB6\fR\fR
.ad
.RS 6n
Invalid argument to option.
.RE

.sp
.ne 2
.na
\fB\fB7\fR\fR
.ad
.RS 6n
Aging option is disabled.
.RE

.sp
.ne 2
.na
\fB\fB8\fR\fR
.ad
.RS 6n
No memory.
.RE

.sp
.ne 2
.na
\fB\fB9\fR\fR
.ad
.RS 6n
System error.
.RE

.sp
.ne 2
.na
\fB\fB10\fR\fR
.ad
.RS 6n
Account expired.
.RE

.SH FILES
.ne 2
.na
\fB\fB/etc/default/passwd\fR\fR
.ad
.RS 23n
Default values can be set for the following flags in \fB/etc/default/passwd\fR.
For example: \fBMAXWEEKS=26\fR
.sp
.ne 2
.na
\fB\fBDICTIONDBDIR\fR\fR
.ad
.RS 16n
The directory where the generated dictionary databases reside. Defaults to
\fB/var/passwd\fR.
.sp
If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
does not perform a dictionary check.
.RE

.sp
.ne 2
.na
\fB\fBDICTIONLIST\fR\fR
.ad
.RS 16n
\fBDICTIONLIST\fR can contain a list of comma-separated dictionary files such as
\fBDICTIONLIST=\fR\fIfile1\fR, \fIfile2\fR, \fIfile3\fR. Each dictionary file
contains multiple lines and each line consists of a word and a NEWLINE
character (similar to \fB/usr/share/lib/dict/words\fR). You must specify full
pathnames. The words from these files are merged into a database that is used
to determine whether a password is based on a dictionary word.
.sp
If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
does not perform a dictionary check.
.sp
To pre-build the dictionary database, see \fBmkpwdict\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fBHISTORY\fR\fR
.ad
.RS 16n
Maximum number of prior passwords to keep in the history for a user. Setting the
\fBHISTORY\fR value to zero (\fB0\fR), or removing the flag, causes the prior
password history of all users to be discarded at the next password change by
any user. The default is not to define the \fBHISTORY\fR flag. The maximum
value is \fB26\fR. Currently, this functionality is enforced only for user
accounts defined in the \fBfiles\fR name service (local
\fBpasswd\fR(4)/\fBshadow\fR(4)).
.RE

.sp
.ne 2
.na
\fB\fBMAXREPEATS\fR\fR
.ad
.RS 16n
Maximum number of allowable consecutive repeating characters. If
\fBMAXREPEATS\fR is not set or is zero (\fB0\fR), the default is no checks.
.RE

.sp
.ne 2
.na
\fB\fBMAXWEEKS\fR\fR
.ad
.RS 16n
Maximum time period that password is valid.
.RE

.sp
.ne 2
.na
\fB\fBMINALPHA\fR\fR
.ad
.RS 16n
Minimum number of alpha characters required.
If \fBMINALPHA\fR is not set, the
default is \fB2\fR.
.RE

.sp
.ne 2
.na
\fB\fBMINDIFF\fR\fR
.ad
.RS 16n
Minimum differences required between an old and a new password. If
\fBMINDIFF\fR is not set, the default is \fB3\fR.
.RE

.sp
.ne 2
.na
\fB\fBMINDIGIT\fR\fR
.ad
.RS 16n
Minimum number of digits required. If \fBMINDIGIT\fR is not set or is set to
zero (\fB0\fR), the default is no checks. You cannot specify \fBMINDIGIT\fR
if \fBMINNONALPHA\fR is also specified.
.RE

.sp
.ne 2
.na
\fB\fBMINLOWER\fR\fR
.ad
.RS 16n
Minimum number of lower case letters required. If not set or zero (0), the
default is no checks.
.RE

.sp
.ne 2
.na
\fB\fBMINNONALPHA\fR\fR
.ad
.RS 16n
Minimum number of non-alpha (including numeric and special) characters required. If
\fBMINNONALPHA\fR is not set, the default is \fB1\fR. You cannot specify
\fBMINNONALPHA\fR if \fBMINDIGIT\fR or \fBMINSPECIAL\fR is also specified.
.RE

.sp
.ne 2
.na
\fB\fBMINWEEKS\fR\fR
.ad
.RS 16n
Minimum time period before the password can be changed.
.RE

.sp
.ne 2
.na
\fB\fBMINSPECIAL\fR\fR
.ad
.RS 16n
Minimum number of special (non-alpha and non-digit) characters required. If
\fBMINSPECIAL\fR is not set or is zero (\fB0\fR), the default is no checks. You
cannot specify \fBMINSPECIAL\fR if you also specify \fBMINNONALPHA\fR.
.RE

.sp
.ne 2
.na
\fB\fBMINUPPER\fR\fR
.ad
.RS 16n
Minimum number of upper case letters required. If \fBMINUPPER\fR is not set or
is zero (\fB0\fR), the default is no checks.
.RE

.sp
.ne 2
.na
\fB\fBNAMECHECK\fR\fR
.ad
.RS 16n
Enable/disable checking of the login name. The default is to do login name
checking. A case-insensitive value of \fBno\fR disables this feature.
.RE

.sp
.ne 2
.na
\fB\fBPASSLENGTH\fR\fR
.ad
.RS 16n
Minimum length of password, in characters.
.RE

.sp
.ne 2
.na
\fB\fBWARNWEEKS\fR\fR
.ad
.RS 16n
Time period until warning of date of password's ensuing expiration.
.RE

.sp
.ne 2
.na
\fB\fBWHITESPACE\fR\fR
.ad
.RS 16n
Determine if white space characters are allowed in passwords. Valid values are
\fBYES\fR and \fBNO\fR. If \fBWHITESPACE\fR is not set or is set to \fBYES\fR,
white space characters are allowed.
.RE

.RE

.sp
.ne 2
.na
\fB\fB/etc/oshadow\fR\fR
.ad
.RS 23n
Temporary file used by \fBpasswd\fR, \fBpassmgmt\fR and \fBpwconv\fR to update
the real shadow file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/passwd\fR\fR
.ad
.RS 23n
Password file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/shadow\fR\fR
.ad
.RS 23n
Shadow password file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/shells\fR\fR
.ad
.RS 23n
Shell database.
.RE

.SH ATTRIBUTES
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
CSI	Enabled
_
Interface Stability	See below.
.TE

.sp
.LP
The human readable output is Uncommitted. The options are Committed.
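.sp
.LP
The constraints that the FILES section places on \fB/etc/default/passwd\fR
(mutually exclusive flags, the \fBHISTORY\fR ceiling, full pathnames in
\fBDICTIONLIST\fR) can be checked mechanically. The linter below is an added
example, not part of the original manual page or of the system it documents;
the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint a /etc/default/passwd-style file against the rules
# stated in the FILES section. Function names here are hypothetical.

# Constructed sample with several deliberate mistakes.
sample_default_passwd() {
    cat <<'EOF'
# constructed sample, not a shipped default
MAXWEEKS=26
MINWEEKS=
PASSLENGTH=12
HISTORY=30
MINDIGIT=1
MINNONALPHA=2
DICTIONLIST=/usr/share/lib/dict/words, local/words
WHITESPACE=maybe
NAMECHECK=NO
EOF
}

# Reads KEY=VALUE lines on stdin, prints one "ERROR ..." or "WARN ..." line
# per finding, and prints nothing for a file that passes every check.
lint_default_passwd() {
    awk '
    /^[ \t]*#/ { next }                        # comment line
    {
        eq = index($0, "=")
        if (eq == 0) next                      # not a KEY=VALUE line
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (val != "") conf[key] = val         # empty value counts as not set
    }
    END {
        if (("MINNONALPHA" in conf) && ("MINDIGIT" in conf))
            print "ERROR MINNONALPHA and MINDIGIT cannot both be specified"
        if (("MINNONALPHA" in conf) && ("MINSPECIAL" in conf))
            print "ERROR MINNONALPHA and MINSPECIAL cannot both be specified"
        if (("HISTORY" in conf) && conf["HISTORY"] + 0 > 26)
            print "ERROR HISTORY=" conf["HISTORY"] " exceeds the maximum value of 26"
        if ("DICTIONLIST" in conf) {
            n = split(conf["DICTIONLIST"], files, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", files[i])
                if (files[i] !~ /^\//)
                    print "ERROR DICTIONLIST entry is not a full pathname: " files[i]
            }
        }
        if (("WHITESPACE" in conf) && conf["WHITESPACE"] != "YES" && conf["WHITESPACE"] != "NO")
            print "ERROR WHITESPACE=" conf["WHITESPACE"] " is not YES or NO"
        if (("PASSLENGTH" in conf) && conf["PASSLENGTH"] + 0 > 8)
            print "WARN PASSLENGTH above 8 needs a policy.conf algorithm that supports it"
        if (!("DICTIONLIST" in conf) && !("DICTIONDBDIR" in conf))
            print "WARN neither DICTIONLIST nor DICTIONDBDIR set: no dictionary check"
        if (("NAMECHECK" in conf) && tolower(conf["NAMECHECK"]) == "no")
            print "WARN NAMECHECK=no disables login name checking"
    }'
}

# Stand-alone run on the constructed sample.
sample_default_passwd | lint_default_passwd
```

To check a real system, feed the file on standard input: \fBlint_default_passwd < /etc/default/passwd\fR.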
.SH SEE ALSO
.LP
\fBat\fR(1), \fBbatch\fR(1), \fBfinger\fR(1), \fBkpasswd\fR(1), \fBlogin\fR(1),
\fBnistbladm\fR(1), \fBcron\fR(1M), \fBdomainname\fR(1M), \fBeeprom\fR(1M),
\fBid\fR(1M), \fBldapclient\fR(1M), \fBmkpwdict\fR(1M), \fBpassmgmt\fR(1M),
\fBpwconv\fR(1M), \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M),
\fBusermod\fR(1M), \fBcrypt\fR(3C), \fBgetpwnam\fR(3C), \fBgetspnam\fR(3C),
\fBgetusershell\fR(3C), \fBnis_local_directory\fR(3NSL), \fBpam\fR(3PAM),
\fBloginlog\fR(4), \fBnsswitch.conf\fR(4), \fBpam.conf\fR(4), \fBpasswd\fR(4),
\fBpolicy.conf\fR(4), \fBshadow\fR(4), \fBshells\fR(4), \fBattributes\fR(5),
\fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
\fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_ldap\fR(5),
\fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5)
.SH NOTES
.LP
The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
provided by \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
\fBpam_unix_session\fR(5), \fBpam_authtok_check\fR(5),
\fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), and
\fBpam_passwd_auth\fR(5).
.LP
The \fBnispasswd\fR and \fBypasswd\fR commands are wrappers around
\fBpasswd\fR. Use of \fBnispasswd\fR and \fBypasswd\fR is discouraged. Use
\fBpasswd\fR \fB-r\fR \fIrepository_name\fR instead.
.sp
.LP
NIS+ might not be supported in future releases of the Solaris operating system.
Tools to aid the migration from NIS+ to LDAP are available in the current
Solaris release. For more information, visit
http://www.sun.com/directory/nisplus/transition.html.
.sp
.LP
Changing a password in the \fBfiles\fR and \fBldap\fR repositories clears the
failed login count.
.sp
.LP
Changing a password reactivates an account deactivated for inactivity for the
length of the inactivity period.
.sp
.LP
If \fB/etc/shells\fR is present, and is corrupted, it may provide an attack
vector that would compromise the system. The \fBgetusershell\fR(3C) library
call has a pre-vetted list of shells, so \fB/etc/shells\fR should be used with
caution.
.sp
.LP
Input terminal processing might interpret some key sequences and not pass them
to the \fBpasswd\fR command.
.sp
.LP
An account with no password, status code \fBNP\fR, might not be able to log in.
See the \fBlogin\fR(1) \fBPASSREQ\fR option.
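.sp
.LP
Because the \fB-s\fR output is Stable and parsable, it can feed an account
audit. The script below is an added example, not part of the original manual
page: it triages the status codes listed under OPTIONS and reports unknown
codes instead of assuming every code is two characters long. The sample lines,
function names and severity labels are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage `passwd -s -a` output.
# Input format, per the page: "name status [mm/dd/yy min max warn]".

# Constructed sample lines; on a real system the input would come from
# `passwd -s -a` run by the superuser.
sample_passwd_s() {
    cat <<'EOF'
root      PS    06/18/15     7    56     7
daemon    NL
svcacct   NP
alice     PS    01/05/15    60    30     7
bob       LK    03/02/14     7    56     7
carol     PS
legacy    UN
future    XLK   06/01/15     7    56     7
EOF
}

# Prints "<severity> <name> <status> <reason>" for each account that needs
# attention. Severity labels are this example's own convention.
audit_passwd_status() {
    awk '
    NF < 2 { next }                       # blank or truncated line
    {
        name = $1; status = $2
        if (status == "NP") {
            print "HIGH", name, status, "no password: open without authentication"
        } else if (status == "UN") {
            print "REVIEW", name, status, "password field is not a recognizable hash"
        } else if (status == "LK" || status == "NL") {
            next                          # not usable for password login
        } else if (status == "PS") {
            if (NF < 5)
                print "INFO", name, status, "no password aging information"
            else if ($4 + 0 > $5 + 0)
                print "REVIEW", name, status, "min exceeds max: user cannot change password"
        } else {
            # Future codes may exist and may not be two characters long.
            print "REVIEW", name, status, "status code unknown to this script"
        }
    }'
}

# Stand-alone run on the constructed sample.
sample_passwd_s | audit_passwd_status
```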