4107 Add passwd option to read passwords from stdin
--- old/usr/src/man/man1/passwd.1
+++ new/usr/src/man/man1/passwd.1
1 1 '\" te
2 2 .\" Copyright 1989 AT&T
3 3 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
4 +.\" Copyright 2015 Nexenta Systems, Inc. All rights reserved.
4 5 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 6 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
6 7 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.TH PASSWD 1 "May 31, 2013"
8 +.TH PASSWD 1 "Jun 18, 2015"
8 9 .SH NAME
9 10 passwd \- change login password and password attributes
10 11 .SH SYNOPSIS
11 12 .LP
12 13 .nf
13 14 \fBpasswd\fR [\fB-r\fR files | \fB-r\fR ldap | \fB-r\fR nis | \fB-r\fR nisplus] [\fIname\fR]
14 15 .fi
15 16
16 17 .LP
17 18 .nf
18 19 \fBpasswd\fR [\fB-r\fR files] [\fB-egh\fR] [\fIname\fR]
19 20 .fi
20 21
21 22 .LP
22 23 .nf
23 24 \fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fB-a\fR]
24 25 .fi
25 26
26 27 .LP
27 28 .nf
28 29 \fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fIname\fR]
29 30 .fi
30 31
31 32 .LP
32 33 .nf
33 34 \fBpasswd\fR [\fB-r\fR files] [\fB-d\fR | \fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR]
34 35 [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
35 36 .fi
36 37
37 38 .LP
38 39 .nf
39 40 \fBpasswd\fR \fB-r\fR ldap [\fB-egh\fR] [\fIname\fR]
40 41 .fi
41 42
42 43 .LP
43 44 .nf
44 45 \fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fB-a\fR]
45 46 .fi
46 47
47 48 .LP
48 49 .nf
49 50 \fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fIname\fR]
50 51 .fi
51 52
52 53 .LP
53 54 .nf
54 55 \fBpasswd\fR \fB-r\fR ldap [\fB-d | -l | -u | -N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
55 56 .fi
56 57
57 58 .LP
58 59 .nf
59 60 \fBpasswd\fR \fB-r\fR nis [\fB-egh\fR] [\fIname\fR]
60 61 .fi
61 62
62 63 .LP
63 64 .nf
64 65 \fBpasswd\fR \fB-r\fR nisplus [\fB-egh\fR] [\fB-D\fR \fIdomainname\fR] [\fIname\fR]
65 66 .fi
66 67
67 68 .LP
68 69 .nf
69 70 \fBpasswd\fR \fB-r\fR nisplus \fB-s\fR [\fB-a\fR]
70 71 .fi
71 72
72 73 .LP
73 74 .nf
74 75 \fBpasswd\fR \fB-r\fR nisplus [\fB-D\fR \fIdomainname\fR] \fB-s\fR [\fIname\fR]
75 76 .fi
76 77
77 78 .LP
78 79 .nf
79 80 \fBpasswd\fR \fB-r\fR nisplus [\fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR]
80 81 [\fB-x\fR \fImax\fR] [\fB-D\fR \fIdomainname\fR] \fIname\fR
81 82 .fi
82 83
84 +.LP
85 +.nf
86 +\fBpasswd\fR \fB-S\fR [\fIname\fR]
87 +.fi
88 +
83 89 .SH DESCRIPTION
84 -.sp
85 90 .LP
86 91 The \fBpasswd\fR command changes the password or lists password attributes
87 92 associated with the user's login \fIname\fR. Additionally, privileged users can
88 93 use \fBpasswd\fR to install or change passwords and attributes associated with
89 94 any login \fIname\fR.
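Review bot: The added synopsis line `passwd -S [name]` shows -S alone, with no `-r` repository and with `name` optional, while the option itself is documented further down after -x under "Privileged User Options", where the other forms take a mandatory `name`. Please make the two agree: if -S is valid together with `-r`, show that in the synopsis the way the other forms do, and say whether an unprivileged user may run it without `name`.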
90 95 .sp
91 96 .LP
92 97 When used to change a password, \fBpasswd\fR prompts everyone for their old
93 98 password, if any. It then prompts for the new password twice. When the old
94 99 password is entered, \fBpasswd\fR checks to see if it has aged sufficiently. If
95 100 \fBaging\fR is insufficient, \fBpasswd\fR terminates; see \fBpwconv\fR(1M),
96 101 \fBnistbladm\fR(1), and \fBshadow\fR(4) for additional information.
97 102 .sp
98 103 .LP
99 104 The \fBpwconv\fR command creates and updates \fB/etc/shadow\fR with information
100 105 from \fB/etc/passwd\fR. \fBpwconv\fR relies on a special value of \fBx\fR in
101 106 the password field of \fB/etc/passwd\fR. This value of \fBx\fRindicates that
102 107 the password for the user is already in \fB/etc/shadow\fR and should not be
103 108 modified.
104 109 .sp
105 110 .LP
106 111 If aging is sufficient, a check is made to ensure that the new password meets
107 112 construction requirements. When the new password is entered a second time, the
108 113 two copies of the new password are compared. If the two copies are not
109 114 identical, the cycle of prompting for the new password is repeated for, at
110 115 most, two more times.
111 116 .sp
112 117 .LP
113 118 Passwords must be constructed to meet the following requirements:
114 119 .RS +4
115 120 .TP
116 121 .ie t \(bu
117 122 .el o
118 123 Each password must have \fBPASSLENGTH\fR characters, where \fBPASSLENGTH\fR is
119 124 defined in \fB/etc/default/passwd\fR and is set to \fB6\fR. Setting
120 125 \fBPASSLENGTH\fR to more than eight characters requires configuring
121 126 \fBpolicy.conf\fR(4) with an algorithm that supports greater than eight
122 127 characters.
123 128 .RE
124 129 .RS +4
125 130 .TP
126 131 .ie t \(bu
127 132 .el o
128 133 Each password must meet the configured complexity constraints specified in
129 134 \fB/etc/default/passwd\fR.
130 135 .RE
131 136 .RS +4
132 137 .TP
133 138 .ie t \(bu
134 139 .el o
135 140 Each password must not be a member of the configured dictionary as specified in
136 141 \fB/etc/default/passwd\fR.
137 142 .RE
138 143 .RS +4
139 144 .TP
140 145 .ie t \(bu
141 146 .el o
142 147 For accounts in name services which support password history checking, if prior
143 148 password history is defined, new passwords must not be contained in the prior
144 149 password history.
145 150 .RE
146 151 .sp
147 152 .LP
148 153 If all requirements are met, by default, the \fBpasswd\fR command consults
149 154 \fB/etc/nsswitch.conf\fR to determine in which repositories to perform password
150 155 update. It searches the \fBpasswd\fR and \fBpasswd_compat\fR entries. The
151 156 sources (repositories) associated with these entries are updated. However, the
152 157 password update configurations supported are limited to the following cases.
153 158 Failure to comply with the configurations prevents users from logging onto the
154 159 system. The password update configurations are:
155 160 .RS +4
156 161 .TP
157 162 .ie t \(bu
158 163 .el o
159 164 \fBpasswd: files\fR
160 165 .RE
161 166 .RS +4
162 167 .TP
163 168 .ie t \(bu
164 169 .el o
165 170 \fBpasswd: files ldap\fR
166 171 .RE
167 172 .RS +4
168 173 .TP
169 174 .ie t \(bu
170 175 .el o
171 176 \fBpasswd: files nis\fR
172 177 .RE
173 178 .RS +4
174 179 .TP
175 180 .ie t \(bu
176 181 .el o
177 182 \fBpasswd: files nisplus\fR
178 183 .RE
179 184 .RS +4
180 185 .TP
181 186 .ie t \(bu
182 187 .el o
183 188 \fBpasswd: compat\fR (==> files nis)
184 189 .RE
185 190 .RS +4
186 191 .TP
187 192 .ie t \(bu
188 193 .el o
189 194 \fBpasswd: compat\fR (==> files ldap)
190 195 .sp
191 196 \fBpasswd_compat: ldap\fR
192 197 .RE
193 198 .RS +4
194 199 .TP
195 200 .ie t \(bu
196 201 .el o
197 202 \fBpasswd: compat\fR (==> files nisplus)
198 203 .sp
199 204 \fBpasswd_compat: nisplus\fR
200 205 .RE
201 206 .sp
202 207 .LP
203 208 You can add the \fBad\fR keyword to any of the \fBpasswd\fR configurations in
204 209 the above list. However, you cannot use the \fBpasswd\fR command to change the
205 210 password of an Active Directory (AD) user. If the \fBad\fR keyword is found in
206 211 the \fBpasswd\fR entry during a password update operation, it is ignored. To
207 212 update the password of an AD user, use the \fBkpasswd\fR(1) command.
208 213 .sp
209 214 .LP
210 215 Network administrators, who own the NIS+ password table, can change any
211 216 password attributes. The administrator configured for updating LDAP shadow
212 217 information can also change any password attributes. See \fBldapclient\fR(1M).
213 218 .sp
214 219 .LP
215 220 When a user has a password stored in one of the name services as well as a
216 221 local \fBfiles\fR entry, the \fBpasswd\fR command updates both. It is possible
217 222 to have different passwords in the name service and local files entry. Use
218 223 \fBpasswd\fR \fB-r\fR to change a specific password repository.
219 224 .sp
220 225 .LP
221 226 In the \fBfiles\fR case, super-users (for instance, real and effective uid
222 227 equal to \fB0\fR, see \fBid\fR(1M) and \fBsu\fR(1M)) can change any password.
223 228 Hence, \fBpasswd\fR does not prompt privileged users for the old password.
224 229 Privileged users are not forced to comply with password aging and password
225 230 construction requirements. A privileged user can create a null password by
226 231 entering a carriage return in response to the prompt for a new password. (This
227 232 differs from \fBpasswd\fR \fB-d\fR because the \fBpassword\fR prompt is still
228 233 displayed.) If NIS is in effect, superuser on the root master can change any
229 234 password without being prompted for the old NIS \fBpasswd\fR, and is not forced
230 235 to comply with password construction requirements.
231 236 .sp
232 237 .LP
233 238 If LDAP is in effect, superuser on any Native LDAP client system can change any
234 239 password without being prompted for the old LDAP passwd, and is not forced to
235 240 comply with password construction requirements.
236 241 .sp
237 242 .LP
238 243 Normally, \fBpasswd\fR entered with no arguments changes the password of the
239 244 current user. When a user logs in and then invokes \fBsu\fR(1M) to become
240 245 superuser or another user, \fBpasswd\fR changes the original user's password,
241 246 not the password of the superuser or the new user.
242 247 .sp
243 248 .LP
244 249 Any user can use the \fB-s\fR option to show password attributes for his or her
245 250 own login \fIname\fR, provided they are using the \fB-r\fR \fBnisplus\fR
246 251 argument. Otherwise, the \fB-s\fR argument is restricted to the superuser.
247 252 .sp
248 253 .LP
249 254 The format of the display is:
250 255 .sp
251 256 .in +2
252 257 .nf
253 258 \fIname status mm/dd/yy min max warn\fR
254 259 .fi
255 260 .in -2
256 261 .sp
257 262
258 263 .sp
259 264 .LP
260 265 or, if password aging information is not present,
261 266 .sp
262 267 .in +2
263 268 .nf
264 269 \fIname status\fR
265 270 .fi
266 271 .in -2
267 272 .sp
268 273
269 274 .sp
270 275 .LP
271 276 where
272 277 .sp
273 278 .ne 2
274 279 .na
275 280 \fB\fIname\fR\fR
276 281 .ad
277 282 .RS 12n
278 283 The login \fBID\fR of the user.
279 284 .RE
280 285
281 286 .sp
282 287 .ne 2
283 288 .na
284 289 \fB\fIstatus\fR\fR
285 290 .ad
286 291 .RS 12n
287 292 The password status of \fIname\fR.
288 293 .sp
289 294 The \fIstatus\fR field can take the following values:
290 295 .sp
291 296 .ne 2
292 297 .na
293 298 \fBLK\fR
294 299 .ad
295 300 .RS 6n
296 301 This account is \fBlocked\fR account. See Security.
297 302 .RE
298 303
299 304 .sp
300 305 .ne 2
301 306 .na
302 307 \fBNL\fR
303 308 .ad
304 309 .RS 6n
305 310 This account is a \fBno login\fR account. See \fBSecurity\fR.
306 311 .RE
307 312
308 313 .sp
309 314 .ne 2
310 315 .na
311 316 \fBNP\fR
312 317 .ad
313 318 .RS 6n
314 319 This account has no password and is therefore open without authentication.
315 320 .RE
316 321
317 322 .sp
318 323 .ne 2
319 324 .na
320 325 \fBPS\fR
321 326 .ad
322 327 .RS 6n
323 328 This account has a password.
324 329 .RE
325 330
326 331 .RE
327 332
328 333 .sp
329 334 .ne 2
330 335 .na
331 336 \fB\fImm/dd/yy\fR\fR
332 337 .ad
333 338 .RS 12n
334 339 The date password was last changed for \fIname\fR. All password aging dates are
335 340 determined using Greenwich Mean Time (Universal Time) and therefore can differ
336 341 by as much as a day in other time zones.
337 342 .RE
338 343
339 344 .sp
340 345 .ne 2
341 346 .na
342 347 \fB\fImin\fR\fR
343 348 .ad
344 349 .RS 12n
345 350 The minimum number of days required between password changes for \fIname\fR.
346 351 \fBMINWEEKS\fR is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
347 352 .RE
348 353
349 354 .sp
350 355 .ne 2
351 356 .na
352 357 \fB\fImax\fR\fR
353 358 .ad
354 359 .RS 12n
355 360 The maximum number of days the password is valid for \fIname\fR. \fBMAXWEEKS\fR
356 361 is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
357 362 .RE
358 363
359 364 .sp
360 365 .ne 2
361 366 .na
362 367 \fB\fIwarn\fR\fR
363 368 .ad
364 369 .RS 12n
365 370 The number of days relative to \fImax\fR before the password expires and the
366 371 \fIname\fR are warned.
367 372 .RE
368 373
369 374 .SS "Security"
370 -.sp
371 375 .LP
372 376 \fBpasswd\fR uses \fBpam\fR(3PAM) for password change. It calls PAM with a
373 377 service name \fBpasswd\fR and uses service module type \fBauth\fR for
374 378 authentication and password for password change.
375 379 .sp
376 380 .LP
377 381 Locking an account (\fB-l\fR option) does not allow its use for password based
378 382 login or delayed execution (such as \fBat\fR(1), \fBbatch\fR(1), or
379 383 \fBcron\fR(1M)). The \fB-N\fR option can be used to disallow password based
380 384 login, while continuing to allow delayed execution.
381 385 .SH OPTIONS
382 -.sp
383 386 .LP
384 387 The following options are supported:
385 388 .sp
386 389 .ne 2
387 390 .na
388 391 \fB\fB-a\fR\fR
389 392 .ad
390 393 .RS 17n
391 394 Shows password attributes for all entries. Use only with the \fB-s\fR option.
392 395 \fIname\fR must not be provided. For the \fBnisplus\fR repository, this shows
393 396 only the entries in the NIS+ password table in the local domain that the
394 397 invoker is authorized to read. For the \fBfiles\fR and \fBldap\fR repositories,
395 398 this is restricted to the superuser.
396 399 .RE
397 400
398 401 .sp
399 402 .ne 2
400 403 .na
401 404 \fB\fB-D\fR \fIdomainname\fR\fR
402 405 .ad
403 406 .RS 17n
404 407 Consults the \fBpasswd.org_dir\fR table in \fBdomainname\fR. If this option is
405 408 not specified, the default \fBdomainname\fR returned by
406 409 \fBnis_local_directory\fR(3NSL) are used. This domain name is the same as that
407 410 returned by \fBdomainname\fR(1M).
408 411 .RE
409 412
410 413 .sp
411 414 .ne 2
412 415 .na
413 416 \fB\fB-e\fR\fR
414 417 .ad
415 418 .RS 17n
416 419 Changes the login shell. The choice of shell is limited by the requirements
417 420 of \fBgetusershell\fR(3C). If the user currently has a shell that is not
418 421 allowed by \fBgetusershell\fR, only root can change it.
419 422 .RE
420 423
421 424 .sp
422 425 .ne 2
423 426 .na
424 427 \fB\fB-g\fR\fR
425 428 .ad
426 429 .RS 17n
427 430 Changes the gecos (finger) information. For the \fBfiles\fR repository, this
428 431 only works for the superuser. Normal users can change the \fBldap\fR,
429 432 \fBnis\fR, or \fBnisplus\fR repositories.
430 433 .RE
431 434
432 435 .sp
433 436 .ne 2
434 437 .na
435 438 \fB\fB-h\fR\fR
436 439 .ad
437 440 .RS 17n
438 441 Changes the home directory.
439 442 .RE
440 443
441 444 .sp
442 445 .ne 2
443 446 .na
444 447 \fB\fB-r\fR\fR
445 448 .ad
446 449 .RS 17n
447 450 Specifies the repository to which an operation is applied. The supported
448 451 repositories are \fBfiles\fR, \fBldap\fR, \fBnis\fR, or \fBnisplus\fR.
449 452 .RE
450 453
451 454 .sp
452 455 .ne 2
453 456 .na
454 457 \fB\fB-s\fR \fIname\fR\fR
455 458 .ad
456 459 .RS 17n
457 460 Shows password attributes for the login \fIname\fR. For the \fBnisplus\fR
458 461 repository, this works for everyone. However for the \fBfiles\fR and \fBldap\fR
459 462 repositories, this only works for the superuser. It does not work at all for
460 463 the \fBnis\fR repository which does not support password aging.
461 464 .sp
462 465 The output of this option, and only this option is Stable and parsable. The
463 466 format is \fIusername\fR followed by white space followed by one of the
464 467 following codes.
465 468 .sp
466 469 New codes might be added in the future so code that parses this must be
467 470 flexible in the face of unknown codes. While all existing codes are two
468 471 characters in length that might not always be the case.
469 472 .sp
470 473 The following are the current status codes:
471 474 .sp
472 475 .ne 2
473 476 .na
474 477 \fB\fBLK\fR\fR
475 478 .ad
476 479 .RS 6n
477 480 Account is locked for UNIX authentication. \fBpasswd -l\fR was run or the
478 481 authentication failed \fBRETRIES\fR times.
479 482 .RE
480 483
481 484 .sp
482 485 .ne 2
483 486 .na
484 487 \fB\fBNL\fR\fR
485 488 .ad
486 489 .RS 6n
487 490 The account is a no login account. \fBpasswd -N\fR has been run.
488 491 .RE
489 492
490 493 .sp
491 494 .ne 2
492 495 .na
493 496 \fB\fBNP\fR\fR
494 497 .ad
495 498 .RS 6n
496 499 Account has no password. \fBpasswd -d\fR was run.
497 500 .RE
498 501
499 502 .sp
500 503 .ne 2
501 504 .na
502 505 \fB\fBPS\fR\fR
503 506 .ad
504 507 .RS 6n
505 508 The account probably has a valid password.
506 509 .RE
507 510
508 511 .sp
509 512 .ne 2
510 513 .na
511 514 \fB\fBUN\fR\fR
512 515 .ad
513 516 .RS 6n
514 517 The data in the password field is unknown. It is not a recognizable hashed
515 518 password or any of the above entries. See \fBcrypt\fR(3C) for valid password
516 519 hashes.
517 520 .RE
518 521
519 522 .RE
520 523
521 524 .SS "Privileged User Options"
522 -.sp
523 525 .LP
524 526 Only a privileged user can use the following options:
525 527 .sp
526 528 .ne 2
527 529 .na
528 530 \fB\fB-d\fR\fR
529 531 .ad
530 532 .RS 11n
531 533 Deletes password for \fIname\fR and unlocks the account. The login \fIname\fR
532 534 is not prompted for password. It is only applicable to the \fBfiles\fR and
533 535 \fBldap\fR repositories.
534 536 .sp
535 537 If the \fBlogin\fR(1) option \fBPASSREQ=YES\fR is configured, the account is
536 538 not able to login. \fBPASSREQ=YES\fR is the delivered default.
537 539 .RE
538 540
539 541 .sp
540 542 .ne 2
541 543 .na
542 544 \fB\fB-f\fR\fR
543 545 .ad
544 546 .RS 11n
545 547 Forces the user to change password at the next login by expiring the password
546 548 for \fIname\fR.
547 549 .RE
548 550
549 551 .sp
550 552 .ne 2
551 553 .na
552 554 \fB\fB-l\fR\fR
553 555 .ad
554 556 .RS 11n
555 557 Locks password entry for \fIname\fR. See the \fB-d\fR or \fB-u\fR option for
556 558 unlocking the account.
557 559 .RE
558 560
559 561 .sp
560 562 .ne 2
561 563 .na
562 564 \fB\fB-N\fR\fR
563 565 .ad
564 566 .RS 11n
565 567 Makes the password entry for name a value that cannot be used for login, but
566 568 does not lock the account. See the \fB-d\fR option for removing the value, or
567 569 to set a password to allow logins.
568 570 .RE
569 571
570 572 .sp
571 573 .ne 2
572 574 .na
573 575 \fB\fB-n\fR \fImin\fR\fR
574 576 .ad
575 577 .RS 11n
576 578 Sets minimum field for \fIname\fR. The \fImin\fR field contains the minimum
577 579 number of days between password changes for \fIname\fR. If \fImin\fR is greater
578 580 than \fImax\fR, the user can not change the password. Always use this option
579 581 with the \fB-x\fR option, unless \fImax\fR is set to \fB\(mi1\fR (aging turned
580 582 off). In that case, \fImin\fR need not be set.
581 583 .RE
582 584
583 585 .sp
584 586 .ne 2
585 587 .na
586 588 \fB\fB-u\fR\fR
587 589 .ad
588 590 .RS 11n
589 591 Unlocks a locked password for entry name. See the \fB-d\fR option for removing
590 592 the locked password, or to set a password to allow logins.
591 593 .RE
592 594
593 595 .sp
594 596 .ne 2
595 597 .na
596 598 \fB\fB-w\fR \fIwarn\fR\fR
597 599 .ad
598 600 .RS 11n
599 601 Sets warn field for \fIname\fR. The \fIwarn\fR field contains the number of
600 602 days before the password expires and the user is warned. This option is not
601 603 valid if password aging is disabled.
602 604 .RE
603 605
604 606 .sp
605 607 .ne 2
606 608 .na
607 609 \fB\fB-x\fR \fImax\fR\fR
608 610 .ad
609 611 .RS 11n
610 612 Sets maximum field for \fIname\fR. The \fImax\fR field contains the number of
611 613 days that the password is valid for \fIname\fR. The aging for \fIname\fR is
612 614 turned off immediately if \fImax\fR is set to \fB\(mi1\fR\&.
613 615 .RE
614 616
615 -.SH OPERANDS
616 617 .sp
618 +.ne 2
619 +.na
620 +\fB\fB-S\fR\fR
621 +.ad
622 +.RS 11n
623 +Read the password from standard input (pipe).
624 +.RE
625 +
626 +.SH OPERANDS
617 627 .LP
618 628 The following operand is supported:
619 629 .sp
620 630 .ne 2
621 631 .na
622 632 \fB\fIname\fR\fR
623 633 .ad
624 634 .RS 8n
625 635 User login name.
626 636 .RE
627 637
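Review bot: The -S entry says only "Read the password from standard input (pipe)", which leaves the input contract undefined for anyone scripting against it. Please document how many lines are consumed (DESCRIPTION says passwd prompts for the old password and then for the new one twice), whether the trailing newline is stripped, whether the construction requirements from /etc/default/passwd still apply, and whether "(pipe)" means stdin must be a pipe or simply not a terminal. The entry lands inside "Privileged User Options", so state explicitly whether -S is restricted to privileged users; and because ATTRIBUTES says "The options are Committed", this wording becomes a committed interface once merged.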
628 638 .SH ENVIRONMENT VARIABLES
629 -.sp
630 639 .LP
631 640 If any of the \fBLC_*\fR variables, that is, \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR,
632 641 \fBLC_TIME\fR, \fBLC_COLLATE\fR, \fBLC_NUMERIC\fR, and \fBLC_MONETARY\fR (see
633 642 \fBenviron\fR(5)), are not set in the environment, the operational behavior of
634 643 \fBpasswd\fR for each corresponding locale category is determined by the value
635 644 of the \fBLANG\fR environment variable. If \fBLC_ALL\fR is set, its contents
636 645 are used to override both the \fBLANG\fR and the other \fBLC_*\fR variables. If
637 646 none of the above variables is set in the environment, the \fBC\fR (U.S. style)
638 647 locale determines how \fBpasswd\fR behaves.
639 648 .sp
640 649 .ne 2
641 650 .na
642 651 \fB\fBLC_CTYPE\fR\fR
643 652 .ad
644 653 .RS 15n
645 654 Determines how \fBpasswd\fR handles characters. When \fBLC_CTYPE\fR is set to a
646 655 valid value, \fBpasswd\fR can display and handle text and filenames containing
647 656 valid characters for that locale. \fBpasswd\fR can display and handle Extended
648 657 Unix Code (\fBEUC\fR) characters where any individual character can be 1, 2, or
649 658 3 bytes wide. \fBpasswd\fR can also handle \fBEUC\fR characters of 1, 2, or
650 659 more column widths. In the \fBC\fR locale, only characters from ISO 8859-1 are
651 660 valid.
652 661 .RE
653 662
654 663 .sp
655 664 .ne 2
656 665 .na
657 666 \fB\fBLC_MESSAGES\fR\fR
658 667 .ad
659 668 .RS 15n
660 669 Determines how diagnostic and informative messages are presented. This includes
661 670 the language and style of the messages, and the correct form of affirmative and
662 671 negative responses. In the \fBC\fR locale, the messages are presented in the
663 672 default form found in the program itself (in most cases, U.S. English).
664 673 .RE
665 674
666 675 .SH EXIT STATUS
667 -.sp
668 676 .LP
669 677 The \fBpasswd\fR command exits with one of the following values:
670 678 .sp
671 679 .ne 2
672 680 .na
673 681 \fB\fB0\fR\fR
674 682 .ad
675 683 .RS 6n
676 684 Success.
677 685 .RE
678 686
679 687 .sp
680 688 .ne 2
681 689 .na
682 690 \fB\fB1\fR\fR
683 691 .ad
684 692 .RS 6n
685 693 Permission denied.
686 694 .RE
687 695
688 696 .sp
689 697 .ne 2
690 698 .na
691 699 \fB\fB2\fR\fR
692 700 .ad
693 701 .RS 6n
694 702 Invalid combination of options.
695 703 .RE
696 704
697 705 .sp
698 706 .ne 2
699 707 .na
700 708 \fB\fB3\fR\fR
701 709 .ad
702 710 .RS 6n
703 711 Unexpected failure. Password file unchanged.
704 712 .RE
705 713
706 714 .sp
707 715 .ne 2
708 716 .na
709 717 \fB\fB4\fR\fR
710 718 .ad
711 719 .RS 6n
712 720 Unexpected failure. Password file(s) missing.
713 721 .RE
714 722
715 723 .sp
716 724 .ne 2
717 725 .na
718 726 \fB\fB5\fR\fR
719 727 .ad
720 728 .RS 6n
721 729 Password file(s) busy. Try again later.
722 730 .RE
723 731
724 732 .sp
725 733 .ne 2
726 734 .na
727 735 \fB\fB6\fR\fR
728 736 .ad
729 737 .RS 6n
730 738 Invalid argument to option.
731 739 .RE
732 740
733 741 .sp
734 742 .ne 2
735 743 .na
736 744 \fB\fB7\fR\fR
737 745 .ad
738 746 .RS 6n
739 747 Aging option is disabled.
740 748 .RE
741 749
742 750 .sp
743 751 .ne 2
744 752 .na
745 753 \fB\fB8\fR\fR
746 754 .ad
747 755 .RS 6n
748 756 No memory.
749 757 .RE
750 758
751 759 .sp
752 760 .ne 2
753 761 .na
754 762 \fB\fB9\fR\fR
755 763 .ad
756 764 .RS 6n
757 765 System error.
758 766 .RE
759 767
760 768 .sp
761 769 .ne 2
762 770 .na
763 771 \fB\fB10\fR\fR
764 772 .ad
765 773 .RS 6n
766 774 Account expired.
767 775 .RE
768 776
769 777 .SH FILES
770 -.sp
771 778 .ne 2
772 779 .na
773 780 \fB\fB/etc/default/passwd\fR\fR
774 781 .ad
775 782 .RS 23n
776 783 Default values can be set for the following flags in \fB/etc/default/passwd\fR.
777 784 For example: \fBMAXWEEKS=26\fR
778 785 .sp
779 786 .ne 2
780 787 .na
781 788 \fB\fBDICTIONDBDIR\fR\fR
782 789 .ad
783 790 .RS 16n
784 791 The directory where the generated dictionary databases reside. Defaults to
785 792 \fB/var/passwd\fR.
786 793 .sp
787 794 If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
788 795 does not perform a dictionary check.
789 796 .RE
790 797
791 798 .sp
792 799 .ne 2
793 800 .na
794 801 \fB\fBDICTIONLIST\fR\fR
795 802 .ad
796 803 .RS 16n
797 804 DICTIONLIST can contain list of comma separated dictionary files such as
798 805 \fBDICTIONLIST=\fR\fIfile1\fR, \fIfile2\fR, \fIfile3\fR. Each dictionary file
799 806 contains multiple lines and each line consists of a word and a NEWLINE
800 807 character (similar to \fB/usr/share/lib/dict/words\fR.) You must specify full
801 808 pathnames. The words from these files are merged into a database that is used
802 809 to determine whether a password is based on a dictionary word.
803 810 .sp
804 811 If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
805 812 does not perform a dictionary check.
806 813 .sp
807 814 To pre-build the dictionary database, see \fBmkpwdict\fR(1M).
808 815 .RE
809 816
810 817 .sp
811 818 .ne 2
812 819 .na
813 820 \fB\fBHISTORY\fR\fR
814 821 .ad
815 822 .RS 16n
816 823 Maximum number of prior password history to keep for a user. Setting the
817 824 \fBHISTORY\fR value to zero (\fB0\fR), or removing the flag, causes the prior
818 825 password history of all users to be discarded at the next password change by
819 826 any user. The default is not to define the \fBHISTORY\fR flag. The maximum
820 827 value is \fB26.\fR Currently, this functionality is enforced only for user
821 828 accounts defined in the \fBfiles\fR name service (local
822 829 \fBpasswd\fR(4)/\fBshadow\fR(4)).
823 830 .RE
824 831
825 832 .sp
826 833 .ne 2
827 834 .na
828 835 \fB\fBMAXREPEATS\fR\fR
829 836 .ad
830 837 .RS 16n
831 838 Maximum number of allowable consecutive repeating characters. If
832 839 \fBMAXREPEATS\fR is not set or is zero (\fB0\fR), the default is no checks
833 840 .RE
834 841
835 842 .sp
836 843 .ne 2
837 844 .na
838 845 \fB\fBMAXWEEKS\fR\fR
839 846 .ad
840 847 .RS 16n
841 848 Maximum time period that password is valid.
842 849 .RE
843 850
844 851 .sp
845 852 .ne 2
846 853 .na
847 854 \fB\fBMINALPHA\fR\fR
848 855 .ad
849 856 .RS 16n
850 857 Minimum number of alpha character required. If \fBMINALPHA\fR is not set, the
851 858 default is \fB2\fR.
852 859 .RE
853 860
854 861 .sp
855 862 .ne 2
856 863 .na
857 864 \fB\fBMINDIFF\fR\fR
858 865 .ad
859 866 .RS 16n
860 867 Minimum differences required between an old and a new password. If
861 868 \fBMINDIFF\fR is not set, the default is \fB3\fR.
862 869 .RE
863 870
864 871 .sp
865 872 .ne 2
866 873 .na
867 874 \fB\fBMINDIGIT\fR\fR
868 875 .ad
869 876 .RS 16n
870 877 Minimum number of digits required. If \fBMINDIGIT\fR is not set or is set to
871 878 zero (\fB0\fR), the default is no checks. You cannot be specify \fBMINDIGIT\fR
872 879 if \fBMINNONALPHA\fR is also specified.
873 880 .RE
874 881
875 882 .sp
876 883 .ne 2
877 884 .na
878 885 \fB\fBMINLOWER\fR\fR
879 886 .ad
880 887 .RS 16n
881 888 Minimum number of lower case letters required. If not set or zero (0), the
882 889 default is no checks.
883 890 .RE
884 891
885 892 .sp
886 893 .ne 2
887 894 .na
888 895 \fB\fBMINNONALPHA\fR\fR
889 896 .ad
890 897 .RS 16n
891 898 Minimum number of non-alpha (including numeric and special) required. If
892 899 \fBMINNONALPHA\fR is not set, the default is \fB1\fR. You cannot specify
893 900 \fBMINNONALPHA\fR if \fBMINDIGIT\fR or \fBMINSPECIAL\fR is also specified.
894 901 .RE
895 902
896 903 .sp
897 904 .ne 2
898 905 .na
899 906 \fB\fBMINWEEKS\fR\fR
900 907 .ad
901 908 .RS 16n
902 909 Minimum time period before the password can be changed.
903 910 .RE
904 911
905 912 .sp
906 913 .ne 2
907 914 .na
908 915 \fB\fBMINSPECIAL\fR\fR
909 916 .ad
910 917 .RS 16n
911 918 Minimum number of special (non-alpha and non-digit) characters required. If
912 919 \fBMINSPECIAL\fR is not set or is zero (\fB0\fR), the default is no checks. You
913 920 cannot specify \fBMINSPECIAL\fR if you also specify \fBMINNONALPHA\fR.
914 921 .RE
915 922
916 923 .sp
917 924 .ne 2
918 925 .na
919 926 \fB\fBMINUPPER\fR\fR
920 927 .ad
921 928 .RS 16n
922 929 Minimum number of upper case letters required. If \fBMINUPPER\fR is not set or
923 930 is zero (\fB0\fR), the default is no checks.
924 931 .RE
925 932
926 933 .sp
927 934 .ne 2
928 935 .na
929 936 \fB\fBNAMECHECK\fR\fR
930 937 .ad
931 938 .RS 16n
932 939 Enable/disable checking or the login name. The default is to do login name
933 940 checking. A case insensitive value of \fBno\fR disables this feature.
934 941 .RE
935 942
936 943 .sp
937 944 .ne 2
938 945 .na
939 946 \fB\fBPASSLENGTH\fR\fR
940 947 .ad
941 948 .RS 16n
942 949 Minimum length of password, in characters.
943 950 .RE
944 951
945 952 .sp
946 953 .ne 2
947 954 .na
948 955 \fB\fBWARNWEEKS\fR\fR
949 956 .ad
950 957 .RS 16n
951 958 Time period until warning of date of password's ensuing expiration.
952 959 .RE
953 960
954 961 .sp
955 962 .ne 2
956 963 .na
957 964 \fB\fBWHITESPACE\fR\fR
958 965 .ad
959 966 .RS 16n
960 967 Determine if white space characters are allowed in passwords. Valid values are
961 968 \fBYES\fR and \fBNO\fR. If \fBWHITESPACE\fR is not set or is set to \fBYES\fR,
962 969 white space characters are allowed.
963 970 .RE
964 971
965 972 .RE
966 973
967 974 .sp
968 975 .ne 2
969 976 .na
970 977 \fB\fB/etc/oshadow\fR\fR
971 978 .ad
972 979 .RS 23n
973 980 Temporary file used by \fBpasswd\fR, \fBpassmgmt\fR and \fBpwconv\fR to update
974 981 the real shadow file.
975 982 .RE
976 983
977 984 .sp
978 985 .ne 2
979 986 .na
980 987 \fB\fB/etc/passwd\fR\fR
981 988 .ad
982 989 .RS 23n
983 990 Password file.
984 991 .RE
985 992
986 993 .sp
987 994 .ne 2
988 995 .na
989 996 \fB\fB/etc/shadow\fR\fR
990 997 .ad
991 998 .RS 23n
992 999 Shadow password file.
993 1000 .RE
994 1001
995 1002 .sp
996 1003 .ne 2
997 1004 .na
998 1005 \fB\fB/etc/shells\fR\fR
999 1006 .ad
1000 1007 .RS 23n
1001 1008 Shell database.
1002 1009 .RE
1003 1010
1004 1011 .SH ATTRIBUTES
1005 -.sp
1006 1012 .LP
1007 1013 See \fBattributes\fR(5) for descriptions of the following attributes:
1008 1014 .sp
1009 1015
1010 1016 .sp
1011 1017 .TS
1012 1018 box;
1013 1019 c | c
1014 1020 l | l .
1015 1021 ATTRIBUTE TYPE ATTRIBUTE VALUE
1016 1022 _
1017 1023 CSI Enabled
1018 1024 _
1019 1025 Interface Stability See below.
1020 1026 .TE
1021 1027
1022 1028 .sp
1023 1029 .LP
1024 1030 The human readable output is Uncommitted. The options are Committed.
1025 1031 .SH SEE ALSO
1026 -.sp
1027 1032 .LP
1028 1033 \fBat\fR(1), \fBbatch\fR(1), \fBfinger\fR(1), \fBkpasswd\fR(1), \fBlogin\fR(1),
1029 1034 \fBnistbladm\fR(1), \fBcron\fR(1M), \fBdomainname\fR(1M), \fBeeprom\fR(1M),
1030 1035 \fBid\fR(1M), \fBldapclient\fR(1M), \fBmkpwdict\fR(1M), \fBpassmgmt\fR(1M),
1031 1036 \fBpwconv\fR(1M), \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M),
1032 1037 \fBusermod\fR(1M), \fBcrypt\fR(3C), \fBgetpwnam\fR(3C), \fBgetspnam\fR(3C),
1033 1038 \fBgetusershell\fR(3C), \fBnis_local_directory\fR(3NSL), \fBpam\fR(3PAM),
1034 1039 \fBloginlog\fR(4), \fBnsswitch.conf\fR(4), \fBpam.conf\fR(4), \fBpasswd\fR(4),
1035 1040 \fBpolicy.conf\fR(4), \fBshadow\fR(4), \fBshells\fR(4), \fBattributes\fR(5),
1036 1041 \fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
1037 1042 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_ldap\fR(5),
1038 1043 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5)
1039 1044 .SH NOTES
1040 -.sp
1041 1045 .LP
1042 1046 The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
1043 1047 provided by \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
1044 1048 \fBpam_unix_session\fR(5), \fBpam_authtok_check\fR(5),
1045 1049 \fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), and
1046 1050 \fBpam_passwd_auth\fR(5).
1047 -.sp
1048 1051 .LP
1049 1052 The \fBnispasswd\fR and \fBypasswd\fR commands are wrappers around
1050 1053 \fBpasswd\fR. Use of \fBnispasswd\fR and \fBypasswd\fR is discouraged. Use
1051 1054 \fBpasswd\fR \fB-r\fR \fIrepository_name\fR instead.
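Review bot: The second removed `.sp` in NOTES (old line 1047) sits between two paragraphs, not directly after a section heading like the other `.sp` removals in this change, and the later NOTES paragraphs still keep their `.sp` before `.LP`. Either keep it so paragraph spacing within the section stays uniform, or remove all of them in a separate cleanup change that is not mixed into the -S documentation.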
1052 1055 .sp
1053 1056 .LP
1054 1057 NIS+ might not be supported in future releases of the Solaris operating system.
1055 1058 Tools to aid the migration from NIS+ to LDAP are available in the current
1056 1059 Solaris release. For more information, visit
1057 1060 http://www.sun.com/directory/nisplus/transition.html.
1058 1061 .sp
1059 1062 .LP
1060 1063 Changing a password in the \fBfiles\fR and \fBldap\fR repositories clears the
1061 1064 failed login count.
1062 1065 .sp
1063 1066 .LP
1064 1067 Changing a password reactivates an account deactivated for inactivity for the
1065 1068 length of the inactivity period.
1066 1069 .sp
1067 1070 .LP
1068 1071 If \fB/etc/shells\fR is present, and is corrupted, it may provide an attack
1069 1072 vector that would compromise the system. The \fBgetusershell\fR(3c) library
1070 1073 call has a pre-vetted list of shells, so /etc/shells should be used with
1071 1074 caution.
1072 1075 .sp
1073 1076 .LP
1074 1077 Input terminal processing might interpret some key sequences and not pass them
1075 1078 to the \fBpasswd\fR command.
1076 1079 .sp
1077 1080 .LP
1078 1081 An account with no password, status code \fBNP\fR, might not be able to login.
1079 1082 See the \fBlogin\fR(1) \fBPASSREQ\fR option.