'\" te
.\" Copyright 1989 AT&T
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PASSWD 1 "Feb 25, 2009"
.SH NAME
passwd \- change login password and password attributes
.SH SYNOPSIS
.LP
.nf
\fBpasswd\fR [\fB-r\fR files | \fB-r\fR ldap | \fB-r\fR nis | \fB-r\fR nisplus] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] [\fB-d\fR | \fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR]
     [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR ldap [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR ldap [\fB-d | -l | -u | -N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nis [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-egh\fR] [\fB-D\fR \fIdomainname\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-D\fR \fIdomainname\fR] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR]
     [\fB-x\fR \fImax\fR] [\fB-D\fR \fIdomainname\fR] \fIname\fR
.fi

.SH DESCRIPTION
.sp
.LP
The \fBpasswd\fR command changes the password or lists password attributes
associated with the user's login \fIname\fR. Additionally, privileged users can
use \fBpasswd\fR to install or change passwords and attributes associated with
any login \fIname\fR.
.sp
.LP
When used to change a password, \fBpasswd\fR prompts everyone for their old
password, if any. It then prompts for the new password twice. When the old
password is entered, \fBpasswd\fR checks to see if it has aged sufficiently. If
\fBaging\fR is insufficient, \fBpasswd\fR terminates; see \fBpwconv\fR(1M),
\fBnistbladm\fR(1), and \fBshadow\fR(4) for additional information.
.sp
.LP
The \fBpwconv\fR command creates and updates \fB/etc/shadow\fR with information
from \fB/etc/passwd\fR. \fBpwconv\fR relies on a special value of \fBx\fR in
the password field of \fB/etc/passwd\fR. This value of \fBx\fR indicates that
the password for the user is already in \fB/etc/shadow\fR and should not be
modified.
.sp
.LP
If aging is sufficient, a check is made to ensure that the new password meets
construction requirements. When the new password is entered a second time, the
two copies of the new password are compared. If the two copies are not
identical, the cycle of prompting for the new password is repeated for, at
most, two more times.
.sp
.LP
Passwords must be constructed to meet the following requirements:
.RS +4
.TP
.ie t \(bu
.el o
Each password must have \fBPASSLENGTH\fR characters, where \fBPASSLENGTH\fR is
defined in \fB/etc/default/passwd\fR and is set to \fB6\fR. Setting
\fBPASSLENGTH\fR to more than eight characters requires configuring
\fBpolicy.conf\fR(4) with an algorithm that supports greater than eight
characters.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Each password must meet the configured complexity constraints specified in
\fB/etc/default/passwd\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Each password must not be a member of the configured dictionary as specified in
\fB/etc/default/passwd\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
For accounts in name services which support password history checking, if prior
password history is defined, new passwords must not be contained in the prior
password history.
.RE
.sp
.LP
If all requirements are met, by default, the \fBpasswd\fR command consults
\fB/etc/nsswitch.conf\fR to determine in which repositories to perform password
update. It searches the \fBpasswd\fR and \fBpasswd_compat\fR entries. The
sources (repositories) associated with these entries are updated. However, the
password update configurations supported are limited to the following cases.
Failure to comply with the configurations prevents users from logging onto the
system.
The password update configurations are:
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files ldap\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files nis\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files nisplus\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files nis)
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files ldap)
.sp
\fBpasswd_compat: ldap\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files nisplus)
.sp
\fBpasswd_compat: nisplus\fR
.RE
.sp
.LP
You can add the \fBad\fR keyword to any of the \fBpasswd\fR configurations in
the above list. However, you cannot use the \fBpasswd\fR command to change the
password of an Active Directory (AD) user. If the \fBad\fR keyword is found in
the \fBpasswd\fR entry during a password update operation, it is ignored. To
update the password of an AD user, use the \fBkpasswd\fR(1) command.
.sp
.LP
Network administrators, who own the NIS+ password table, can change any
password attributes. The administrator configured for updating LDAP shadow
information can also change any password attributes. See \fBldapclient\fR(1M).
.sp
.LP
When a user has a password stored in one of the name services as well as a
local \fBfiles\fR entry, the \fBpasswd\fR command updates both. It is possible
to have different passwords in the name service and local files entry. Use
\fBpasswd\fR \fB-r\fR to change a specific password repository.
.sp
.LP
In the \fBfiles\fR case, super-users (for instance, real and effective uid
equal to \fB0\fR, see \fBid\fR(1M) and \fBsu\fR(1M)) can change any password.
Hence, \fBpasswd\fR does not prompt privileged users for the old password.
Privileged users are not forced to comply with password aging and password
construction requirements. A privileged user can create a null password by
entering a carriage return in response to the prompt for a new password. (This
differs from \fBpasswd\fR \fB-d\fR because the \fBpassword\fR prompt is still
displayed.) If NIS is in effect, superuser on the root master can change any
password without being prompted for the old NIS \fBpasswd\fR, and is not forced
to comply with password construction requirements.
.sp
.LP
If LDAP is in effect, superuser on any Native LDAP client system can change any
password without being prompted for the old LDAP passwd, and is not forced to
comply with password construction requirements.
.sp
.LP
Normally, \fBpasswd\fR entered with no arguments changes the password of the
current user. When a user logs in and then invokes \fBsu\fR(1M) to become
superuser or another user, \fBpasswd\fR changes the original user's password,
not the password of the superuser or the new user.
.sp
.LP
Any user can use the \fB-s\fR option to show password attributes for his or her
own login \fIname\fR, provided they are using the \fB-r\fR \fBnisplus\fR
argument. Otherwise, the \fB-s\fR argument is restricted to the superuser.
.sp
.LP
The format of the display is:
.sp
.in +2
.nf
\fIname status mm/dd/yy min max warn\fR
.fi
.in -2
.sp

.sp
.LP
or, if password aging information is not present,
.sp
.in +2
.nf
\fIname status\fR
.fi
.in -2
.sp

.sp
.LP
where
.sp
.ne 2
.na
\fB\fIname\fR\fR
.ad
.RS 12n
The login \fBID\fR of the user.
.RE

.sp
.ne 2
.na
\fB\fIstatus\fR\fR
.ad
.RS 12n
The password status of \fIname\fR.
.sp
The \fIstatus\fR field can take the following values:
.sp
.ne 2
.na
\fBLK\fR
.ad
.RS 6n
This account is a \fBlocked\fR account. See \fBSecurity\fR.
.RE

.sp
.ne 2
.na
\fBNL\fR
.ad
.RS 6n
This account is a \fBno login\fR account. See \fBSecurity\fR.
.RE

.sp
.ne 2
.na
\fBNP\fR
.ad
.RS 6n
This account has no password and is therefore open without authentication.
.RE

.sp
.ne 2
.na
\fBPS\fR
.ad
.RS 6n
This account has a password.
.RE

.RE

.sp
.ne 2
.na
\fB\fImm/dd/yy\fR\fR
.ad
.RS 12n
The date password was last changed for \fIname\fR. All password aging dates are
determined using Greenwich Mean Time (Universal Time) and therefore can differ
by as much as a day in other time zones.
.RE

.sp
.ne 2
.na
\fB\fImin\fR\fR
.ad
.RS 12n
The minimum number of days required between password changes for \fIname\fR.
\fBMINWEEKS\fR is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
.RE

.sp
.ne 2
.na
\fB\fImax\fR\fR
.ad
.RS 12n
The maximum number of days the password is valid for \fIname\fR. \fBMAXWEEKS\fR
is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
.RE

.sp
.ne 2
.na
\fB\fIwarn\fR\fR
.ad
.RS 12n
The number of days relative to \fImax\fR before the password expires and
\fIname\fR is warned.
.RE

.SS "Security"
.sp
.LP
\fBpasswd\fR uses \fBpam\fR(3PAM) for password change. It calls PAM with a
service name \fBpasswd\fR and uses service module type \fBauth\fR for
authentication and password for password change.
.sp
.LP
Locking an account (\fB-l\fR option) does not allow its use for password based
login or delayed execution (such as \fBat\fR(1), \fBbatch\fR(1), or
\fBcron\fR(1M)).
The \fB-N\fR option can be used to disallow password based
login, while continuing to allow delayed execution.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-a\fR\fR
.ad
.RS 17n
Shows password attributes for all entries. Use only with the \fB-s\fR option.
\fIname\fR must not be provided. For the \fBnisplus\fR repository, this shows
only the entries in the NIS+ password table in the local domain that the
invoker is authorized to read. For the \fBfiles\fR and \fBldap\fR repositories,
this is restricted to the superuser.
.RE

.sp
.ne 2
.na
\fB\fB-D\fR \fIdomainname\fR\fR
.ad
.RS 17n
Consults the \fBpasswd.org_dir\fR table in \fBdomainname\fR. If this option is
not specified, the default \fBdomainname\fR returned by
\fBnis_local_directory\fR(3NSL) is used. This domain name is the same as that
returned by \fBdomainname\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fB-e\fR\fR
.ad
.RS 17n
Changes the login shell. The choice of shell is limited by the requirements
of \fBgetusershell\fR(3C). If the user currently has a shell that is not
allowed by \fBgetusershell\fR, only root can change it.
.RE

.sp
.ne 2
.na
\fB\fB-g\fR\fR
.ad
.RS 17n
Changes the gecos (finger) information. For the \fBfiles\fR repository, this
only works for the superuser. Normal users can change the \fBldap\fR,
\fBnis\fR, or \fBnisplus\fR repositories.
.RE

.sp
.ne 2
.na
\fB\fB-h\fR\fR
.ad
.RS 17n
Changes the home directory.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR\fR
.ad
.RS 17n
Specifies the repository to which an operation is applied. The supported
repositories are \fBfiles\fR, \fBldap\fR, \fBnis\fR, or \fBnisplus\fR.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIname\fR\fR
.ad
.RS 17n
Shows password attributes for the login \fIname\fR. For the \fBnisplus\fR
repository, this works for everyone. However, for the \fBfiles\fR and \fBldap\fR
repositories, this only works for the superuser. It does not work at all for
the \fBnis\fR repository, which does not support password aging.
.sp
The output of this option, and only this option, is Stable and parsable. The
format is \fIusername\fR followed by white space followed by one of the
following codes.
.sp
New codes might be added in the future, so code that parses this must be
flexible in the face of unknown codes. While all existing codes are two
characters in length, that might not always be the case.
.sp
The following are the current status codes:
.sp
.ne 2
.na
\fB\fBLK\fR\fR
.ad
.RS 6n
Account is locked for UNIX authentication. \fBpasswd -l\fR was run or the
authentication failed \fBRETRIES\fR times.
.RE

.sp
.ne 2
.na
\fB\fBNL\fR\fR
.ad
.RS 6n
The account is a no login account. \fBpasswd -N\fR has been run.
.RE

.sp
.ne 2
.na
\fB\fBNP\fR\fR
.ad
.RS 6n
Account has no password. \fBpasswd -d\fR was run.
.RE

.sp
.ne 2
.na
\fB\fBPS\fR\fR
.ad
.RS 6n
The account probably has a valid password.
.RE

.sp
.ne 2
.na
\fB\fBUN\fR\fR
.ad
.RS 6n
The data in the password field is unknown. It is not a recognizable hashed
password or any of the above entries. See \fBcrypt\fR(3C) for valid password
hashes.
.RE

.RE

.SS "Privileged User Options"
.sp
.LP
Only a privileged user can use the following options:
.sp
.ne 2
.na
\fB\fB-d\fR\fR
.ad
.RS 11n
Deletes password for \fIname\fR and unlocks the account.
The login \fIname\fR
is not prompted for password. It is only applicable to the \fBfiles\fR and
\fBldap\fR repositories.
.sp
If the \fBlogin\fR(1) option \fBPASSREQ=YES\fR is configured, the account is
not able to log in. \fBPASSREQ=YES\fR is the delivered default.
.RE

.sp
.ne 2
.na
\fB\fB-f\fR\fR
.ad
.RS 11n
Forces the user to change password at the next login by expiring the password
for \fIname\fR.
.RE

.sp
.ne 2
.na
\fB\fB-l\fR\fR
.ad
.RS 11n
Locks password entry for \fIname\fR. See the \fB-d\fR or \fB-u\fR option for
unlocking the account.
.RE

.sp
.ne 2
.na
\fB\fB-N\fR\fR
.ad
.RS 11n
Makes the password entry for \fIname\fR a value that cannot be used for login, but
does not lock the account. See the \fB-d\fR option for removing the value, or
to set a password to allow logins.
.RE

.sp
.ne 2
.na
\fB\fB-n\fR \fImin\fR\fR
.ad
.RS 11n
Sets minimum field for \fIname\fR. The \fImin\fR field contains the minimum
number of days between password changes for \fIname\fR. If \fImin\fR is greater
than \fImax\fR, the user cannot change the password. Always use this option
with the \fB-x\fR option, unless \fImax\fR is set to \fB\(mi1\fR (aging turned
off). In that case, \fImin\fR need not be set.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR\fR
.ad
.RS 11n
Unlocks a locked password for entry \fIname\fR. See the \fB-d\fR option for removing
the locked password, or to set a password to allow logins.
.RE

.sp
.ne 2
.na
\fB\fB-w\fR \fIwarn\fR\fR
.ad
.RS 11n
Sets warn field for \fIname\fR. The \fIwarn\fR field contains the number of
days before the password expires and the user is warned. This option is not
valid if password aging is disabled.
.RE

.sp
.ne 2
.na
\fB\fB-x\fR \fImax\fR\fR
.ad
.RS 11n
Sets maximum field for \fIname\fR. The \fImax\fR field contains the number of
days that the password is valid for \fIname\fR. The aging for \fIname\fR is
turned off immediately if \fImax\fR is set to \fB\(mi1\fR\&.
.RE

.SH OPERANDS
.sp
.LP
The following operand is supported:
.sp
.ne 2
.na
\fB\fIname\fR\fR
.ad
.RS 8n
User login name.
.RE

.SH ENVIRONMENT VARIABLES
.sp
.LP
If any of the \fBLC_*\fR variables, that is, \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR,
\fBLC_TIME\fR, \fBLC_COLLATE\fR, \fBLC_NUMERIC\fR, and \fBLC_MONETARY\fR (see
\fBenviron\fR(5)), are not set in the environment, the operational behavior of
\fBpasswd\fR for each corresponding locale category is determined by the value
of the \fBLANG\fR environment variable. If \fBLC_ALL\fR is set, its contents
are used to override both the \fBLANG\fR and the other \fBLC_*\fR variables. If
none of the above variables is set in the environment, the \fBC\fR (U.S. style)
locale determines how \fBpasswd\fR behaves.
.sp
.ne 2
.na
\fB\fBLC_CTYPE\fR\fR
.ad
.RS 15n
Determines how \fBpasswd\fR handles characters. When \fBLC_CTYPE\fR is set to a
valid value, \fBpasswd\fR can display and handle text and filenames containing
valid characters for that locale. \fBpasswd\fR can display and handle Extended
Unix Code (\fBEUC\fR) characters where any individual character can be 1, 2, or
3 bytes wide. \fBpasswd\fR can also handle \fBEUC\fR characters of 1, 2, or
more column widths. In the \fBC\fR locale, only characters from ISO 8859-1 are
valid.
.RE

.sp
.ne 2
.na
\fB\fBLC_MESSAGES\fR\fR
.ad
.RS 15n
Determines how diagnostic and informative messages are presented.
This includes
the language and style of the messages, and the correct form of affirmative and
negative responses. In the \fBC\fR locale, the messages are presented in the
default form found in the program itself (in most cases, U.S. English).
.RE

.SH EXIT STATUS
.sp
.LP
The \fBpasswd\fR command exits with one of the following values:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.RS 6n
Success.
.RE

.sp
.ne 2
.na
\fB\fB1\fR\fR
.ad
.RS 6n
Permission denied.
.RE

.sp
.ne 2
.na
\fB\fB2\fR\fR
.ad
.RS 6n
Invalid combination of options.
.RE

.sp
.ne 2
.na
\fB\fB3\fR\fR
.ad
.RS 6n
Unexpected failure. Password file unchanged.
.RE

.sp
.ne 2
.na
\fB\fB4\fR\fR
.ad
.RS 6n
Unexpected failure. Password file(s) missing.
.RE

.sp
.ne 2
.na
\fB\fB5\fR\fR
.ad
.RS 6n
Password file(s) busy. Try again later.
.RE

.sp
.ne 2
.na
\fB\fB6\fR\fR
.ad
.RS 6n
Invalid argument to option.
.RE

.sp
.ne 2
.na
\fB\fB7\fR\fR
.ad
.RS 6n
Aging option is disabled.
.RE

.sp
.ne 2
.na
\fB\fB8\fR\fR
.ad
.RS 6n
No memory.
.RE

.sp
.ne 2
.na
\fB\fB9\fR\fR
.ad
.RS 6n
System error.
.RE

.sp
.ne 2
.na
\fB\fB10\fR\fR
.ad
.RS 6n
Account expired.
.RE

.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/default/passwd\fR\fR
.ad
.RS 23n
Default values can be set for the following flags in \fB/etc/default/passwd\fR.
For example: \fBMAXWEEKS=26\fR
.sp
.ne 2
.na
\fB\fBDICTIONDBDIR\fR\fR
.ad
.RS 16n
The directory where the generated dictionary databases reside. Defaults to
\fB/var/passwd\fR.
.sp
If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
does not perform a dictionary check.
.RE

.sp
.ne 2
.na
\fB\fBDICTIONLIST\fR\fR
.ad
.RS 16n
\fBDICTIONLIST\fR can contain a list of comma-separated dictionary files such as
\fBDICTIONLIST=\fR\fIfile1\fR, \fIfile2\fR, \fIfile3\fR. Each dictionary file
contains multiple lines and each line consists of a word and a NEWLINE
character (similar to \fB/usr/share/lib/dict/words\fR). You must specify full
pathnames. The words from these files are merged into a database that is used
to determine whether a password is based on a dictionary word.
.sp
If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
does not perform a dictionary check.
.sp
To pre-build the dictionary database, see \fBmkpwdict\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fBHISTORY\fR\fR
.ad
.RS 16n
Maximum number of prior password history entries to keep for a user. Setting the
\fBHISTORY\fR value to zero (\fB0\fR), or removing the flag, causes the prior
password history of all users to be discarded at the next password change by
any user. The default is not to define the \fBHISTORY\fR flag. The maximum
value is \fB26.\fR Currently, this functionality is enforced only for user
accounts defined in the \fBfiles\fR name service (local
\fBpasswd\fR(4)/\fBshadow\fR(4)).
.RE

.sp
.ne 2
.na
\fB\fBMAXREPEATS\fR\fR
.ad
.RS 16n
Maximum number of allowable consecutive repeating characters. If
\fBMAXREPEATS\fR is not set or is zero (\fB0\fR), the default is no checks.
.RE

.sp
.ne 2
.na
\fB\fBMAXWEEKS\fR\fR
.ad
.RS 16n
Maximum time period that password is valid.
.RE

.sp
.ne 2
.na
\fB\fBMINALPHA\fR\fR
.ad
.RS 16n
Minimum number of alpha characters required.
If \fBMINALPHA\fR is not set, the
default is \fB2\fR.
.RE

.sp
.ne 2
.na
\fB\fBMINDIFF\fR\fR
.ad
.RS 16n
Minimum differences required between an old and a new password. If
\fBMINDIFF\fR is not set, the default is \fB3\fR.
.RE

.sp
.ne 2
.na
\fB\fBMINDIGIT\fR\fR
.ad
.RS 16n
Minimum number of digits required. If \fBMINDIGIT\fR is not set or is set to
zero (\fB0\fR), the default is no checks. You cannot specify \fBMINDIGIT\fR
if \fBMINNONALPHA\fR is also specified.
.RE

.sp
.ne 2
.na
\fB\fBMINLOWER\fR\fR
.ad
.RS 16n
Minimum number of lower case letters required. If not set or zero (0), the
default is no checks.
.RE

.sp
.ne 2
.na
\fB\fBMINNONALPHA\fR\fR
.ad
.RS 16n
Minimum number of non-alpha (including numeric and special) characters required. If
\fBMINNONALPHA\fR is not set, the default is \fB1\fR. You cannot specify
\fBMINNONALPHA\fR if \fBMINDIGIT\fR or \fBMINSPECIAL\fR is also specified.
.RE

.sp
.ne 2
.na
\fB\fBMINWEEKS\fR\fR
.ad
.RS 16n
Minimum time period before the password can be changed.
.RE

.sp
.ne 2
.na
\fB\fBMINSPECIAL\fR\fR
.ad
.RS 16n
Minimum number of special (non-alpha and non-digit) characters required. If
\fBMINSPECIAL\fR is not set or is zero (\fB0\fR), the default is no checks. You
cannot specify \fBMINSPECIAL\fR if you also specify \fBMINNONALPHA\fR.
.RE

.sp
.ne 2
.na
\fB\fBMINUPPER\fR\fR
.ad
.RS 16n
Minimum number of upper case letters required. If \fBMINUPPER\fR is not set or
is zero (\fB0\fR), the default is no checks.
.RE

.sp
.ne 2
.na
\fB\fBNAMECHECK\fR\fR
.ad
.RS 16n
Enable/disable checking of the login name. The default is to do login name
checking. A case insensitive value of \fBno\fR disables this feature.
.RE

.sp
.ne 2
.na
\fB\fBPASSLENGTH\fR\fR
.ad
.RS 16n
Minimum length of password, in characters.
.RE

.sp
.ne 2
.na
\fB\fBWARNWEEKS\fR\fR
.ad
.RS 16n
Time period until warning of date of password's ensuing expiration.
.RE

.sp
.ne 2
.na
\fB\fBWHITESPACE\fR\fR
.ad
.RS 16n
Determine if white space characters are allowed in passwords. Valid values are
\fBYES\fR and \fBNO\fR. If \fBWHITESPACE\fR is not set or is set to \fBYES\fR,
white space characters are allowed.
.RE

.RE

.sp
.ne 2
.na
\fB\fB/etc/oshadow\fR\fR
.ad
.RS 23n
Temporary file used by \fBpasswd\fR, \fBpassmgmt\fR and \fBpwconv\fR to update
the real shadow file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/passwd\fR\fR
.ad
.RS 23n
Password file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/shadow\fR\fR
.ad
.RS 23n
Shadow password file.
.RE

.sp
.ne 2
.na
\fB\fB/etc/shells\fR\fR
.ad
.RS 23n
Shell database.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
CSI	Enabled
_
Interface Stability	See below.
.TE

.sp
.LP
The human readable output is Uncommitted. The options are Committed.
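The /etc/default/passwd rules listed under FILES (mutually exclusive MIN* flags, full pathnames in DICTIONLIST, the HISTORY maximum, the PASSLENGTH dependency on policy.conf) can be checked mechanically before a configuration is deployed. The sh function below is an added example, not part of the original manual page or of Solaris; lint_passwd_defaults and both sample configurations are constructed here, and the sample values are illustrations, not recommended settings.

```shell
#!/bin/sh
# Added example: lint /etc/default/passwd against the rules in FILES.
# lint_passwd_defaults is a hypothetical helper; both samples are constructed.

weak_sample() {
cat <<'EOF'
# constructed sample: conflicting and weak settings
PASSLENGTH=6
MINNONALPHA=1
MINDIGIT=1
HISTORY=0
NAMECHECK=NO
DICTIONLIST=words.txt
EOF
}

hardened_sample() {
cat <<'EOF'
# constructed sample: consistent settings
PASSLENGTH=12
MINUPPER=1
MINLOWER=1
MINDIGIT=1
MINSPECIAL=1
MAXREPEATS=3
HISTORY=10
NAMECHECK=YES
DICTIONLIST=/usr/share/lib/dict/words
DICTIONDBDIR=/var/passwd
MAXWEEKS=26
EOF
}

# Reads KEY=VALUE lines on stdin, prints one finding per line.
lint_passwd_defaults() {
    awk '
    /^[ \t]*#/ || !/=/ { next }          # skip comments and non-assignments
    {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        cfg[key] = val
    }
    END {
        # MINNONALPHA is mutually exclusive with MINDIGIT and MINSPECIAL.
        if (("MINNONALPHA" in cfg) && (("MINDIGIT" in cfg) || ("MINSPECIAL" in cfg)))
            print "ERROR MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL"
        # Without either dictionary flag no dictionary check is performed.
        if (!("DICTIONLIST" in cfg) && !("DICTIONDBDIR" in cfg))
            print "WARN no DICTIONLIST or DICTIONDBDIR: dictionary check is not performed"
        # DICTIONLIST entries must be full pathnames.
        if ("DICTIONLIST" in cfg) {
            n = split(cfg["DICTIONLIST"], f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] !~ /^\//)
                    print "ERROR DICTIONLIST entry is not a full pathname: " f[i]
            }
        }
        # HISTORY: unset or 0 discards history; the maximum is 26.
        if (!("HISTORY" in cfg) || cfg["HISTORY"] + 0 == 0)
            print "WARN HISTORY unset or 0: no password history is kept"
        else if (cfg["HISTORY"] + 0 > 26)
            print "ERROR HISTORY exceeds the maximum of 26"
        # Lengths above eight depend on the algorithm set in policy.conf(4).
        if (("PASSLENGTH" in cfg) && cfg["PASSLENGTH"] + 0 > 8)
            print "NOTE PASSLENGTH > 8 needs a policy.conf(4) algorithm that supports more than eight characters"
        # A case-insensitive "no" disables the login name check.
        if (("NAMECHECK" in cfg) && tolower(cfg["NAMECHECK"]) == "no")
            print "WARN NAMECHECK=no: login name check is disabled"
    }
    '
}

echo "== weak sample =="
weak_sample | lint_passwd_defaults
echo "== hardened sample =="
hardened_sample | lint_passwd_defaults
```

On a live system the same function reads the real file: lint_passwd_defaults < /etc/default/passwd.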
.SH SEE ALSO
.sp
.LP
\fBat\fR(1), \fBbatch\fR(1), \fBfinger\fR(1), \fBkpasswd\fR(1), \fBlogin\fR(1),
\fBnistbladm\fR(1), \fBcron\fR(1M), \fBdomainname\fR(1M), \fBeeprom\fR(1M),
\fBid\fR(1M), \fBldapclient\fR(1M), \fBmkpwdict\fR(1M), \fBpassmgmt\fR(1M),
\fBpwconv\fR(1M), \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M),
\fBusermod\fR(1M), \fBcrypt\fR(3C), \fBgetpwnam\fR(3C), \fBgetspnam\fR(3C),
\fBgetusershell\fR(3C), \fBnis_local_directory\fR(3NSL), \fBpam\fR(3PAM),
\fBloginlog\fR(4), \fBnsswitch.conf\fR(4), \fBpam.conf\fR(4), \fBpasswd\fR(4),
\fBpolicy.conf\fR(4), \fBshadow\fR(4), \fBshells\fR(4), \fBattributes\fR(5),
\fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
\fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_ldap\fR(5),
\fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5)
.SH NOTES
.sp
.LP
The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
provided by \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
\fBpam_unix_session\fR(5), \fBpam_authtok_check\fR(5),
\fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), and
\fBpam_passwd_auth\fR(5).
.sp
.LP
The \fBnispasswd\fR and \fBypasswd\fR commands are wrappers around
\fBpasswd\fR. Use of \fBnispasswd\fR and \fBypasswd\fR is discouraged. Use
\fBpasswd\fR \fB-r\fR \fIrepository_name\fR instead.
.sp
.LP
NIS+ might not be supported in future releases of the Solaris operating system.
Tools to aid the migration from NIS+ to LDAP are available in the current
Solaris release. For more information, visit
http://www.sun.com/directory/nisplus/transition.html.
.sp
.LP
Changing a password in the \fBfiles\fR and \fBldap\fR repositories clears the
failed login count.
.sp
.LP
Changing a password reactivates an account deactivated for inactivity for the
length of the inactivity period.
.sp
.LP
If \fB/etc/shells\fR is present, and is corrupted, it may provide an attack
vector that would compromise the system. The \fBgetusershell\fR(3C) library
call has a pre-vetted list of shells, so \fB/etc/shells\fR should be used with
caution.
.sp
.LP
Input terminal processing might interpret some key sequences and not pass them
to the \fBpasswd\fR command.
.sp
.LP
An account with no password, status code \fBNP\fR, might not be able to log in.
See the \fBlogin\fR(1) \fBPASSREQ\fR option.
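The -s output is the one interface this page documents as stable and parsable, which makes it the natural input for an account audit. The script below is an added example, not part of the original manual page; audit_status and the sample lines are constructed here, and the parser accepts both display formats and reports unknown status codes instead of failing, as the OPTIONS section requires.

```shell
#!/bin/sh
# Added example: audit the parsable output of "passwd -s -a".
# audit_status is a hypothetical helper; the sample lines are constructed.
# Input format: "name status [mm/dd/yy min max warn]".

sample_status() {
cat <<'EOF'
root      PS    02/25/09     0    84     7
daemon    NL
svcweb    NP
alice     PS
bob       LK    01/10/09     7    28     7
carol     UN
dave      PSX
erin      PS    03/01/09    30    14     7
EOF
}

# Reads passwd -s lines on stdin, prints "SEVERITY name reason".
audit_status() {
    awk '
    NF < 2 { next }                      # blank or malformed line
    {
        name = $1; code = $2
        if (code == "NP") {
            # No password: open without authentication.
            print "HIGH", name, "no password set (NP)"
        } else if (code == "UN") {
            # Password field is neither a known hash nor a known marker.
            print "WARN", name, "password field is not a recognizable hash (UN)"
        } else if (code == "PS") {
            if (NF < 6)
                print "WARN", name, "password set but no aging information"
            else if ($5 + 0 != -1 && $4 + 0 > $5 + 0)
                # min greater than max: the user cannot change the password.
                print "WARN", name, "min " $4 " > max " $5 ": user cannot change password"
        } else if (code != "LK" && code != "NL") {
            # Future codes may appear and need not be two characters long.
            print "INFO", name, "unknown status code " code
        }
    }
    '
}

# Stand-alone run on the constructed sample. On a real system, as superuser:
#   passwd -s -a | audit_status
sample_status | audit_status
```

Locked (LK) and no-login (NL) accounts produce no finding here because neither allows password-based login.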