1 '\" te
   2 .\" Copyright 1989 AT&T
   3 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   5 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
   6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH PASSWD 1 "Feb 25, 2009"
   8 .SH NAME
   9 passwd \- change login password and password attributes
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fBpasswd\fR [\fB-r\fR files | \fB-r\fR ldap | \fB-r\fR nis | \fB-r\fR nisplus] [\fIname\fR]
  14 .fi
  15 
  16 .LP
  17 .nf
  18 \fBpasswd\fR [\fB-r\fR files] [\fB-egh\fR] [\fIname\fR]
  19 .fi
  20 
  21 .LP
  22 .nf
  23 \fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fB-a\fR]
  24 .fi
  25 
  26 .LP
  27 .nf
  28 \fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fIname\fR]
  29 .fi
  30 
  31 .LP
  32 .nf
  33 \fBpasswd\fR [\fB-r\fR files] [\fB-d\fR | \fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR]
  34      [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
  35 .fi
  36 
  37 .LP
  38 .nf
  39 \fBpasswd\fR \fB-r\fR ldap [\fB-egh\fR] [\fIname\fR]
  40 .fi
  41 
  42 .LP
  43 .nf
  44 \fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fB-a\fR]
  45 .fi
  46 
  47 .LP
  48 .nf
  49 \fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fIname\fR]
  50 .fi
  51 
  52 .LP
  53 .nf
  54 \fBpasswd\fR \fB-r\fR ldap [\fB-d | -l | -u | -N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
  55 .fi
  56 
  57 .LP
  58 .nf
  59 \fBpasswd\fR \fB-r\fR nis [\fB-egh\fR] [\fIname\fR]
  60 .fi
  61 
  62 .LP
  63 .nf
  64 \fBpasswd\fR \fB-r\fR nisplus [\fB-egh\fR] [\fB-D\fR \fIdomainname\fR] [\fIname\fR]
  65 .fi
  66 
  67 .LP
  68 .nf
  69 \fBpasswd\fR \fB-r\fR nisplus \fB-s\fR [\fB-a\fR]
  70 .fi
  71 
  72 .LP
  73 .nf
  74 \fBpasswd\fR \fB-r\fR nisplus [\fB-D\fR \fIdomainname\fR] \fB-s\fR [\fIname\fR]
  75 .fi
  76 
  77 .LP
  78 .nf
  79 \fBpasswd\fR \fB-r\fR nisplus [\fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR]
  80      [\fB-x\fR \fImax\fR] [\fB-D\fR \fIdomainname\fR] \fIname\fR
  81 .fi
  82 
  83 .SH DESCRIPTION
  84 .sp
  85 .LP
  86 The \fBpasswd\fR command changes the password or lists password attributes
  87 associated with the user's login \fIname\fR. Additionally, privileged users can
  88 use \fBpasswd\fR to install or change passwords and attributes associated with
  89 any login \fIname\fR.
  90 .sp
  91 .LP
  92 When used to change a password, \fBpasswd\fR prompts everyone for their old
  93 password, if any. It then prompts for the new password twice. When the old
  94 password is entered, \fBpasswd\fR checks to see if it has aged sufficiently. If
  95 \fBaging\fR is insufficient, \fBpasswd\fR terminates; see \fBpwconv\fR(1M),
  96 \fBnistbladm\fR(1), and \fBshadow\fR(4) for additional information.
  97 .sp
  98 .LP
  99 The \fBpwconv\fR command creates and updates \fB/etc/shadow\fR with information
 100 from \fB/etc/passwd\fR. \fBpwconv\fR relies on a special value of \fBx\fR in
 101 the password field of \fB/etc/passwd\fR. This value of \fBx\fRindicates that
 102 the password for the user is already in \fB/etc/shadow\fR and should not be
 103 modified.
 104 .sp
 105 .LP
 106 If aging is sufficient, a check is made to ensure that the new password meets
 107 construction requirements. When the new password is entered a second time, the
 108 two copies of the new password are compared. If the two copies are not
 109 identical, the cycle of prompting for the new password is repeated for, at
 110 most, two more times.
 111 .sp
 112 .LP
 113 Passwords must be constructed to meet the following requirements:
 114 .RS +4
 115 .TP
 116 .ie t \(bu
 117 .el o
 118 Each password must have \fBPASSLENGTH\fR characters, where \fBPASSLENGTH\fR is
 119 defined in \fB/etc/default/passwd\fR and is set to \fB6\fR. Setting
 120 \fBPASSLENGTH\fR to more than eight characters requires configuring
 121 \fBpolicy.conf\fR(4) with an algorithm that supports greater than eight
 122 characters.
 123 .RE
 124 .RS +4
 125 .TP
 126 .ie t \(bu
 127 .el o
 128 Each password must meet the configured complexity constraints specified in
 129 \fB/etc/default/passwd\fR.
 130 .RE
 131 .RS +4
 132 .TP
 133 .ie t \(bu
 134 .el o
 135 Each password must not be a member of the configured dictionary as specified in
 136 \fB/etc/default/passwd\fR.
 137 .RE
 138 .RS +4
 139 .TP
 140 .ie t \(bu
 141 .el o
 142 For accounts in name services which support password history checking, if prior
 143 password history is defined, new passwords must not be contained in the prior
 144 password history.
 145 .RE
 146 .sp
 147 .LP
 148 If all requirements are met, by default, the \fBpasswd\fR command consults
 149 \fB/etc/nsswitch.conf\fR to determine in which repositories to perform password
 150 update. It searches the \fBpasswd\fR and \fBpasswd_compat\fR entries. The
 151 sources (repositories) associated with these entries are updated. However, the
 152 password update configurations supported are limited to the following cases.
 153 Failure to comply with the configurations prevents users from logging onto the
 154 system. The password update configurations are:
 155 .RS +4
 156 .TP
 157 .ie t \(bu
 158 .el o
 159 \fBpasswd: files\fR
 160 .RE
 161 .RS +4
 162 .TP
 163 .ie t \(bu
 164 .el o
 165 \fBpasswd: files ldap\fR
 166 .RE
 167 .RS +4
 168 .TP
 169 .ie t \(bu
 170 .el o
 171 \fBpasswd: files nis\fR
 172 .RE
 173 .RS +4
 174 .TP
 175 .ie t \(bu
 176 .el o
 177 \fBpasswd: files nisplus\fR
 178 .RE
 179 .RS +4
 180 .TP
 181 .ie t \(bu
 182 .el o
 183 \fBpasswd: compat\fR (==> files nis)
 184 .RE
 185 .RS +4
 186 .TP
 187 .ie t \(bu
 188 .el o
 189 \fBpasswd: compat\fR (==> files ldap)
 190 .sp
 191 \fBpasswd_compat: ldap\fR
 192 .RE
 193 .RS +4
 194 .TP
 195 .ie t \(bu
 196 .el o
 197 \fBpasswd: compat\fR (==> files nisplus)
 198 .sp
 199 \fBpasswd_compat: nisplus\fR
 200 .RE
 201 .sp
 202 .LP
 203 You can add the \fBad\fR keyword to any of the \fBpasswd\fR configurations in
 204 the above list. However, you cannot use the \fBpasswd\fR command to change the
 205 password of an Active Directory (AD) user. If the \fBad\fR keyword is found in
 206 the \fBpasswd\fR entry during a password update operation, it is ignored. To
 207 update the password of an AD user, use the \fBkpasswd\fR(1) command.
 208 .sp
 209 .LP
 210 Network administrators, who own the NIS+ password table, can change any
 211 password attributes. The administrator configured for updating LDAP shadow
 212 information can also change any password attributes. See \fBldapclient\fR(1M).
 213 .sp
 214 .LP
 215 When a user has a password stored in one of the name services as well as a
 216 local \fBfiles\fR entry, the \fBpasswd\fR command updates both. It is possible
 217 to have different passwords in the name service and local files entry. Use
 218 \fBpasswd\fR \fB-r\fR to change a specific password repository.
 219 .sp
 220 .LP
 221 In the \fBfiles\fR case, super-users (for instance, real and effective uid
 222 equal to \fB0\fR, see \fBid\fR(1M) and \fBsu\fR(1M)) can change any password.
 223 Hence, \fBpasswd\fR does not prompt privileged users for the old password.
 224 Privileged users are not forced to comply with password aging and password
 225 construction requirements. A privileged user can create a null password by
 226 entering a carriage return in response to the prompt for a new password. (This
 227 differs from \fBpasswd\fR \fB-d\fR because the \fBpassword\fR prompt is still
 228 displayed.) If NIS is in effect, superuser on the root master can change any
 229 password without being prompted for the old NIS \fBpasswd\fR, and is not forced
 230 to comply with password construction requirements.
 231 .sp
 232 .LP
 233 If LDAP is in effect, superuser on any Native LDAP client system can change any
 234 password without being prompted for the old LDAP passwd, and is not forced to
 235 comply with password construction requirements.
 236 .sp
 237 .LP
 238 Normally, \fBpasswd\fR entered with no arguments changes the password of the
 239 current user. When a user logs in and then invokes \fBsu\fR(1M) to become
 240 superuser or another user, \fBpasswd\fR changes the original user's password,
 241 not the password of the superuser or the new user.
 242 .sp
 243 .LP
 244 Any user can use the \fB-s\fR option to show password attributes for his or her
 245 own login \fIname\fR, provided they are using the \fB-r\fR \fBnisplus\fR
 246 argument. Otherwise, the \fB-s\fR argument is restricted to the superuser.
 247 .sp
 248 .LP
 249 The format of the display is:
 250 .sp
 251 .in +2
 252 .nf
 253 \fIname status mm/dd/yy min max warn\fR
 254 .fi
 255 .in -2
 256 .sp
 257 
 258 .sp
 259 .LP
 260 or, if password aging information is not present,
 261 .sp
 262 .in +2
 263 .nf
 264 \fIname status\fR
 265 .fi
 266 .in -2
 267 .sp
 268 
 269 .sp
 270 .LP
 271 where
 272 .sp
 273 .ne 2
 274 .na
 275 \fB\fIname\fR\fR
 276 .ad
 277 .RS 12n
 278 The login \fBID\fR of the user.
 279 .RE
 280 
 281 .sp
 282 .ne 2
 283 .na
 284 \fB\fIstatus\fR\fR
 285 .ad
 286 .RS 12n
 287 The password status of \fIname\fR.
 288 .sp
 289 The \fIstatus\fR field can take the following values:
 290 .sp
 291 .ne 2
 292 .na
 293 \fBLK\fR
 294 .ad
 295 .RS 6n
 296 This account is \fBlocked\fR account. See Security.
 297 .RE
 298 
 299 .sp
 300 .ne 2
 301 .na
 302 \fBNL\fR
 303 .ad
 304 .RS 6n
 305 This account is a \fBno login\fR account. See \fBSecurity\fR.
 306 .RE
 307 
 308 .sp
 309 .ne 2
 310 .na
 311 \fBNP\fR
 312 .ad
 313 .RS 6n
 314 This account has no password and is therefore open without authentication.
 315 .RE
 316 
 317 .sp
 318 .ne 2
 319 .na
 320 \fBPS\fR
 321 .ad
 322 .RS 6n
 323 This account has a password.
 324 .RE
 325 
 326 .RE
 327 
 328 .sp
 329 .ne 2
 330 .na
 331 \fB\fImm/dd/yy\fR\fR
 332 .ad
 333 .RS 12n
 334 The date password was last changed for \fIname\fR. All password aging dates are
 335 determined using Greenwich Mean Time (Universal Time) and therefore can differ
 336 by as much as a day in other time zones.
 337 .RE
 338 
 339 .sp
 340 .ne 2
 341 .na
 342 \fB\fImin\fR\fR
 343 .ad
 344 .RS 12n
 345 The minimum number of days required between password changes for \fIname\fR.
 346 \fBMINWEEKS\fR is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
 347 .RE
 348 
 349 .sp
 350 .ne 2
 351 .na
 352 \fB\fImax\fR\fR
 353 .ad
 354 .RS 12n
 355 The maximum number of days the password is valid for \fIname\fR. \fBMAXWEEKS\fR
 356 is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
 357 .RE
 358 
 359 .sp
 360 .ne 2
 361 .na
 362 \fB\fIwarn\fR\fR
 363 .ad
 364 .RS 12n
 365 The number of days relative to \fImax\fR before the password expires and the
 366 \fIname\fR are warned.
 367 .RE
 368 
 369 .SS "Security"
 370 .sp
 371 .LP
 372 \fBpasswd\fR uses \fBpam\fR(3PAM) for password change. It calls PAM with a
 373 service name \fBpasswd\fR and uses service module type \fBauth\fR for
 374 authentication and password for password change.
 375 .sp
 376 .LP
 377 Locking an account (\fB-l\fR option) does not allow its use for password based
 378 login or delayed execution (such as \fBat\fR(1), \fBbatch\fR(1), or
 379 \fBcron\fR(1M)). The \fB-N\fR option can be used to disallow password based
 380 login, while continuing to allow delayed execution.
 381 .SH OPTIONS
 382 .sp
 383 .LP
 384 The following options are supported:
 385 .sp
 386 .ne 2
 387 .na
 388 \fB\fB-a\fR\fR
 389 .ad
 390 .RS 17n
 391 Shows password attributes for all entries. Use only with the \fB-s\fR option.
 392 \fIname\fR must not be provided. For the \fBnisplus\fR repository, this shows
 393 only the entries in the NIS+ password table in the local domain that the
 394 invoker is authorized to read. For the \fBfiles\fR and \fBldap\fR repositories,
 395 this is restricted to the superuser.
 396 .RE
 397 
 398 .sp
 399 .ne 2
 400 .na
 401 \fB\fB-D\fR \fIdomainname\fR\fR
 402 .ad
 403 .RS 17n
 404 Consults the \fBpasswd.org_dir\fR table in \fBdomainname\fR. If this option is
 405 not specified, the default \fBdomainname\fR returned by
 406 \fBnis_local_directory\fR(3NSL) are used. This domain name is the same as that
 407 returned by \fBdomainname\fR(1M).
 408 .RE
 409 
 410 .sp
 411 .ne 2
 412 .na
 413 \fB\fB-e\fR\fR
 414 .ad
 415 .RS 17n
 416 Changes the login shell. The choice of shell is limited by the requirements
 417 of \fBgetusershell\fR(3C). If the user currently has a shell that is not
 418 allowed by \fBgetusershell\fR, only root can change it.
 419 .RE
 420 
 421 .sp
 422 .ne 2
 423 .na
 424 \fB\fB-g\fR\fR
 425 .ad
 426 .RS 17n
 427 Changes the gecos (finger) information. For the \fBfiles\fR repository, this
 428 only works for the superuser. Normal users can change the \fBldap\fR,
 429 \fBnis\fR, or \fBnisplus\fR repositories.
 430 .RE
 431 
 432 .sp
 433 .ne 2
 434 .na
 435 \fB\fB-h\fR\fR
 436 .ad
 437 .RS 17n
 438 Changes the home directory.
 439 .RE
 440 
 441 .sp
 442 .ne 2
 443 .na
 444 \fB\fB-r\fR\fR
 445 .ad
 446 .RS 17n
 447 Specifies the repository to which an operation is applied. The supported
 448 repositories are \fBfiles\fR, \fBldap\fR, \fBnis\fR, or \fBnisplus\fR.
 449 .RE
 450 
 451 .sp
 452 .ne 2
 453 .na
 454 \fB\fB-s\fR \fIname\fR\fR
 455 .ad
 456 .RS 17n
 457 Shows password attributes for the login \fIname\fR. For the \fBnisplus\fR
 458 repository, this works for everyone. However for the \fBfiles\fR and \fBldap\fR
 459 repositories, this only works for the superuser. It does not work at all for
 460 the \fBnis\fR repository which does not support password aging.
 461 .sp
 462 The output of this option, and only this option is Stable and parsable. The
 463 format is \fIusername\fR followed by white space followed by one of the
 464 following codes.
 465 .sp
 466 New codes might be added in the future so code that parses this must be
 467 flexible in the face of unknown codes. While all existing codes are two
 468 characters in length that might not always be the case.
 469 .sp
 470 The following are the current status codes:
 471 .sp
 472 .ne 2
 473 .na
 474 \fB\fBLK\fR\fR
 475 .ad
 476 .RS 6n
 477 Account is locked for UNIX authenitcation. \fBpasswd -l\fR was run or the
 478 authentication failed \fBRETRIES\fR times.
 479 .RE
 480 
 481 .sp
 482 .ne 2
 483 .na
 484 \fB\fBNL\fR\fR
 485 .ad
 486 .RS 6n
 487 The account is a no login account. \fBpasswd -N\fR has been run.
 488 .RE
 489 
 490 .sp
 491 .ne 2
 492 .na
 493 \fB\fBNP\fR\fR
 494 .ad
 495 .RS 6n
 496 Account has no password. \fBpasswd -d\fR was run.
 497 .RE
 498 
 499 .sp
 500 .ne 2
 501 .na
 502 \fB\fBPS\fR\fR
 503 .ad
 504 .RS 6n
 505 The account probably has a valid password.
 506 .RE
 507 
 508 .sp
 509 .ne 2
 510 .na
 511 \fB\fBUN\fR\fR
 512 .ad
 513 .RS 6n
 514 The data in the password field is unknown. It is not a recognizable hashed
 515 password or any of the above entries. See \fBcrypt\fR(3C) for valid password
 516 hashes.
 517 .RE
 518 
 519 .RE
 520 
 521 .SS "Privileged User Options"
 522 .sp
 523 .LP
 524 Only a privileged user can use the following options:
 525 .sp
 526 .ne 2
 527 .na
 528 \fB\fB-d\fR\fR
 529 .ad
 530 .RS 11n
 531 Deletes password for \fIname\fR and unlocks the account. The login \fIname\fR
 532 is not prompted for password. It is only applicable to the \fBfiles\fR and
 533 \fBldap\fR repositories.
 534 .sp
 535 If the \fBlogin\fR(1) option \fBPASSREQ=YES\fR is configured, the account is
 536 not able to login. \fBPASSREQ=YES\fR is the delivered default.
 537 .RE
 538 
 539 .sp
 540 .ne 2
 541 .na
 542 \fB\fB-f\fR\fR
 543 .ad
 544 .RS 11n
 545 Forces the user to change password at the next login by expiring the password
 546 for \fIname\fR.
 547 .RE
 548 
 549 .sp
 550 .ne 2
 551 .na
 552 \fB\fB-l\fR\fR
 553 .ad
 554 .RS 11n
 555 Locks password entry for \fIname\fR. See the \fB-d\fR or \fB-u\fR option for
 556 unlocking the account.
 557 .RE
 558 
 559 .sp
 560 .ne 2
 561 .na
 562 \fB\fB-N\fR\fR
 563 .ad
 564 .RS 11n
 565 Makes the password entry for name a value that cannot be used for login, but
 566 does not lock the account. See the \fB-d\fR option for removing the value, or
 567 to set a password to allow logins.
 568 .RE
 569 
 570 .sp
 571 .ne 2
 572 .na
 573 \fB\fB-n\fR \fImin\fR\fR
 574 .ad
 575 .RS 11n
 576 Sets minimum field for \fIname\fR. The \fImin\fR field contains the minimum
 577 number of days between password changes for \fIname\fR. If \fImin\fR is greater
 578 than \fImax\fR, the user can not change the password. Always use this option
 579 with the \fB-x\fR option, unless \fImax\fR is set to \fB\(mi1\fR (aging turned
 580 off). In that case, \fImin\fR need not be set.
 581 .RE
 582 
 583 .sp
 584 .ne 2
 585 .na
 586 \fB\fB-u\fR\fR
 587 .ad
 588 .RS 11n
 589 Unlocks a locked password for entry name. See the \fB-d\fR option for removing
 590 the locked password, or to set a password to allow logins.
 591 .RE
 592 
 593 .sp
 594 .ne 2
 595 .na
 596 \fB\fB-w\fR \fIwarn\fR\fR
 597 .ad
 598 .RS 11n
 599 Sets warn field for \fIname\fR. The \fIwarn\fR field contains the number of
 600 days before the password expires and the user is warned. This option is not
 601 valid if password aging is disabled.
 602 .RE
 603 
 604 .sp
 605 .ne 2
 606 .na
 607 \fB\fB-x\fR \fImax\fR\fR
 608 .ad
 609 .RS 11n
 610 Sets maximum field for \fIname\fR. The \fImax\fR field contains the number of
 611 days that the password is valid for \fIname\fR. The aging for \fIname\fR is
 612 turned off immediately if \fImax\fR is set to \fB\(mi1\fR\&.
 613 .RE
 614 
 615 .SH OPERANDS
 616 .sp
 617 .LP
 618 The following operand is supported:
 619 .sp
 620 .ne 2
 621 .na
 622 \fB\fIname\fR\fR
 623 .ad
 624 .RS 8n
 625 User login name.
 626 .RE
 627 
 628 .SH ENVIRONMENT VARIABLES
 629 .sp
 630 .LP
 631 If any of the \fBLC_*\fR variables, that is, \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR,
 632 \fBLC_TIME\fR, \fBLC_COLLATE\fR, \fBLC_NUMERIC\fR, and \fBLC_MONETARY\fR (see
 633 \fBenviron\fR(5)), are not set in the environment, the operational behavior of
 634 \fBpasswd\fR for each corresponding locale category is determined by the value
 635 of the \fBLANG\fR environment variable. If \fBLC_ALL\fR is set, its contents
 636 are used to override both the \fBLANG\fR and the other \fBLC_*\fR variables. If
 637 none of the above variables is set in the environment, the \fBC\fR (U.S. style)
 638 locale determines how \fBpasswd\fR behaves.
 639 .sp
 640 .ne 2
 641 .na
 642 \fB\fBLC_CTYPE\fR\fR
 643 .ad
 644 .RS 15n
 645 Determines how \fBpasswd\fR handles characters. When \fBLC_CTYPE\fR is set to a
 646 valid value, \fBpasswd\fR can display and handle text and filenames containing
 647 valid characters for that locale. \fBpasswd\fR can display and handle Extended
 648 Unix Code (\fBEUC\fR) characters where any individual character can be 1, 2, or
 649 3 bytes wide. \fBpasswd\fR can also handle \fBEUC\fR characters of 1, 2, or
 650 more column widths. In the \fBC\fR locale, only characters from ISO 8859-1 are
 651 valid.
 652 .RE
 653 
 654 .sp
 655 .ne 2
 656 .na
 657 \fB\fBLC_MESSAGES\fR\fR
 658 .ad
 659 .RS 15n
 660 Determines how diagnostic and informative messages are presented. This includes
 661 the language and style of the messages, and the correct form of affirmative and
 662 negative responses. In the \fBC\fR locale, the messages are presented in the
 663 default form found in the program itself (in most cases, U.S. English).
 664 .RE
 665 
 666 .SH EXIT STATUS
 667 .sp
 668 .LP
 669 The \fBpasswd\fR command exits with one of the following values:
 670 .sp
 671 .ne 2
 672 .na
 673 \fB\fB0\fR\fR
 674 .ad
 675 .RS 6n
 676 Success.
 677 .RE
 678 
 679 .sp
 680 .ne 2
 681 .na
 682 \fB\fB1\fR\fR
 683 .ad
 684 .RS 6n
 685 Permission denied.
 686 .RE
 687 
 688 .sp
 689 .ne 2
 690 .na
 691 \fB\fB2\fR\fR
 692 .ad
 693 .RS 6n
 694 Invalid combination of options.
 695 .RE
 696 
 697 .sp
 698 .ne 2
 699 .na
 700 \fB\fB3\fR\fR
 701 .ad
 702 .RS 6n
 703 Unexpected failure. Password file unchanged.
 704 .RE
 705 
 706 .sp
 707 .ne 2
 708 .na
 709 \fB\fB4\fR\fR
 710 .ad
 711 .RS 6n
 712 Unexpected failure. Password file(s) missing.
 713 .RE
 714 
 715 .sp
 716 .ne 2
 717 .na
 718 \fB\fB5\fR\fR
 719 .ad
 720 .RS 6n
 721 Password file(s) busy. Try again later.
 722 .RE
 723 
 724 .sp
 725 .ne 2
 726 .na
 727 \fB\fB6\fR\fR
 728 .ad
 729 .RS 6n
 730 Invalid argument to option.
 731 .RE
 732 
 733 .sp
 734 .ne 2
 735 .na
 736 \fB\fB7\fR\fR
 737 .ad
 738 .RS 6n
 739 Aging option is disabled.
 740 .RE
 741 
 742 .sp
 743 .ne 2
 744 .na
 745 \fB\fB8\fR\fR
 746 .ad
 747 .RS 6n
 748 No memory.
 749 .RE
 750 
 751 .sp
 752 .ne 2
 753 .na
 754 \fB\fB9\fR\fR
 755 .ad
 756 .RS 6n
 757 System error.
 758 .RE
 759 
 760 .sp
 761 .ne 2
 762 .na
 763 \fB\fB10\fR\fR
 764 .ad
 765 .RS 6n
 766 Account expired.
 767 .RE
 768 
 769 .SH FILES
 770 .sp
 771 .ne 2
 772 .na
 773 \fB\fB/etc/default/passwd\fR\fR
 774 .ad
 775 .RS 23n
 776 Default values can be set for the following flags in \fB/etc/default/passwd\fR.
 777 For example: \fBMAXWEEKS=26\fR
 778 .sp
 779 .ne 2
 780 .na
 781 \fB\fBDICTIONDBDIR\fR\fR
 782 .ad
 783 .RS 16n
 784 The directory where the generated dictionary databases reside. Defaults to
 785 \fB/var/passwd\fR.
 786 .sp
 787 If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
 788 does not perform a dictionary check.
 789 .RE
 790 
 791 .sp
 792 .ne 2
 793 .na
 794 \fB\fBDICTIONLIST\fR\fR
 795 .ad
 796 .RS 16n
 797 DICTIONLIST can contain list of comma separated dictionary files such as
 798 \fBDICTIONLIST=\fR\fIfile1\fR, \fIfile2\fR, \fIfile3\fR. Each dictionary file
 799 contains multiple lines and each line consists of a word and a NEWLINE
 800 character (similar to \fB/usr/share/lib/dict/words\fR.) You must specify full
 801 pathnames. The words from these files are merged into a database that is used
 802 to determine whether a password is based on a dictionary word.
 803 .sp
 804 If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
 805 does not perform a dictionary check.
 806 .sp
 807 To pre-build the dictionary database, see \fBmkpwdict\fR(1M).
 808 .RE
 809 
 810 .sp
 811 .ne 2
 812 .na
 813 \fB\fBHISTORY\fR\fR
 814 .ad
 815 .RS 16n
 816 Maximum number of prior password history to keep for a user. Setting the
 817 \fBHISTORY\fR value to zero (\fB0\fR), or removing the flag, causes the prior
 818 password history of all users to be discarded at the next password change by
 819 any user. The default is not to define the \fBHISTORY\fR flag. The maximum
 820 value is \fB26.\fR Currently, this functionality is enforced only for user
 821 accounts defined in the \fBfiles\fR name service (local
 822 \fBpasswd\fR(4)/\fBshadow\fR(4)).
 823 .RE
 824 
 825 .sp
 826 .ne 2
 827 .na
 828 \fB\fBMAXREPEATS\fR\fR
 829 .ad
 830 .RS 16n
 831 Maximum number of allowable consecutive repeating characters. If
 832 \fBMAXREPEATS\fR is not set or is zero (\fB0\fR), the default is no checks
 833 .RE
 834 
 835 .sp
 836 .ne 2
 837 .na
 838 \fB\fBMAXWEEKS\fR\fR
 839 .ad
 840 .RS 16n
 841 Maximum time period that password is valid.
 842 .RE
 843 
 844 .sp
 845 .ne 2
 846 .na
 847 \fB\fBMINALPHA\fR\fR
 848 .ad
 849 .RS 16n
 850 Minimum number of alpha character required. If \fBMINALPHA\fR is not set, the
 851 default is \fB2\fR.
 852 .RE
 853 
 854 .sp
 855 .ne 2
 856 .na
 857 \fB\fBMINDIFF\fR\fR
 858 .ad
 859 .RS 16n
 860 Minimum differences required between an old and a new password. If
 861 \fBMINDIFF\fR is not set, the default is \fB3\fR.
 862 .RE
 863 
 864 .sp
 865 .ne 2
 866 .na
 867 \fB\fBMINDIGIT\fR\fR
 868 .ad
 869 .RS 16n
 870 Minimum number of digits required. If \fBMINDIGIT\fR is not set or is set to
 871 zero (\fB0\fR), the default is no checks. You cannot be specify \fBMINDIGIT\fR
 872 if \fBMINNONALPHA\fR is also specified.
 873 .RE
 874 
 875 .sp
 876 .ne 2
 877 .na
 878 \fB\fBMINLOWER\fR\fR
 879 .ad
 880 .RS 16n
 881 Minimum number of lower case letters required. If not set or zero (0), the
 882 default is no checks.
 883 .RE
 884 
 885 .sp
 886 .ne 2
 887 .na
 888 \fB\fBMINNONALPHA\fR\fR
 889 .ad
 890 .RS 16n
 891 Minimum number of non-alpha (including numeric and special) required. If
 892 \fBMINNONALPHA\fR is not set, the default is \fB1\fR. You cannot specify
 893 \fBMINNONALPHA\fR if \fBMINDIGIT\fR or \fBMINSPECIAL\fR is also specified.
 894 .RE
 895 
 896 .sp
 897 .ne 2
 898 .na
 899 \fB\fBMINWEEKS\fR\fR
 900 .ad
 901 .RS 16n
 902 Minimum time period before the password can be changed.
 903 .RE
 904 
 905 .sp
 906 .ne 2
 907 .na
 908 \fB\fBMINSPECIAL\fR\fR
 909 .ad
 910 .RS 16n
 911 Minimum number of special (non-alpha and non-digit) characters required. If
 912 \fBMINSPECIAL\fR is not set or is zero (\fB0\fR), the default is no checks. You
 913 cannot specify \fBMINSPECIAL\fR if you also specify \fBMINNONALPHA\fR.
 914 .RE
 915 
 916 .sp
 917 .ne 2
 918 .na
 919 \fB\fBMINUPPER\fR\fR
 920 .ad
 921 .RS 16n
 922 Minimum number of upper case letters required. If \fBMINUPPER\fR is not set or
 923 is zero (\fB0\fR), the default is no checks.
 924 .RE
 925 
 926 .sp
 927 .ne 2
 928 .na
 929 \fB\fBNAMECHECK\fR\fR
 930 .ad
 931 .RS 16n
 932 Enable/disable checking or the login name. The default is to do login name
 933 checking. A case insensitive value of \fBno\fR disables this feature.
 934 .RE
 935 
 936 .sp
 937 .ne 2
 938 .na
 939 \fB\fBPASSLENGTH\fR\fR
 940 .ad
 941 .RS 16n
 942 Minimum length of password, in characters.
 943 .RE
 944 
 945 .sp
 946 .ne 2
 947 .na
 948 \fB\fBWARNWEEKS\fR\fR
 949 .ad
 950 .RS 16n
 951 Time period until warning of date of password's ensuing expiration.
 952 .RE
 953 
 954 .sp
 955 .ne 2
 956 .na
 957 \fB\fBWHITESPACE\fR\fR
 958 .ad
 959 .RS 16n
 960 Determine if white space characters are allowed in passwords. Valid values are
 961 \fBYES\fR and \fBNO\fR. If \fBWHITESPACE\fR is not set or is set to \fBYES\fR,
 962 white space characters are allowed.
 963 .RE
 964 
 965 .RE
 966 
 967 .sp
 968 .ne 2
 969 .na
 970 \fB\fB/etc/oshadow\fR\fR
 971 .ad
 972 .RS 23n
 973 Temporary file used by \fBpasswd\fR, \fBpassmgmt\fR and \fBpwconv\fR to update
 974 the real shadow file.
 975 .RE
 976 
 977 .sp
 978 .ne 2
 979 .na
 980 \fB\fB/etc/passwd\fR\fR
 981 .ad
 982 .RS 23n
 983 Password file.
 984 .RE
 985 
 986 .sp
 987 .ne 2
 988 .na
 989 \fB\fB/etc/shadow\fR\fR
 990 .ad
 991 .RS 23n
 992 Shadow password file.
 993 .RE
 994 
 995 .sp
 996 .ne 2
 997 .na
 998 \fB\fB/etc/shells\fR\fR
 999 .ad
1000 .RS 23n
1001 Shell database.
1002 .RE
1003 
1004 .SH ATTRIBUTES
1005 .sp
1006 .LP
1007 See \fBattributes\fR(5) for descriptions of the following attributes:
1008 .sp
1009 
1010 .sp
1011 .TS
1012 box;
1013 c | c
1014 l | l .
1015 ATTRIBUTE TYPE  ATTRIBUTE VALUE
1016 _
1017 CSI     Enabled
1018 _
1019 Interface Stability     See below.
1020 .TE
1021 
1022 .sp
1023 .LP
1024 The human readable output is Uncommitted. The options are Committed.
1025 .SH SEE ALSO
1026 .sp
1027 .LP
1028 \fBat\fR(1), \fBbatch\fR(1), \fBfinger\fR(1), \fBkpasswd\fR(1), \fBlogin\fR(1),
1029 \fBnistbladm\fR(1), \fBcron\fR(1M), \fBdomainname\fR(1M), \fBeeprom\fR(1M),
1030 \fBid\fR(1M), \fBldapclient\fR(1M), \fBmkpwdict\fR(1M), \fBpassmgmt\fR(1M),
1031 \fBpwconv\fR(1M), \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M),
1032 \fBusermod\fR(1M), \fBcrypt\fR(3C), \fBgetpwnam\fR(3C), \fBgetspnam\fR(3C),
1033 \fBgetusershell\fR(3C), \fBnis_local_directory\fR(3NSL), \fBpam\fR(3PAM),
1034 \fBloginlog\fR(4), \fBnsswitch.conf\fR(4), \fBpam.conf\fR(4), \fBpasswd\fR(4),
1035 \fBpolicy.conf\fR(4), \fBshadow\fR(4), \fBshells\fR(4), \fBattributes\fR(5),
1036 \fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
1037 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_ldap\fR(5),
1038 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5)
1039 .SH NOTES
1040 .sp
1041 .LP
1042 The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
1043 provided by \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
1044 \fBpam_unix_session\fR(5), \fBpam_authtok_check\fR(5),
1045 \fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), and
1046 \fBpam_passwd_auth\fR(5).
1047 .sp
1048 .LP
1049 The \fBnispasswd\fR and \fBypasswd\fR commands are wrappers around
1050 \fBpasswd\fR. Use of \fBnispasswd\fR and \fBypasswd\fR is discouraged. Use
1051 \fBpasswd\fR \fB-r\fR \fIrepository_name\fR instead.
1052 .sp
1053 .LP
1054 NIS+ might not be supported in future releases of the Solaris operating system.
1055 Tools to aid the migration from NIS+ to LDAP are available in the current
1056 Solaris release. For more information, visit
1057 http://www.sun.com/directory/nisplus/transition.html.
1058 .sp
1059 .LP
1060 Changing a password in the \fBfiles\fR and \fBldap\fR repositories clears the
1061 failed login count.
1062 .sp
1063 .LP
1064 Changing a password reactivates an account deactivated for inactivity for the
1065 length of the inactivity period.
1066 .sp
1067 .LP
1068 If \fB/etc/shells\fR is present, and is corrupted, it may provide an attack
1069 vector that would compromise the system.  The \fBgetusershell\fR(3c) library
1070 call has a pre-vetted list of shells, so /etc/shells should be used with
1071 caution.
1072 .sp
1073 .LP
1074 Input terminal processing might interpret some key sequences and not pass them
1075 to the \fBpasswd\fR command.
1076 .sp
1077 .LP
1078 An account with no password, status code \fBNP\fR, might not be able to login.
1079 See the \fBlogin\fR(1) \fBPASSREQ\fR option.