3798 Typo in passwd(1) man page
--- old/usr/src/man/man1/passwd.1
+++ new/usr/src/man/man1/passwd.1
1 1 '\" te
2 2 .\" Copyright 1989 AT&T
3 3 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
4 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
6 6 .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.TH PASSWD 1 "Feb 25, 2009"
7 +.TH PASSWD 1 "May 31, 2013"
8 8 .SH NAME
9 9 passwd \- change login password and password attributes
10 10 .SH SYNOPSIS
11 11 .LP
12 12 .nf
13 13 \fBpasswd\fR [\fB-r\fR files | \fB-r\fR ldap | \fB-r\fR nis | \fB-r\fR nisplus] [\fIname\fR]
14 14 .fi
15 15
16 16 .LP
17 17 .nf
18 18 \fBpasswd\fR [\fB-r\fR files] [\fB-egh\fR] [\fIname\fR]
19 19 .fi
20 20
21 21 .LP
22 22 .nf
23 23 \fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fB-a\fR]
24 24 .fi
25 25
26 26 .LP
27 27 .nf
28 28 \fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fIname\fR]
29 29 .fi
30 30
31 31 .LP
32 32 .nf
33 33 \fBpasswd\fR [\fB-r\fR files] [\fB-d\fR | \fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR]
34 34 [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
35 35 .fi
36 36
37 37 .LP
38 38 .nf
39 39 \fBpasswd\fR \fB-r\fR ldap [\fB-egh\fR] [\fIname\fR]
40 40 .fi
41 41
42 42 .LP
43 43 .nf
44 44 \fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fB-a\fR]
45 45 .fi
46 46
47 47 .LP
48 48 .nf
49 49 \fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fIname\fR]
50 50 .fi
51 51
52 52 .LP
53 53 .nf
54 54 \fBpasswd\fR \fB-r\fR ldap [\fB-d | -l | -u | -N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
55 55 .fi
56 56
57 57 .LP
58 58 .nf
59 59 \fBpasswd\fR \fB-r\fR nis [\fB-egh\fR] [\fIname\fR]
60 60 .fi
61 61
62 62 .LP
63 63 .nf
64 64 \fBpasswd\fR \fB-r\fR nisplus [\fB-egh\fR] [\fB-D\fR \fIdomainname\fR] [\fIname\fR]
65 65 .fi
66 66
67 67 .LP
68 68 .nf
69 69 \fBpasswd\fR \fB-r\fR nisplus \fB-s\fR [\fB-a\fR]
70 70 .fi
71 71
72 72 .LP
73 73 .nf
74 74 \fBpasswd\fR \fB-r\fR nisplus [\fB-D\fR \fIdomainname\fR] \fB-s\fR [\fIname\fR]
75 75 .fi
76 76
77 77 .LP
78 78 .nf
79 79 \fBpasswd\fR \fB-r\fR nisplus [\fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR]
80 80 [\fB-x\fR \fImax\fR] [\fB-D\fR \fIdomainname\fR] \fIname\fR
81 81 .fi
82 82
83 83 .SH DESCRIPTION
84 84 .sp
85 85 .LP
86 86 The \fBpasswd\fR command changes the password or lists password attributes
87 87 associated with the user's login \fIname\fR. Additionally, privileged users can
88 88 use \fBpasswd\fR to install or change passwords and attributes associated with
89 89 any login \fIname\fR.
90 90 .sp
91 91 .LP
92 92 When used to change a password, \fBpasswd\fR prompts everyone for their old
93 93 password, if any. It then prompts for the new password twice. When the old
94 94 password is entered, \fBpasswd\fR checks to see if it has aged sufficiently. If
95 95 \fBaging\fR is insufficient, \fBpasswd\fR terminates; see \fBpwconv\fR(1M),
96 96 \fBnistbladm\fR(1), and \fBshadow\fR(4) for additional information.
97 97 .sp
98 98 .LP
99 99 The \fBpwconv\fR command creates and updates \fB/etc/shadow\fR with information
100 100 from \fB/etc/passwd\fR. \fBpwconv\fR relies on a special value of \fBx\fR in
101 101 the password field of \fB/etc/passwd\fR. This value of \fBx\fRindicates that
102 102 the password for the user is already in \fB/etc/shadow\fR and should not be
103 103 modified.
104 104 .sp
105 105 .LP
106 106 If aging is sufficient, a check is made to ensure that the new password meets
107 107 construction requirements. When the new password is entered a second time, the
108 108 two copies of the new password are compared. If the two copies are not
109 109 identical, the cycle of prompting for the new password is repeated for, at
110 110 most, two more times.
111 111 .sp
112 112 .LP
113 113 Passwords must be constructed to meet the following requirements:
114 114 .RS +4
115 115 .TP
116 116 .ie t \(bu
117 117 .el o
118 118 Each password must have \fBPASSLENGTH\fR characters, where \fBPASSLENGTH\fR is
119 119 defined in \fB/etc/default/passwd\fR and is set to \fB6\fR. Setting
120 120 \fBPASSLENGTH\fR to more than eight characters requires configuring
121 121 \fBpolicy.conf\fR(4) with an algorithm that supports greater than eight
122 122 characters.
123 123 .RE
124 124 .RS +4
125 125 .TP
126 126 .ie t \(bu
127 127 .el o
128 128 Each password must meet the configured complexity constraints specified in
129 129 \fB/etc/default/passwd\fR.
130 130 .RE
131 131 .RS +4
132 132 .TP
133 133 .ie t \(bu
134 134 .el o
135 135 Each password must not be a member of the configured dictionary as specified in
136 136 \fB/etc/default/passwd\fR.
137 137 .RE
138 138 .RS +4
139 139 .TP
140 140 .ie t \(bu
141 141 .el o
142 142 For accounts in name services which support password history checking, if prior
143 143 password history is defined, new passwords must not be contained in the prior
144 144 password history.
145 145 .RE
146 146 .sp
147 147 .LP
148 148 If all requirements are met, by default, the \fBpasswd\fR command consults
149 149 \fB/etc/nsswitch.conf\fR to determine in which repositories to perform password
150 150 update. It searches the \fBpasswd\fR and \fBpasswd_compat\fR entries. The
151 151 sources (repositories) associated with these entries are updated. However, the
152 152 password update configurations supported are limited to the following cases.
153 153 Failure to comply with the configurations prevents users from logging onto the
154 154 system. The password update configurations are:
155 155 .RS +4
156 156 .TP
157 157 .ie t \(bu
158 158 .el o
159 159 \fBpasswd: files\fR
160 160 .RE
161 161 .RS +4
162 162 .TP
163 163 .ie t \(bu
164 164 .el o
165 165 \fBpasswd: files ldap\fR
166 166 .RE
167 167 .RS +4
168 168 .TP
169 169 .ie t \(bu
170 170 .el o
171 171 \fBpasswd: files nis\fR
172 172 .RE
173 173 .RS +4
174 174 .TP
175 175 .ie t \(bu
176 176 .el o
177 177 \fBpasswd: files nisplus\fR
178 178 .RE
179 179 .RS +4
180 180 .TP
181 181 .ie t \(bu
182 182 .el o
183 183 \fBpasswd: compat\fR (==> files nis)
184 184 .RE
185 185 .RS +4
186 186 .TP
187 187 .ie t \(bu
188 188 .el o
189 189 \fBpasswd: compat\fR (==> files ldap)
190 190 .sp
191 191 \fBpasswd_compat: ldap\fR
192 192 .RE
193 193 .RS +4
194 194 .TP
195 195 .ie t \(bu
196 196 .el o
197 197 \fBpasswd: compat\fR (==> files nisplus)
198 198 .sp
199 199 \fBpasswd_compat: nisplus\fR
200 200 .RE
201 201 .sp
202 202 .LP
203 203 You can add the \fBad\fR keyword to any of the \fBpasswd\fR configurations in
204 204 the above list. However, you cannot use the \fBpasswd\fR command to change the
205 205 password of an Active Directory (AD) user. If the \fBad\fR keyword is found in
206 206 the \fBpasswd\fR entry during a password update operation, it is ignored. To
207 207 update the password of an AD user, use the \fBkpasswd\fR(1) command.
208 208 .sp
209 209 .LP
210 210 Network administrators, who own the NIS+ password table, can change any
211 211 password attributes. The administrator configured for updating LDAP shadow
212 212 information can also change any password attributes. See \fBldapclient\fR(1M).
213 213 .sp
214 214 .LP
215 215 When a user has a password stored in one of the name services as well as a
216 216 local \fBfiles\fR entry, the \fBpasswd\fR command updates both. It is possible
217 217 to have different passwords in the name service and local files entry. Use
218 218 \fBpasswd\fR \fB-r\fR to change a specific password repository.
219 219 .sp
220 220 .LP
221 221 In the \fBfiles\fR case, super-users (for instance, real and effective uid
222 222 equal to \fB0\fR, see \fBid\fR(1M) and \fBsu\fR(1M)) can change any password.
223 223 Hence, \fBpasswd\fR does not prompt privileged users for the old password.
224 224 Privileged users are not forced to comply with password aging and password
225 225 construction requirements. A privileged user can create a null password by
226 226 entering a carriage return in response to the prompt for a new password. (This
227 227 differs from \fBpasswd\fR \fB-d\fR because the \fBpassword\fR prompt is still
228 228 displayed.) If NIS is in effect, superuser on the root master can change any
229 229 password without being prompted for the old NIS \fBpasswd\fR, and is not forced
230 230 to comply with password construction requirements.
231 231 .sp
232 232 .LP
233 233 If LDAP is in effect, superuser on any Native LDAP client system can change any
234 234 password without being prompted for the old LDAP passwd, and is not forced to
235 235 comply with password construction requirements.
236 236 .sp
237 237 .LP
238 238 Normally, \fBpasswd\fR entered with no arguments changes the password of the
239 239 current user. When a user logs in and then invokes \fBsu\fR(1M) to become
240 240 superuser or another user, \fBpasswd\fR changes the original user's password,
241 241 not the password of the superuser or the new user.
242 242 .sp
243 243 .LP
244 244 Any user can use the \fB-s\fR option to show password attributes for his or her
245 245 own login \fIname\fR, provided they are using the \fB-r\fR \fBnisplus\fR
246 246 argument. Otherwise, the \fB-s\fR argument is restricted to the superuser.
247 247 .sp
248 248 .LP
249 249 The format of the display is:
250 250 .sp
251 251 .in +2
252 252 .nf
253 253 \fIname status mm/dd/yy min max warn\fR
254 254 .fi
255 255 .in -2
256 256 .sp
257 257
258 258 .sp
259 259 .LP
260 260 or, if password aging information is not present,
261 261 .sp
262 262 .in +2
263 263 .nf
264 264 \fIname status\fR
265 265 .fi
266 266 .in -2
267 267 .sp
268 268
269 269 .sp
270 270 .LP
271 271 where
272 272 .sp
273 273 .ne 2
274 274 .na
275 275 \fB\fIname\fR\fR
276 276 .ad
277 277 .RS 12n
278 278 The login \fBID\fR of the user.
279 279 .RE
280 280
281 281 .sp
282 282 .ne 2
283 283 .na
284 284 \fB\fIstatus\fR\fR
285 285 .ad
286 286 .RS 12n
287 287 The password status of \fIname\fR.
288 288 .sp
289 289 The \fIstatus\fR field can take the following values:
290 290 .sp
291 291 .ne 2
292 292 .na
293 293 \fBLK\fR
294 294 .ad
295 295 .RS 6n
296 296 This account is \fBlocked\fR account. See Security.
297 297 .RE
298 298
299 299 .sp
300 300 .ne 2
301 301 .na
302 302 \fBNL\fR
303 303 .ad
304 304 .RS 6n
305 305 This account is a \fBno login\fR account. See \fBSecurity\fR.
306 306 .RE
307 307
308 308 .sp
309 309 .ne 2
310 310 .na
311 311 \fBNP\fR
312 312 .ad
313 313 .RS 6n
314 314 This account has no password and is therefore open without authentication.
315 315 .RE
316 316
317 317 .sp
318 318 .ne 2
319 319 .na
320 320 \fBPS\fR
321 321 .ad
322 322 .RS 6n
323 323 This account has a password.
324 324 .RE
325 325
326 326 .RE
327 327
328 328 .sp
329 329 .ne 2
330 330 .na
331 331 \fB\fImm/dd/yy\fR\fR
332 332 .ad
333 333 .RS 12n
334 334 The date password was last changed for \fIname\fR. All password aging dates are
335 335 determined using Greenwich Mean Time (Universal Time) and therefore can differ
336 336 by as much as a day in other time zones.
337 337 .RE
338 338
339 339 .sp
340 340 .ne 2
341 341 .na
342 342 \fB\fImin\fR\fR
343 343 .ad
344 344 .RS 12n
345 345 The minimum number of days required between password changes for \fIname\fR.
346 346 \fBMINWEEKS\fR is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
347 347 .RE
348 348
349 349 .sp
350 350 .ne 2
351 351 .na
352 352 \fB\fImax\fR\fR
353 353 .ad
354 354 .RS 12n
355 355 The maximum number of days the password is valid for \fIname\fR. \fBMAXWEEKS\fR
356 356 is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
357 357 .RE
358 358
359 359 .sp
360 360 .ne 2
361 361 .na
362 362 \fB\fIwarn\fR\fR
363 363 .ad
364 364 .RS 12n
365 365 The number of days relative to \fImax\fR before the password expires and the
366 366 \fIname\fR are warned.
367 367 .RE
368 368
369 369 .SS "Security"
370 370 .sp
371 371 .LP
372 372 \fBpasswd\fR uses \fBpam\fR(3PAM) for password change. It calls PAM with a
373 373 service name \fBpasswd\fR and uses service module type \fBauth\fR for
374 374 authentication and password for password change.
375 375 .sp
376 376 .LP
377 377 Locking an account (\fB-l\fR option) does not allow its use for password based
378 378 login or delayed execution (such as \fBat\fR(1), \fBbatch\fR(1), or
379 379 \fBcron\fR(1M)). The \fB-N\fR option can be used to disallow password based
380 380 login, while continuing to allow delayed execution.
381 381 .SH OPTIONS
382 382 .sp
383 383 .LP
384 384 The following options are supported:
385 385 .sp
386 386 .ne 2
387 387 .na
388 388 \fB\fB-a\fR\fR
389 389 .ad
390 390 .RS 17n
391 391 Shows password attributes for all entries. Use only with the \fB-s\fR option.
392 392 \fIname\fR must not be provided. For the \fBnisplus\fR repository, this shows
393 393 only the entries in the NIS+ password table in the local domain that the
394 394 invoker is authorized to read. For the \fBfiles\fR and \fBldap\fR repositories,
395 395 this is restricted to the superuser.
396 396 .RE
397 397
398 398 .sp
399 399 .ne 2
400 400 .na
401 401 \fB\fB-D\fR \fIdomainname\fR\fR
402 402 .ad
403 403 .RS 17n
404 404 Consults the \fBpasswd.org_dir\fR table in \fBdomainname\fR. If this option is
405 405 not specified, the default \fBdomainname\fR returned by
406 406 \fBnis_local_directory\fR(3NSL) are used. This domain name is the same as that
407 407 returned by \fBdomainname\fR(1M).
408 408 .RE
409 409
410 410 .sp
411 411 .ne 2
412 412 .na
413 413 \fB\fB-e\fR\fR
414 414 .ad
415 415 .RS 17n
416 416 Changes the login shell. The choice of shell is limited by the requirements
417 417 of \fBgetusershell\fR(3C). If the user currently has a shell that is not
418 418 allowed by \fBgetusershell\fR, only root can change it.
419 419 .RE
420 420
421 421 .sp
422 422 .ne 2
423 423 .na
424 424 \fB\fB-g\fR\fR
425 425 .ad
426 426 .RS 17n
427 427 Changes the gecos (finger) information. For the \fBfiles\fR repository, this
428 428 only works for the superuser. Normal users can change the \fBldap\fR,
429 429 \fBnis\fR, or \fBnisplus\fR repositories.
430 430 .RE
431 431
432 432 .sp
433 433 .ne 2
434 434 .na
435 435 \fB\fB-h\fR\fR
436 436 .ad
437 437 .RS 17n
438 438 Changes the home directory.
439 439 .RE
440 440
441 441 .sp
442 442 .ne 2
443 443 .na
444 444 \fB\fB-r\fR\fR
445 445 .ad
446 446 .RS 17n
447 447 Specifies the repository to which an operation is applied. The supported
448 448 repositories are \fBfiles\fR, \fBldap\fR, \fBnis\fR, or \fBnisplus\fR.
449 449 .RE
450 450
451 451 .sp
452 452 .ne 2
453 453 .na
454 454 \fB\fB-s\fR \fIname\fR\fR
455 455 .ad
456 456 .RS 17n
457 457 Shows password attributes for the login \fIname\fR. For the \fBnisplus\fR
458 458 repository, this works for everyone. However for the \fBfiles\fR and \fBldap\fR
459 459 repositories, this only works for the superuser. It does not work at all for
460 460 the \fBnis\fR repository which does not support password aging.
461 461 .sp
462 462 The output of this option, and only this option is Stable and parsable. The
463 463 format is \fIusername\fR followed by white space followed by one of the
464 464 following codes.
465 465 .sp
466 466 New codes might be added in the future so code that parses this must be
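Review bot: the typo pass stops short in this part of the file. Line 101 has `\fBx\fRindicates`, which renders as "xindicates" because the space after `\fR` is missing, and line 296 reads "This account is \fBlocked\fR account", missing the article that line 305 has ("This account is a \fBno login\fR account"). Since the .TH date is already bumped for this change, fix both here; line 296 could also bold "Security" to match line 305.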
467 467 flexible in the face of unknown codes. While all existing codes are two
468 468 characters in length that might not always be the case.
469 469 .sp
470 470 The following are the current status codes:
471 471 .sp
472 472 .ne 2
473 473 .na
474 474 \fB\fBLK\fR\fR
475 475 .ad
476 476 .RS 6n
477 -Account is locked for UNIX authenitcation. \fBpasswd -l\fR was run or the
477 +Account is locked for UNIX authentication. \fBpasswd -l\fR was run or the
478 478 authentication failed \fBRETRIES\fR times.
479 479 .RE
480 480
481 481 .sp
482 482 .ne 2
483 483 .na
484 484 \fB\fBNL\fR\fR
485 485 .ad
486 486 .RS 6n
487 487 The account is a no login account. \fBpasswd -N\fR has been run.
488 488 .RE
489 489
490 490 .sp
491 491 .ne 2
492 492 .na
493 493 \fB\fBNP\fR\fR
494 494 .ad
495 495 .RS 6n
496 496 Account has no password. \fBpasswd -d\fR was run.
497 497 .RE
498 498
499 499 .sp
500 500 .ne 2
501 501 .na
502 502 \fB\fBPS\fR\fR
503 503 .ad
504 504 .RS 6n
505 505 The account probably has a valid password.
506 506 .RE
507 507
508 508 .sp
509 509 .ne 2
510 510 .na
511 511 \fB\fBUN\fR\fR
512 512 .ad
513 513 .RS 6n
514 514 The data in the password field is unknown. It is not a recognizable hashed
515 515 password or any of the above entries. See \fBcrypt\fR(3C) for valid password
516 516 hashes.
517 517 .RE
518 518
519 519 .RE
520 520
521 521 .SS "Privileged User Options"
522 522 .sp
523 523 .LP
524 524 Only a privileged user can use the following options:
525 525 .sp
526 526 .ne 2
527 527 .na
528 528 \fB\fB-d\fR\fR
529 529 .ad
530 530 .RS 11n
531 531 Deletes password for \fIname\fR and unlocks the account. The login \fIname\fR
532 532 is not prompted for password. It is only applicable to the \fBfiles\fR and
533 533 \fBldap\fR repositories.
534 534 .sp
535 535 If the \fBlogin\fR(1) option \fBPASSREQ=YES\fR is configured, the account is
536 536 not able to login. \fBPASSREQ=YES\fR is the delivered default.
537 537 .RE
538 538
539 539 .sp
540 540 .ne 2
541 541 .na
542 542 \fB\fB-f\fR\fR
543 543 .ad
544 544 .RS 11n
545 545 Forces the user to change password at the next login by expiring the password
546 546 for \fIname\fR.
547 547 .RE
548 548
549 549 .sp
550 550 .ne 2
551 551 .na
552 552 \fB\fB-l\fR\fR
553 553 .ad
554 554 .RS 11n
555 555 Locks password entry for \fIname\fR. See the \fB-d\fR or \fB-u\fR option for
556 556 unlocking the account.
557 557 .RE
558 558
559 559 .sp
560 560 .ne 2
561 561 .na
562 562 \fB\fB-N\fR\fR
563 563 .ad
564 564 .RS 11n
565 565 Makes the password entry for name a value that cannot be used for login, but
566 566 does not lock the account. See the \fB-d\fR option for removing the value, or
567 567 to set a password to allow logins.
568 568 .RE
569 569
570 570 .sp
571 571 .ne 2
572 572 .na
573 573 \fB\fB-n\fR \fImin\fR\fR
574 574 .ad
575 575 .RS 11n
576 576 Sets minimum field for \fIname\fR. The \fImin\fR field contains the minimum
577 577 number of days between password changes for \fIname\fR. If \fImin\fR is greater
578 578 than \fImax\fR, the user can not change the password. Always use this option
579 579 with the \fB-x\fR option, unless \fImax\fR is set to \fB\(mi1\fR (aging turned
580 580 off). In that case, \fImin\fR need not be set.
581 581 .RE
582 582
583 583 .sp
584 584 .ne 2
585 585 .na
586 586 \fB\fB-u\fR\fR
587 587 .ad
588 588 .RS 11n
589 589 Unlocks a locked password for entry name. See the \fB-d\fR option for removing
590 590 the locked password, or to set a password to allow logins.
591 591 .RE
592 592
593 593 .sp
594 594 .ne 2
595 595 .na
596 596 \fB\fB-w\fR \fIwarn\fR\fR
597 597 .ad
598 598 .RS 11n
599 599 Sets warn field for \fIname\fR. The \fIwarn\fR field contains the number of
600 600 days before the password expires and the user is warned. This option is not
601 601 valid if password aging is disabled.
602 602 .RE
603 603
604 604 .sp
605 605 .ne 2
606 606 .na
607 607 \fB\fB-x\fR \fImax\fR\fR
608 608 .ad
609 609 .RS 11n
610 610 Sets maximum field for \fIname\fR. The \fImax\fR field contains the number of
611 611 days that the password is valid for \fIname\fR. The aging for \fIname\fR is
612 612 turned off immediately if \fImax\fR is set to \fB\(mi1\fR\&.
613 613 .RE
614 614
615 615 .SH OPERANDS
616 616 .sp
617 617 .LP
618 618 The following operand is supported:
619 619 .sp
620 620 .ne 2
621 621 .na
622 622 \fB\fIname\fR\fR
623 623 .ad
624 624 .RS 8n
625 625 User login name.
626 626 .RE
627 627
628 628 .SH ENVIRONMENT VARIABLES
629 629 .sp
630 630 .LP
631 631 If any of the \fBLC_*\fR variables, that is, \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR,
632 632 \fBLC_TIME\fR, \fBLC_COLLATE\fR, \fBLC_NUMERIC\fR, and \fBLC_MONETARY\fR (see
633 633 \fBenviron\fR(5)), are not set in the environment, the operational behavior of
634 634 \fBpasswd\fR for each corresponding locale category is determined by the value
635 635 of the \fBLANG\fR environment variable. If \fBLC_ALL\fR is set, its contents
636 636 are used to override both the \fBLANG\fR and the other \fBLC_*\fR variables. If
637 637 none of the above variables is set in the environment, the \fBC\fR (U.S. style)
638 638 locale determines how \fBpasswd\fR behaves.
639 639 .sp
640 640 .ne 2
641 641 .na
642 642 \fB\fBLC_CTYPE\fR\fR
643 643 .ad
644 644 .RS 15n
645 645 Determines how \fBpasswd\fR handles characters. When \fBLC_CTYPE\fR is set to a
646 646 valid value, \fBpasswd\fR can display and handle text and filenames containing
647 647 valid characters for that locale. \fBpasswd\fR can display and handle Extended
648 648 Unix Code (\fBEUC\fR) characters where any individual character can be 1, 2, or
649 649 3 bytes wide. \fBpasswd\fR can also handle \fBEUC\fR characters of 1, 2, or
650 650 more column widths. In the \fBC\fR locale, only characters from ISO 8859-1 are
651 651 valid.
652 652 .RE
653 653
654 654 .sp
655 655 .ne 2
656 656 .na
657 657 \fB\fBLC_MESSAGES\fR\fR
658 658 .ad
659 659 .RS 15n
660 660 Determines how diagnostic and informative messages are presented. This includes
661 661 the language and style of the messages, and the correct form of affirmative and
662 662 negative responses. In the \fBC\fR locale, the messages are presented in the
663 663 default form found in the program itself (in most cases, U.S. English).
664 664 .RE
665 665
666 666 .SH EXIT STATUS
667 667 .sp
668 668 .LP
669 669 The \fBpasswd\fR command exits with one of the following values:
670 670 .sp
671 671 .ne 2
672 672 .na
673 673 \fB\fB0\fR\fR
674 674 .ad
675 675 .RS 6n
676 676 Success.
677 677 .RE
678 678
679 679 .sp
680 680 .ne 2
681 681 .na
682 682 \fB\fB1\fR\fR
683 683 .ad
684 684 .RS 6n
685 685 Permission denied.
686 686 .RE
687 687
688 688 .sp
689 689 .ne 2
690 690 .na
691 691 \fB\fB2\fR\fR
692 692 .ad
693 693 .RS 6n
694 694 Invalid combination of options.
695 695 .RE
696 696
697 697 .sp
698 698 .ne 2
699 699 .na
700 700 \fB\fB3\fR\fR
701 701 .ad
702 702 .RS 6n
703 703 Unexpected failure. Password file unchanged.
704 704 .RE
705 705
706 706 .sp
707 707 .ne 2
708 708 .na
709 709 \fB\fB4\fR\fR
710 710 .ad
711 711 .RS 6n
712 712 Unexpected failure. Password file(s) missing.
713 713 .RE
714 714
715 715 .sp
716 716 .ne 2
717 717 .na
718 718 \fB\fB5\fR\fR
719 719 .ad
720 720 .RS 6n
721 721 Password file(s) busy. Try again later.
722 722 .RE
723 723
724 724 .sp
725 725 .ne 2
726 726 .na
727 727 \fB\fB6\fR\fR
728 728 .ad
729 729 .RS 6n
730 730 Invalid argument to option.
731 731 .RE
732 732
733 733 .sp
734 734 .ne 2
735 735 .na
736 736 \fB\fB7\fR\fR
737 737 .ad
738 738 .RS 6n
739 739 Aging option is disabled.
740 740 .RE
741 741
742 742 .sp
743 743 .ne 2
744 744 .na
745 745 \fB\fB8\fR\fR
746 746 .ad
747 747 .RS 6n
748 748 No memory.
749 749 .RE
750 750
751 751 .sp
752 752 .ne 2
753 753 .na
754 754 \fB\fB9\fR\fR
755 755 .ad
756 756 .RS 6n
757 757 System error.
758 758 .RE
759 759
760 760 .sp
761 761 .ne 2
762 762 .na
763 763 \fB\fB10\fR\fR
764 764 .ad
765 765 .RS 6n
766 766 Account expired.
767 767 .RE
768 768
769 769 .SH FILES
770 770 .sp
771 771 .ne 2
772 772 .na
773 773 \fB\fB/etc/default/passwd\fR\fR
774 774 .ad
775 775 .RS 23n
776 776 Default values can be set for the following flags in \fB/etc/default/passwd\fR.
777 777 For example: \fBMAXWEEKS=26\fR
778 778 .sp
779 779 .ne 2
780 780 .na
781 781 \fB\fBDICTIONDBDIR\fR\fR
782 782 .ad
783 783 .RS 16n
784 784 The directory where the generated dictionary databases reside. Defaults to
785 785 \fB/var/passwd\fR.
786 786 .sp
787 787 If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
788 788 does not perform a dictionary check.
789 789 .RE
790 790
791 791 .sp
792 792 .ne 2
793 793 .na
794 794 \fB\fBDICTIONLIST\fR\fR
795 795 .ad
796 796 .RS 16n
797 797 DICTIONLIST can contain list of comma separated dictionary files such as
798 798 \fBDICTIONLIST=\fR\fIfile1\fR, \fIfile2\fR, \fIfile3\fR. Each dictionary file
799 799 contains multiple lines and each line consists of a word and a NEWLINE
800 800 character (similar to \fB/usr/share/lib/dict/words\fR.) You must specify full
801 801 pathnames. The words from these files are merged into a database that is used
802 802 to determine whether a password is based on a dictionary word.
803 803 .sp
804 804 If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
805 805 does not perform a dictionary check.
806 806 .sp
807 807 To pre-build the dictionary database, see \fBmkpwdict\fR(1M).
808 808 .RE
809 809
810 810 .sp
811 811 .ne 2
812 812 .na
813 813 \fB\fBHISTORY\fR\fR
814 814 .ad
815 815 .RS 16n
816 816 Maximum number of prior password history to keep for a user. Setting the
817 817 \fBHISTORY\fR value to zero (\fB0\fR), or removing the flag, causes the prior
818 818 password history of all users to be discarded at the next password change by
819 819 any user. The default is not to define the \fBHISTORY\fR flag. The maximum
820 820 value is \fB26.\fR Currently, this functionality is enforced only for user
821 821 accounts defined in the \fBfiles\fR name service (local
822 822 \fBpasswd\fR(4)/\fBshadow\fR(4)).
823 823 .RE
824 824
825 825 .sp
826 826 .ne 2
827 827 .na
828 828 \fB\fBMAXREPEATS\fR\fR
829 829 .ad
830 830 .RS 16n
831 831 Maximum number of allowable consecutive repeating characters. If
832 832 \fBMAXREPEATS\fR is not set or is zero (\fB0\fR), the default is no checks
833 833 .RE
834 834
835 835 .sp
836 836 .ne 2
837 837 .na
838 838 \fB\fBMAXWEEKS\fR\fR
839 839 .ad
840 840 .RS 16n
841 841 Maximum time period that password is valid.
842 842 .RE
843 843
844 844 .sp
845 845 .ne 2
846 846 .na
847 847 \fB\fBMINALPHA\fR\fR
848 848 .ad
849 849 .RS 16n
850 850 Minimum number of alpha character required. If \fBMINALPHA\fR is not set, the
851 851 default is \fB2\fR.
852 852 .RE
853 853
854 854 .sp
855 855 .ne 2
856 856 .na
857 857 \fB\fBMINDIFF\fR\fR
858 858 .ad
859 859 .RS 16n
860 860 Minimum differences required between an old and a new password. If
861 861 \fBMINDIFF\fR is not set, the default is \fB3\fR.
862 862 .RE
863 863
864 864 .sp
865 865 .ne 2
866 866 .na
867 867 \fB\fBMINDIGIT\fR\fR
868 868 .ad
869 869 .RS 16n
870 870 Minimum number of digits required. If \fBMINDIGIT\fR is not set or is set to
871 871 zero (\fB0\fR), the default is no checks. You cannot be specify \fBMINDIGIT\fR
872 872 if \fBMINNONALPHA\fR is also specified.
873 873 .RE
874 874
875 875 .sp
876 876 .ne 2
877 877 .na
878 878 \fB\fBMINLOWER\fR\fR
879 879 .ad
880 880 .RS 16n
881 881 Minimum number of lower case letters required. If not set or zero (0), the
882 882 default is no checks.
883 883 .RE
884 884
885 885 .sp
886 886 .ne 2
887 887 .na
888 888 \fB\fBMINNONALPHA\fR\fR
889 889 .ad
890 890 .RS 16n
891 891 Minimum number of non-alpha (including numeric and special) required. If
892 892 \fBMINNONALPHA\fR is not set, the default is \fB1\fR. You cannot specify
893 893 \fBMINNONALPHA\fR if \fBMINDIGIT\fR or \fBMINSPECIAL\fR is also specified.
894 894 .RE
895 895
896 896 .sp
897 897 .ne 2
898 898 .na
899 899 \fB\fBMINWEEKS\fR\fR
900 900 .ad
901 901 .RS 16n
902 902 Minimum time period before the password can be changed.
903 903 .RE
904 904
905 905 .sp
906 906 .ne 2
907 907 .na
908 908 \fB\fBMINSPECIAL\fR\fR
909 909 .ad
910 910 .RS 16n
911 911 Minimum number of special (non-alpha and non-digit) characters required. If
912 912 \fBMINSPECIAL\fR is not set or is zero (\fB0\fR), the default is no checks. You
913 913 cannot specify \fBMINSPECIAL\fR if you also specify \fBMINNONALPHA\fR.
914 914 .RE
915 915
916 916 .sp
917 917 .ne 2
918 918 .na
919 919 \fB\fBMINUPPER\fR\fR
920 920 .ad
921 921 .RS 16n
922 922 Minimum number of upper case letters required. If \fBMINUPPER\fR is not set or
923 923 is zero (\fB0\fR), the default is no checks.
924 924 .RE
925 925
926 926 .sp
927 927 .ne 2
928 928 .na
929 929 \fB\fBNAMECHECK\fR\fR
930 930 .ad
931 931 .RS 16n
932 932 Enable/disable checking or the login name. The default is to do login name
933 933 checking. A case insensitive value of \fBno\fR disables this feature.
934 934 .RE
935 935
936 936 .sp
937 937 .ne 2
938 938 .na
939 939 \fB\fBPASSLENGTH\fR\fR
940 940 .ad
941 941 .RS 16n
942 942 Minimum length of password, in characters.
943 943 .RE
944 944
945 945 .sp
946 946 .ne 2
947 947 .na
948 948 \fB\fBWARNWEEKS\fR\fR
949 949 .ad
950 950 .RS 16n
951 951 Time period until warning of date of password's ensuing expiration.
952 952 .RE
953 953
954 954 .sp
955 955 .ne 2
956 956 .na
957 957 \fB\fBWHITESPACE\fR\fR
958 958 .ad
959 959 .RS 16n
960 960 Determine if white space characters are allowed in passwords. Valid values are
961 961 \fBYES\fR and \fBNO\fR. If \fBWHITESPACE\fR is not set or is set to \fBYES\fR,
962 962 white space characters are allowed.
963 963 .RE
964 964
965 965 .RE
966 966
967 967 .sp
968 968 .ne 2
969 969 .na
970 970 \fB\fB/etc/oshadow\fR\fR
971 971 .ad
972 972 .RS 23n
973 973 Temporary file used by \fBpasswd\fR, \fBpassmgmt\fR and \fBpwconv\fR to update
974 974 the real shadow file.
975 975 .RE
976 976
977 977 .sp
978 978 .ne 2
979 979 .na
980 980 \fB\fB/etc/passwd\fR\fR
981 981 .ad
982 982 .RS 23n
983 983 Password file.
984 984 .RE
985 985
986 986 .sp
987 987 .ne 2
988 988 .na
989 989 \fB\fB/etc/shadow\fR\fR
990 990 .ad
991 991 .RS 23n
992 992 Shadow password file.
993 993 .RE
994 994
995 995 .sp
996 996 .ne 2
997 997 .na
998 998 \fB\fB/etc/shells\fR\fR
999 999 .ad
1000 1000 .RS 23n
1001 1001 Shell database.
1002 1002 .RE
1003 1003
1004 1004 .SH ATTRIBUTES
1005 1005 .sp
1006 1006 .LP
1007 1007 See \fBattributes\fR(5) for descriptions of the following attributes:
1008 1008 .sp
1009 1009
1010 1010 .sp
1011 1011 .TS
1012 1012 box;
1013 1013 c | c
1014 1014 l | l .
1015 1015 ATTRIBUTE TYPE ATTRIBUTE VALUE
1016 1016 _
1017 1017 CSI Enabled
1018 1018 _
1019 1019 Interface Stability See below.
1020 1020 .TE
1021 1021
1022 1022 .sp
1023 1023 .LP
1024 1024 The human readable output is Uncommitted. The options are Committed.
1025 1025 .SH SEE ALSO
1026 1026 .sp
1027 1027 .LP
1028 1028 \fBat\fR(1), \fBbatch\fR(1), \fBfinger\fR(1), \fBkpasswd\fR(1), \fBlogin\fR(1),
1029 1029 \fBnistbladm\fR(1), \fBcron\fR(1M), \fBdomainname\fR(1M), \fBeeprom\fR(1M),
1030 1030 \fBid\fR(1M), \fBldapclient\fR(1M), \fBmkpwdict\fR(1M), \fBpassmgmt\fR(1M),
1031 1031 \fBpwconv\fR(1M), \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M),
1032 1032 \fBusermod\fR(1M), \fBcrypt\fR(3C), \fBgetpwnam\fR(3C), \fBgetspnam\fR(3C),
1033 1033 \fBgetusershell\fR(3C), \fBnis_local_directory\fR(3NSL), \fBpam\fR(3PAM),
1034 1034 \fBloginlog\fR(4), \fBnsswitch.conf\fR(4), \fBpam.conf\fR(4), \fBpasswd\fR(4),
1035 1035 \fBpolicy.conf\fR(4), \fBshadow\fR(4), \fBshells\fR(4), \fBattributes\fR(5),
1036 1036 \fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
1037 1037 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_ldap\fR(5),
1038 1038 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5)
1039 1039 .SH NOTES
1040 1040 .sp
1041 1041 .LP
1042 1042 The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
1043 1043 provided by \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
1044 1044 \fBpam_unix_session\fR(5), \fBpam_authtok_check\fR(5),
1045 1045 \fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), and
1046 1046 \fBpam_passwd_auth\fR(5).
1047 1047 .sp
1048 1048 .LP
1049 1049 The \fBnispasswd\fR and \fBypasswd\fR commands are wrappers around
1050 1050 \fBpasswd\fR. Use of \fBnispasswd\fR and \fBypasswd\fR is discouraged. Use
1051 1051 \fBpasswd\fR \fB-r\fR \fIrepository_name\fR instead.
1052 1052 .sp
1053 1053 .LP
1054 1054 NIS+ might not be supported in future releases of the Solaris operating system.
1055 1055 Tools to aid the migration from NIS+ to LDAP are available in the current
1056 1056 Solaris release. For more information, visit
1057 1057 http://www.sun.com/directory/nisplus/transition.html.
1058 1058 .sp
1059 1059 .LP
1060 1060 Changing a password in the \fBfiles\fR and \fBldap\fR repositories clears the
1061 1061 failed login count.
1062 1062 .sp
1063 1063 .LP
1064 1064 Changing a password reactivates an account deactivated for inactivity for the
1065 1065 length of the inactivity period.
1066 1066 .sp
1067 1067 .LP
1068 1068 If \fB/etc/shells\fR is present, and is corrupted, it may provide an attack
1069 1069 vector that would compromise the system. The \fBgetusershell\fR(3c) library
1070 1070 call has a pre-vetted list of shells, so /etc/shells should be used with
1071 1071 caution.
1072 1072 .sp
1073 1073 .LP
1074 1074 Input terminal processing might interpret some key sequences and not pass them
1075 1075 to the \fBpasswd\fR command.
1076 1076 .sp
1077 1077 .LP
1078 1078 An account with no password, status code \fBNP\fR, might not be able to login.
1079 1079 See the \fBlogin\fR(1) \fBPASSREQ\fR option.
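Review bot: the corrected LK text at line 477 refers to \fBRETRIES\fR, but that name is not among the /etc/default/passwd flags listed under FILES and nothing on the page says where it is set; add a cross-reference so an administrator reading an LK status can find the lockout threshold. The rest of the file has typos worth folding into the same change: line 871 "You cannot be specify", line 932 "checking or the login name" (should read "of"), line 832 ends "the default is no checks" without a period, and line 1069 has \fBgetusershell\fR(3c) where line 417 and SEE ALSO use (3C).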