passwd(1)                        User Commands                       passwd(1)

NAME
       passwd - change login password and password attributes

SYNOPSIS
       passwd [-r files | -r ldap | -r nis | -r nisplus] [name]

       passwd [-r files] [-egh] [name]

       passwd [-r files] -s [-a]

       passwd [-r files] -s [name]

       passwd [-r files] [-d | -l | -u | -N] [-f] [-n min]
            [-w warn] [-x max] name

       passwd -r ldap [-egh] [name]

       passwd [-r ldap] -s [-a]

       passwd [-r ldap] -s [name]

       passwd -r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name

       passwd -r nis [-egh] [name]

       passwd -r nisplus [-egh] [-D domainname] [name]

       passwd -r nisplus -s [-a]

       passwd -r nisplus [-D domainname] -s [name]

       passwd -r nisplus [-l | -u | -N] [-f] [-n min] [-w warn]
            [-x max] [-D domainname] name

DESCRIPTION
       The  passwd  command  changes the password or lists password attributes
       associated with the user's login name. Additionally,  privileged  users
       can use passwd to install or change passwords and attributes associated
       with any login name.

       When used to change a password, passwd prompts everyone for  their  old
       password,  if any. It then prompts for the new password twice. When the
       old password is entered, passwd checks to see if  it  has  aged  suffi‐
       ciently.  If  aging is insufficient, passwd terminates; see pwconv(1M),
       nistbladm(1), and shadow(4) for additional information.

       The pwconv command creates and  updates  /etc/shadow  with  information
       from /etc/passwd. pwconv relies on a special value of x in the password
       field of /etc/passwd. This value of x indicates that the  password  for
       the user is already in /etc/shadow and should not be modified.

       If aging is sufficient, a check is made to ensure that the new password
       meets construction requirements. When the new  password  is  entered  a
       second  time,  the  two copies of the new password are compared. If the
       two copies are not identical, the cycle of prompting for the new  pass‐
       word is repeated for, at most, two more times.

       Passwords must be constructed to meet the following requirements:

           o      Each   password   must  have  PASSLENGTH  characters,  where
                  PASSLENGTH is defined in /etc/default/passwd and is  set  to
                  6. Setting PASSLENGTH to more than eight characters requires
                  configuring policy.conf(4) with an algorithm  that  supports
                  greater than eight characters.

           o      Each  password  must  meet  the  configured  complexity con‐
                  straints specified in /etc/default/passwd.

           o      Each password must not be a member of the configured dictio‐
                  nary as specified in /etc/default/passwd.

           o      For accounts in name services which support password history
                  checking, if prior password history is  defined,  new  pass‐
                  words must not be contained in the prior password history.

       If  all  requirements  are met, by default, the passwd command consults
       /etc/nsswitch.conf to determine in which repositories to perform  pass‐
       word  update.  It  searches  the  passwd and passwd_compat entries. The
       sources (repositories) associated with these entries are updated.  How‐
       ever,  the  password update configurations supported are limited to the
       following cases. Failure to comply  with  the  configurations  prevents
       users  from logging onto the system. The password update configurations
       are:

           o      passwd: files

           o      passwd: files ldap

           o      passwd: files nis

           o      passwd: files nisplus

           o      passwd: compat (==> files nis)

           o      passwd: compat (==> files ldap)

                  passwd_compat: ldap

           o      passwd: compat (==> files nisplus)

                  passwd_compat: nisplus

       You can add the ad keyword to any of the passwd configurations  in  the
       above  list.  However,  you cannot use the passwd command to change the
       password of an Active Directory (AD) user. If the ad keyword  is  found
       in  the passwd entry during a password update operation, it is ignored.
       To update the password of an AD user, use the kpasswd(1) command.

133
134       Network administrators, who own the NIS+ password table, can change any
135       password  attributes.  The  administrator  configured for updating LDAP
136       shadow information can also change any password attributes.  See  ldap‐
137       client(1M).
138
139
140       When  a  user has a password stored in one of the name services as well
141       as a local files entry, the passwd command updates both. It is possible
142       to  have different passwords in the name service and local files entry.
143       Use passwd -r to change a specific password repository.
144
145
146       In the files case, super-users (for instance, real  and  effective  uid
147       equal  to  0,  see  id(1M)  and su(1M)) can change any password. Hence,
148       passwd does not prompt privileged users for the  old  password.  Privi‐
149       leged  users  are not forced to comply with password aging and password
150       construction requirements. A privileged user can create a null password
151       by entering a carriage return in response to the prompt for a new pass‐
152       word. (This differs from passwd -d because the password prompt is still
153       displayed.)  If  NIS  is  in  effect,  superuser on the root master can
154       change any password without being prompted for the old NIS passwd,  and
155       is not forced to comply with password construction requirements.
156
157
158       If  LDAP  is  in effect, superuser on any Native LDAP client system can
159       change any password without being prompted for the old LDAP passwd, and
160       is not forced to comply with password construction requirements.
161
162
163       Normally,  passwd entered with no arguments changes the password of the
164       current user. When a user logs in and then  invokes  su(1M)  to  become
165       superuser or another user, passwd changes the original user's password,
166       not the password of the superuser or the new user.
167
168
169       Any user can use the -s option to show password attributes for  his  or
170       her  own  login  name, provided they are using the -r nisplus argument.
171       Otherwise, the -s argument is restricted to the superuser.
172
173
       The format of the display is:

         name status mm/dd/yy min max warn

       or, if password aging information is not present,

         name status

       where

       name        The login ID of the user.

       status      The password status of name.

                   The status field can take the following values:

                   LK    This account is a locked account. See Security.

                   NL    This account is a no login account. See Security.

                   NP    This account has no password and  is  therefore  open
                         without authentication.

                   PS    This account has a password.

       mm/dd/yy    The  date  password was last changed for name. All password
                   aging dates are determined using Greenwich Mean Time  (Uni‐
                   versal  Time)  and therefore can differ by as much as a day
                   in other time zones.

       min         The  minimum  number  of  days  required  between  password
                   changes  for name. MINWEEKS is found in /etc/default/passwd
                   and is set to NULL.

       max         The maximum number of days the password is valid for  name.
                   MAXWEEKS  is  found  in  /etc/default/passwd  and is set to
                   NULL.

       warn        The number of days relative  to  max  before  the  password
                   expires and the user is warned.

   Security
       passwd  uses pam(3PAM) for password change. It calls PAM with a service
       name passwd and uses service module type auth  for  authentication  and
       password for password change.

       Locking  an  account  (-l  option)  does not allow its use for password
       based  login  or  delayed  execution  (such  as  at(1),  batch(1),   or
       cron(1M)).  The -N option can be used to disallow password based login,
       while continuing to allow delayed execution.

OPTIONS
       The following options are supported:

       -a               Shows password attributes for all  entries.  Use  only
                        with the -s option. name must not be provided. For the
                        nisplus repository, this shows only the entries in the
                        NIS+  password  table  in  the  local  domain that the
                        invoker is authorized to read. For the files and  ldap
                        repositories, this is restricted to the superuser.

       -D domainname    Consults  the  passwd.org_dir  table in domainname. If
                        this option is not specified, the  default  domainname
                        returned  by  nis_local_directory(3NSL)  is used. This
                        domain name is the same as that  returned  by  domain‐
                        name(1M).

       -e               Changes  the  login  shell.  For the files repository,
                        this only works for the superuser.  Normal  users  can
                        change  the  ldap,  nis,  or nisplus repositories. The
                        choice of shell is  limited  by  the  requirements  of
                        getusershell(3C).  If  the  user currently has a shell
                        that is not allowed by  getusershell,  only  root  can
                        change it.

       -g               Changes  the gecos (finger) information. For the files
                        repository, this only works for the superuser.  Normal
                        users  can  change the ldap, nis, or nisplus reposito‐
                        ries.

       -h               Changes the home directory.

       -r               Specifies the repository  to  which  an  operation  is
                        applied.  The  supported repositories are files, ldap,
                        nis, or nisplus.

       -s name          Shows password attributes for the login name. For  the
                        nisplus  repository,  this works for everyone. However
                        for the files and ldap repositories, this  only  works
                        for the superuser. It does not work at all for the nis
                        repository which does not support password aging.

                        The output of this option, and  only  this  option, is
                        Stable  and  parsable. The format is username followed
                        by white space followed by one of the following codes.

                        New codes might be added in the future,  so code  that
                        parses  this  must  be flexible in the face of unknown
                        codes. While all existing codes are two characters  in
                        length, that might not always be the case.

                        The following are the current status codes:

                        LK    Account   is  locked  for  UNIX  authentication.
                              passwd -l was run or the  authentication  failed
                              RETRIES times.

                        NL    The account is a no login account. passwd -N has
                              been run.

                        NP    Account has no password. passwd -d was run.

                        PS    The account probably has a valid password.

                        UN    The data in the password field is unknown. It is
                              not a recognizable hashed password or any of the
                              above entries. See crypt(3C) for valid  password
                              hashes.

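       The two display forms described under DESCRIPTION and the parsability
       guarantee of -s, worked through as an added example (this is not code
       from the man page or from Solaris): a parser for passwd -s -a output
       that accepts both the aging and the non-aging line shapes, keeps unknown
       status codes instead of rejecting them, and reports accounts with no
       password (NP), an unrecognizable password field (UN), or aging turned
       off. The sample output lines are constructed.

```python
"""Parse the Stable, parsable output of `passwd -s` / `passwd -s -a` and flag
accounts whose password state a defender should review.

Added example, not part of the Solaris passwd(1) man page; SAMPLE is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Status codes documented for passwd -s. The man page warns that new codes may
# appear and that they need not be two characters, so unknown codes are kept.
KNOWN_CODES = {
    "LK": "locked (passwd -l was run or RETRIES failures)",
    "NL": "no-login (passwd -N was run)",
    "NP": "no password (passwd -d was run): open without authentication",
    "PS": "probably has a valid password",
    "UN": "password field not a recognizable hash (see crypt(3C))",
}


@dataclass
class PasswdStatus:
    name: str
    status: str
    last_change: Optional[str] = None   # mm/dd/yy, computed in GMT per the page
    min_days: Optional[int] = None
    max_days: Optional[int] = None
    warn_days: Optional[int] = None

    @property
    def aging_disabled(self) -> bool:
        # No aging fields at all, or max of -1 (aging turned off, see -x).
        return self.max_days is None or self.max_days == -1


def parse_line(line: str) -> PasswdStatus:
    """Parse `name status` or `name status mm/dd/yy min max warn`."""
    fields = line.split()
    if len(fields) not in (2, 6):
        raise ValueError(f"unexpected field count in passwd -s output: {line!r}")
    rec = PasswdStatus(name=fields[0], status=fields[1])
    if len(fields) == 6:
        rec.last_change = fields[2]
        rec.min_days, rec.max_days, rec.warn_days = (int(f) for f in fields[3:6])
    return rec


def parse_output(text: str) -> List[PasswdStatus]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def audit(records: List[PasswdStatus]) -> Dict[str, List[str]]:
    """Group login names by finding: no password, unknown hash, unknown status
    code (tolerated, but worth a look), and password aging turned off."""
    findings: Dict[str, List[str]] = {
        "no_password": [], "unknown_hash": [], "unknown_code": [], "aging_off": [],
    }
    for r in records:
        if r.status == "NP":
            findings["no_password"].append(r.name)
        elif r.status == "UN":
            findings["unknown_hash"].append(r.name)
        elif r.status not in KNOWN_CODES:
            findings["unknown_code"].append(r.name)
        if r.status == "PS" and r.aging_disabled:
            findings["aging_off"].append(r.name)
    return findings


# Constructed sample of `passwd -s -a` output, in both documented shapes.
SAMPLE = """\
root PS 02/25/09 0 -1 7
alice PS 01/10/09 7 56 7
bob NP 01/10/09 0 56 7
carol LK
dave UN
eve XX 01/10/09 0 56 7
"""

if __name__ == "__main__":
    for finding, names in audit(parse_output(SAMPLE)).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```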
   Privileged User Options
       Only a privileged user can use the following options:

       -d         Deletes password for name and unlocks the account. The login
                  name is not prompted for password. It is only applicable  to
                  the files and ldap repositories.

                  If  the  login(1)  option  PASSREQ=YES  is  configured,  the
                  account is not able to login. PASSREQ=YES is  the  delivered
                  default.

       -f         Forces  the  user  to  change  password at the next login by
                  expiring the password for name.

       -l         Locks password entry for name. See the -d or -u  option  for
                  unlocking the account.

       -N         Makes  the  password  entry  for name a value that cannot be
                  used for login, but does not lock the account.  See  the  -d
                  option for removing the value, or to set a password to allow
                  logins.

       -n min     Sets minimum field for name. The min field contains the min‐
                  imum  number  of  days between password changes for name. If
                  min is greater than max, the user can not change  the  pass‐
                  word.  Always use this option with the -x option, unless max
                  is set to −1 (aging turned off). In that case, min need  not
                  be set.

       -u         Unlocks  a locked password for entry name. See the -d option
                  for removing the locked password, or to set  a  password  to
                  allow logins.

       -w warn    Sets warn field for name. The warn field contains the number
                  of days before the password expires and the user is  warned.
                  This option is not valid if password aging is disabled.

       -x max     Sets maximum field for name. The max field contains the num‐
                  ber of days that the password is valid for name.  The  aging
                  for name is turned off immediately if max is set to −1.

OPERANDS
       The following operand is supported:

       name    User login name.

ENVIRONMENT VARIABLES
       If  any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
       LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are  not  set
       in  the environment, the operational behavior of passwd for each corre‐
       sponding locale category is determined by the value of the  LANG  envi‐
       ronment  variable.  If LC_ALL is set, its contents are used to override
       both the LANG and the other LC_* variables. If none of the above  vari‐
       ables  is  set in the environment, the C (U.S. style) locale determines
       how passwd behaves.

       LC_CTYPE       Determines how passwd handles characters. When  LC_CTYPE
                      is  set  to a valid value, passwd can display and handle
                      text and filenames containing valid characters for  that
                      locale. passwd can display and handle Extended Unix Code
                      (EUC) characters where any individual character  can  be
                      1,  2, or 3 bytes wide. passwd can also handle EUC char‐
                      acters of 1, 2, or more column widths. In the C  locale,
                      only characters from ISO 8859-1 are valid.

       LC_MESSAGES    Determines  how  diagnostic and informative messages are
                      presented. This includes the language and style  of  the
                      messages,  and the correct form of affirmative and nega‐
                      tive responses. In the C locale, the messages  are  pre‐
                      sented  in  the default form found in the program itself
                      (in most cases, U.S. English).

EXIT STATUS
       The passwd command exits with one of the following values:

       0     Success.

       1     Permission denied.

       2     Invalid combination of options.

       3     Unexpected failure. Password file unchanged.

       4     Unexpected failure. Password file(s) missing.

       5     Password file(s) busy. Try again later.

       6     Invalid argument to option.

       7     Aging option is disabled.

       8     No memory.

       9     System error.

       10    Account expired.

FILES
       /etc/default/passwd    Default values can  be  set  for  the  following
                              flags   in   /etc/default/passwd.  For  example:
                              MAXWEEKS=26

                              DICTIONDBDIR    The directory where  the  gener‐
                                              ated     dictionary    databases
                                              reside. Defaults to /var/passwd.

                                              If neither DICTIONLIST nor  DIC‐
                                              TIONDBDIR is specified, the sys‐
                                              tem does not perform  a  dictio‐
                                              nary check.

                              DICTIONLIST     DICTIONLIST  can contain list of
                                              comma separated dictionary files
                                              such    as    DICTIONLIST=file1,
                                              file2,  file3.  Each  dictionary
                                              file contains multiple lines and
                                              each line consists of a word and
                                              a  NEWLINE character (similar to
                                              /usr/share/lib/dict/words.)  You
                                              must specify full pathnames. The
                                              words  from  these   files   are
                                              merged  into  a database that is
                                              used  to  determine  whether   a
                                              password  is  based on a dictio‐
                                              nary word.

                                              If neither DICTIONLIST nor  DIC‐
                                              TIONDBDIR is specified, the sys‐
                                              tem does not perform  a  dictio‐
                                              nary check.

                                              To   pre-build   the  dictionary
                                              database, see mkpwdict(1M).

                              HISTORY         Maximum number of prior password
                                              history to keep for a user. Set‐
                                              ting the HISTORY value  to  zero
                                              (0),   or   removing  the  flag,
                                              causes the prior  password  his‐
                                              tory  of  all  users  to be dis‐
                                              carded  at  the  next   password
                                              change  by any user. The default
                                              is not  to  define  the  HISTORY
                                              flag.  The  maximum value is 26.
                                              Currently, this functionality is
                                              enforced  only for user accounts
                                              defined in the files  name  ser‐
                                              vice (local passwd(4)/shadow(4)).

                              MAXREPEATS      Maximum number of allowable con‐
                                              secutive  repeating  characters.
                                              If MAXREPEATS is not set  or  is
                                              zero  (0),  the  default  is  no
                                              checks.

                              MAXWEEKS        Maximum time period  that  pass‐
                                              word is valid.

                              MINALPHA        Minimum number of alpha  charac‐
                                              ters required. If MINALPHA is
                                              not set, the default is 2.

                              MINDIFF         Minimum   differences   required
                                              between an old and a  new  pass‐
                                              word. If MINDIFF is not set, the
                                              default is 3.

                              MINDIGIT        Minimum   number    of    digits
                                              required. If MINDIGIT is not set
                                              or  is  set  to  zero  (0),  the
                                              default is no checks. You cannot
                                              specify MINDIGIT if  MINNONALPHA
                                              is also specified.

                              MINLOWER        Minimum  number  of  lower  case
                                              letters required. If not set  or
                                              zero  (0),  the  default  is  no
                                              checks.

                              MINNONALPHA     Minimum  number   of   non-alpha
                                              (including  numeric and special)
                                              required. If MINNONALPHA is  not
                                              set,  the default is 1. You can‐
                                              not   specify   MINNONALPHA   if
                                              MINDIGIT  or  MINSPECIAL is also
                                              specified.

                              MINWEEKS        Minimum time period  before  the
                                              password can be changed.

                              MINSPECIAL      Minimum  number of special (non-
                                              alpha and non-digit)  characters
                                              required.  If  MINSPECIAL is not
                                              set or is zero (0), the  default
                                              is no checks. You cannot specify
                                              MINSPECIAL if you  also  specify
                                              MINNONALPHA.

                              MINUPPER        Minimum  number  of  upper  case
                                              letters required. If MINUPPER is
                                              not  set  or  is  zero  (0), the
                                              default is no checks.

                              NAMECHECK       Enable/disable checking  of  the
                                              login name. The default is to do
                                              login  name  checking.  A   case
                                              insensitive value of no disables
                                              this feature.

                              PASSLENGTH      Minimum length of  password,  in
                                              characters.

                              WARNWEEKS       Time  period  until  warning  of
                                              date of password's ensuing expi‐
                                              ration.

                              WHITESPACE      Determine if white space charac‐
                                              ters are allowed  in  passwords.
                                              Valid  values are YES and NO. If
                                              WHITESPACE is not set or is  set
                                              to  YES,  white space characters
                                              are allowed.

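       The construction requirements listed under DESCRIPTION and the
       /etc/default/passwd flags above, combined into one checker as an added
       example (not code from the man page or from Solaris). The configuration
       fragment is constructed; the defaults follow the flag descriptions
       above. Assumptions not stated on the page: MINDIFF is counted as the
       number of character positions at which the old and new passwords
       differ, MAXREPEATS fails a run longer than the configured value,
       NAMECHECK rejects a password containing the login name, and the
       MINNONALPHA default of 1 applies only when neither MINDIGIT nor
       MINSPECIAL is configured.

```python
"""Evaluate a candidate password against the rules passwd(1) reads from
/etc/default/passwd. Added example, not Solaris code; DEFAULT_CONFIG is a
constructed fragment. See the lead-in for which semantics are assumed."""
import re
from typing import Dict, List

DEFAULT_CONFIG = """\
# constructed /etc/default/passwd fragment
MAXWEEKS=26
PASSLENGTH=8
MINALPHA=2
MINDIGIT=1
MINSPECIAL=1
MAXREPEATS=2
WHITESPACE=NO
"""


def parse_default_passwd(text: str) -> Dict[str, str]:
    """Read KEY=VALUE lines, ignoring comments and blank lines."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def _int(cfg: Dict[str, str], key: str, default: int) -> int:
    """Integer flag value; an absent or empty (NULL) flag yields the default."""
    return int(cfg[key]) if cfg.get(key, "") != "" else default


def validate_config(cfg: Dict[str, str]) -> None:
    """Reject the flag combination the man page forbids."""
    if "MINNONALPHA" in cfg and ("MINDIGIT" in cfg or "MINSPECIAL" in cfg):
        raise ValueError("MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL")


def check_password(new: str, old: str, login: str, cfg: Dict[str, str]) -> List[str]:
    """Return the names of the violated flags; an empty list means it passes."""
    validate_config(cfg)
    problems: List[str] = []
    alpha = sum(c.isalpha() for c in new)
    digits = sum(c.isdigit() for c in new)
    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    special = sum(not c.isalnum() for c in new)   # non-alpha, non-digit
    nonalpha = len(new) - alpha

    if len(new) < _int(cfg, "PASSLENGTH", 6):     # page: PASSLENGTH is set to 6
        problems.append("PASSLENGTH")
    if alpha < _int(cfg, "MINALPHA", 2):           # default 2
        problems.append("MINALPHA")
    if upper < _int(cfg, "MINUPPER", 0):           # unset or 0: no check
        problems.append("MINUPPER")
    if lower < _int(cfg, "MINLOWER", 0):
        problems.append("MINLOWER")
    if "MINDIGIT" in cfg or "MINSPECIAL" in cfg:
        if digits < _int(cfg, "MINDIGIT", 0):
            problems.append("MINDIGIT")
        if special < _int(cfg, "MINSPECIAL", 0):
            problems.append("MINSPECIAL")
    elif nonalpha < _int(cfg, "MINNONALPHA", 1):  # default 1 only when neither
        problems.append("MINNONALPHA")             # MINDIGIT nor MINSPECIAL set (assumed)
    maxrep = _int(cfg, "MAXREPEATS", 0)
    if maxrep and re.search(r"(.)\1{%d,}" % maxrep, new):   # run longer than maxrep (assumed)
        problems.append("MAXREPEATS")
    if cfg.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in new):
        problems.append("WHITESPACE")
    if cfg.get("NAMECHECK", "yes").lower() != "no" and login.lower() in new.lower():
        problems.append("NAMECHECK")               # assumed form of the login-name check
    # MINDIFF, assumed: positions that differ, plus any length difference.
    diff = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
    if diff < _int(cfg, "MINDIFF", 3):             # default 3
        problems.append("MINDIFF")
    return problems


if __name__ == "__main__":
    policy = parse_default_passwd(DEFAULT_CONFIG)
    for candidate in ("Tr0ub4dor&3", "aliceAAA1"):
        print(candidate, check_password(candidate, "oldpassw0rd", "alice", policy) or "ok")
```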
       /etc/oshadow           Temporary file  used  by  passwd,  passmgmt  and
                              pwconv to update the real shadow file.

       /etc/passwd            Password file.

       /etc/shadow            Shadow password file.

       /etc/shells            Shell database.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │CSI                          │Enabled                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘

       The human readable output is Uncommitted. The options are Committed.

SEE ALSO
       at(1),   batch(1),   finger(1),   kpasswd(1),  login(1),  nistbladm(1),
       cron(1M), domainname(1M),  eeprom(1M),  id(1M),  ldapclient(1M),  mkpw‐
       dict(1M),  passmgmt(1M),  pwconv(1M), su(1M), useradd(1M), userdel(1M),
       usermod(1M), crypt(3C), getpwnam(3C),  getspnam(3C),  getusershell(3C),
       nis_local_directory(3NSL),  pam(3PAM),  loginlog(4),  nsswitch.conf(4),
       pam.conf(4),   passwd(4),   policy.conf(4),    shadow(4),    shells(4),
       attributes(5),  environ(5),  pam_authtok_check(5),  pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_ldap(5),  pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5)

NOTES
       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
       pam_authtok_check(5),     pam_authtok_get(5),     pam_authtok_store(5),
       pam_dhkeys(5), and pam_passwd_auth(5).

       The nispasswd and ypasswd commands are wrappers around passwd.  Use  of
       nispasswd  and  ypasswd  is  discouraged. Use passwd -r repository_name
       instead.

       NIS+ might not be supported in future releases of the Solaris operating
       system.  Tools  to aid the migration from NIS+ to LDAP are available in
       the   current   Solaris   release.   For   more   information,    visit
       http://www.sun.com/directory/nisplus/transition.html.

       Changing  a  password  in  the  files  and ldap repositories clears the
       failed login count.

       Changing a password reactivates an account deactivated  for  inactivity
       for the length of the inactivity period.

       Input  terminal  processing  might interpret some key sequences and not
       pass them to the passwd command.

       An account with no password, status code  NP,  might  not  be  able  to
       login. See the login(1) PASSREQ option.

SunOS 5.11                        25 Feb 2009                        passwd(1)