|
Hopefully, this page is exactly what you are looking for, but if not, you can always find further assistance on Unix/Linux Forum!
User Commands passwd(1)
NAME
passwd - change login password and password attributes
SYNOPSIS
passwd [-r files | -r ldap | -r nis | -r nisplus] [name]
passwd [ -r files] [-egh] [name]
passwd [ -r files] -s [-a]
passwd [ -r files] -s [name]
passwd [ -r files] [-d | -l | -u | -N] [-f] [-n min] [-
w warn] [-x max] name
passwd -r ldap [-egh] [name]
passwd -r nis [-egh] [name]
passwd -r nisplus [-egh] [-D domainname] [name]
passwd -r nisplus -s [-a]
passwd -r nisplus [-D domainname] -s [name]
passwd -r nisplus [-l | -u | -N] [-f] [-n min] [-w warn]
[-x max] [-D domainname] name
DESCRIPTION
The passwd command changes the password or lists password
attributes associated with the user's login name. Addition-
ally, privileged users can use passwd to install or change
passwords and attributes associated with any login name.
When used to change a password, passwd prompts everyone for
their old password, if any. It then prompts for the new
password twice. When the old password is entered, passwd
checks to see if it has "aged" sufficiently. If "aging" is
insufficient, passwd terminates; see pwconv(1M), nist-
bladm(1), and shadow(4) for additional information.
The pwconv command creates and updates /etc/shadow with
information from /etc/passwd. pwconv relies on a special
value of 'x' in the password field of /etc/passwd. This
value of 'x' indicates that the password for the user is
already in /etc/shadow and should not be modified.
If aging is sufficient, a check is made to ensure that the
new password meets construction requirements. When the new
password is entered a second time, the two copies of the new
password are compared. If the two copies are not identical,
the cycle of prompting for the new password is repeated for,
SunOS 5.10 Last change: 24 Feb 2006 1
User Commands passwd(1)
at most, two more times.
Passwords must be constructed to meet the following require-
ments:
o Each password must have PASSLENGTH characters, where
PASSLENGTH is defined in /etc/default/passwd and is set
to 6. Setting PASSLENGTH to more than eight characters
requires configuring policy.conf(4) with an algorithm
that supports greater than eight characters.
o Each password must meet the configured complexity con-
straints specified in /etc/default/passwd.
o Each password must not be a member of the configured
dictionary as specified in /etc/default/passwd.
o For accounts in name services which support password
history checking, if prior password history is defined,
new passwords must not be contained in the prior pass-
word history.
If all requirements are met, by default, the passwd command
consults /etc/nsswitch.conf to determine in which reposi-
tories to perform password update. It searches the passwd
and passwd_compat entries. The sources (repositories) asso-
ciated with these entries are updated. However, the password
update configurations supported are limited to the following
cases. Failure to comply with the configurations prevents
users from logging onto the system. The password update con-
figurations are:
o passwd: files
o passwd: files ldap
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files ldap)
passwd_compat: ldap
o passwd: compat (==> files nisplus)
passwd_compat: nisplus
SunOS 5.10 Last change: 24 Feb 2006 2
User Commands passwd(1)
Network administrators, who own the NIS+ password table, can
change any password attributes.
When a user has a password stored in one of the name ser-
vices as well as a local files entry, the passwd command
updates both. It is possible to have different passwords in
the name service and local files entry. Use passwd -r to
change a specific password repository.
In the files case, super-users (for instance, real and
effective uid equal to 0, see id(1M) and su(1M)) can change
any password. Hence, passwd does not prompt privileged users
for the old password. Privileged users are not forced to
comply with password aging and password construction
requirements. A privileged user can create a null password
by entering a carriage return in response to the prompt for
a new password. (This differs from passwd -d because the
"password" prompt is still displayed.) If NIS is in effect,
superuser on the root master can change any password without
being prompted for the old NIS passwd, and is not forced to
comply with password construction requirements.
Normally, passwd entered with no arguments changes the pass-
word of the current user. When a user logs in and then
invokes su(1M) to become super-user or another user, passwd
changes the original user's password, not the password of
the super-user or the new user.
Any user can use the -s option to show password attributes
for his or her own login name, provided they are using the
-r nisplus argument. Otherwise, the -s argument is res-
tricted to the superuser.
The format of the display is:
name status mm/dd/yy min max warn
or, if password aging information is not present,
name status
where
name The login ID of the user.
status The password status of name.
The status field can take the following
values:
SunOS 5.10 Last change: 24 Feb 2006 3
User Commands passwd(1)
PS This account has a password.
NL This account is a no login account.
See Security.
LK This account is locked account. See
Security.
NP This account has no password and is
therefore open without authentica-
tion.
mm/dd/yy The date password was last changed for name.
All password aging dates are determined
using Greenwich Mean Time (Universal Time)
and therefore can differ by as much as a day
in other time zones.
min The minimum number of days required between
password changes for name. MINWEEKS is found
in /etc/default/passwd and is set to NULL.
max The maximum number of days the password is
valid for name. MAXWEEKS is found in
/etc/default/passwd and is set to NULL.
warn The number of days relative to max before
the password expires and the name are
warned.
Security
passwd uses pam(3PAM) for password change. It calls PAM with
a service name passwd and uses service module type auth for
authentication and password for password change.
SunOS 5.10 Last change: 24 Feb 2006 4
User Commands passwd(1)
Locking an account (-l option) does not allow its use for
password based login or delayed execution (such as at(1),
batch(1), or cron(1M)). The -N option can be used to disal-
low password based login, while continuing to allow delayed
execution.
OPTIONS
The following options are supported:
-a Shows password attributes for all entries.
Use only with the -s option. name must not
be provided. For the nisplus repository,
this shows only the entries in the NIS+
password table in the local domain that the
invoker is authorized to "read". For the
files repository, this is restricted to the
superuser.
-D domainname Consults the passwd.org_dir table in domain-
name. If this option is not specified, the
default domainname returned by
nis_local_directory(3NSL) are used. This
domain name is the same as that returned by
domainname(1M).
-e Changes the login shell. For the files repo-
sitory, this only works for the superuser.
Normal users can change the ldap, nis, or
nisplus repositories. The choice of shell is
limited by the requirements of
getusershell(3C). If the user currently has
a shell that is not allowed by getusershell,
only root can change it.
-g Changes the gecos (finger) information. For
the files repository, this only works for
the superuser. Normal users can change the
ldap, nis, or nisplus repositories.
-h Changes the home directory.
SunOS 5.10 Last change: 24 Feb 2006 5
User Commands passwd(1)
-r Specifies the repository to which an opera-
tion is applied. The supported repositories
are files, ldap, nis, or nisplus.
-s name Shows password attributes for the login
name. For the nisplus repository, this works
for everyone. However for the files reposi-
tory, this only works for the superuser. It
does not work at all for the nis repository
which does not support password aging.
Privileged User Options
Only a privileged user can use the following options:
-d Deletes password for name and unlocks the
account. The login name is not prompted for
password. It is only applicable to the files
repository.
-f Forces the user to change password at the
next login by expiring the password for
name.
-l Locks password entry for name. See the -d or
-u option for unlocking the account.
-N Makes the password entry for name a value
that cannot be used for login, but does not
lock the account. See the -d option for
removing the value, or to set a password to
allow logins.
-n min Sets minimum field for name. The min field
contains the minimum number of days between
password changes for name. If min is greater
than max, the user can not change the pass-
word. Always use this option with the -x
option, unless max is set to -1 (aging
turned off). In that case, min need not be
set.
SunOS 5.10 Last change: 24 Feb 2006 6
User Commands passwd(1)
-u Unlocks a locked password for entry name.
See the -d option for removing the locked
password, or to set a password to allow
logins.
-w warn Sets warn field for name. The warn field
contains the number of days before the pass-
word expires and the user is warned. This
option is not valid if password aging is
disabled.
-x max Sets maximum field for name. The max field
contains the number of days that the pass-
word is valid for name. The aging for nameis
turned off immediately if max is set to -1.
OPERANDS
The following operand is supported:
name User login name.
ENVIRONMENT VARIABLES
If any of the LC_* variables, that is, LC_CTYPE,
LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and
LC_MONETARY (see environ(5)), are not set in the environ-
ment, the operational behavior of passwd for each
corresponding locale category is determined by the value of
the LANG environment variable. If LC_ALL is set, its con-
tents are used to override both the LANG and the other LC_*
variables. If none of the above variables is set in the
environment, the "C" (U.S. style) locale determines how
passwd behaves.
LC_CTYPE Determines how passwd handles characters.
When LC_CTYPE is set to a valid value,
passwd can display and handle text and
filenames containing valid characters for
that locale. passwd can display and handle
Extended Unix Code (EUC) characters where
any individual character can be 1, 2, or 3
bytes wide. passwd can also handle EUC char-
acters of 1, 2, or more column widths. In
the "C" locale, only characters from ISO
8859-1 are valid.
SunOS 5.10 Last change: 24 Feb 2006 7
User Commands passwd(1)
LC_MESSAGES Determines how diagnostic and informative
messages are presented. This includes the
language and style of the messages, and the
correct form of affirmative and negative
responses. In the "C" locale, the messages
are presented in the default form found in
the program itself (in most cases, U.S.
English).
EXIT STATUS
The passwd command exits with one of the following values:
0 Success.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure. Password file unchanged.
4 Unexpected failure. Password file(s) missing.
5 Password file(s) busy. Try again later.
6 Invalid argument to option.
7 Aging option is disabled.
8 No memory.
9 System error.
SunOS 5.10 Last change: 24 Feb 2006 8
User Commands passwd(1)
10 Account expired.
FILES
/etc/default/passwd
Default values can be set for the following flags in
/etc/default/passwd. For example: MAXWEEKS=26
DICTIONDBDIR The directory where the generated dic-
tionary databases reside. Defaults to
/var/passwd.
If neither DICTIONLIST nor DICTIONDBDIR
is specified, the system does not per-
form a dictionary check.
DICTIONLIST DICTIONLIST can contain list of comma
separated dictionary files such as
DICTIONLIST=file1, file2, file3. Each
dictionary file contains multiple lines
and each line consists of a word and a
<NEWLINE> character (similar to
/usr/share/lib/dict/words.) You must
specify full pathnames. The words from
these files are merged into a database
that is used to determine whether a
password is based on a dictionary word.
If neither DICTIONLIST nor DICTIONDBDIR
is specified, the system does not per-
form a dictionary check.
To prebuild the dictionary database, see
mkpwdict(1M).
HISTORY Maximum number of prior password history
to keep for a user. Setting the HISTORY
value to zero (0), or removing the flag,
causes the prior password history of all
users to be discarded at the next pass-
word change by any user. The default is
not to define the HISTORY flag. The max-
imum value is 26. Currently, this func-
tionality is enforced only for user
SunOS 5.10 Last change: 24 Feb 2006 9
User Commands passwd(1)
accounts defined in the "files" name
service (local passwd(4)/shadow(4)).
MAXREPEATS Maximum number of allowable consecutive
repeating characters. If MAXREPEATS is
not set or is zero (0), the default is
no checks
MAXWEEKS Maximum time period that password is
valid.
MINALPHA Minimum number of alpha character
required. If MINALPHA is not set, the
default is 2.
MINDIFF Minimum differences required between an
old and a new password. If MINDIFF is
not set, the default is 3.
MINDIGIT Minimum number of digits required. If
MINDIGIT is not set or is set to zero
(0), the default is no checks. You can-
not be specify MINDIGIT if MINNONALPHA
is also specified.
MINLOWER Minimum number of lower case letters
required. If not set or zero (0), the
default is no checks.
MINNONALPHA Minimum number of non-alpha (including
numeric and special) required. If MIN-
NONALPHA is not set, the default is 1.
You cannot specify MINNONALPHA if MINDI-
GIT or MINSPECIAL is also specified.
SunOS 5.10 Last change: 24 Feb 2006 10
User Commands passwd(1)
MINWEEKS Minimum time period before the password
can be changed.
MINSPECIAL Minimum number of special (non-alpha and
non-digit) characters required. If
MINSPECIAL is not set or is zero (0),
the default is no checks. You cannot
specify MINSPECIAL if you also specify
MINNONALPHA.
MINUPPER Minimum number of upper case letters
required. If MINUPPER is not set or is
zero (0), the default is no checks.
NAMECHECK Enable/disable checking or the login
name. The default is to do login name
checking. A case insensitive value of
"no" disables this feature.
PASSLENGTH Minimum length of password, in charac-
ters.
WARNWEEKS Time period until warning of date of
password's ensuing expiration.
WHITESPACE Determine if whitespace characters are
allowed in passwords. Valid values are
YES and NO. If WHITESPACE is not set or
is set to YES, whitespace characters are
allowed.
/etc/oshadow
Temporary file used by passwd, passmgmt and pwconv to
update the real shadow file.
SunOS 5.10 Last change: 24 Feb 2006 11
User Commands passwd(1)
/etc/passwd
Password file.
/etc/shadow
Shadow password file.
/etc/shells
Shell database.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| CSI | Enabled |
|_____________________________|_____________________________|
| Interface Stability | See below. |
|_____________________________|_____________________________|
The human readable output is Unstable. The options are
Evolving.
SEE ALSO
at(1), batch(1), finger(1), login(1), nistbladm(1),
orcron(1M), domainname(1M), eeprom(1M), id(1M),
mkpwdict(1M), passmgmt(1M), pwconv(1M), su(1M), useradd(1M),
userdel(1M), usermod(1M), crypt(3C), getpwnam(3C),
getspnam(3C), getusershell(3C), nis_local_directory(3NSL),
pam(3PAM), loginlog(4), nsswitch.conf(4), pam.conf(4),
passwd(4), policy.conf(4), shadow(4), shells(4), attri-
butes(5), environ(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_ldap(5), pam_unix_account(5), pam_unix_auth(5),
pam_unix_session(5)
NOTES
The pam_unix(5) module is no longer supported. Similar func-
tionality is provided by pam_unix_account(5),
SunOS 5.10 Last change: 24 Feb 2006 12
User Commands passwd(1)
pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and
pam_passwd_auth(5).
The nispasswd and ypasswd commands are wrappers around
passwd. Use of nispasswd and ypasswd is discouraged. Use
passwd -r repository_name instead.
NIS+ might not be supported in future releases of the
Solaris operating system. Tools to aid the migration from
NIS+ to LDAP are available in the current Solaris release.
For more information, visit
http://www.sun.com/directory/nisplus/transition.html.
Changing a password in the files repository clears the
failed login count.
Input terminal processing might interpret some key sequences
and not pass them to the passwd command.
SunOS 5.10 Last change: 24 Feb 2006 13
Man(1) output converted with
man2html and wrapped by fishsponge
This page was generated on Wed Sep 12 11:25:11 GMT 2007
|
Your favourite pages:
No pages logged yet.
Trying to save cookie... Top 10 most popular pages:
sqlite3 man page (5334 hits)
(openSUSE 10.2)
svn man page (5208 hits)
(FreeBSD 6.2)
adv_cap_autoneg man page (4870 hits)
(Solaris 10 11_06)
CPAN man page (4607 hits)
(Suse Linux 10.1)
ssh man page (4342 hits)
(Suse Linux 10.1)
ssh-socks5-proxy-connect man page (2874 hits)
(Solaris 10 11_06)
netcat man page (2717 hits)
(Suse Linux 10.1)
pprosetup man page (2487 hits)
(Solaris 10 11_06)
startproc man page (2471 hits)
(Suse Linux 10.1)
signal man page (2406 hits)
(Suse Linux 10.1)
|
Man Pages 
