passwd(1)

passwd -- change login password and password attributes

Synopsis

passwd [login_name]
passwd [-l | -d] [-f] [-x max] [-n min] [-w warn] login_name
passwd -s [-a]
passwd -s [login_name]
passwd -p
Description

The passwd command lets any user change the password or get a list of the current password attributes for his or her login_name. Privileged users may run passwd to perform these functions for any user, and to set the password attributes for any user. The command can be used to change passwords in the Network Information Service (NIS) database.

A password is usually assigned by an administrator while creating a user account for the owner of the login name login_name. Later the user can change the password either by running the passwd command without any options or by invoking the -p option to the login procedure. To use the latter method, enter -p immediately after the login prompt (before entering login_name):

    login: -p login_name

The login scheme then calls the passwd command. See login(1) for details.
Command syntax

Any user may use the -s option:

-s
    Show password attributes for the user's own login_name.

Only a privileged user may use the following options:

-d
    Delete the password for login_name so that the user is not prompted for a password.

-f
    Force the user to change the password at the next login by expiring the password for login_name.

-l
    Lock the password entry for login_name.

-n min
    Specify the minimum number of days between password changes for user login_name. Always use this option with the -x option unless max is set to -1 (aging turned off). In that case, min need not be set.

-p
    Generate an encrypted password on the standard output from a plain text password entered in response to a prompt.

-s
    Show password attributes for login_name.

-s -a
    Show the password attributes for all users.

-w warn
    Specify the number of days (relative to max) on which user login_name will be warned before the password expires.

-x max
    Specify the number of days the password is valid for user login_name.
Password construction

Passwords must be constructed to meet the following requirements:

- Each password must have at least PASSLENGTH characters as defined in /etc/default/passwd. PASSLENGTH must be at least 3. The first 80 characters of a password are treated as significant (this is the value of PASS_MAX in /usr/include/limits.h).

- Each password must contain at least two alphabetic characters and at least one numeric or special character. (In this case, "alphabetic" includes all uppercase and lowercase letters.)

- Each password must differ from the user's login name and any reverse or circular shift of that login name. (Corresponding uppercase and lowercase letters are considered equivalent.)

- A new password must differ from the old one by at least three characters.

If a password generator program has been specified for a user through the useradd (or usermod) command, passwd calls the password generator program to generate possible passwords for the user to select; when a password generator is used, none of the normally required password construction rules are enforced.
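The four construction rules above, written out as a checker. This is an added illustration and not UnixWare's passwd source; the parameter names and their defaults (PASSLENGTH 3, MINALPHA 2, MINDIFF 3, MINDIGIT 1, MINOTHER unset) are taken from the /etc/default/passwd settings listed under Defaults on this page. Where the manual's wording leaves room for interpretation (what "any reverse or circular shift" covers, how "differ by three characters" is counted) the choice made is noted in a comment; the functions `login_name_variants`, `positions_differing` and `check_new_password` are this example's own names.

```python
# Added illustration of the passwd(1) construction rules; not UnixWare code.
# Parameter names and defaults follow /etc/default/passwd as documented in the
# Defaults section (PASSLENGTH 3, MINALPHA 2, MINDIFF 3, MINDIGIT 1).

PASS_MAX = 80  # only the first 80 characters of a password are significant


def login_name_variants(login):
    """Login name, every circular shift of it, and the reverse of each.

    The manual forbids "any reverse or circular shift" of the login name;
    taking the reverse of every shift covers both readings of that phrase.
    Comparison is case-insensitive, so everything is lower-cased here.
    """
    name = login.lower()
    shifts = {name[i:] + name[:i] for i in range(len(name))}
    return shifts | {s[::-1] for s in shifts}


def positions_differing(old, new):
    """Count positions where old and new differ; extra length counts as different.

    Interpretation of "differ by at least three characters": a position-by-position
    comparison, with any characters beyond the shorter string counted as different.
    """
    longer = max(len(old), len(new))
    return sum(1 for i in range(longer)
               if i >= len(old) or i >= len(new) or old[i] != new[i])


def check_new_password(new, old, login, passlength=3, minalpha=2, mindiff=3,
                       mindigit=1, minother=0):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    if mindigit and minother:
        raise ValueError("only one of MINDIGIT or MINOTHER may be set")
    if passlength < 3:
        raise ValueError("PASSLENGTH must be at least 3")

    new = new[:PASS_MAX]
    problems = []

    # Rule 1: minimum length.
    if len(new) < passlength:
        problems.append("shorter than PASSLENGTH=%d" % passlength)

    # Rule 2: at least MINALPHA letters and at least one numeric or special
    # character. The manual states the second part as "numeric or special",
    # so digits and specials are pooled against whichever minimum is set.
    alpha = sum(c.isalpha() for c in new)
    nonalpha = len(new) - alpha
    if alpha < minalpha:
        problems.append("fewer than MINALPHA=%d alphabetic characters" % minalpha)
    if nonalpha < max(mindigit, minother, 1):
        problems.append("fewer than %d numeric or special characters" % max(mindigit, minother, 1))

    # Rule 3: not the login name, its reverse, or a circular shift of it.
    if new.lower() in login_name_variants(login):
        problems.append("matches the login name, its reverse or a circular shift of it")

    # Rule 4: differs from the old password (if any) in at least MINDIFF positions.
    if old and positions_differing(old[:PASS_MAX], new) < mindiff:
        problems.append("differs from the old password in fewer than MINDIFF=%d characters" % mindiff)

    return problems


if __name__ == "__main__":
    # Constructed inputs: login "alice", old password "secret1".
    for candidate in ("xyz7", "ab", "Ecila", "secret2"):
        print(candidate, "->", check_new_password(candidate, "secret1", "alice") or "ok")
```

Note that the reversed login name is rejected even when the candidate differs from it only in letter case, while the old-versus-new comparison is case-sensitive, which matches the manual's statement that case equivalence applies only to the login-name rule.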
Operation

When used to change a password, passwd prompts ordinary users for their old password, if any. If sufficient time has passed since the old password was set, passwd then prompts the user twice for the new password; otherwise it terminates. Next, passwd checks to make sure the new password meets construction requirements. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the cycle of prompting for the new password is repeated a maximum of twice.

Privileged users may change any password; the passwd command does not prompt a privileged user for an old password. Privileged users are not forced to comply with password aging and password construction requirements. Such users can create a null password by pressing <Enter> in response to the prompt for a new password. (This differs from passwd -d because the Password: prompt will still be displayed.)
Local passwords and NIS passwords

Passwords and information related to passwords are kept in two files on the system, /etc/passwd and /etc/shadow. An NIS database containing passwords is also maintained for NIS users. In the case where a user has entries in both the local /etc/passwd file and the NIS database, the password that will be updated is determined primarily by two factors:

- If a user has an entry in the I&A database (the /etc/security/ia files listed under Files), the local password is always the one that is updated. This database is usually created at boot time by creatiadb(1M). Note that user logins that begin with a + or - character are ignored by creatiadb and therefore do not have corresponding entries in the I&A database.

- If a user has a password specified in the local /etc/shadow file, this password will always be updated, whether or not the same user has an entry in the NIS passwd database. If the user has an /etc/shadow entry with no password, then passwd will update the user's entry in the NIS passwd database.
Password aging

Passwords are valid for finite periods (defined by the system administrator), after which they must be changed. Therefore a record must be kept of each password and the period for which it's active. As the expiration date for a password approaches, its owner is warned to choose a new password before a specified number of days elapses. The process of monitoring password schedules and notifying users about their passwords, when necessary, is called password aging.

Information about the password for each user on the system is kept in /etc/shadow, which is readable only by privileged users. Each user's line in /etc/shadow has four parameters that affect password aging:

lastchanged
    The date on which the password for the user was last changed. (Note that this date is determined using Greenwich Mean Time and, therefore, may differ by as much as a day in other time zones.)

minimum
    The number of days that must elapse after the lastchanged date before the password for the user can be changed.

maximum
    The number of days for which the password for the user will be valid after the lastchanged date (after which it will be necessary to change the password). This number does not include the day on which the password is set.

warn
    The number of days the user will receive warnings about the impending expiration of his or her password. Thus, for example, if the value of warn is 7, the owner of login_name will start receiving warnings a week before the password expires.

The last three of these parameters may be set by the command line options -n, -x, and -w, respectively. In the absence of command options, their values are set from the /etc/default/passwd file. The "Defaults" section describes these parameters.

If minimum is greater than maximum, the user may not change the password. Aging for login_name is turned off immediately if maximum is set to -1. If maximum is set to 0, the user is forced to change the password at the next login session after the lastchanged date, and aging is turned off at that time.

Password aging is never turned off directly by the command line passwd -x 0 login_name. Instead, this command sets the "maximum" field to 0. If the "lastchanged" field is not 0, the aging fields will be cleared the next time the passwd command is used to change the user's password. If, however, the "lastchanged" field is set to 0, the aging fields are not changed. If you expect the aging fields to be cleared and they're not, the explanation could be that the "lastchanged" field has been set to 0 without your realizing it. There are two possible explanations.

- You (the administrator) may have expired a user's password by running the command passwd -f login_name. In this case, the value of lastchanged would have been set to 0.

- The "maximum" field may have been clear when you issued the command passwd -x 0 login_name. In this case, the passwd command itself would have set the value of lastchanged to 0.
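The aging rules of this section, and the two-step behaviour of passwd -x 0, worked through on the four shadow fields. This is an added example, not UnixWare code, and it makes one assumption the manual does not spell out: as in the usual shadow(4) layout, lastchanged and "today" are day counts since 1970-01-01 (GMT) and the other three fields are day counts, with a blank field represented as None. The names `Shadow`, `AgingReport`, `evaluate_aging`, `set_maximum_zero` and `change_password` are this example's own.

```python
# Added illustration of the /etc/shadow aging rules; not UnixWare code.
# Assumption: lastchanged and today are days since 1970-01-01 (GMT), as in
# shadow(4); minimum, maximum and warn are day counts; a blank field is None.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Shadow:
    lastchanged: Optional[int]
    minimum: Optional[int] = None
    maximum: Optional[int] = None
    warn: Optional[int] = None


@dataclass
class AgingReport:
    aging_off: bool
    may_change: bool           # False if minimum > maximum or minimum days have not elapsed
    expired: bool              # a new password is required at the next login
    warn_now: bool             # inside the `warn` window before expiry
    days_left: Optional[int]   # None when aging is off


def evaluate_aging(today, s):
    """Apply the manual's rules to one shadow entry on a given day."""
    if s.maximum is None or s.maximum == -1:
        # maximum of -1 turns aging off; minimum is then irrelevant
        return AgingReport(True, True, False, False, None)
    minimum, warn = s.minimum or 0, s.warn or 0
    # minimum > maximum means the user may not change the password at all
    may_change = minimum <= s.maximum and today - s.lastchanged >= minimum
    if s.lastchanged == 0 or s.maximum == 0:
        # lastchanged 0 is what passwd -f leaves behind; maximum 0 forces a
        # change at the next login after lastchanged
        return AgingReport(False, may_change, True, False, 0)
    last_valid_day = s.lastchanged + s.maximum   # the day of setting is not counted
    days_left = last_valid_day - today
    expired = days_left < 0
    return AgingReport(False, may_change, expired,
                       not expired and days_left <= warn, days_left)


def set_maximum_zero(s):
    """What `passwd -x 0 login_name` does: aging is not turned off; maximum is
    set to 0, and if maximum was clear, lastchanged is set to 0 as well."""
    if s.maximum is None:
        s.lastchanged = 0
    s.maximum = 0
    return s


def change_password(s, today):
    """Record a password change. With maximum 0 the aging fields are cleared
    only when lastchanged is not 0; with lastchanged 0 they are left as they
    are, so maximum stays 0 after the change."""
    if s.maximum == 0 and s.lastchanged != 0:
        s.minimum = s.maximum = s.warn = None
    s.lastchanged = today
    return s


if __name__ == "__main__":
    # Constructed entry: changed on day 11990, minimum 7, maximum 30, warn 7.
    entry = Shadow(11990, 7, 30, 7)
    for day in (11995, 12000, 12015, 12021):
        print(day, evaluate_aging(day, entry))
    print(change_password(set_maximum_zero(Shadow(11990, 0, 30, 7)), 12000))
```

Running `set_maximum_zero` on an entry whose maximum field is blank is the second of the two explanations the manual lists: lastchanged becomes 0, and the later `change_password` then leaves maximum at 0 instead of clearing the aging fields.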
Displaying password attributes

When the passwd command is used to show password attributes, the format of the display is:

    login_name status lastchanged minimum maximum warn

or, if password aging information is not present,

    login_name status

The fields are defined as follows:

login_name
    The login ID of the user.

status
    The password status of login_name: PS stands for passworded, LK stands for locked, and NP stands for no password.

The last four fields are as defined under Password aging.
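A parser for the two display forms just described, used to review the output of passwd -s -a for accounts an administrator would want to look at: no password (NP), locked (LK), aging switched off (maximum -1) and minimum greater than maximum (the user cannot change the password). This is an added example, not part of the manual; the sample output is constructed, and the lastchanged column is kept as an opaque string because the manual does not state the date format. `parse_status_line` and `audit` are this example's own names.

```python
# Added illustration: parse the `passwd -s -a` display format and audit it.
# Not UnixWare code. SAMPLE_OUTPUT is constructed; dates are not interpreted.

SAMPLE_OUTPUT = """\
root       PS  06/01/04   7  168  7
alice      PS  06/15/04   0  168  7
guest      NP
svc_batch  LK  01/10/04   0   -1  0
bob        PS  05/01/04  30    7  0
"""

STATUS_MEANING = {"PS": "passworded", "LK": "locked", "NP": "no password"}


def parse_status_line(line):
    """Return a dict for one display line, in either of the two documented forms:
    `login_name status` or `login_name status lastchanged minimum maximum warn`."""
    fields = line.split()
    if len(fields) not in (2, 6) or fields[1] not in STATUS_MEANING:
        raise ValueError("unrecognized passwd -s line: %r" % line)
    rec = {"login_name": fields[0], "status": fields[1], "aging": None}
    if len(fields) == 6:
        rec["aging"] = {
            "lastchanged": fields[2],        # date string, format not interpreted
            "minimum": int(fields[3]),
            "maximum": int(fields[4]),
            "warn": int(fields[5]),
        }
    return rec


def audit(output):
    """Group login names by the conditions worth reviewing."""
    findings = {"no_password": [], "locked": [], "aging_off": [], "cannot_change": []}
    for line in output.splitlines():
        if not line.strip():
            continue
        rec = parse_status_line(line)
        name, aging = rec["login_name"], rec["aging"]
        if rec["status"] == "NP":
            findings["no_password"].append(name)      # logs in without a password
        if rec["status"] == "LK":
            findings["locked"].append(name)
        if aging:
            if aging["maximum"] == -1:
                findings["aging_off"].append(name)    # password never expires
            elif aging["minimum"] > aging["maximum"]:
                findings["cannot_change"].append(name)  # user may not change it
    return findings


if __name__ == "__main__":
    for condition, names in audit(SAMPLE_OUTPUT).items():
        print("%-14s %s" % (condition + ":", ", ".join(names) or "-"))
```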
Defaults

By assigning values to a set of parameters in the file /etc/default/passwd, an administrator can control the aging and length of passwords. The following parameters are available.

MINALPHA
    Minimum number of alphanumeric characters a password must have (default is 2).

MINDIFF
    Minimum number of characters old and new password must differ (default is 3).

MINDIGIT
    Minimum number of digits (default is 1); only one of MINDIGIT or MINOTHER can be set.

MINOTHER
    Minimum number of other [special] characters (default is 1); only one of MINOTHER or MINDIGIT can be set.

MINWEEKS
    Minimum number of weeks before a password can be changed. In a delivered system, the value is 0.

MAXWEEKS
    Maximum number of weeks a password can be unchanged. In a delivered system, the value is 24.

WARNWEEKS
    Number of weeks before a password expires that the user is to be warned. In a delivered system, the value is 1.

PASSLENGTH
    Minimum number of characters in a password. In a delivered system, the value is 3.

Note that the passwd command option arguments min, max, and warn and the corresponding /etc/shadow fields "minimum", "maximum", and "warn" treat aging in terms of days; the corresponding /etc/default/passwd fields, MINWEEKS, MAXWEEKS, and WARNWEEKS, in terms of weeks.

When password aging is off for a user but default aging values exist in /etc/default/passwd, then password aging will be turned on when the user's password is changed.
Files

/etc/shadow
/etc/passwd
/etc/oshadow
/etc/opasswd
/etc/default/passwd

/usr/lib/locale/locale/LC_MESSAGES/uxcore.abi
    language-specific message file (see LANG on environ(5))

/etc/security/ia/index
    index into /etc/security/ia/master

/etc/security/ia/master
    contains all I&A information about users
Diagnostics

The passwd command exits with a return code of 0 upon successful completion. Following are reasons for failure:

- permission denied
- invalid combination of options
- unexpected failure; password file unchanged
- unexpected failure; password file(s) missing
- password file(s) busy; try again later
- invalid argument to option
- unexpected failure
- unknown ID
- aging disabled
- password may only be changed at login time

Some errors could be due to a missing or corrupted /etc/shadow file. Check the /etc/shadow file and, if necessary, create it using the pwconv(1M) command. The pwconv command creates a new /etc/shadow file using the currently defined logins, passwords, and password aging information found in the existing /etc/passwd and /etc/security/ia files.
References

crypt(3G), id(1M), login(1), passwd(4), pwconv(1M), shadow(4), su(1M), useradd(1M), userdel(1M), usermod(1M)
Notices

If root runs the passwd -d command to delete a password for a user for whom password aging is in effect, that user will not be allowed to add a new password until the NULL password has been aged. This is true even if the PASSREQ flag in /etc/default/login is set to YES. This results in a user without a password. We recommend you use the -f option whenever you use -d to delete a password. By doing so, you'll ensure the user is forced to change his or her password when he or she next logs in.

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 05 July 2004