
FreeBSD Manual Pages


passwd(1)			 User Commands			     passwd(1)

       passwd -	change login password and password attributes

       passwd [-r files	| -r ldap | -r nis | -r	nisplus]  [name]

       passwd [	-r files] [-egh] [name]

       passwd [	-r files] -s [-a]

       passwd [	-r files] -s [name]

       passwd [	-r files] [-d |	-l]  [-f] [-n min] [-w warn] [-x max] name

       passwd  -r ldap [-egh] [name]

       passwd  -r nis [-egh] [name]

       passwd  -r nisplus [-egh] [-D domainname] [name]

       passwd  -r nisplus -s [-a]

       passwd  -r nisplus [-D domainname] -s [name]

       passwd -r nisplus [-l] [-f] [-n min] [-w warn] [-x max]
       [-D domainname] name

       The passwd command changes the password or  lists  password  attributes
       associated  with	 the user's login name.	Additionally, privileged users
       may use passwd to install or change passwords and attributes associated
       with any	login name.

       When  used  to change a password, passwd	prompts	everyone for their old
       password, if any. It then prompts for the new password twice. When  the
       old  password  is entered, passwd checks	to see if it has "aged"	suffi-
       ciently.	If "aging" is insufficient, passwd terminates; see pwconv(1M),
       nistbladm(1), and shadow(4) for additional information.

       When  LDAP,  NIS,  or NIS+ is in	effect on a system, passwd changes the
       NIS or NIS+ database. The NIS or	NIS+ password may  be  different  from
       the  password  on  the  local  machine.	If NIS or NIS+ is running, use
       passwd -r to change password information	on the local machine.

       The pwconv command creates and  updates	/etc/shadow  with  information
       from  /etc/passwd. pwconv relies	on a special value of 'x' in the pass-
       word field of /etc/passwd. This value of	'x' indicates that  the	 pass-
       word for	the user is already in /etc/shadow and should not be modified.

       If aging	is sufficient, a check is made to ensure that the new password
       meets construction requirements.	When the new  password	is  entered  a
       second  time,  the  two copies of the new password are compared.	If the
       two copies are not identical, the cycle of prompting for	the new	 pass-
       word is repeated	for, at	most, two more times.

       Passwords must be constructed to	meet the following requirements:

	  o  Each  password  must have PASSLENGTH characters, where PASSLENGTH
	     is	defined	in /etc/default/passwd and is set to 6.	Only the first
	     eight characters are significant.

	  o  Each password must	contain	at least two alphabetic	characters and
	     at	least one numeric or special character.	In this	case,  "alpha-
	     betic" refers to all upper	or lower case letters.

	  o  Each  password must differ	from the user's	login name and any re-
	     verse or circular shift of	that login name. For  comparison  pur-
	     poses, an upper case letter and its corresponding lower case let-
	     ter are equivalent.

	  o  New passwords must	differ from the	old by at least	three  charac-
	     ters.  For	comparison purposes, an	upper case letter and its cor-
	     responding	lower case letter are equivalent.
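
       The four construction rules above, written out as a checker. This is
       an added example, not code from the manual page or from Solaris. The
       function names are hypothetical, and the way "differ by at least three
       characters" is measured (position by position, over the eight
       significant characters) is an assumption.

```python
# Added example, not Solaris source. Rule numbers follow the list above.
PASSLENGTH = 6    # default from /etc/default/passwd, per the page
SIGNIFICANT = 8   # "Only the first eight characters are significant"


def circular_shifts(s):
    """Every rotation of s, including s itself."""
    return {s[i:] + s[:i] for i in range(len(s))}


def positional_diff(a, b):
    """Assumed metric: differing positions plus the difference in length."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def check_password(new, login, old=None):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    # Rule 1: minimum length.
    if len(new) < PASSLENGTH:
        problems.append("length")
    # Rule 2: two alphabetic characters and one numeric or special character.
    alpha = sum(c.isalpha() for c in new)
    if alpha < 2 or len(new) - alpha < 1:
        problems.append("composition")
    # Rule 3: not the login name, its reverse, or a circular shift of it.
    # Upper and lower case are equivalent for this comparison.
    low, name = new.lower(), login.lower()
    if low in circular_shifts(name) | {name[::-1]}:
        problems.append("login-derived")
    # Rule 4: at least three characters different from the old password.
    # Assumption: compared case-insensitively over the significant prefix,
    # so a change made only after character eight does not count.
    if old is not None:
        if positional_diff(low[:SIGNIFICANT], old.lower()[:SIGNIFICANT]) < 3:
            problems.append("too-similar")
    return problems
```

       Because only the first eight characters are significant, a new
       password that changes just the tail of a long old one is reported as
       too similar.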

       If all requirements are met, by default,	the passwd command  will  con-
       sult  /etc/nsswitch.conf	 to determine in which repositories to perform
       password	update.	It searches the	passwd and passwd_compat entries.  The
       sources	(repositories)	associated with	these entries will be updated.
       However,	the password update configurations supported  are  limited  to
       the  following  cases.  Failure	to comply with the configurations will
       prevent users from logging onto the system. The password	update config-
       urations	are:

	  o  passwd: files

	  o  passwd: files ldap

	  o  passwd: files nis

	  o  passwd: files nisplus

          o  passwd: compat (==> files nis)

          o  passwd: compat (==> files ldap)
             passwd_compat: ldap

          o  passwd: compat (==> files nisplus)
             passwd_compat: nisplus

       Network administrators, who own the NIS+	password table,	may change any
       password	attributes.

       In the files case, super-users (for instance, real  and	effective  uid
       equal  to  0,  see  id(1M)  and su(1M)) may change any password.	Hence,
       passwd does not prompt privileged users for the	old  password.	Privi-
       leged  users  are not forced to comply with password aging and password
       construction requirements. A privileged user can	create a null password
       by entering a carriage return in	response to the	prompt for a new pass-
       word. (This differs from	passwd -d because the "password"  prompt  will
       still  be displayed.) If	NIS is in effect, superuser on the root	master
       can change any password without being prompted for the old NIS  passwd,
       and is not forced to comply with	password construction requirements.

       Normally,  passwd entered with no arguments will	change the password of
       the current user. When a	user logs in and then invokes su(1M) to	become
       super-user  or  another	user,  passwd  will change the original	user's
       password, not the password of the super-user or the new user.

       Any user	may use	the -s option to show password attributes for  his  or
       her  own	 login	name, provided they are	using the -r nisplus argument.
       Otherwise, the -s argument is restricted	to the superuser.

       The format of the display will be:

       name status mm/dd/yy min	max warn

       or, if password aging information is not	present,

       name status


       name  The login ID of the user.

       status
             The password status of name: PS stands for passworded or locked,
             LK stands for locked, and NP stands for no password.

       mm/dd/yy
             The date password was last changed for name. Notice that all
             password aging dates are determined using Greenwich Mean Time
             (Universal Time) and therefore may differ by as much as a day in
             other time zones.

       min   The minimum number	of days	required between password changes  for
	     name.  MINWEEKS  is  found	 in  /etc/default/passwd and is	set to

       max   The maximum number	of  days  the  password	 is  valid  for	 name.
	     MAXWEEKS is found in /etc/default/passwd and is set to NULL.

       warn  The  number  of  days relative to max before the password expires
	     and the name will be warned.
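
       A parser for the two display formats above that flags the entries an
       account review would look at first. This is an added example, not part
       of the manual page. The sample output is constructed, the function
       names are hypothetical, and PS is treated as a passworded account.

```python
from datetime import datetime, timezone

# Constructed sample of `passwd -s -a` output (not from a real system).
SAMPLE = """\
root PS 03/14/01 7 84 14
daemon LK
alice PS
bob NP
carol PS 11/02/01 0 56 7
dave PS 06/01/01 90 30 7
"""


def parse_status_line(line):
    """Parse 'name status [mm/dd/yy min max warn]' into a dict."""
    f = line.split()
    if len(f) not in (2, 6) or f[1] not in ("PS", "LK", "NP"):
        raise ValueError(f"unrecognised passwd -s line: {line!r}")
    rec = {"name": f[0], "status": f[1], "changed": None,
           "min": None, "max": None, "warn": None}
    if len(f) == 6:
        # Aging dates are reported in GMT, per the page.
        changed = datetime.strptime(f[2], "%m/%d/%y")
        rec["changed"] = changed.replace(tzinfo=timezone.utc)
        rec["min"], rec["max"], rec["warn"] = (int(x) for x in f[3:])
    return rec


def audit(text):
    """Return (name, finding) pairs for accounts that need a closer look."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_status_line(line)
        if r["status"] == "NP":
            findings.append((r["name"], "no password"))
        elif r["status"] == "PS" and r["changed"] is None:
            findings.append((r["name"], "no aging information"))
        elif r["status"] == "PS" and r["min"] > r["max"]:
            # Per the -n option: if min exceeds max the user may not
            # change the password.
            findings.append((r["name"], "min > max"))
    return findings
```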

       passwd uses pam(3PAM) for password management.  The  PAM	 configuration
       policy, listed through /etc/pam.conf, specifies the password modules to
       be used for passwd. Here	is a partial pam.conf file  with  entries  for
       the passwd command using	the passwd-auth	module:

       passwd  auth required

       If  there  are  no entries for the passwd service, then the entries for
       the "other" service will	be used.  If  multiple	password  modules  are
       listed, then the	user may be prompted for multiple passwords.

       The following options are supported:

       -a    Shows  password  attributes for all entries. Use only with	the -s
	     option. name must not be provided.	For  the  nisplus  repository,
	     this will show only the entries in	the NIS+ password table	in the
	     local domain that the invoker is authorized to  "read".  For  the
	     files repository, this is restricted to the superuser.

       -D domainname
             Consults the passwd.org_dir table in domainname. If this option
             is not specified, the default domainname returned by
             nis_local_directory(3NSL) will be used. This domain name is the
             same as that returned by domainname(1M).

       -e    Changes the login shell. For  the	files  repository,  this  only
	     works  for	the super-user.	Normal users may change	the ldap, nis,
	     or	nisplus	repositories. The choice of shell is  limited  by  the
	     requirements  of  getusershell(3C).  If  the user currently has a
	     shell that	is not allowed by getusershell,	only root  may	change

       -g    Changes the gecos (finger)	information. For the files repository,
	     this only works for the superuser.	Normal users  may  change  the
	     ldap, nis,	or nisplus repositories.

       -h    Changes the home directory.

       -r    Specifies	the  repository	 to which an operation is applied. The
	     supported repositories are	files, ldap, nis, or nisplus.

       -s name
	     Shows password attributes for the login  name.  For  the  nisplus
	     repository, this works for	everyone. However for the files	repos-
	     itory, this only works for	the superuser. It does not work	at all
	     for the nis repository which does not support password aging.

   Privileged User Options
       Only a privileged user can use the following options:

       -d    Deletes  password	for  name. The login name will not be prompted
	     for password. It is only applicable to the	files repository.

       -f    Forces the	user to	change password	at the next login by  expiring
	     the password for name.

       -l    Locks password entry for name.

       -n min
	     Sets  minimum  field for name. The	min field contains the minimum
	     number of days between password  changes  for  name.  If  min  is
	     greater  than  max,  the user may not change the password.	Always
	     use this option with the -x option, unless	max is set to -1  (ag-
	     ing turned	off). In that case, min	need not be set.

       -w warn
	     Sets  warn	 field for name. The warn field	contains the number of
	     days before the password expires and the user is warned. This op-
	     tion is not valid if password aging is disabled.

       -x max
	     Sets maximum field	for name. The max field	contains the number of
	     days that the password is valid for name. The aging for name will
	     be	turned off immediately if max is set to	-1. If it is set to 0,
	     then the user is forced to	change the password at the next	 login
	     session and aging is turned off.

       The following operand is	supported:

       name  User login	name.

       If  any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
       LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are  not  set
       in  the environment, the	operational behavior of	passwd for each	corre-
       sponding	locale category	is determined by the value of the  LANG	 envi-
       ronment	variable.  If LC_ALL is	set, its contents are used to override
       both the	LANG and the other LC_*	variables. If none of the above	 vari-
       ables is	set in the environment,	the "C"	(U.S. style) locale determines
       how passwd behaves.

       LC_CTYPE
             Determines how passwd handles characters. When LC_CTYPE is set to
             a valid value, passwd can display and handle text and filenames
             containing valid characters for that locale. passwd can display
             and handle Extended Unix Code (EUC) characters where any
             individual character can be 1, 2, or 3 bytes wide. passwd can
             also handle EUC characters of 1, 2, or more column widths. In the
             "C" locale, only characters from ISO 8859-1 are valid.

       LC_MESSAGES
             Determines how diagnostic and informative messages are presented.
             This includes the language and style of the messages, and the
             correct form of affirmative and negative responses. In the "C"
             locale, the messages are presented in the default form found in
             the program itself (in most cases, U.S. English).

       The passwd command exits	with one of the	following values:

       0     Success.

       1     Permission	denied.

       2     Invalid combination of options.

       3     Unexpected	failure. Password file unchanged.

       4     Unexpected	failure. Password file(s) missing.

       5     Password file(s) busy. Try	again later.

       6     Invalid argument to option.

       7     Aging option is disabled.

       8     No	memory.

       9     System error.

       10    Account expired.



       /etc/passwd
             Password file.

       /etc/shadow
             Shadow password file.

       /etc/default/passwd
             Default values can be set for the following flags in
             /etc/default/passwd. For example: MAXWEEKS=26

             MAXWEEKS
                   Maximum time period that password is valid.

             MINWEEKS
                   Minimum time period before the password can be changed.

             PASSLENGTH
                   Minimum length of password, in characters.

             WARNWEEKS
                   Time period until warning of date of password's ensuing ex-

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE TYPE        |      ATTRIBUTE VALUE        |
       |Availability                |SUNWcsu                      |
       |CSI                         |Enabled                      |

       finger(1), login(1), nistbladm(1), domainname(1M), eeprom(1M), id(1M),
       passmgmt(1M), pwconv(1M), su(1M), useradd(1M), userdel(1M),
       usermod(1M), crypt(3C), getpwnam(3C), getspnam(3C), getusershell(3C),
       nis_local_directory(3NSL), pam(3PAM), loginlog(4), nsswitch.conf(4),
       pam.conf(4), passwd(4), shadow(4), attributes(5), environ(5),
       pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_dhkeys(5), pam_ldap(5), pam_unix(5), pam_unix_account(5),
       pam_unix_auth(5),
       The pam_unix(5) module might not be supported in a future release.
       Similar functionality is provided by pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),
       pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and
       The  nispasswd  and ypasswd commands are	wrappers around	passwd.	Use of
       nispasswd and ypasswd is	discouraged. Use passwd	-r repository_name in-

       NIS+ might not be supported in future releases of the Solaris(TM)
       Operating Environment. Tools to aid the migration from NIS+ to LDAP are
       available in the	Solaris	9 operating environment. For more information,

SunOS 5.9			  10 Dec 2001			     passwd(1)

