Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
passwd(1)							     passwd(1)

       passwd -	change login password and password attributes

       passwd [-r files	| -r ldap | -r nis | -r	nisplus]  [name]

       passwd [	-r files] [-egh] [name]

       passwd [	-r files] -s [-a]

       passwd [	-r files] -s [name]

       passwd  [  -r  files]  [-d  |  -l  |  -u	| -N]  [-f] [-n	min] [-w warn]
       [-x max]	name

       passwd  -r ldap [-egh] [name]

       passwd  -r nis [-egh] [name]

       passwd  -r nisplus [-egh] [-D domainname] [name]

       passwd  -r nisplus -s [-a]

       passwd  -r nisplus [-D domainname] -s [name]

       passwd  -r nisplus [-l |	-u | -N]   [-f]	 [-n min]  [-w warn]  [-x max]
       [-D domainname] name

       The  passwd  command  changes the password or lists password attributes
       associated with the user's login	name. Additionally,  privileged	 users
       can use passwd to install or change passwords and attributes associated
       with any	login name.

       When used to change a password, passwd prompts everyone for  their  old
       password,  if any. It then prompts for the new password twice. When the
       old password is entered,	passwd checks to see if	it has	"aged"	suffi-
       ciently.	If "aging" is insufficient, passwd terminates; see pwconv(1M),
       nistbladm(1), and shadow(4) for additional information.

       When LDAP, NIS, or NIS+ is in effect on a system,  passwd  changes  the
       NIS  or	NIS+  database.	The NIS	or NIS+	password can be	different from
       the password on the local machine. If  NIS  or  NIS+  is	 running,  use
       passwd -r to change password information	on the local machine.

       The  pwconv  command  creates  and updates /etc/shadow with information
       from /etc/passwd. pwconv	relies on a special value of 'x' in the	 pass-
       word  field  of /etc/passwd. This value of 'x' indicates	that the pass-
       word for	the user is already in /etc/shadow and should not be modified.

       If aging	is sufficient, a check is made to ensure that the new password
       meets construction requirements.	When the new  password	is  entered  a
       second  time,  the  two copies of the new password are compared.	If the
       two copies are not identical, the cycle of prompting for	the new	 pass-
       word is repeated	for, at	most, two more times.

       Passwords must be constructed to	meet the following requirements:

	 o  Each password must have PASSLENGTH characters, where PASSLENGTH is
	    defined in /etc/default/passwd and is set to 6. Setting PASSLENGTH
	    to	more than eight	characters requires configuring	policy.conf(4)
	    with an algorithm that supports greater than eight characters.

	 o  Each password must	meet  the  configured  complexity  constraints
	    specified in /etc/default/passwd.

	 o  Each password must not be a	member of the configured dictionary as
	    specified in /etc/default/passwd.

	 o  For	accounts in  name  services  which  support  password  history
	    checking, if prior password	history	is defined, new	passwords must
	    not	be contained in	the prior password history.

       If all requirements are met, by default,	the  passwd  command  consults
       /etc/nsswitch.conf  to determine	in which repositories to perform pass-
       word update. It searches	the  passwd  and  passwd_compat	 entries.  The
       sources	(repositories) associated with these entries are updated. How-
       ever, the password update configurations	supported are limited  to  the
       following  cases.  Failure  to  comply with the configurations prevents
       users from logging onto the system. The password	update	configurations

	 o  passwd: files

	 o  passwd: files ldap

	 o  passwd: files nis

	 o  passwd: files nisplus

	 o  passwd: compat (==>	files nis)

	 o  passwd: compat (==>	files ldap)

	    passwd_compat: ldap

	 o  passwd: compat (==>	files nisplus)

	    passwd_compat: nisplus

       Network administrators, who own the NIS+	password table,	can change any
       password	attributes.

       In the files case, super-users (for instance, real  and	effective  uid
       equal  to  0,  see  id(1M)  and su(1M)) can change any password.	Hence,
       passwd does not prompt privileged users for the	old  password.	Privi-
       leged  users  are not forced to comply with password aging and password
       construction requirements. A privileged user can	create a null password
       by entering a carriage return in	response to the	prompt for a new pass-
       word. (This differs from	passwd -d because  the	"password"  prompt  is
       still displayed.) If NIS	is in effect, superuser	on the root master can
       change any password without being prompted for the old NIS passwd,  and
       is not forced to	comply with password construction requirements.

       Normally,  passwd entered with no arguments changes the password	of the
       current user. When a user logs in and then  invokes  su(1M)  to	become
       super-user  or  another	user, passwd changes the original user's pass-
       word, not the password of the super-user	or the new user.

       Any user	can use	the -s option to show password attributes for  his  or
       her  own	 login	name, provided they are	using the -r nisplus argument.
       Otherwise, the -s argument is restricted	to the superuser.

       The format of the display is:

       name status mm/dd/yy min	max warn

       or, if password aging information is not	present,

       name status


       name	       The login ID of the user.

       status	       The password status of name.

		       The status field	can take the following values:

		       PS	This account has a password.

		       NL	This account is	a no login account. See	 Secu-

		       LK	This  account is locked	account. See Security.

		       NP	This account has no password and is  therefore
				open without authentication.

       mm/dd/yy	       The  date password was last changed for name. All pass-
		       word aging dates	are determined	using  Greenwich  Mean
		       Time  (Universal	 Time)	and therefore can differ by as
		       much as a day in	other time zones.

       min	       The minimum number of days  required  between  password
		       changes	  for	 name.	  MINWEEKS    is    found   in
		       /etc/default/passwd and is set to NULL.

       max	       The maximum number of days the password	is  valid  for
		       name.  MAXWEEKS	is found in /etc/default/passwd	and is
		       set to NULL.

       warn	       The number of days relative to max before the  password
		       expires and the name are	warned.

       passwd  uses pam(3PAM) for password change. It calls PAM	with a service
       name passwd and uses service module type	auth  for  authentication  and
       password	for password change.

       Locking	an  account  (-l  option)  does	not allow its use for password
       based  login  or	 delayed  execution  (such  as	at(1),	batch(1),   or
       cron(1M)).  The -N option can be	used to	disallow password based	login,
       while continuing	to allow delayed execution.

       The following options are supported:

       -a	       Shows password attributes for  all  entries.  Use  only
		       with  the -s option. name must not be provided. For the
		       nisplus repository, this	shows only the entries in  the
		       NIS+  password  table  in  the  local  domain  that the
		       invoker is authorized to	"read".	For the	files  reposi-
		       tory, this is restricted	to the superuser.

       -D domainname   Consults	 the  passwd.org_dir  table  in	domainname. If
		       this option is not specified,  the  default  domainname
		       returned	 by  nis_local_directory(3NSL)	are used. This
		       domain name is the same as  that	 returned  by  domain-

       -e	       Changes the login shell.	For the	files repository, this
		       only works for the superuser. Normal users  can	change
		       the  ldap,  nis,	or nisplus repositories. The choice of
		       shell  is  limited  by  the  requirements  of  getuser-
		       shell(3C).  If  the  user currently has a shell that is
		       not allowed by getusershell, only root can change it.

       -g	       Changes the gecos (finger) information. For  the	 files
		       repository,  this  only works for the superuser.	Normal
		       users can change	the ldap, nis,	or  nisplus  reposito-

       -h	       Changes the home	directory.

       -r	       Specifies  the  repository  to  which  an  operation is
		       applied.	The supported repositories  are	 files,	 ldap,
		       nis, or nisplus.

       -s name	       Shows  password	attributes for the login name. For the
		       nisplus repository, this	works  for  everyone.  However
		       for the files repository, this only works for the supe-
		       ruser. It does not work at all for the  nis  repository
		       which does not support password aging.

   Privileged User Options
       Only a privileged user can use the following options:

       -d	       Deletes	password for name and unlocks the account. The
		       login name is not prompted for  password.  It  is  only
		       applicable to the files repository.

       -f	       Forces the user to change password at the next login by
		       expiring	the password for name.

       -l	       Locks password entry for	name. See the -d or -u	option
		       for unlocking the account.

       -N	       Makes  the  password entry for name a value that	cannot
		       be used for login, but does not lock the	 account.  See
		       the -d option for removing the value, or	to set a pass-
		       word to allow logins.

       -n min	       Sets minimum field for name. The	min field contains the
		       minimum	number	of  days  between password changes for
		       name. If	min is greater than  max,  the	user  can  not
		       change the password. Always use this option with	the -x
		       option, unless max is set to -1 (aging turned off).  In
		       that case, min need not be set.

       -u	       Unlocks	a  locked  password for	entry name. See	the -d
		       option for removing the locked password,	or  to	set  a
		       password	to allow logins.

       -w warn	       Sets  warn  field for name. The warn field contains the
		       number of days before the password expires and the user
		       is  warned.  This option	is not valid if	password aging
		       is disabled.

       -x max	       Sets maximum field for name. The	max field contains the
		       number of days that the password	is valid for name. The
		       aging for nameis	turned off immediately if max  is  set
		       to -1.

       The following operand is	supported:

       name	       User login name.

       If  any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
       LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are  not  set
       in  the environment, the	operational behavior of	passwd for each	corre-
       sponding	locale category	is determined by the value of the  LANG	 envi-
       ronment	variable.  If LC_ALL is	set, its contents are used to override
       both the	LANG and the other LC_*	variables. If none of the above	 vari-
       ables is	set in the environment,	the "C"	(U.S. style) locale determines
       how passwd behaves.

       LC_CTYPE	       Determines how passwd handles characters. When LC_CTYPE
		       is  set to a valid value, passwd	can display and	handle
		       text and	filenames containing valid characters for that
		       locale.	passwd	can  display  and handle Extended Unix
		       Code (EUC) characters where  any	 individual  character
		       can  be	1,  2, or 3 bytes wide.	passwd can also	handle
		       EUC characters of 1, 2, or more column widths.  In  the
		       "C"  locale, only characters from ISO 8859-1 are	valid.

       LC_MESSAGES     Determines how diagnostic and informative messages  are
		       presented.  This	includes the language and style	of the
		       messages, and the correct form of affirmative and nega-
		       tive  responses.	 In  the  "C" locale, the messages are
		       presented in the	default	 form  found  in  the  program
		       itself (in most cases, U.S. English).

       The passwd command exits	with one of the	following values:

       0	Success.

       1	Permission denied.

       2	Invalid	combination of options.

       3	Unexpected failure. Password file unchanged.

       4	Unexpected failure. Password file(s) missing.

       5	Password file(s) busy. Try again later.

       6	Invalid	argument to option.

       7	Aging option is	disabled.

       8	No memory.

       9	System error.

       10	Account	expired.


	   Default   values   can   be	 set   for   the  following  flags  in
	   /etc/default/passwd.	For example: MAXWEEKS=26

	   DICTIONDBDIR	   The directory where the generated dictionary	 data-
			   bases reside. Defaults to /var/passwd.

			   If  neither	DICTIONLIST nor	DICTIONDBDIR is	speci-
			   fied, the system  does  not	perform	 a  dictionary

	   DICTIONLIST	   DICTIONLIST	can  contain  list  of comma separated
			   dictionary files such as DICTIONLIST=file1,	file2,
			   file3. Each dictionary file contains	multiple lines
			   and each line consists of a word  and  a  <NEWLINE>
			   character  (similar	to /usr/share/lib/dict/words.)
			   You must specify full  pathnames.  The  words  from
			   these files are merged into a database that is used
			   to determine	whether	a password is based on a  dic-
			   tionary word.

			   If  neither	DICTIONLIST nor	DICTIONDBDIR is	speci-
			   fied, the system  does  not	perform	 a  dictionary

			   To  prebuild	 the  dictionary  database,  see mkpw-

	   HISTORY	   Maximum number of prior password  history  to  keep
			   for	a user.	Setting	the HISTORY value to zero (0),
			   or removing the flag,  causes  the  prior  password
			   history  of	all  users to be discarded at the next
			   password change by any user.	The default is not  to
			   define  the	HISTORY	flag. The maximum value	is 26.
			   Currently, this functionality is enforced only  for
			   user	 accounts  defined in the "files" name service
			   (local passwd(4)/shadow(4)).

	   MAXREPEATS	   Maximum number of allowable	consecutive  repeating
			   characters.	If  MAXREPEATS	is  not	set or is zero
			   (0),	the default is no checks

	   MAXWEEKS	   Maximum time	period that password is	valid.

	   MINALPHA	   Minimum number  of  alpha  character	 required.  If
			   MINALPHA is not set,	the default is 2.

	   MINDIFF	   Minimum  differences	 required between an old and a
			   new password. If MINDIFF is not set,	the default is

	   MINDIGIT	   Minimum  number  of digits required.	If MINDIGIT is
			   not set or is set to	zero (0), the  default	is  no
			   checks. You cannot be specify MINDIGIT if MINNONAL-
			   PHA is also specified.

	   MINLOWER	    Minimum number of lower case letters required.  If
			   not set or zero (0),	the default is no checks.

	   MINNONALPHA	   Minimum  number of non-alpha	(including numeric and
			   special) required. If MINNONALPHA is	not  set,  the
			   default  is	1.  You	 cannot	specify	MINNONALPHA if
			   MINDIGIT or MINSPECIAL is also specified.

	   MINWEEKS	   Minimum time	period	before	the  password  can  be

	   MINSPECIAL	   Minimum number of special (non-alpha	and non-digit)
			   characters required.	If MINSPECIAL is not set or is
			   zero	 (0),  the  default  is	 no checks. You	cannot
			   specify MINSPECIAL if you also specify MINNONALPHA.

	   MINUPPER	   Minimum  number  of upper case letters required. If
			   MINUPPER is not set or is zero (0), the default  is
			   no checks.

	   NAMECHECK	   Enable/disable  checking  or	 the  login  name. The
			   default is to do login name checking. A case	insen-
			   sitive value	of "no"	disables this feature.

	   PASSLENGTH	   Minimum length of password, in characters.

	   WARNWEEKS	   Time	 period	 until	warning	 of date of password's
			   ensuing expiration.

	   WHITESPACE	   Determine if	whitespace characters are  allowed  in
			   passwords.  Valid  values are YES and NO. If	WHITE-
			   SPACE is not	set or is set to YES, whitespace char-
			   acters are allowed.


	   Temporary  file  used  by passwd, passmgmt and pwconv to update the
	   real	shadow file.


	   Password file.


	   Shadow password file.


	   Shell database.

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWcsu			   |
       |CSI			     |Enabled			   |
       |Interface Stability	     |See below.		   |

       The human readable output is Unstable. The options are Evolving.

       at(1), batch(1),	finger(1), login(1), nistbladm(1), orcron(1M), domain-
       name(1M),  eeprom(1M),  id(1M), mkpwdict(1M), passmgmt(1M), pwconv(1M),
       su(1M), useradd(1M), userdel(1M), usermod(1M), crypt(3C), getpwnam(3C),
       getspnam(3C),  getusershell(3C),	 nis_local_directory(3NSL), pam(3PAM),
       loginlog(4), nsswitch.conf(4), pam.conf(4), passwd(4),  policy.conf(4),
       shadow(4),  shells(4), attributes(5), environ(5), pam_authtok_check(5),
       pam_authtok_get(5), pam_authtok_store(5),  pam_dhkeys(5),  pam_ldap(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided	by pam_unix_account(5),	pam_unix_auth(5), pam_unix_session(5),
       pam_authtok_check(5),	 pam_authtok_get(5),	 pam_authtok_store(5),
       pam_dhkeys(5), and pam_passwd_auth(5).

       The nispasswd and ypasswd commands are wrappers around passwd.  Use  of
       nispasswd  and  ypasswd	is  discouraged. Use passwd -r repository_name

       NIS+ might not be supported in future releases of the Solaris Operating
       Environment. Tools to aid the migration from NIS+ to LDAP are available
       in the Solaris 9	operating environment.	For  more  information,	 visit

       Changing	 a  password  in  the files repository clears the failed login

				  8 Mar	2005			     passwd(1)


Want to link to this manual page? Use this URL:

home | help