Solaris Naming Administration Guide

The passwd Command

The passwd command performs various operations regarding passwords. The passwd command replaces the nispasswd command. You should use the passwd command for all activities which used to be performed with the nispasswd command. (See the passwd command man page for a complete description of all passwd flags, options, and arguments.)

The passwd command allows users to perform the following operations:

Administrators can use the passwd command to perform the following operations:

passwd and the nsswitch.conf File

The name service switch determines where the passwd command (and other commands) obtains and stores password information. If the passwd entry of the applicable nsswitch.conf file points to:

The passwd -r Option

When you run the passwd command with the -r nisplus, -r nis, or -r files arguments, those options override the nsswitch.conf file setting. You will be warned that this is the case. If you continue, the -r option will cause the passwd command to ignore the nsswitch.conf file sequence and update the information in the password information storage location pointed to by the -r flag.

For example, if the passwd entry in the applicable nsswitch.conf file reads:

 passwd: files nisplus

files is the first (primary) source, and passwd run without the -r option will get its password information from the /etc/passwd file. If you run the command with the -r nisplus option, passwd will get its information from the appropriate NIS+ passwd table and make its changes to that table, not to the /etc/passwd file.

The -r option should only be used when you cannot use the nsswitch.conf file because the search sequence is wrong. For example, when you need to update password information that is stored in two places, you can use the order specified in the nsswitch.conf file for the first one, but for the second one you have to force the use of the secondary or tertiary source.

The message:

Your specified repository is not defined in the nsswitch file!

indicates that your change will be made to the password information in the repository specified by the -r option, but that change will not affect anyone until the nsswitch.conf file is changed to point to that repository. For example, suppose the nsswitch.conf file reads passwd: files nis and you use the -r nisplus option to establish password-aging limits in an NIS+ passwd table. Those password-aging rules will sit in that table unused because the nsswitch.conf file is directing everyone to other places for their password information.

The passwd Command and "NIS+ Environment"

In this chapter, the phrase NIS+ environment refers to situations where the passwd entry of the applicable nsswitch.conf file is set to nisplus, or the passwd command is run with the -r nisplus argument.

The passwd Command and Credentials

When run in an NIS+ environment (see above), the passwd command is designed to function with or without credentials. Users without credentials are limited to changing their own password. Other password operations can only be performed by users who have credentials (are authenticated) and who have the necessary access rights (are authorized).

The passwd Command and Permissions

In this discussion of authorization and permissions, it is assumed that everyone referred to has the proper credentials.

By default, in a normal NIS+ environment the owner of the passwd table can change password information at any time and without constraints. In other words, the owner of the passwd table is normally granted full read, modify, create, and destroy authorization (permission) for that table. An owner can also:

Note -

Regardless of what permissions they have, everyone in the world, and nobody classes are forced to comply with password-aging constraints. In other words, they cannot change a password for themselves or anyone else unless that password has aged past its minimum. Nor can members of the group, world, and nobody classes avoid having to change their own passwords when the age limit has been reached. However, age constraints do not apply to the owner of the passwd table.

To use the passwd command in an NIS+ environment, you must have the required authorization (access rights) for the operation:

Table 11-1 Access Rights for passwd Command

This Operation 

Requires These Rights 

To This Object 

Displaying information 


passwd table entry 

Changing Information 


passwd table entry 

Adding New Information 


passwd table 

The passwd Command and Keys

If you use passwd in an NIS+ environment to change a principal's password, it tries to update the principal's private (secret) key in the cred table.

The passwd Command and Other Domains

To operate on the passwd table of another domain, use:

passwd [options] -D domainname