Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Thursday, June 13, 2019
 
 

passwd (1)

Name

passwd - change login password and password attributes

Synopsis

passwd [-r files | -r ldap | 
-r nis] [name]
passwd [-r files] [-egh] [
name]
passwd [-r files] -s [
-a]
passwd [-r files] -s [
name]
passwd [-r files] [-d | 
-l | -u | -N | -p hash] [-f] [
-n min] 
     [-w warn] [-x 
max] name
passwd -r ldap [-egh] [
name]
passwd [-r ldap ] -s [
-a]
passwd [-r ldap ] -s [
name]
passwd -r ldap [-d | -l | -u | -N | -p hash
] [-f] [-n min] 
     [-w warn] [-x 
max] name
passwd -r nis [-egh] [
name]

Description

The passwd command changes the password or lists password attributes associated with the user's login name. Additionally, authorized users can use passwd to install or change passwords and attributes associated with any login name.

When used to change a password, passwd prompts everyone for their old password, if any. It then prompts for the new password twice. When the old password is entered, passwd checks to see if it has aged sufficiently. If aging is insufficient, passwd terminates. For additional information, see the pwconv(8) and shadow(5) man pages.

The pwconv command creates and updates /etc/shadow with information from /etc/passwd. pwconv relies on a special value of x in the password field of /etc/passwd. This value of xindicates that the password for the user is already in /etc/shadow and should not be modified.

If aging is sufficient, a check is made to ensure that the new password meets construction requirements. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the cycle of prompting for the new password is repeated for, at most, two more times.

Passwords must be constructed to meet the following requirements:

  • Each password must have at least PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 8. Setting PASSLENGTH to more than eight characters requires configuring policy.conf(5) with an algorithm that supports more than eight characters.

  • Each password must meet the configured complexity constraints specified in /etc/default/passwd.

  • Each password must not be a member of the configured dictionary as specified in /etc/default/passwd.

  • For accounts in name services which support password history checking, if prior password history is defined, new passwords must not be contained in the prior password history.

If all requirements are met, by default, the passwd command consults /etc/nsswitch.conf to determine in which repositories to perform password update. It searches the passwd entry. The sources (repositories) associated with that entry are updated. However, the password update configurations supported are limited and should follow these rules:

  • passwd line must have one, two, or three entries

  • First passwd entry should be files.

  • passwd entries other than files, NIS, and LDAP, are ignored and skipped during password update.

  • It is necessary to use a source-specific tool to update password in such database.

Network administrators, who own the password table, can change any password attributes. The administrator configured for updating LDAP shadow information can also change any password attributes. For more information, see the ldapclient(8) man page.

When a user has a password stored in one of the name services as well as a local files entry, the passwd command updates both. It is possible to have different passwords in the name service and local files entry. Use passwd –r to change a specific password repository.

The passwd command does not prompt authorized users for the old password.

If LDAP is in effect, an authorized user on any Native LDAP client system can change any password without being prompted for the old LDAP password.

By default, even users authorized to change the password of other users must comply with the configured password policy. For more information, see the pam_authtok_check(7) man page.

Normally, passwd entered with no arguments changes the password of the current user. When a user logs in and then invokes su(8) to become role or another user, passwd changes the original user's password, not the password of the role or the new user.

The –s argument is restricted to an authorized user.

The format of the display is:

name status mm/dd/yy min max warn

or, if password aging information is not present,

name status

where

name

The login ID of the user.

status

The password status of name.

The status field can take the following values:

AL

The account was automatically locked due to the number of authentication failures reaching the configured maximum allowed. See policy.conf(5) and user_attr(5) and the "Security" section.

LK

The account is locked. passwd –l was run or the account was automatically locked due to the number of authentication failures reaching the configured maximum allowed. See policy.conf(5) and user_attr(5) and the “Security” section.

NL

The account is a non-UNIX authentication account. passwd –N has been run. See “Security”. Accounts in this state are not automatically locked when the system or per-user policy is LOCK_AFTER_RETRIES=YES.

NP

This account has no password and is therefore open without authentication.

PS

This account has a password.

UN

The data in the password field is unknown. It is not a recognizable hashed password or any of the above entries. See crypt(3C) for valid password hashes.

UP

This account has not yet been activated by the administrator and cannot be used. See Security.

mm/dd/yy

The date password was last changed for name. All password aging dates are determined using Greenwich Mean Time (Universal Time) and therefore can differ by as much as a day in other time zones.

min

The minimum number of days required between password changes for name. MINWEEKS is found in /etc/default/passwd and is set to NULL.

max

The maximum number of days the password is valid for name. MAXWEEKS is found in /etc/default/passwd and is set to NULL.

warn

The number of days relative to max before the password expires and the name are warned.

The default password ageing policy can be specified in either days or in weeks. When the default values are specified for either MAXWEEKS or MINWEEKS the shadow(5) database is updated using units of days. It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. The MIN and WARN policies ore only active if a MAX policy is also set.

Security

passwd uses pam(3PAM) for password change. It calls PAM with a service name passwd and uses service module type auth for authentication and password for password change.

Locking an account (–l option) does not allow its use for any logins or delayed execution (such as at(1), batch(1), or cron(8)). The –N option can be used to disallow password-based login, while continuing to allow delayed execution or login with non-UNIX authentication methods.

Locked accounts that have never had a password cannot have their status changed directly to an active password. See –d. Changing a password on a locked account that had a password prior to being locked, changes the password without unlocking the account. See –u to unlock the account. An authorized administrator can activate an account in the not yet activated state by giving it a password or running passwd –N to activate it for non-UNIX authentication or delayed execution only.

An account can become locked following inactivity. To unlock such an account use the –u or –f options. With –u, the password is not changed; the use of –f forces a password change.

Options

The following options are supported:

–a

Shows password attributes for all entries. Use only with the –s option. name must not be provided. For the files and ldap repositories, this is restricted to the authorized user.

–e

Changes the login shell. For the files repository, this only works for the superuser. Normal users can change the ldap or nis repositories. The choice of shell is limited by the requirements of getusershell(3C). If the user currently has a shell that is not allowed by getusershell, only root can change it.

–g

Changes the gecos (finger) information. For the files repository, this only works for the superuser. Normal users can change the ldap or nis repositories.

–h

Changes the home directory.

–r

Specifies the repository to which an operation is applied. The supported repositories are files, ldap, or nis.

–s name

Shows password attributes for the login name. For the files and ldap repositories, this only works for the authorized user. It does not work at all for the nis repository, which does not support password aging.

The output of this option, and only this option, is Committed and parsable. The format is username followed by white space followed by one of the following codes.

New codes might be added in the future so code that parses this must be flexible in the face of unknown codes. While all existing codes are two characters in length that might not always be the case.

The following are the current status codes:

AL

The account was automatically locked due to the number of authentication failures reaching the configured maximum allowed. See policy.conf(5) and user_attr(5) and the "Security" section.

LK

The account is locked. passwd –l was run or the account was automatically locked due to the number of authentication failures reaching the configured maximum allowed. See policy.conf(5) and user_attr(5) and the “Security” section.

NL

The account is a non-UNIX authentication account. passwd –N has been run. See “Security”. Accounts in this state are not automatically locked when the system or per-user policy is LOCK_AFTER_RETRIES=YES.

NP

Account has no password. passwd -d was run.

PS

The account probably has a valid password.

UN

The data in the password field is unknown. It is not a recognizable hashed password or any of the above entries. See crypt(3C) for valid password hashes.

UP

This account has not yet been activated by the administrator and cannot be used. See Security.

Authorized User Options

An administrator needs to be granted the User Security profile to be able to lock and unlock an existing account. That profile also provides the ability to activate a newly created account, set password aging options and view password attributes. The following lists shows the authorizations required to perform the various operations.

Only an authorized user can use the following options:

–d

Deletes password for name and unlocks the account. The login name is not prompted for password. It is only applicable to the files and ldap repositories.

If the login(1) option PASSREQ=YES is configured, the account is not able to login. PASSREQ=YES is the delivered default.

–f

Forces the user to change password at the next login by expiring the password for name. This option is useful for unlocking accounts that have become locked due to inactivity.

–l

Locks account for name unless it is already locked. See the –u option for unlocking the account. Only accounts that are marked for non-UNIX authentication or delayed execution can be locked and will return to the same state when unlocked.

–N

Makes the password entry for name a value that cannot be used for login with UNIX authentication, but does not lock the account. See the –d option for removing the value, or –l to lock the account.

–p hash

Specifies the exact string value to be placed in the shadow password field. The user must have both the solaris.passwd.assign and solaris.passwd.nocheck authorizations. It is intended to be used for scripting password hash updates. Its use is generally discouraged, as the hashed password is visible through ps(1) while the command runs.

–n min

Sets minimum field for name. The min field contains the minimum number of days between password changes for name. If min is greater than max, the user can not change the password. Always use this option with the –x option, unless max is set to −1 (aging turned off). In that case, min need not be set.

–u

Unlocks a locked password for entry name. The –u option is useful for unlocking accounts that have become locked due to failed attempts or were administratively locked with the –l option. An account that is marked as a non-UNIX authentication account (passwd –N) returns to that state when it is unlocked.

–w warn

Sets warn field for name. The warn field contains the number of days before the password expires and the user is warned. This option is not valid if password aging is disabled.

–x max

Sets maximum field for name. The max field contains the number of days that the password is valid for name. The aging for name is turned off immediately if max is set to −1.

Operands

The following operand is supported:

name

User login name.

Environment Variables

If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(7)), are not set in the environment, the operational behavior of passwd for each corresponding locale category is determined by the value of the LANG environment variable. If LC_ALL is set, its contents are used to override both the LANG and the other LC_* variables. If none of the above variables is set in the environment, the C (U.S. style) locale determines how passwd behaves.

LC_CTYPE

Determines how passwd handles characters. When LC_CTYPE is set to a valid value, passwd can display and handle text and filenames containing valid characters for that locale. passwd can display and handle Extended Unix Code (EUC) characters where any individual character can be 1, 2, or 3 bytes wide. passwd can also handle EUC characters of 1, 2, or more column widths. In the C locale, only characters from ISO 8859-1 are valid.

LC_MESSAGES

Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the C locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English).

Exit Status

The passwd command exits with one of the following values:

0

Success.

1

Permission denied.

2

Invalid combination of options.

3

Unexpected failure. Password file unchanged.

4

Unexpected failure. Password file(s) missing.

5

Password file(s) busy. Try again later.

6

Invalid argument to option.

7

Aging option is disabled.

8

No memory.

9

System error.

10

Account expired.

11

Password information unchanged.

Files

/etc/default/passwd

Default values can be set for the following flags in /etc/default/passwd. For example: MAXWEEKS=26

The /etc/default/passwd file is obsolete. However, you can use the svc:/system/security/account-policy:default service to set the corresponding SMF properties.

The following table lists the mapping between the properties in the /etc/default/passwd and the SMF properties:

Property in /etc/default/login
Corresponding SMF Property
DICTIONDBDIR
password/dictionary/db_dir
DICTIONLIST
password/dictionary/word_list
DICTIONMINWORDLENGTH
password/dictionary/min_word_length
HISTORY
password/history
MAXREPEATS
password/complexity/max_repeats
MAXDAYS
password/aging_defaults/max_days
MAXWEEKS
password/complexity/max_days
MINALPHA
password/complexity/min_alpha
MINDIFF
password/complexity/min_diff
MINDIGIT
password/complexity/min_digit
MINLOWER
password/complexity/min_lower
MINNONALPHA
password/complexity/min_nonalpha
MINDAYS
MINWEEKS
password/complexity/min_days
MINSPECIAL
password/complexity/min_special
MINUPPER
password/complexity/min_upper
NAMECHECK
password/complexity/namecheck
PASSLENGTH
password/complexity/passlength
WARNDAYS
password/aging_defaults/warn_days
WARNWEEKS
password/complexity/warn_days
WHITESPACE
password/complexity/whitespace

For information on managing the SMF properties, see the account-policy (8S) man page.

The descriptions of the properties in the /etc/default/passwd file are as follows:

DICTIONDBDIR

The directory where the generated dictionary databases reside. Defaults to /var/passwd.

If neither DICTIONLIST nor DICTIONDBDIR is specified, the system does not perform a dictionary check.

DICTIONLIST

DICTIONLIST can contain list of comma separated dictionary files such as DICTIONLIST=file1, file2, file3. Each dictionary file contains multiple lines and each line consists of a word and a NEWLINE character. You must specify full path names. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word.

Spell-checking dictionary (similar to /usr/share/lib/dict/words) can be listed in DICTIONLIST but need to be pre-processed first. See DICTIONMINWORDLENGTH below for an easy way.

If neither DICTIONLIST nor DICTIONDBDIR is specified, the system does not perform a dictionary check.

To pre-build the dictionary database, see mkpwdict(8).

DICTIONMINWORDLENGTH

DICTIONMINWORDLENGTH can contain a number specifying the minimum word length for the source files in DICTIONLIST. Words shorter than the specified length will be omitted from the password dictionary.

The minimum value allowed is 2 [letters]; default value is 3 [letters].

HISTORY

Maximum number of prior password history to keep for a user. Setting the HISTORY value to zero (0), or removing the flag, causes the prior password history of all users to be discarded at the next password change by any user. The default is not to define the HISTORY flag. The maximum value is 26. Currently, this functionality is enforced only for user accounts defined in the files name service (local passwd(5)/shadow(5)).

MAXREPEATS

Maximum number of allowable consecutive repeating characters. If MAXREPEATS is not set or is zero (0), the default is no checks

MAXDAYS

Maximum time period in days that password is valid.

MAXWEEKS

Maximum time period in weeks that password is valid.

MINALPHA

Minimum number of alpha character required. If MINALPHA is not set, the default is 2.

MINDIFF

Minimum differences required between an old and a new password. If MINDIFF is not set, the default is 3.

MINDIGIT

Minimum number of digits required. If MINDIGIT is not set or is set to zero (0), the default is no checks. You cannot be specify MINDIGIT if MINNONALPHA is also specified.

MINLOWER

Minimum number of lower case letters required. If not set or zero (0), the default is no checks.

MINNONALPHA

Minimum number of non-alpha (including numeric and special) required. If MINNONALPHA is not set, the default is 1 . You cannot specify MINNONALPHA if MINDIGIT or MINSPECIAL is also specified.

MINDAYS

Minimum time period in days before the password can be changed.

MINWEEKS

Minimum time period in weeks before the password can be changed.

MINSPECIAL

Minimum number of special (non-alpha and non-digit) characters required. If MINSPECIAL is not set or is zero (0), the default is no checks. You cannot specify MINSPECIAL if you also specify MINNONALPHA.

MINUPPER

Minimum number of upper case letters required. If MINUPPER is not set or is zero (0), the default is no checks.

NAMECHECK

Enable/disable checking or the login name. The default is to do login name checking. A case insensitive value of no disables this feature.

PASSLENGTH

Minimum length of password, in characters.

WARNDAYS

Time period in days until warning of date of password's ensuing expiration.

WARNWEEKS

Time period in weeks until warning of date of password's ensuing expiration.

WHITESPACE

Determine if white space characters are allowed in passwords. Valid values are YES and NO. If WHITESPACE is not set or is set to YES, white space characters are allowed.

/etc/oshadow

Temporary file used by passwd and pwconv to update the real shadow file.

/etc/passwd

Password file.

/etc/shadow

Shadow password file.

/etc/shells

Shell database.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/core-os
CSI
Enabled
Interface Stability
See below.

The human readable output is Uncommitted. The options are Committed.

See Also

at(1), batch(1), finger(1), login(1), crypt(3C), getpwnam(3C), getspnam(3C), getusershell(3C), pam(3PAM), loginlog(5), nsswitch.conf(5), pam.conf(5), passwd(5), policy.conf(5), shadow(5), shells(5), user_attr(5), attributes(7), crypt_unix(7), environ(7), pam_authtok_check(7), pam_authtok_get(7), pam_authtok_store(7), pam_dhkeys(7), pam_ldap(7), pam_unix_account(7), pam_unix_auth(7), pam_unix_session(7), cron(8), domainname(8), eeprom(8), id(8), ldapclient(8), mkpwdict(8), pwconv(8), su(8), useradd(8), userdel(8), usermod(8), account-policy (8S)

Notes

The yppasswd command is a wrapper around passwd. Use of yppasswd is discouraged. Use passwd –r repository_name instead.

Changing a password in the files and ldap repositories clears the failed login count.

Changing a password reactivates an account deactivated for inactivity for the length of the inactivity period.

Input terminal processing might interpret some key sequences and not pass them to the passwd command.

An account with no password, status code NP, might not be able to login. See the login(1) PASSREQ option.

Authorizations required to perform various options:

-d     Delete password               solaris.passwd.assign
-N     Set nologin                   solaris.passwd.assign
       Change any passwd             solaris.passwd.assign

       Bypass complexity checks      solaris.passwd.nocheck

-l     Lock account                  solaris.account.setpolicy
-u     Unlock account                solaris.account.setpolicy
-n     Set min field for name        solaris.account.setpolicy
-w     Set warn field for name       solaris.account.setpolicy
-x     Set max field for name        solaris.account.setpolicy
-f     Forces password expiration    solaris.account.setpolicy
-s     Display password attributes   solaris.account.setpolicy  
-a     Display password attributes   solaris.account.setpolicy  
       for all entries

-e     Change login shell            solaris.user.manage
-g     Change gecos information      solaris.user.manage
-h     Change home directory         solaris.user.manage
       Set a newly created account's 
         passwd for the first time   solaris.account.activate

All password hash algorithms except crypt_unix(7) have a maximum password length of 255.

The unlock_after user attribute only applies to accounts locked due to exceeding a failed login count.