Tribblix: manual page: passwd.1

PASSWD(1) User Commands PASSWD(1)

NAME

passwd - change login password and password attributes

SYNOPSIS

passwd [-r files | -r ldap | -r nis] [name]

passwd [-r files] [-egh] [name]

passwd [-r files] -s [-a]

passwd [-r files] -s [name]

passwd [-r files] [-d | -l | -u | -N] [-f] [-n min]
[-w warn] [-x max] name

passwd -r ldap [-egh] [name]

passwd [-r ldap ] -s [-a]

passwd [-r ldap ] -s [name]

passwd -r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name

passwd -r nis [-egh] [name]

DESCRIPTION

The passwd command changes the password or lists password attributes
associated with the user's login name. Additionally, privileged users
can use passwd to install or change passwords and attributes
associated with any login name.

When used to change a password, passwd prompts everyone for their old
password, if any. It then prompts for the new password twice. When
the old password is entered, passwd checks to see if it has aged
sufficiently. If aging is insufficient, passwd terminates; see
pwconv(8) and shadow(5) for additional information.

The pwconv command creates and updates /etc/shadow with information
from /etc/passwd. pwconv relies on a special value of x in the
password field of /etc/passwd. This value of x indicates that the
password for the user is already in /etc/shadow and should not be
modified.

If aging is sufficient, a check is made to ensure that the new
password meets construction requirements. When the new password is
entered a second time, the two copies of the new password are
compared. If the two copies are not identical, the cycle of prompting
for the new password is repeated for, at most, two more times.

Passwords must be constructed to meet the following requirements:

o Each password must have PASSLENGTH characters, where
PASSLENGTH is defined in /etc/default/passwd and is set to
6. Setting PASSLENGTH to more than eight characters
requires configuring policy.conf(5) with an algorithm that
supports greater than eight characters.

o Each password must meet the configured complexity
constraints specified in /etc/default/passwd.

o Each password must not be a member of the configured
dictionary as specified in /etc/default/passwd.

o For accounts in name services which support password
history checking, if prior password history is defined,
new passwords must not be contained in the prior password
history.

If all requirements are met, by default, the passwd command consults
/etc/nsswitch.conf to determine in which repositories to perform
password update. It searches the passwd and passwd_compat entries.
The sources (repositories) associated with these entries are updated.
However, the password update configurations supported are limited to
the following cases. Failure to comply with the configurations
prevents users from logging onto the system. The password update
configurations are:

o passwd: files

o passwd: files ldap

o passwd: files nis

o passwd: compat (==> files nis)

o passwd: compat (==> files ldap)

passwd_compat: ldap

You can add the ad keyword to any of the passwd configurations in the
above list. However, you cannot use the passwd command to change the
password of an Active Directory (AD) user. If the ad keyword is found
in the passwd entry during a password update operation, it is
ignored. To update the password of an AD user, use the kpasswd(1)
command.

The administrator configured for updating LDAP shadow information can
change any password attributes. See ldapclient(8).

When a user has a password stored in one of the name services as well
as a local files entry, the passwd command updates both. It is
possible to have different passwords in the name service and local
files entry. Use passwd -r to change a specific password repository.

In the files case, super-users (for instance, real and effective uid
equal to 0, see id(8) and su(8)) can change any password. Hence,
passwd does not prompt privileged users for the old password.
Privileged users are not forced to comply with password aging and
password construction requirements. A privileged user can create a
null password by entering a carriage return in response to the prompt
for a new password. (This differs from passwd -d because the password
prompt is still displayed.) If NIS is in effect, superuser on the
root master can change any password without being prompted for the
old NIS passwd, and is not forced to comply with password
construction requirements.

If LDAP is in effect, superuser on any Native LDAP client system can
change any password without being prompted for the old LDAP passwd,
and is not forced to comply with password construction requirements.

Normally, passwd entered with no arguments changes the password of
the current user. When a user logs in and then invokes su(8) to
become superuser or another user, passwd changes the original user's
password, not the password of the superuser or the new user.

Any user can use the -s option to show password attributes for his or
her own login name. Otherwise, the -s argument is restricted to the
superuser.

The format of the display is:

name status mm/dd/yy min max warn

or, if password aging information is not present,

name status

where

name
The login ID of the user.

status
The password status of name.

The status field can take the following values:

LK
This account is locked account. See Security.

NL
This account is a no login account. See Security.

NP
This account has no password and is therefore open
without authentication.

PS
This account has a password.

mm/dd/yy
The date password was last changed for name. All password
aging dates are determined using Greenwich Mean Time
(Universal Time) and therefore can differ by as much as a
day in other time zones.

min
The minimum number of days required between password
changes for name. MINWEEKS is found in
/etc/default/passwd and is set to NULL.

max
The maximum number of days the password is valid for
name. MAXWEEKS is found in /etc/default/passwd and is set
to NULL.

warn
The number of days relative to max before the password
expires and the name are warned.

Security

passwd uses pam(3PAM) for password change. It calls PAM with a
service name passwd and uses service module type auth for
authentication and password for password change.

Locking an account (-l option) does not allow its use for password
based login or delayed execution (such as at(1), batch(1), or
cron(8)). The -N option can be used to disallow password based login,
while continuing to allow delayed execution.

OPTIONS

The following options are supported:

-a
Shows password attributes for all entries. Use only
with the -s option. name must not be provided. For
the files and ldap repositories, this is restricted
to the superuser.

-e
Changes the login shell. The choice of shell is
limited by the requirements of getusershell(3C). If
the user currently has a shell that is not allowed
by getusershell, only root can change it.

-g
Changes the gecos (finger) information. For the
files repository, this only works for the superuser.
Normal users can change the ldap or nis
repositories.

-h
Changes the home directory.

-r
Specifies the repository to which an operation is
applied. The supported repositories are files, ldap,
or nis.

-s name
Shows password attributes for the login name. For
the files and ldap repositories, this only works for
the superuser. It does not work at all for the nis
repository which does not support password aging.

The output of this option, and only this option is
Stable and parsable. The format is username followed
by white space followed by one of the following
codes.

New codes might be added in the future so code that
parses this must be flexible in the face of unknown
codes. While all existing codes are two characters
in length that might not always be the case.

The following are the current status codes:

LK
Account is locked for UNIX authentication.
passwd -l was run or the authentication failed
RETRIES times.

NL
The account is a no login account. passwd -N
has been run.

NP
Account has no password. passwd -d was run.

PS
The account probably has a valid password.

UN
The data in the password field is unknown. It
is not a recognizable hashed password or any
of the above entries. See crypt(3C) for valid
password hashes.

Privileged User Options

Only a privileged user can use the following options:

-d
Deletes password for name and unlocks the account. The
login name is not prompted for password. It is only
applicable to the files and ldap repositories.

If the login(1) option PASSREQ=YES is configured, the
account is not able to login. PASSREQ=YES is the delivered
default.

-f
Forces the user to change password at the next login by
expiring the password for name.

-l
Locks password entry for name. See the -d or -u option for
unlocking the account.

-N
Makes the password entry for name a value that cannot be
used for login, but does not lock the account. See the -d
option for removing the value, or to set a password to
allow logins.

-n min
Sets minimum field for name. The min field contains the
minimum number of days between password changes for name.
If min is greater than max, the user can not change the
password. Always use this option with the -x option,
unless max is set to -1 (aging turned off). In that case,
min need not be set.

-u
Unlocks a locked password for entry name. See the -d
option for removing the locked password, or to set a
password to allow logins.

-w warn
Sets warn field for name. The warn field contains the
number of days before the password expires and the user is
warned. This option is not valid if password aging is
disabled.

-x max
Sets maximum field for name. The max field contains the
number of days that the password is valid for name. The
aging for name is turned off immediately if max is set to
-1.

OPERANDS

The following operand is supported:

name
User login name.

ENVIRONMENT VARIABLES

If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES,
LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(7)),
are not set in the environment, the operational behavior of passwd
for each corresponding locale category is determined by the value of
the LANG environment variable. If LC_ALL is set, its contents are
used to override both the LANG and the other LC_* variables. If none
of the above variables is set in the environment, the C (U.S. style)
locale determines how passwd behaves.

LC_CTYPE
Determines how passwd handles characters. When
LC_CTYPE is set to a valid value, passwd can display
and handle text and filenames containing valid
characters for that locale. passwd can display and
handle Extended Unix Code (EUC) characters where any
individual character can be 1, 2, or 3 bytes wide.
passwd can also handle EUC characters of 1, 2, or more
column widths. In the C locale, only characters from
ISO 8859-1 are valid.

LC_MESSAGES
Determines how diagnostic and informative messages are
presented. This includes the language and style of the
messages, and the correct form of affirmative and
negative responses. In the C locale, the messages are
presented in the default form found in the program
itself (in most cases, U.S. English).

EXIT STATUS

The passwd command exits with one of the following values:

0
Success.

1
Permission denied.

2
Invalid combination of options.

3
Unexpected failure. Password file unchanged.

4
Unexpected failure. Password file(s) missing.

5
Password file(s) busy. Try again later.

6
Invalid argument to option.

7
Aging option is disabled.

8
No memory.

9
System error.

10
Account expired.

FILES

/etc/default/passwd
Default values can be set for the following
flags in /etc/default/passwd. For example:
MAXWEEKS=26

DICTIONDBDIR
The directory where the
generated dictionary databases
reside. Defaults to
/var/passwd.

If neither DICTIONLIST nor
DICTIONDBDIR is specified, the
system does not perform a
dictionary check.

DICTIONLIST
DICTIONLIST can contain list
of comma separated dictionary
files such as
DICTIONLIST=file1, file2,
file3. Each dictionary file
contains multiple lines and
each line consists of a word
and a NEWLINE character
(similar to
/usr/share/lib/dict/words.)
You must specify full
pathnames. The words from
these files are merged into a
database that is used to
determine whether a password
is based on a dictionary word.

If neither DICTIONLIST nor
DICTIONDBDIR is specified, the
system does not perform a
dictionary check.

To pre-build the dictionary
database, see mkpwdict(8).

HISTORY
Maximum number of prior
password history to keep for a
user. Setting the HISTORY
value to zero (0), or removing
the flag, causes the prior
password history of all users
to be discarded at the next
password change by any user.
The default is not to define
the HISTORY flag. The maximum
value is 26. Currently, this
functionality is enforced only
for user accounts defined in
the files name service (local
passwd(5)/shadow(5)).

MAXREPEATS
Maximum number of allowable
consecutive repeating
characters. If MAXREPEATS is
not set or is zero (0), the
default is no checks

MAXWEEKS
Maximum time period that
password is valid.

MINALPHA
Minimum number of alpha
character required. If
MINALPHA is not set, the
default is 2.

MINDIFF
Minimum differences required
between an old and a new
password. If MINDIFF is not
set, the default is 3.

MINDIGIT
Minimum number of digits
required. If MINDIGIT is not
set or is set to zero (0), the
default is no checks. You
cannot be specify MINDIGIT if
MINNONALPHA is also specified.

MINLOWER
Minimum number of lower case
letters required. If not set
or zero (0), the default is no
checks.

MINNONALPHA
Minimum number of non-alpha
(including numeric and
special) required. If
MINNONALPHA is not set, the
default is 1. You cannot
specify MINNONALPHA if
MINDIGIT or MINSPECIAL is also
specified.

MINWEEKS
Minimum time period before the
password can be changed.

MINSPECIAL
Minimum number of special
(non-alpha and non-digit)
characters required. If
MINSPECIAL is not set or is
zero (0), the default is no
checks. You cannot specify
MINSPECIAL if you also specify
MINNONALPHA.

MINUPPER
Minimum number of upper case
letters required. If MINUPPER
is not set or is zero (0), the
default is no checks.

NAMECHECK
Enable/disable checking or the
login name. The default is to
do login name checking. A case
insensitive value of no
disables this feature.

PASSLENGTH
Minimum length of password, in
characters.

WARNWEEKS
Time period until warning of
date of password's ensuing
expiration.

WHITESPACE
Determine if white space
characters are allowed in
passwords. Valid values are
YES and NO. If WHITESPACE is
not set or is set to YES,
white space characters are
allowed.

/etc/oshadow
Temporary file used by passwd, passmgmt and
pwconv to update the real shadow file.

/etc/passwd
Password file.

/etc/shadow
Shadow password file.

/etc/shells
Shell database.

ATTRIBUTES

NOTES

The pam_unix(7) module is no longer supported. Similar functionality
is provided by pam_unix_account(7), pam_unix_auth(7),
pam_unix_session(7), pam_authtok_check(7), pam_authtok_get(7),
pam_authtok_store(7), pam_dhkeys(7), and pam_passwd_auth(7).

The yppasswd command is a wrapper around passwd. Use of yppasswd is
discouraged. Use passwd -r repository_name instead.

Changing a password in the files and ldap repositories clears the
failed login count.

Changing a password reactivates an account deactivated for inactivity
for the length of the inactivity period.

If /etc/shells is present, and is corrupted, it may provide an attack
vector that would compromise the system. The getusershell(3c)
library call has a pre-vetted list of shells, so /etc/shells should
be used with caution.

Input terminal processing might interpret some key sequences and not
pass them to the passwd command.

An account with no password, status code NP, might not be able to
login. See the login(1) PASSREQ option.

February 25, 2017 PASSWD(1)