passwd(1)                     User Commands                     passwd(1)

NAME
     passwd - change login password and password attributes

SYNOPSIS
     passwd [ name ]
     passwd [ -d | -l ] [ -f ] [ -n min ] [ -w warn ] [ -x max ] name
     passwd -s [ -a ]
     passwd -s [ name ]

AVAILABILITY
     SUNWcsu

DESCRIPTION
     The passwd command changes the password or lists password
     attributes associated with the user's login name. Additionally,
     privileged-users may use passwd to install or change passwords
     and attributes associated with any login name.

     When used to change a password, passwd prompts ordinary users
     for their old password, if any. It then prompts for the new
     password twice. When the old password is entered, passwd checks
     to see if it has "aged" sufficiently. If "aging" is
     insufficient, passwd terminates; see pwconv(1M) and shadow(4)
     for additional information. The pwconv command creates and
     updates /etc/shadow with information from /etc/passwd. pwconv
     relies on a special value of 'x' in the password field of
     /etc/passwd. This value of 'x' indicates that the password for
     the user is already in /etc/shadow and should not be modified.

     Assuming aging is sufficient, a check is made to ensure that the
     new password meets construction requirements. When the new
     password is entered a second time, the two copies of the new
     password are compared. If the two copies are not identical the
     cycle of prompting for the new password is repeated for at most
     two more times.

     Passwords must be constructed to meet the following
     requirements:

     o    Each password must have at least six characters. Only the
          first eight characters are significant. PASSLENGTH is found
          in /etc/default/passwd and is set to 6.

     o    Each password must contain at least two alphabetic
          characters and at least one numeric or special character.
          In this case, "alphabetic" refers to all upper or lower
          case letters.

     o    Each password must differ from the user's login name and
          any reverse or circular shift of that login name. For
          comparison purposes, an upper case letter and its
          corresponding lower case letter are equivalent.

     o    New passwords must differ from the old by at least three
          characters. For comparison purposes, an upper case letter
          and its corresponding lower case letter are equivalent.

     Super-users (for instance, real and effective uid equal to zero,
     see id(1M) and su(1M)) may change any password; hence, passwd
     does not prompt privileged-users for the old password.
     Privileged-users are not forced to comply with password aging
     and password construction requirements. A privileged-user can
     create a null password by entering a carriage return in response
     to the prompt for a new password. (This differs from passwd -d
     because the "password" prompt will still be displayed.)

     Any user may use the -s option to show password attributes for
     his or her own login name.

     The format of the display will be:

          name status mm/dd/yy min max warn

     or, if password aging information is not present,

          name status

     where

     name        The login ID of the user.

     status      The password status of name: "PS" stands for
                 passworded or locked, "LK" stands for locked, and
                 "NP" stands for no password.

     mm/dd/yy    The date password was last changed for name. (Note:
                 All password aging dates are determined using
                 Greenwich Mean Time and, therefore, may differ by as
                 much as a day in other time zones.)

     min         The minimum number of days required between password
                 changes for name. MINWEEKS is found in
                 /etc/default/passwd and is set to NULL.

     max         The maximum number of days the password is valid for
                 name. MAXWEEKS is found in /etc/default/passwd and
                 is set to NULL.

     warn        The number of days relative to max before the
                 password expires that the name will be warned.

OPTIONS
     Only a privileged-user can use the following options:

     -a          Show password attributes for all entries. Use only
                 with -s option; name must not be provided.

     -d          Deletes password for name. The login name will not
                 be prompted for password.

     -f          Force the user to change password at the next login
                 by expiring the password for name.

     -l          Locks password entry for name.

     -s          Show password attributes for the login name.

     -n min      Set minimum field for name. The min field contains
                 the minimum number of days between password changes
                 for name. If min is greater than max, the user may
                 not change the password. Always use this option with
                 the -x option, unless max is set to -1 (aging turned
                 off). In that case, min need not be set.

     -w warn     Set warn field for name. The warn field contains the
                 number of days before the password expires that the
                 user will be warned.

     -x max      Set maximum field for name. The max field contains
                 the number of days that the password is valid for
                 name. The aging for name will be turned off
                 immediately if max is set to -1. If it is set to 0,
                 then the user is forced to change the password at
                 the next login session and aging is turned off.

ENVIRONMENT
     If any of the LC_* variables ( LC_CTYPE, LC_MESSAGES, LC_TIME,
     LC_COLLATE, LC_NUMERIC, and LC_MONETARY ) (see environ(5)) are
     not set in the environment, the operational behavior of passwd
     for each corresponding locale category is determined by the
     value of the LANG environment variable. If LC_ALL is set, its
     contents are used to override both the LANG and the other LC_*
     variables. If none of the above variables is set in the
     environment, the "C" (U.S. style) locale determines how passwd
     behaves.

     LC_CTYPE    Determines how passwd handles characters. When
                 LC_CTYPE is set to a valid value, passwd can display
                 and handle text and filenames containing valid
                 characters for that locale. passwd can display and
                 handle Extended Unix Code (EUC) characters where any
                 individual character can be 1, 2, or 3 bytes wide.
                 passwd can also handle EUC characters of 1, 2, or
                 more column widths. In the "C" locale, only
                 characters from ISO 8859-1 are valid.

     LC_MESSAGES Determines how diagnostic and informative messages
                 are presented. This includes the language and style
                 of the messages, and the correct form of affirmative
                 and negative responses. In the "C" locale, the
                 messages are presented in the default form found in
                 the program itself (in most cases, U.S. English).

FILES
     /etc/oshadow
     /etc/passwd
     /etc/shadow
     /etc/default/passwd
                 Default values can be set for the following flags in
                 /etc/default/passwd. For example: MAXWEEKS=26

                 MAXWEEKS    Maximum time period that password is
                             valid.

                 MINWEEKS    Minimum time period before the password
                             can be changed.

                 PASSLENGTH  Minimum length of password, in
                             characters.

                 WARNWEEKS   Time period until warning of date of
                             password's ensuing expiration.

SEE ALSO
     finger(1), login(1), nispasswd(1), yppasswd(1), domainname(1M),
     eeprom(1M), id(1M), passmgmt(1M), pwconv(1M), su(1M),
     useradd(1M), userdel(1M), usermod(1M), crypt(3C), getpwnam(3C),
     getspnam(3C), loginlog(4), passwd(4), shadow(4), environ(5)

DIAGNOSTICS
     The passwd command exits with one of the following values:

     0    SUCCESS.

     1    Permission denied.

     2    Invalid combination of options.

     3    Unexpected failure. Password file unchanged.

     4    Unexpected failure. Password file(s) missing.

     5    Password file(s) busy. Try again later.

     6    Invalid argument to option.

SunOS 5.4                 Last change: 17 Mar 1994
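
The construction requirements listed under DESCRIPTION, written out as a checker. This is an added example, not code from passwd itself; the rule codes, the position-by-position difference count and the choice to compare only the eight significant characters are assumptions of the example.

```python
import string

PASSLENGTH = 6     # minimum length; value the page gives for /etc/default/passwd
SIGNIFICANT = 8    # "Only the first eight characters are significant"

def login_forms(login):
    """The login name, its reverse and every circular shift, lower-cased."""
    s = login.lower()
    forms = {s[i:] + s[:i] for i in range(len(s))}
    forms.add(s[::-1])
    return forms

def differing_positions(a, b):
    """Assumed metric: positions at which a and b differ, ignoring case."""
    a, b = a.lower(), b.lower()
    same = sum(x == y for x, y in zip(a, b))
    return max(len(a), len(b)) - same

def check_password(login, old, new):
    """Return hypothetical rule codes for each requirement that `new` fails."""
    failed = []
    if len(new) < PASSLENGTH:
        failed.append("too-short")
    letters = sum(c in string.ascii_letters for c in new)
    if letters < 2 or len(new) - letters < 1:
        failed.append("char-classes")
    if new.lower() in login_forms(login):
        failed.append("login-shift")
    # Assumption: compare what is actually significant, so a change made only
    # after the eighth character does not count as a new password.
    if old is not None and differing_positions(old[:SIGNIFICANT], new[:SIGNIFICANT]) < 3:
        failed.append("too-similar")
    return failed
```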
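
An added example (not part of the original page) that reads passwd -s -a output in the display format described under DESCRIPTION and reports entries worth an administrator's review. The sample lines are constructed, the finding names are hypothetical, and treating a password older than max days as expired is this example's reading of the max field.

```python
from datetime import datetime, timedelta

# Constructed sample in the "name status mm/dd/yy min max warn" layout.
SAMPLE = """\
root    PS  01/10/94  0   90  7
daemon  LK
guest   NP
alice   PS
bob     PS  11/02/93  0   60  7
carol   PS  03/01/94  30  14  7
"""

def audit(text, today):
    """Return (name, finding) pairs; `today` is a datetime.date in GMT."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 2:
            continue                        # blank or malformed line
        name, status = f[0], f[1]
        if status == "LK":
            continue                        # locked entry, nothing to age
        if status == "NP":
            findings.append((name, "no-password"))
        if len(f) < 5:                      # short form: no aging information
            if status == "PS":
                findings.append((name, "no-aging"))
            continue
        changed = datetime.strptime(f[2], "%m/%d/%y").date()
        min_days, max_days = int(f[3]), int(f[4])
        if max_days < 0:                    # -x -1 turns aging off
            findings.append((name, "no-aging"))
        elif min_days > max_days:           # user may not change the password
            findings.append((name, "min-gt-max"))
        elif today - changed > timedelta(days=max_days):
            findings.append((name, "expired"))
    return findings
```

Because the page notes that aging dates are kept in Greenwich Mean Time, pass a GMT date as `today` and allow a day of slack near the boundary.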