PASSWD(1)                                                            PASSWD(1)

NAME
     passwd - change login password and password attributes

SYNOPSIS
     passwd [ name ]
     passwd [ -l | -d ] [ -n min ] [ -f ] [ -x max ] [ -w warn ] name
     passwd -s [ -a ]
     passwd -s [ name ]

DESCRIPTION
     The passwd command changes the password or lists password attributes
     associated with the user's login name. Additionally, super-users may use
     passwd to install or change passwords and attributes associated with any
     login name. Passwords for NIS entries that don't override the passwd
     field with a local value must be changed with yppasswd(1).

     When used to change a password, passwd prompts ordinary users for their
     old password, if any. It then prompts for the new password twice. The
     first time the new password is entered, passwd checks to see if the old
     password has "aged" sufficiently. (Aging is not supported for NIS
     entries, even if they have locally overridden passwords.) Password
     "aging" is the amount of time (usually a certain number of days) that
     must elapse between password changes. If aging is insufficient, the new
     password is rejected and passwd terminates; see passwd(4). Assuming aging
     is sufficient, a check is made to ensure that the new password meets the
     construction requirements. When the new password is entered a second
     time, the two copies of the new password are compared. If the two copies
     are not identical, the cycle of prompting for the new password is
     repeated at most two more times.

     Passwords must be constructed to meet the following requirements:

          Each password must have at least six characters. Only the first
          eight characters are significant.

          Each password must contain at least two alphabetic characters and at
          least one numeric or special character. In this case, "alphabetic"
          means upper and lower case letters.

          Each password must differ from the user's login name and any reverse
          or circular shift of that login name. For comparison purposes, an
          upper case letter and its corresponding lower case letter are
          equivalent.
          New passwords must differ from the old by at least three characters.
          For comparison purposes, an upper case letter and its corresponding
          lower case letter are equivalent.

     One whose effective user ID is zero is called a super-user; see id(1)
     and su(1). Super-users may change any password; hence, passwd does not
     prompt super-users for the old password. Super-users are not forced to
     comply with password aging and password construction requirements. A
     super-user can create a null password by entering a carriage return in
     response to the prompt for a new password. (This differs from passwd -d
     because the "password" prompt will still be displayed.)

     Any user may use the -s option to show password attributes for his or
     her own login name. The format of the display will be:

          name status uid gid directory shell mm/dd/yy min max

     or, if password aging information is not present,

          name status uid gid directory shell

     or, if the entry is from NIS,

          name status directory shell

     where

     name       The login ID of the user.

     status     The password status of name: "PS" stands for passworded or
                locked, "LK" stands for locked, and "NP" stands for no
                password.

     uid        Numerical user ID.

     gid        Numerical group ID.

     directory  Initial working directory.

     shell      Program to use as shell when the user logs in.

     mm/dd/yy   The date the password was last changed for name. (Because all
                password aging dates are determined using Greenwich Mean Time
                and /etc/passwd stores the information in weeks, the date may
                differ by as much as a week depending upon the local time
                zone.)

     min        The minimum number of days required between password changes
                for name.

     max        The maximum number of days the password is valid for name.

     Only a super-user can use the following options:

     -l         Locks the password entry for name, preventing all logins to
                that account, except via the rhosts(4) mechanism. Note that
                this feature allows a denial of service attack that may
                require booting from the miniroot to fix, as even the root
                accounts can be locked out.
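     The construction requirements listed under DESCRIPTION, implemented as an
     added example (this is not the passwd(1) source). The login names and
     passwords are constructed; counting differing positions plus the length
     difference is this example's reading of "differ by at least three
     characters".

```python
# Added example: the passwd(1) construction rules as a reusable check.
from typing import Optional

SIGNIFICANT = 8   # only the first eight characters of a password are significant
MIN_LENGTH = 6    # the PASSLENGTH default


def _name_shifts(login: str) -> set:
    """Every circular shift of the login name and of its reverse, lower-cased."""
    shifts = set()
    for s in (login.lower(), login.lower()[::-1]):
        shifts.update(s[i:] + s[:i] for i in range(len(s)))
    return shifts


def _differs_enough(new: str, old: str) -> bool:
    """True when at least three positions differ, case-insensitively, over the
    significant eight characters (this example's interpretation of the rule)."""
    a, b = new[:SIGNIFICANT].lower(), old[:SIGNIFICANT].lower()
    mismatches = sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))
    return mismatches >= 3


def check_construction(new: str, login: str, old: Optional[str] = None) -> list:
    """Return the rule violations for a candidate; an empty list means acceptable."""
    errors = []
    sig = new[:SIGNIFICANT]                      # what passwd actually keeps
    if len(new) < MIN_LENGTH:
        errors.append("fewer than six characters")
    letters = sum(c.isalpha() for c in sig)      # digits and specials are the rest
    if letters < 2 or len(sig) - letters < 1:
        errors.append("needs two letters and one numeric or special character")
    if sig.lower() in _name_shifts(login):
        errors.append("equals the login name or a reverse/circular shift of it")
    if old is not None and not _differs_enough(new, old):
        errors.append("differs from the old password by fewer than three characters")
    return errors


if __name__ == "__main__":
    for pw in ("Secret1", "ab1", "Ice12AL", "ecila21", "abcdefgh"):
        print(pw, check_construction(pw, "alice12") or "ok")
```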
     -d         Deletes the password for name. The login name will not be
                prompted for a password.

     -n min     Sets the min field for name. The min field contains the
                minimum number of days between password changes for name. If
                min is greater than max, the user may not change the password.
                Always use this option with the -x option, unless max is set
                to -1 or 0 (aging turned off). In that case, min need not be
                set.

     -x max     Sets the max field for name. The max field contains the number
                of days that the password is valid for name. The aging for
                name will be turned off immediately if max is set to -1. If it
                is set to 0, then the user is forced to change the password at
                the next login session and aging is turned off. If max is less
                than min, only the super-user can change this user's password.

     -a         Shows password attributes for all entries. Use only with the
                -s option; name must not be provided.

     -f         Forces the user to change the password at the next login by
                expiring the password for name.

     -w warn    The warn argument indicates the number of days before the
                password expires that the user is warned. This option is
                supported only when shadow passwords are in use.

     If PAM (see pam(8)) is not enabled, the behavior of the program is
     influenced by the content of /etc/default/passwd if this file exists.
     The file is not supplied with the system, but may be locally created and
     modified as need be. If the file is not present, the default behaviors
     described below are followed. The following items are recognized:

     HISTORYCNT=n
                The number of previous passwords to retain in
                /etc/passwd.history for each system user. The default
                behavior is to not retain any (and to not create the file).
                Previously used passwords found in the history file may not
                be reused until HISTORYCNT other passwords have been used, or
                HISTORYDAYS have elapsed. The superuser may supply any
                password for a user, including previously used ones. This
                superuser-supplied password is retained in the history file.
                The maximum value is 25.
     HISTORYDAYS=n
                The number of days to retain and check for previously used
                passwords. The default behavior is to not retain any (and to
                not create the history file). The maximum value is 730
                (approximately two years). If HISTORYCNT has not been
                specified and this parameter has been, HISTORYCNT is set to
                25. Smaller values of HISTORYCNT may be specified.

     MAXWEEKS=n
                The maximum number of weeks that the password is valid. The
                default behavior is to not set a value. This is equivalent to
                the -x XX command line arguments.

     MINWEEKS=n
                The minimum number of weeks between password changes (part of
                password aging). The default behavior is to not set a value.
                This is equivalent to the -n XX command line arguments.

     PASSGEN=/path
                External program to be invoked to supply generated passwords.
                The default behavior is to not have such a program. The
                program is invoked in lieu of getting a password from the
                user. The user must select one of the choices offered. The
                superuser may still supply passwords, and is not presented
                with the generated passwords. The program must be specified
                as a full pathname (starting with /). It should produce the
                passwords on separate lines, each with a trailing newline
                character, on its stdout, which is read by passwd and
                presented to the user. Up to 20 generated passwords may be
                supplied by the program. If it generates more than 20, an
                error message is printed and no passwords are presented. No
                generating programs are supplied with the system.

     PASSLENGTH=n
                Minimum length of an acceptable password. This defaults to 6,
                and has a maximum value of 8.

     PASSWDVALIDATE=/path
                External program to be invoked to validate a new password.
                The default behavior is to not have such a program. The
                program is invoked after the basic validation steps discussed
                above. It must be specified as a full pathname (starting with
                /). The program receives the new password in the clear, with
                a trailing newline, on its standard input, which is closed
                after writing this one line.
                The passwd program issues a wait(2) and obtains the exit
                status of the external validation program. An exit status of
                0 indicates the new password is acceptable; all other status
                values indicate an error and the new password is not
                accepted. The exit status of the external validation program
                should be one of the values listed below in the DIAGNOSTICS
                section. Passwords being changed by the superuser are not
                subject to this validation. No external validation programs
                are supplied with the system.

     WARNWEEKS=n
                Number of weeks before password expiration to begin warning
                the user. The default behavior is to not set a value. This is
                equivalent to the -w XX command line arguments.

NOTE
     Aging does not work with NIS entries, even if the password is locally
     overridden.

     The passwd command will silently delete commented lines (lines beginning
     with #) from /etc/passwd.

FILES
     /etc/passwd, /etc/opasswd, /etc/.pwd.lock, /etc/shadow, /etc/oshadow,
     /etc/default/passwd, /etc/passwd.history, /etc/config/pam

SEE ALSO
     id(1M), login(1), su(1M).
     yppasswd(1) for NIS passwords.
     crypt(3C), passwd(4), shadow(4).
     pam(8).

DIAGNOSTICS
     The passwd command exits with one of the following values:

     0    SUCCESS.
     1    Permission denied.
     2    Invalid combination of options.
     3    File manipulation error.
     4    Old password or shadow password file cannot be recovered.
     5    Password file(s) busy. Try again later.
     6    Invalid argument to option.
     7    Unexpected failure. Password file unchanged.
     8    Unknown login name.
     9    Password aging is disabled.
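     An added example of a PASSWDVALIDATE program, written for this page rather
     than shipped with the system. It follows the contract described above
     (one line on stdin, exit status collected via wait(2), values taken from
     DIAGNOSTICS) and applies a policy beyond the built-in construction checks:
     a constructed denylist compared on the significant eight characters, and
     a minimum number of distinct characters. The install path, the denylist
     contents, and the use of status 1 for a rejected password and 7 for
     malformed input are assumptions.

```python
#!/usr/bin/env python3
# Added example of an external PASSWDVALIDATE program (nothing like it ships
# with the system). Assumed installation: copy to /usr/local/sbin/pwvalidate
# (hypothetical path) and set PASSWDVALIDATE=/usr/local/sbin/pwvalidate in
# /etc/default/passwd. passwd(1) runs it after its own construction checks.
import sys

SIGNIFICANT = 8  # passwd(1) treats only the first eight characters as significant

# Constructed denylist for the example; a deployment would load a real word list.
DENYLIST = {"password", "welcome1", "letmein1", "qwerty12"}

# Status values from the DIAGNOSTICS section. 0 accepts the password; this
# example reports a rejected password as 1 and malformed input as 7.
ACCEPT, REJECT, FAILURE = 0, 1, 7


def validate(password: str) -> int:
    """Policy applied to the candidate; returns the status passwd collects via wait(2)."""
    sig = password[:SIGNIFICANT].lower()   # compare only what passwd actually keeps
    if sig in DENYLIST:
        return REJECT
    if len(set(sig)) < 3:                  # e.g. "aaaa1111": passes class rules, low diversity
        return REJECT
    return ACCEPT


def status_for_line(line: str) -> int:
    """passwd writes the password plus one trailing newline, then closes stdin.
    Anything else (empty read, missing newline) is reported as a failure, never a pass."""
    if not line.endswith("\n"):
        return FAILURE
    return validate(line[:-1])


if __name__ == "__main__":
    sys.exit(status_for_line(sys.stdin.readline()))
```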