

NAME
     passwd - change login password and password attributes

SYNOPSIS
     passwd  [-r files |  -r ldap |  -r nis |  -r nisplus]

     passwd  [-r files] [-egh] [name]

     passwd  [-r files] -s [-a]

     passwd  [-r files] -s [name]

     passwd  [-r files] [-d |  -l |  -u |  -N] [-f] [-n min]
      [-w warn] [-x max] name

     passwd   -r ldap [-egh] [name]

     passwd [-r ldap ] -s [-a]

     passwd [-r ldap ] -s [name]

     passwd -r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name

     passwd   -r nis [-egh] [name]

     passwd   -r nisplus [-egh] [-D domainname] [name]

     passwd   -r nisplus -s [-a]

     passwd   -r nisplus [-D domainname] -s [name]

     passwd   -r nisplus [-l |  -u |  -N] [-f] [-n min] [-w warn]
      [-x max] [-D domainname] name

DESCRIPTION
     The passwd command changes the password or lists password
     attributes associated with the user's login name.
     Additionally, privileged users can use passwd to install or
     change passwords and attributes associated with any login

     When used to change a password, passwd prompts everyone  for
     their  old  password,  if  any.  It then prompts for the new
     password twice. When the old  password  is  entered,  passwd
     checks  to  see  if  it  has  aged sufficiently. If aging is
     insufficient, passwd terminates; see pwconv(1M),
     nistbladm(1), and shadow(4) for additional information.

     The pwconv command  creates  and  updates  /etc/shadow  with
     information  from  /etc/passwd.  pwconv  relies on a special
     value of 'x' in the  password  field  of  /etc/passwd.  This
     value  of  'x'  indicates  that the password for the user is
     already in /etc/shadow and should not be modified.

     If aging is sufficient, a check is made to ensure  that  the
     new  password  meets construction requirements. When the new
     password is entered a second time, the two copies of the new
     password  are compared. If the two copies are not identical,
     the cycle of prompting for the new password is repeated for,
     at most, two more times.

     Passwords must be constructed to meet the following require-

         o    Each  password  must  have  PASSLENGTH  characters,
              where  PASSLENGTH is defined in /etc/default/passwd
              and is set to 6. Setting PASSLENGTH  to  more  than
              eight      characters      requires     configuring
              policy.conf(4)  with  an  algorithm  that  supports
              greater than eight characters.

         o    Each password must meet the  configured  complexity
              constraints specified in /etc/default/passwd.

          o    Each password must not be a member of the
               configured dictionary as specified in

          o    For accounts in name services which support
               password history checking, if prior password
               history is defined, new passwords must not be
               contained in the prior password history.

     If all requirements are met, by default, the passwd command
     consults /etc/nsswitch.conf to determine in which
     repositories to perform password update. It searches the
     passwd and passwd_compat entries. The sources (repositories)
     associated with these entries are updated. However, the
     password update configurations supported are limited to the
     following cases. Failure to comply with the configurations
     prevents users from logging onto the system. The password
     update configurations are:

         o    passwd: files

         o    passwd: files ldap

         o    passwd: files nis

         o    passwd: files nisplus

         o    passwd: compat (==> files nis)

         o    passwd: compat (==> files ldap)

              passwd_compat: ldap

         o    passwd: compat (==> files nisplus)

              passwd_compat: nisplus
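     The supported combinations above can be checked before a
     change to /etc/nsswitch.conf is rolled out. The script below
     is an added example, not part of this man page and not code
     from Solaris: it reads the passwd and passwd_compat entries
     from an nsswitch.conf-style file and reports whether they form
     one of the password update configurations listed above. The
     sample files are constructed; treating a passwd_compat entry
     as irrelevant unless passwd is set to compat is an assumption.

```shell
#!/bin/sh
# Added example (not from the Solaris passwd(1) man page): validate the
# passwd / passwd_compat entries of an nsswitch.conf-style file against the
# password update configurations the man page lists as supported.

# Print the source list for database $2 ("passwd" or "passwd_compat") in
# file $1, comments stripped and whitespace normalised; prints nothing if
# the database has no entry.
nss_sources() {
    sed -e 's/#.*//' -e 's/:/: /' "$1" |
        awk -v db="$2:" '$1 == db {
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out
            exit
        }'
}

# Return 0 and print "supported: ..." when the file matches one of the
# listed configurations, otherwise print "unsupported: ..." and return 1.
nss_passwd_verdict() {
    pw=$(nss_sources "$1" passwd)
    compat=$(nss_sources "$1" passwd_compat)
    # Assumption: passwd_compat only matters when passwd is "compat".
    case "$pw" in
        files|"files ldap"|"files nis"|"files nisplus")
            echo "supported: passwd: $pw"; return 0 ;;
        compat)
            case "$compat" in
                "")
                    echo "supported: passwd: compat (==> files nis)"; return 0 ;;
                ldap|nisplus)
                    echo "supported: passwd: compat, passwd_compat: $compat (==> files $compat)"
                    return 0 ;;
            esac ;;
    esac
    echo "unsupported: passwd: '${pw:-<missing>}' passwd_compat: '${compat:-<none>}'"
    return 1
}

# Constructed sample files for a stand-alone run.
good=$(mktemp); bad=$(mktemp)
cat >"$good" <<'EOF'
# constructed nsswitch.conf fragment
passwd:     compat
passwd_compat: ldap
group:      files ldap
EOF
cat >"$bad" <<'EOF'
# constructed: ldap ahead of files is not one of the listed configurations
passwd:     ldap files
EOF
nss_passwd_verdict "$good"
nss_passwd_verdict "$bad" || true
rm -f "$good" "$bad"
```

     Run it against a copy of the file you intend to install; a
     non-zero exit means the passwd line is outside the documented
     set, which the text above warns will stop users logging on.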

     Network administrators, who own the NIS+ password table, can
     change any password attributes. The administrator configured
     for updating LDAP shadow information  can  also  change  any
     password attributes. See ldapclient(1M).

     When a user has a password stored in one of  the  name  ser-
     vices  as  well  as  a local files entry, the passwd command
     updates both. It is possible to have different passwords  in
     the  name  service  and  local files entry. Use passwd -r to
     change a specific password repository.

     In the files case, superusers (for instance, real and
     effective uid equal to 0, see id(1M) and su(1M)) can change
     any password. Hence, passwd does not prompt privileged users
     for the old password. Privileged users are not forced to
     comply with password aging and password construction
     requirements. A privileged user can create a null password
     by entering a carriage return in response to the prompt for
     a new password. (This differs from passwd -d because the
     password prompt is still displayed.) If NIS is in effect,
     superuser on the root master can change any password without
     being prompted for the old NIS passwd, and is not forced to
     comply with password construction requirements.

     If LDAP is in effect, superuser on any  Native  LDAP  client
     system  can  change  any password without being prompted for
     the old LDAP password, and is  not  forced  to  comply  with
     password construction requirements.

     Normally, passwd entered with no arguments changes the
     password of the current user. When a user logs in and then
     invokes su(1M) to become superuser or another user, passwd
     changes the original user's password, not the password of
     the superuser or the new user.

     Any user can use the -s option to show password attributes
     for his or her own login name, provided they are using the
     -r nisplus argument. Otherwise, the -s argument is
     restricted to the superuser.

     The format of the display is:

       name status mm/dd/yy min max warn

     or, if password aging information is not present,

       name status


     name                The login ID of the user.

     status              The password status of name.

                         The status field can take the  following

                         PS           This account  has  a  pass-

                         NL           This account is a no  login
                                      account. See Security.

                         LK           This account is a locked
                                      account. See Security.

                         NP           This account has no
                                      password and is therefore
                                      open without authentication.

     mm/dd/yy            The date password was last  changed  for
                         name.   All  password  aging  dates  are
                         determined  using  Greenwich  Mean  Time
                         (Universal   Time)   and  therefore  can
                         differ by as much as a day in other time

     min                 The  minimum  number  of  days  required
                         between   password   changes  for  name.
                         MINWEEKS is found in /etc/default/passwd
                         and is set to NULL.

     max                 The maximum number of days the  password
                         is  valid for name. MAXWEEKS is found in
                         /etc/default/passwd and is set to NULL.

     warn                The number of days relative to max
                         before the password expires and the user
                         is warned.
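     A listing in the display format above is a convenient input
     for a periodic account review. The function below is an added
     example, not part of this man page: it reads lines of the form
     name status mm/dd/yy min max warn (the kind of listing passwd
     -s -a produces for the files repository) and flags the
     conditions the text describes as worth attention: NP entries
     that are open without authentication, entries carrying no
     aging information, aging turned off with max set to -1, and
     min greater than max, which prevents the user from changing
     the password. The sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the Solaris passwd(1) man page): audit lines in the
# "name status mm/dd/yy min max warn" format for conditions worth reviewing.

# Constructed sample listing in the display format documented above.
SAMPLE_STATUS='root PS 03/14/09 7 91 7
alice PS 01/02/10
bob NP
carol LK 05/05/09 7 91 7
dave PS 06/06/09 0 -1 0
erin PS 07/07/09 120 91 7
svc NL 08/08/09 7 91 7'

# Read status lines on stdin and print one finding per line.
# LK and NL entries are not findings: they cannot be used for password login.
audit_passwd_status() {
    awk '
        NF == 0 { next }
        { name = $1; status = $2 }
        status == "NP" {
            print name ": NP - no password, account is open without authentication"
            next
        }
        NF < 6 {
            print name ": " status " - no password aging information"
            next
        }
        { min = $4 + 0; max = $5 + 0 }
        max == -1 {
            print name ": aging turned off (max = -1)"
            next
        }
        min > max {
            print name ": min (" min ") exceeds max (" max "), user cannot change the password"
            next
        }
    '
}

# Number of findings for a listing passed as a single string.
audit_count() {
    printf '%s\n' "$1" | audit_passwd_status | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_STATUS" | audit_passwd_status
echo "findings: $(audit_count "$SAMPLE_STATUS")"
```

     Expiry arithmetic is left out on purpose: the dates are in
     Universal Time, as the text notes, so a local-time comparison
     can be off by a day, and the four checks above need no date
     handling at all.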

     passwd uses pam(3PAM) for password change. It calls PAM with
     a  service name passwd and uses service module type auth for
     authentication and password for password change.

     Locking an account (-l option) does not allow its use for
     password based login or delayed execution (such as at(1),
     batch(1), or cron(1M)). The -N option can be used to
     disallow password based login, while continuing to allow delayed


OPTIONS
     The following options are supported:

     -a                  Shows  password   attributes   for   all
                         entries.  Use  only  with the -s option.
                         name  must  not  be  provided.  For  the
                         nisplus  repository, this shows only the
                         entries in the NIS+  password  table  in
                         the  local  domain  that  the invoker is
                         authorized to read. For  the  files  and
                         ldap  repository,  this is restricted to
                         the superuser.

     -D domainname       Consults the passwd.org_dir table in
                         domainname. If this option is not
                         specified, the default domainname
                         returned by nis_local_directory(3NSL) is
                         used. This domain name is the same as
                         that returned by domainname(1M).

     -e                  Changes the login shell. For  the  files
                         repository,  this  only  works  for  the
                         superuser. Normal users can  change  the
                         ldap,  nis, or nisplus repositories. The
                         choice  of  shell  is  limited  by   the
                         requirements of getusershell(3C). If the
                         user currently has a shell that  is  not
                         allowed  by  getusershell, only root can
                         change it.

     -g                  Changes the gecos (finger)  information.
                         For  the  files  repository,  this  only
                         works for the  superuser.  Normal  users
                         can  change  the  ldap,  nis, or nisplus

     -h                  Changes the home directory.

     -r                  Specifies the  repository  to  which  an
                         operation   is  applied.  The  supported
                         repositories are files,  ldap,  nis,  or

     -s name             Shows password attributes for the login
                         name. For the nisplus repository, this
                         works for everyone. However, for the
                         files repository, this only works for
                         the superuser. It does not work at all
                         for the nis and ldap repositories, which
                         do not support password aging.

  Privileged User Options
     Only a privileged user can use the following options:

     -d                  Deletes the password for name and unlocks
                         the account. The login is then not
                         prompted for a password. It is only
                         applicable to the files and ldap
                         repositories.

     -f                  Forces the user to  change  password  at
                         the  next login by expiring the password
                         for name.

     -l                  Locks password entry for name.  See  the
                         -d   or  -u  option  for  unlocking  the

     -N                  Makes the  password  entry  for  name  a
                         value that cannot be used for login, but
                         does not lock the account.  See  the  -d
                         option for removing the value, or to set
                         a password to allow logins.

     -n min              Sets minimum field for name. The min
                         field contains the minimum number of
                         days between password changes for name.
                         If min is greater than max, the user
                         cannot change the password. Always use
                         this option with the -x option, unless
                         max is set to -1 (aging turned off). In
                         that case, min need not be set.

     -u                  Unlocks  a  locked  password  for  entry
                         name. See the -d option for removing the
                         locked password, or to set a password to
                         allow logins.

     -w warn             Sets warn field for name. The warn field
                         contains  the  number of days before the
                         password expires and the user is warned.
                         This  option  is  not  valid if password
                         aging is disabled.

     -x max              Sets maximum field  for  name.  The  max
                         field  contains  the number of days that
                         the password  is  valid  for  name.  The
                         aging for name is turned off immediately
                         if max is set to -1.

OPERANDS
     The following operand is supported:

     name                User login name.

ENVIRONMENT VARIABLES
     If any of the LC_* variables, that is, LC_CTYPE,
     LC_MONETARY (see environ(5)), are not set in the
     environment, the operational behavior of passwd for each
     corresponding locale category is determined by the value of
     the LANG environment variable. If LC_ALL is set, its
     contents are used to override both the LANG and the other
     LC_* variables. If none of the above variables is set in the
     environment, the C (U.S. style) locale determines how passwd

     LC_CTYPE            Determines how passwd handles
                         characters. When LC_CTYPE is set to a
                         valid value, passwd can display and
                         handle text and filenames containing
                         valid characters for that locale. passwd
                         can display and handle Extended Unix Code
                         (EUC) characters where any individual
                         character can be 1, 2, or 3 bytes wide.
                         passwd can also handle EUC characters of
                         1, 2, or more column widths. In the C
                         locale, only characters from ISO 8859-1
                         are valid.

     LC_MESSAGES         Determines how diagnostic and
                         informative messages are presented. This
                         includes the language and style of the
                         messages, and the correct form of
                         affirmative and negative responses. In
                         the C locale, the messages are presented
                         in the default form found in the program
                         itself (in most cases, U.S. English).

EXIT STATUS
     The passwd command exits with one of the following values:

     0            Success.

     1            Permission denied.

     2            Invalid combination of options.

     3            Unexpected failure. Password file unchanged.

     4            Unexpected failure. Password file(s) missing.

     5            Password file(s) busy. Try again later.

     6            Invalid argument to option.

     7            Aging option is disabled.

     8            No memory.

     9            System error.

     10           Account expired.


FILES
          Default values can be set for the following flags in
          /etc/default/passwd. For example: MAXWEEKS=26

         DICTIONDBDIR        The directory  where  the  generated
                             dictionary     databases     reside.
                             Defaults to /var/passwd.

                              If neither DICTIONLIST nor
                              DICTIONDBDIR is specified, the system
                              does not perform a dictionary check.

          DICTIONLIST         DICTIONLIST can contain a list of
                              comma separated dictionary files
                              such as DICTIONLIST=file1, file2,
                              file3. Each dictionary file contains
                              multiple lines and each line
                              consists of a word and a NEWLINE
                              character (similar to
                              /usr/share/lib/dict/words.) You must
                              specify full pathnames. The words
                              from these files are merged into a
                              database that is used to determine
                              whether a password is based on a
                              dictionary word.

                              If neither DICTIONLIST nor
                              DICTIONDBDIR is specified, the system
                              does not perform a dictionary check.

                              To pre-build the dictionary
                              database, see mkpwdict(1M).

         HISTORY             Maximum  number  of  prior  password
                             history  to keep for a user. Setting
                             the HISTORY value to  zero  (0),  or
                             removing  the flag, causes the prior
                             password history of all users to  be
                             discarded   at   the  next  password
                             change by any user. The  default  is
                             not  to define the HISTORY flag. The
                             maximum value is 26. Currently, this
                             functionality  is  enforced only for
                             user accounts defined in  the  files
                             name          service         (local

          MAXREPEATS          Maximum number of allowable
                              consecutive repeating characters. If
                              MAXREPEATS is not set or is zero (0),
                              the default is no checks.

         MAXWEEKS            Maximum time period that password is

         MINALPHA            Minimum number  of  alpha  character
                             required.  If  MINALPHA  is not set,
                             the default is 2.

          MINDIFF             Minimum differences required between
                              an old and a new password. If
                              MINDIFF is not set, the default is 3.

          MINDIGIT            Minimum number of digits required.
                              If MINDIGIT is not set or is set to
                              zero (0), the default is no checks.
                              You cannot specify MINDIGIT if
                              MINNONALPHA is also specified.

         MINLOWER            Minimum number of lower case letters
                             required.  If  not  set or zero (0),
                             the default is no checks.

          MINNONALPHA         Minimum number of non-alpha
                              (including numeric and special)
                              characters required. If MINNONALPHA
                              is not set, the default is 1. You
                              cannot specify MINNONALPHA if
                              MINDIGIT or MINSPECIAL is also
                              specified.

          MINWEEKS            Minimum time period before the
                              password can be changed.

         MINSPECIAL          Minimum number of special (non-alpha
                             and  non-digit) characters required.
                             If MINSPECIAL is not set or is  zero
                             (0),  the  default is no checks. You
                             cannot  specify  MINSPECIAL  if  you
                             also specify MINNONALPHA.

         MINUPPER            Minimum number of upper case letters
                             required.  If MINUPPER is not set or
                             is  zero  (0),  the  default  is  no

          NAMECHECK           Enable/disable checking of the login
                              name. The default is to do login
                              name checking. A case insensitive
                              value of no disables this feature.

         PASSLENGTH          Minimum length of password, in char-

         WARNWEEKS           Time period until warning of date of
                             password's ensuing expiration.

         WHITESPACE          Determine if white space  characters
                             are   allowed  in  passwords.  Valid
                             values are YES and NO. If WHITESPACE
                             is  not  set or is set to YES, white
                             space characters are allowed.
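          The construction requirements in the DESCRIPTION and the
          /etc/default/passwd flags above fit together as one rule
          set, and it pays to try a policy on sample passwords
          before deploying it. The script below is an added example;
          it is neither part of this man page nor the code that
          passwd or pam_authtok_check run. It reads the flags from
          same-named shell variables (unset flags take the defaults
          the man page documents), rejects conflicting flag
          combinations, and reports every rule a candidate password
          violates. Two points are assumptions, marked in the code:
          how MINDIFF is measured, and that NAMECHECK only rejects
          a password equal to the login name. The candidates are
          constructed.

```shell
#!/bin/sh
# Added example (not from the Solaris passwd(1) man page, not the code passwd
# or pam_authtok_check run): apply the /etc/default/passwd construction flags
# to a candidate password so a policy can be tried out before deployment.

# Print "len alpha digit upper lower special maxrun" for the password in $1.
# "special" is any character that is neither a letter nor a digit, white
# space included; maxrun is the longest run of one repeated character.
pw_counts() {
    printf '%s\n' "$1" | awk '{
        s = $0; n = length(s); a = d = u = l = sp = 0
        run = 1; maxrun = (n > 0) ? 1 : 0
        for (i = 1; i <= n; i++) {
            c = substr(s, i, 1)
            if      (c ~ /[A-Z]/) { a++; u++ }
            else if (c ~ /[a-z]/) { a++; l++ }
            else if (c ~ /[0-9]/) { d++ }
            else                  { sp++ }
            if (i > 1 && c == substr(s, i - 1, 1)) { if (++run > maxrun) maxrun = run }
            else run = 1
        }
        print n, a, d, u, l, sp, maxrun
    }'
}

# Count positions at which the new ($1) and old ($2) password differ;
# positions past the end of the shorter one count as differences.
# Assumption: the page does not say how pam_authtok_check measures MINDIFF.
pw_diff() {
    printf '%s\n%s\n' "$1" "$2" | awk 'NR == 1 { a = $0 } NR == 2 { b = $0 } END {
        n = length(a); m = length(b); top = (n > m) ? n : m; diff = 0
        for (i = 1; i <= top; i++) if (substr(a, i, 1) != substr(b, i, 1)) diff++
        print diff
    }'
}

reject() { echo "reject: $*"; rc=1; }

# check_password NEW OLD NAME: print every rule the candidate violates and
# return 1; return 0 silently when it passes; return 2 on a policy conflict.
check_password() {
    new=$1; old=$2; name=$3; rc=0
    # The page says MINNONALPHA may not be combined with MINDIGIT or MINSPECIAL.
    if [ -n "${MINNONALPHA+x}" ] && { [ -n "${MINDIGIT+x}" ] || [ -n "${MINSPECIAL+x}" ]; }; then
        echo "policy error: MINNONALPHA cannot be specified with MINDIGIT or MINSPECIAL" >&2
        return 2
    fi
    set -- $(pw_counts "$new")
    len=$1; alpha=$2; digit=$3; upper=$4; lower=$5; special=$6; maxrun=$7
    [ "$len" -ge "${PASSLENGTH:-6}" ] || reject "fewer than PASSLENGTH=${PASSLENGTH:-6} characters"
    [ "$alpha" -ge "${MINALPHA:-2}" ] || reject "fewer than MINALPHA=${MINALPHA:-2} letters"
    [ "$upper" -ge "${MINUPPER:-0}" ] || reject "fewer than MINUPPER=$MINUPPER upper case letters"
    [ "$lower" -ge "${MINLOWER:-0}" ] || reject "fewer than MINLOWER=$MINLOWER lower case letters"
    if [ -n "${MINDIGIT+x}" ] || [ -n "${MINSPECIAL+x}" ]; then
        [ "$digit" -ge "${MINDIGIT:-0}" ]     || reject "fewer than MINDIGIT=$MINDIGIT digits"
        [ "$special" -ge "${MINSPECIAL:-0}" ] || reject "fewer than MINSPECIAL=$MINSPECIAL special characters"
    else
        [ $((digit + special)) -ge "${MINNONALPHA:-1}" ] ||
            reject "fewer than MINNONALPHA=${MINNONALPHA:-1} non-alpha characters"
    fi
    # MAXREPEATS unset or 0 means no check, as documented.
    if [ "${MAXREPEATS:-0}" -gt 0 ] && [ "$maxrun" -gt "$MAXREPEATS" ]; then
        reject "a character repeats more than MAXREPEATS=$MAXREPEATS times in a row"
    fi
    case "${WHITESPACE:-YES}" in
        [Nn][Oo]) case "$new" in *[[:space:]]*) reject "white space not allowed (WHITESPACE=NO)" ;; esac ;;
    esac
    # Assumption: NAMECHECK is modelled as "password must not equal the login name".
    case "${NAMECHECK:-yes}" in
        [Nn][Oo]) ;;
        *) [ "$new" != "$name" ] || reject "password is the login name (NAMECHECK)" ;;
    esac
    if [ -n "$old" ]; then
        [ "$(pw_diff "$new" "$old")" -ge "${MINDIFF:-3}" ] ||
            reject "fewer than MINDIFF=${MINDIFF:-3} differences from the old password"
    fi
    return "$rc"
}

# Demo with constructed candidates under the documented defaults.
for candidate in 'Tr0ub4dor&x' 'short' 'aaaa1234'; do
    if check_password "$candidate" 'Old-passw0rd' alice; then
        echo "accept: $candidate"
    fi
done
```

          The third candidate is accepted under the defaults only
          because MAXREPEATS is unset; setting MAXREPEATS=2 in the
          environment before running the check rejects it, which is
          the kind of difference this pre-check is meant to surface.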


         Temporary file used by passwd, passmgmt  and  pwconv  to
         update the real shadow file.


         Password file.


         Shadow password file.


         Shell database.

ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWcsu                     |
    | CSI                         | Enabled                     |
    | Interface Stability         | See below.                  |

     The human readable  output  is  Unstable.  The  options  are


SEE ALSO
     at(1),   batch(1),   finger(1),   login(1),    nistbladm(1),
     cron(1M),  domainname(1M), eeprom(1M), id(1M), mkpwdict(1M),
     passmgmt(1M), pwconv(1M), su(1M), useradd(1M),  userdel(1M),
     usermod(1M),    crypt(3C),    getpwnam(3C),    getspnam(3C),
     getusershell(3C),   nis_local_directory(3NSL),    pam(3PAM),
     loginlog(4),   nsswitch.conf(4),   pam.conf(4),   passwd(4),
     policy.conf(4),   shadow(4),    shells(4),    attributes(5),
     environ(5),     pam_authtok_check(5),    pam_authtok_get(5),
     pam_authtok_store(5),      pam_dhkeys(5),       pam_ldap(5),
     pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES
     The pam_unix(5) module is no longer supported. Similar
     functionality is provided by pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),
     pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and

     The nispasswd  and  ypasswd  commands  are  wrappers  around
     passwd.  Use  of  nispasswd  and ypasswd is discouraged. Use
     passwd -r repository_name instead.

     NIS+ might not  be  supported  in  future  releases  of  the
     Solaris  operating  system.  Tools to aid the migration from
     NIS+ to LDAP are available in the current  Solaris  release.
     For            more            information,            visit

     Changing a password in the files and ldap repositories clears
     the failed login count.

     Changing a password reactivates an account  deactivated  for
     inactivity for the length of the inactivity period.

     Input terminal processing might interpret some key sequences
     and not pass them to the passwd command.

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.