passwd, chfn, chsh - Changes password file information
passwd [-f | -s] [username]
passwd -q [username]
passwd -q -a
This security-sensitive command uses the SIA (Security Integration Archi-
tecture) routine as an interface to the security mechanisms. See the
matrix.conf(4) reference page for more information.
-a Report the password attributes of all users. This option may only be
used with the -q option and you must be root.
-f Invokes the chfn command when given with the passwd command.
-q Report the password attributes of the specified user. If the -a option
is given, all users are listed. Users other than root may only use the
-q option on themselves. If a username is not specified, then the
current username is used.
-s Invokes the chsh command when given with the passwd command.
The passwd command changes (or installs) the password associated with your
username (by default) or the specified username.
The chfn command changes the finger information in the GECOS field associ-
ated with your username or the specified username. GECOS is an obsolete
term, but refers to the finger information field of the passwd structure as
defined in the <pwd.h> file and the finger information field of the
/etc/passwd file as described in the passwd(4) reference page. The infor-
mation in the GECOS field has been formalized by POSIX and is a comma
separated list containing the user's full name, office phone, office
number, and home phone number.
The chsh command changes the login shell of your username or of the speci-
When using the passwd command to alter a password, the command prompts for
the current password and then for the new one. The caller must supply
both. The new password must be typed twice to forestall mistakes.
Each password must have at least six characters and can include digits,
symbols, and the letters of your alphabet. It is strongly suggested that
you include unusual punctuation, control characters, or digits in your
password. Use of only lowercase letters is discouraged. If you enter more
than eight characters when creating a password, the passwd command ignores
any characters after the eighth.
When the -q option is used, the output of the passwd command under base
security is as follows:
The status is "PS" if the user has a password, "LK" if the user has an
administrative lock, or "NP" if the user has no password.
Under enhanced security the passwd -q command gathers information from the
enhanced security password and system defaults databases and presents the
data as follows:
name status date min_change max_change
The status field is "PS" if the user has a password, "LK" if the user has
an administrative lock, or "NP" if the user has no password. The date is
the day of the last successful password change in mm/dd/yy format. The
min_change field is the period in days, measured from the date of last
password change, which must pass before a user can change his user account
password. A value of 0 means the password may be changed at any time. The
max_change field is the period in days, measured from the date of last
password change, for which the password is valid. Adding this value to the
date of last password change gives the date at which the password expires
and a change will be required. A value of 0 means that the password will
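The following is an added example, not part of the original reference page: a Python audit of the enhanced security `passwd -q -a` record format described above, flagging accounts with no password, an administrative lock, or an expired password. It assumes whitespace-separated fields and that a max_change of 0 means the password does not expire (the page's sentence on that value is cut off); the sample records are constructed.

```python
from datetime import date, datetime, timedelta

# Constructed sample of enhanced-security `passwd -q -a` output (not real data).
SAMPLE = """\
root PS 01/15/24 0 90
huan PS 03/28/24 7 60
guest NP 02/10/24 0 0
oper LK 11/20/23 1 30
"""
STATUS_NOTES = {"NP": "no password", "LK": "administrative lock"}

def parse_line(line):
    """Split one record into the five fields the page names."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    name, status, changed, min_change, max_change = fields
    if status not in ("PS", "LK", "NP"):
        raise ValueError(f"unknown status {status!r} for {name}")
    # mm/dd/yy as documented; Python's %y reads 00-68 as 20xx, 69-99 as 19xx.
    last = datetime.strptime(changed, "%m/%d/%y").date()
    return name, status, last, int(min_change), int(max_change)

def change_window(last, min_change, max_change):
    """Return (earliest date a change is allowed, expiry date or None)."""
    earliest = last + timedelta(days=min_change)
    # Assumption: max_change 0 means no expiry (the page's sentence is cut off).
    expires = last + timedelta(days=max_change) if max_change else None
    return earliest, expires

def audit(text, today):
    """Return {name: [findings]} for accounts that need attention."""
    report = {}
    for line in filter(str.strip, text.splitlines()):
        name, status, last, min_change, max_change = parse_line(line)
        _, expires = change_window(last, min_change, max_change)
        findings = [STATUS_NOTES[status]] if status in STATUS_NOTES else []
        if expires is None:
            findings.append("password never expires")
        elif expires <= today:
            findings.append(f"password expired {expires.isoformat()}")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for user, notes in audit(SAMPLE, date(2024, 4, 1)).items():
        print(f"{user}: {'; '.join(notes)}")
```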
When altering the GECOS information field, the chfn command displays the
current information, broken into fields, as interpreted by the finger pro-
gram, among others, and prompts for new values. These fields include a
user's proper name, office room number, office phone number, and home phone
number. Included in each prompt is a default value, which is enclosed in [
] (brackets). The default value is accepted simply by pressing <Return>.
To enter a blank field, the word none can be entered.
The chfn command allows phone numbers to be entered with or without dashes.
It is a good idea to run finger after changing the GECOS information to
make sure everything is set up properly.
A superuser can change anyone's GECOS information; other users can only
change their own. Superusers can also run the account management inter-
faces, dxaccounts and usermod to modify passwords.
When altering a login shell, the chsh command displays the current login
shell and then prompts for the new one. The new login shell must be one of
the approved shells listed in the /etc/shells file unless you have
superuser privileges. If the /etc/shells file does not exist, the only
shells that can be specified are /usr/bin/sh and /usr/bin/csh.
Note that if you specify an abbreviated shell name, the command chooses the
first entry in the /etc/shells file that matches the shell abbreviation.
For example, if you specify ksh, and both the /bin/ksh and /usr/bin/ksh
shells are included in the /etc/shells file, the shell is changed to the
shell that is specified first.
A superuser can change anyone's login shell; normal users can only change
their own login shell.
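The shell-approval rules above can be modelled as follows. This is an added example, not the chsh implementation: it shows why the order of entries in /etc/shells decides which binary an abbreviation selects, and lists abbreviations that are ambiguous. It assumes an abbreviation matches an entry by its basename and that blank lines and `#` comments in the file are ignored; the sample file content is constructed.

```python
import os

# Fallback documented on the page when /etc/shells does not exist.
DEFAULT_SHELLS = ["/usr/bin/sh", "/usr/bin/csh"]

# Constructed /etc/shells content for illustration.
SAMPLE_SHELLS = "/bin/sh\n/bin/ksh\n/usr/bin/ksh\n"

def approved_shells(shells_text):
    """Parse /etc/shells content (None = file missing) into an ordered list."""
    if shells_text is None:
        return list(DEFAULT_SHELLS)
    # Assumption: blank lines and '#' comment lines are ignored.
    return [ln.strip() for ln in shells_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def resolve_shell(requested, shells_text, superuser=False):
    """Return the shell that would be set, or raise PermissionError."""
    shells = approved_shells(shells_text)
    if requested in shells:
        return requested
    if "/" not in requested:
        # Assumption: an abbreviation matches an entry by its basename.
        for entry in shells:  # file order decides which path wins
            if os.path.basename(entry) == requested:
                return entry
    if superuser:
        return requested  # superuser is not limited to the approved list
    raise PermissionError(f"{requested} is not an approved shell")

def ambiguous_abbreviations(shells_text):
    """Basenames listed more than once: the first path listed is chosen."""
    seen = {}
    for entry in approved_shells(shells_text):
        seen.setdefault(os.path.basename(entry), []).append(entry)
    return {name: paths for name, paths in seen.items() if len(paths) > 1}

if __name__ == "__main__":
    print(resolve_shell("ksh", SAMPLE_SHELLS))
    print(ambiguous_abbreviations(SAMPLE_SHELLS))
```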
When you use the passwd command, with enhanced security installed, the
system prompts for the existing password, and begins a password soli-
citation dialog that depends on the options for password generation
the administrator has enabled for your account. There are four possi-
A pronounceable password made up of meaningless syllables.
An unpronounceable password made up of random characters from the
An unpronounceable password made up of random letters from the
A user specified password, which is subject to length and trivial-
A maximum length is specified for all user passwords. The minimum
password length depends on several parameters set in the authentica-
The system requires a minimum time to elapse before you can change
your password. This stops you from reusing an old password too soon.
A password expires after a period of time known as the expiration
time. The system warns you when the expiration time is drawing near.
A password dies after a period of time known as the password lifetime.
After the lifetime passes, your account is locked until the adminis-
trator reenables it. After unlocking, you must change your password
again before you can use your account.
When you successfully type your old password, the system prints the
last successful and unsuccessful password change times. Make sure
that these times are accurate; use them to detect attempted password
changes by an unauthorized user.
You can change your own password if the administrator has enabled any
of the password generation options for your account.
Using the passwd command to reset a user's password does not unlock
the user's account if the account is locked for a reason other than an
If a password longer than 8 characters was entered under base security
and then enhanced security is installed, you must use only the first 8
characters of the original password. This is because base security
only used the first 8 characters of the password and the
enhanced/extended password is created from the base password.
See the Security manual for detailed instructions on changing your
1. To change your password, enter:
You are prompted for your old password (if it exists). You are then
prompted twice for the new password.
2. To change the office number and building values in your GECOS informa-
Your current GECOS values are displayed. Follow the instructions and
change your office number. For example, enter:
Name [Huan Kim]:
Room Number [3A-41]: 4A-43
Office Phone [3-1234]:
Home Phone [555-1234]:
Contains user information.
The list of approved shells.
Enhanced security password database for system accounts.
Enhanced security password database for user accounts.
Enhanced security's system defaults database.
Commands: finger(1), login(1), vipw(8), dxaccounts(8), usermod(8)
Files: matrix.conf(4), prpasswd(4), passwd(4)