passwd(1)                        User Commands                       passwd(1)

NAME
       passwd - change login password and password attributes

SYNOPSIS
       passwd [-r files | -r ldap | -r nis | -r nisplus]  [name]

       passwd [ -r files] [-egh] [name]

       passwd [ -r files] -s [-a]

       passwd [ -r files] -s [name]

       passwd  [  -r  files]  [-d  |  -l  |  -u | -N]  [-f] [-n min] [-w warn]
       [-x max] name

       passwd  -r ldap [-egh] [name]

       passwd  -r nis [-egh] [name]

       passwd  -r nisplus [-egh] [-D domainname] [name]

       passwd  -r nisplus -s [-a]

       passwd  -r nisplus [-D domainname] -s [name]

       passwd  -r nisplus [-l | -u | -N]   [-f]  [-n min]  [-w warn]  [-x max]
       [-D domainname] name

DESCRIPTION
       The  passwd  command  changes the password or lists password attributes
       associated with the user's login name. Additionally,  privileged  users
       can use passwd to install or change passwords and attributes associated
       with any login name.

       When used to change a password, passwd prompts everyone for  their  old
       password,  if any. It then prompts for the new password twice. When the
       old password is entered, passwd checks to see if it has  "aged"  suffi-
       ciently. If "aging" is insufficient, passwd terminates; see pwconv(1M),
       nistbladm(1), and shadow(4) for additional information.

       When LDAP, NIS, or NIS+ is in effect on a system,  passwd  changes  the
       NIS  or  NIS+  database. The NIS or NIS+ password can be different from
       the password on the local machine. If  NIS  or  NIS+  is  running,  use
       passwd -r to change password information on the local machine.

       The  pwconv  command  creates  and updates /etc/shadow with information
       from /etc/passwd. pwconv relies on a special value of 'x' in the  pass-
       word  field  of /etc/passwd. This value of 'x' indicates that the pass-
       word for the user is already in /etc/shadow and should not be modified.

       If aging is sufficient, a check is made to ensure that the new password
       meets  construction  requirements.  When  the new password is entered a
       second time, the two copies of the new password are  compared.  If  the
       two  copies are not identical, the cycle of prompting for the new pass-
       word is repeated for, at most, two more times.

       Passwords must be constructed to meet the following requirements:

         o  Each password must have PASSLENGTH characters, where PASSLENGTH is
            defined in /etc/default/passwd and is set to 6. Setting PASSLENGTH
            to more than eight characters requires configuring  policy.conf(4)
            with an algorithm that supports greater than eight characters.

         o  Each  password  must  meet  the  configured complexity constraints
            specified in /etc/default/passwd.

         o  Each password must not be a member of the configured dictionary as
            specified in /etc/default/passwd.

         o  For  accounts  in  name  services  which  support password history
            checking, if prior password history is defined, new passwords must
            not be contained in the prior password history.

       If  all  requirements  are met, by default, the passwd command consults
       /etc/nsswitch.conf to determine in which repositories to perform  pass-
       word  update.  It  searches  the  passwd and passwd_compat entries. The
       sources (repositories) associated with these entries are updated.  How-
       ever,  the  password update configurations supported are limited to the
       following cases. Failure to comply  with  the  configurations  prevents
       users  from logging onto the system. The supported password update
       configurations are:
         o  passwd: files

         o  passwd: files ldap

         o  passwd: files nis

         o  passwd: files nisplus

         o  passwd: compat (==> files nis)

         o  passwd: compat (==> files ldap)

            passwd_compat: ldap

         o  passwd: compat (==> files nisplus)

            passwd_compat: nisplus

       Network administrators, who own the NIS+ password table, can change any
       password attributes.

       In  the  files  case, super-users (for instance, real and effective uid
       equal to 0, see id(1M) and su(1M))  can  change  any  password.  Hence,
       passwd  does  not  prompt privileged users for the old password. Privi-
       leged users are not forced to comply with password aging  and  password
       construction requirements. A privileged user can create a null password
       by entering a carriage return in response to the prompt for a new pass-
       word.  (This  differs  from  passwd -d because the "password" prompt is
       still displayed.) If NIS is in effect, superuser on the root master can
       change  any password without being prompted for the old NIS passwd, and
       is not forced to comply with password construction requirements.

       Normally, passwd entered with no arguments changes the password of  the
       current  user.  When  a  user logs in and then invokes su(1M) to become
       super-user or another user, passwd changes the  original  user's  pass-
       word, not the password of the super-user or the new user.

       Any  user  can use the -s option to show password attributes for his or
       her own login name, provided they are using the  -r  nisplus  argument.
       Otherwise, the -s argument is restricted to the superuser.

       The format of the display is:

       name status mm/dd/yy min max warn

       or, if password aging information is not present,

       name status


       name            The login ID of the user.

       status          The  password  status of name: PS stands for passworded
                       or locked, LK stands for locked, and NP stands  for  no
                       password.

       mm/dd/yy        The  date password was last changed for name. All pass-
                       word aging dates are determined  using  Greenwich  Mean
                       Time  (Universal  Time)  and therefore can differ by as
                       much as a day in other time zones.

       min             The minimum number of days  required  between  password
                       changes    for    name.    MINWEEKS    is    found   in
                       /etc/default/passwd and is set to NULL.

       max             The maximum number of days the password  is  valid  for
                       name.  MAXWEEKS  is found in /etc/default/passwd and is
                       set to NULL.

       warn            The number of days relative to max before the  password
                       expires and the user name is warned.
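To make the display format above concrete, here is an added example (not part of the man page) that parses constructed `passwd -s -a` output and reports the conditions a reviewer of a Solaris host would act on; the sample lines, the reference date AS_OF and the issue wording are this example's assumptions.

```python
"""Audit passwd -s output (the display format described above).
Added example, not part of passwd(1): parses "name status mm/dd/yy min max warn"
(or bare "name status" when no aging information is present) and reports what a
reviewer of a Solaris host would act on."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample of `passwd -s -a` output; not captured from a real host.
SAMPLE_OUTPUT = """\
root      PS    07/01/04    0    -1    -1
jdoe      PS    08/10/04    7    56    14
svcacct   NP
oldtmp    LK    03/03/02    0    90     7
baduser   PS    08/01/04   60    30    10
"""
AS_OF = date(2004, 9, 2)  # constructed reference date for age calculations


@dataclass
class PasswdAttrs:
    name: str
    status: str                   # PS, LK or NP, as documented
    last_change: Optional[date]   # GMT date of last change, or None
    min_days: Optional[int]
    max_days: Optional[int]       # -1 means aging turned off
    warn_days: Optional[int]


def parse_line(line: str) -> PasswdAttrs:
    """Parse one line of passwd -s output into its documented fields."""
    fields = line.split()
    if len(fields) == 2:          # no aging information present
        return PasswdAttrs(fields[0], fields[1], None, None, None, None)
    if len(fields) != 6:
        raise ValueError(f"unexpected field count in: {line!r}")
    name, status, mmddyy, mn, mx, wn = fields
    last = datetime.strptime(mmddyy, "%m/%d/%y").date()
    return PasswdAttrs(name, status, last, int(mn), int(mx), int(wn))


def findings(output: str, today: date) -> Dict[str, List[str]]:
    """Map login name -> issues; accounts without issues are omitted."""
    result: Dict[str, List[str]] = {}
    for raw in output.splitlines():
        if not raw.strip():
            continue
        a = parse_line(raw)
        issues = []
        if a.status == "NP":
            issues.append("status NP: no password; confirm -d or -N intent")
        if a.max_days is None or a.max_days == -1:
            issues.append("password aging off (max -1 or no aging information)")
        else:
            if a.min_days is not None and a.min_days > a.max_days:
                issues.append("min > max: user cannot change the password")
            if a.last_change and (today - a.last_change).days > a.max_days:
                issues.append("last change older than max days: password expired")
        if issues:
            result[a.name] = issues
    return result
```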

       passwd  uses pam(3PAM) for password change. It calls PAM with a service
       name passwd and uses service module type auth  for  authentication  and
       password for password change.

       Locking  an  account  (-l  option)  does not allow its use for password
       based  login  or  delayed  execution  (such  as  at(1),  batch(1),   or
       cron(1M)).  The -N option can be used to disallow password based login,
       while continuing to allow delayed execution.

OPTIONS
       The following options are supported:

       -a              Shows password attributes for  all  entries.  Use  only
                       with  the -s option. name must not be provided. For the
                       nisplus repository, this shows only the entries in  the
                       NIS+  password  table  in  the  local  domain  that the
                       invoker is authorized to "read". For the files  reposi-
                       tory, this is restricted to the superuser.

       -D domainname   Consults  the  passwd.org_dir  table  in domainname. If
                       this option is not specified,  the  default  domainname
                       returned  by  nis_local_directory(3NSL)  is  used. This
                       domain name is the same as  that  returned  by  domain-
                       name(1M).
       -e              Changes the login shell. For the files repository, this
                       only works for the superuser. Normal users  can  change
                       the  ldap,  nis, or nisplus repositories. The choice of
                       shell  is  limited  by  the  requirements  of  getuser-
                       shell(3C).  If  the  user currently has a shell that is
                       not allowed by getusershell, only root can change it.

       -g              Changes the gecos (finger) information. For  the  files
                       repository,  this  only works for the superuser. Normal
                       users can change the ldap, nis,  or  nisplus  reposito-
                       ries.
       -h              Changes the home directory.

       -r              Specifies  the  repository  to  which  an  operation is
                       applied. The supported repositories  are  files,  ldap,
                       nis, or nisplus.

       -s name         Shows  password  attributes for the login name. For the
                       nisplus repository, this works  for  everyone.  However
                       for the files repository, this only works for the supe-
                       ruser. It does not work at all for the  nis  repository
                       which does not support password aging.

   Privileged User Options
       Only a privileged user can use the following options:

       -d              Deletes  password for name and unlocks the account. The
                       login name is not prompted for  password.  It  is  only
                       applicable to the files repository.

       -f              Forces the user to change password at the next login by
                       expiring the password for name.

       -l              Locks password entry for name. See the -d or -u  option
                       for unlocking the account.

       -N              Makes  the  password entry for name a value that cannot
                       be used for login, but does not lock the  account.  See
                       the -d option for removing the value, or to set a pass-
                       word to allow logins.

       -n min          Sets minimum field for name. The min field contains the
                       minimum  number  of  days  between password changes for
                       name. If min is greater than  max,  the  user  can  not
                       change the password. Always use this option with the -x
                       option, unless max is set to -1 (aging turned off).  In
                       that case, min need not be set.

       -u              Unlocks  a  locked  password for entry name. See the -d
                       option for removing the locked password, or  to  set  a
                       password to allow logins.

       -w warn         Sets  warn  field for name. The warn field contains the
                       number of days before the password expires and the user
                       is  warned.  This option is not valid if password aging
                       is disabled.

       -x max          Sets maximum field for name. The max field contains the
                       number of days that the password is valid for name. The
                       aging for name is turned off immediately if max is  set
                       to -1.

OPERANDS
       The following operand is supported:

       name            User login name.

ENVIRONMENT VARIABLES
       If  any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
       LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(5)), are  not  set
       in  the environment, the operational behavior of passwd for each corre-
       sponding locale category is determined by the value of the  LANG  envi-
       ronment  variable.  If LC_ALL is set, its contents are used to override
       both the LANG and the other LC_* variables. If none of the above  vari-
       ables is set in the environment, the "C" (U.S. style) locale determines
       how passwd behaves.

       LC_CTYPE        Determines how passwd handles characters. When LC_CTYPE
                       is  set to a valid value, passwd can display and handle
                       text and filenames containing valid characters for that
                       locale.  passwd  can  display  and handle Extended Unix
                       Code (EUC) characters where  any  individual  character
                       can  be  1,  2, or 3 bytes wide. passwd can also handle
                       EUC characters of 1, 2, or more column widths.  In  the
                       "C" locale, only characters from ISO 8859-1 are valid.

       LC_MESSAGES     Determines  how diagnostic and informative messages are
                       presented. This includes the language and style of  the
                       messages, and the correct form of affirmative and nega-
                       tive responses. In the "C"  locale,  the  messages  are
                       presented  in  the  default  form  found in the program
                       itself (in most cases, U.S. English).

EXIT STATUS
       The passwd command exits with one of the following values:

       0        Success.

       1        Permission denied.

       2        Invalid combination of options.

       3        Unexpected failure. Password file unchanged.

       4        Unexpected failure. Password file(s) missing.

       5        Password file(s) busy. Try again later.

       6        Invalid argument to option.

       7        Aging option is disabled.

       8        No memory.

       9        System error.

       10       Account expired.


FILES
       /etc/default/passwd
            Default  values  can  be   set   for   the   following   flags   in
            /etc/default/passwd. For example: MAXWEEKS=26

           DICTIONDBDIR    The  directory where the generated dictionary data-
                           bases reside. Defaults to /var/passwd.  If  neither
                           DICTIONLIST nor DICTIONDBDIR is specified, the sys-
                           tem does not perform a dictionary check.

            DICTIONLIST     DICTIONLIST can contain  list  of  comma  separated
                            dictionary  files such as DICTIONLIST=file1, file2,
                            file3. Each dictionary file contains multiple lines
                            and  each  line  consists of a word and a <NEWLINE>
                            character (similar  to  /usr/share/lib/dict/words.)
                           You  must  specify  full  pathnames. The words from
                           these files are merged into a database that is used
                           to  determine whether a password is based on a dic-
                           tionary word. If neither DICTIONLIST nor DICTIONDB-
                           DIR  is specified, the system performs a dictionary

                            To prebuild  the  dictionary  database,  see  mkpw-
                            dict(1M).

           HISTORY         Maximum  number  of  prior password history to keep
                           for a user. Setting the HISTORY value to zero  (0),
                           or  removing  the  flag,  causes the prior password
                           history of all users to be discarded  at  the  next
                           password  change by any user. The default is not to
                           define the HISTORY flag. The maximum value  is  26.
                           Currently,  this functionality is enforced only for
                           user accounts defined in the "files"  name  service
                           (local passwd(4)/shadow(4)).

            MAXREPEATS      Maximum  number  of allowable consecutive repeating
                            characters. If MAXREPEATS is not  set  or  is  zero
                            (0), the default is no checks.

           MAXWEEKS        Maximum time period that password is valid.

           MINALPHA        Minimum  number  of  alpha  character  required. If
                           MINALPHA is not set, the default is 2.

           MINDIFF         Minimum differences required between an old  and  a
                           new password. If MINDIFF is not set, the default is

            MINDIGIT        Minimum number of digits required. If  MINDIGIT  is
                            not  set  or  is set to zero (0), the default is no
                            checks. You cannot specify MINDIGIT  if  MINNONAL-
                            PHA is also specified.

           MINLOWER         Minimum  number of lower case letters required. If
                           not set or zero (0), the default is no checks.

           MINNONALPHA     Minimum number of non-alpha (including numeric  and
                           special)  required.  If MINNONALPHA is not set, the
                           default is 1. You  cannot  specify  MINNONALPHA  if
                           MINDIGIT or MINSPECIAL is also specified.

            MINWEEKS        Minimum  time  period  before  the  password can be
                            changed.

           MINSPECIAL      Minimum number of special (non-alpha and non-digit)
                           characters required. If MINSPECIAL is not set or is
                           zero (0), the default  is  no  checks.  You  cannot
                           specify MINSPECIAL if you also specify MINNONALPHA.

           MINUPPER        Minimum  number  of upper case letters required. If
                           MINUPPER is not set or is zero (0), the default  is
                           no checks.

            NAMECHECK       Enable/disable  checking  of  the  login  name. The
                            default is to do login name checking. A case insen-
                            sitive value of "no" disables this feature.

           PASSLENGTH      Minimum length of password, in characters.

           WARNWEEKS       Time  period  until  warning  of date of password's
                           ensuing expiration.

           WHITESPACE      Determine if whitespace characters are  allowed  in
                           passwords.  Valid  values are YES and NO. If WHITE-
                           SPACE is not set or is set to YES, whitespace char-
                           acters are allowed.
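As an added example (not Solaris code) tying the construction requirements and the flags above together, the following re-implements the documented checks against a constructed /etc/default/passwd fragment and also flags the documented MINNONALPHA conflict; treating MINDIFF as differing character positions, NAMECHECK as "login name not contained in the password", and an unset MINDIFF as no check are this example's assumptions.

```python
"""Check a candidate password against /etc/default/passwd construction flags.
Added example, not Solaris code; MINDIFF (differing positions), NAMECHECK (login
name not contained in the password) and "unset MINDIFF means no check" are
this example's interpretations, not statements of passwd(1)."""
import re

# Constructed /etc/default/passwd fragment; not taken from a real host.
SAMPLE_CONFIG = """
PASSLENGTH=8
MINALPHA=2
MINNONALPHA=1
MAXREPEATS=2
MINDIFF=3
WHITESPACE=NO
"""

def parse_default_passwd(text):
    """Return {FLAG: value} from KEY=VALUE lines, skipping comments and blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def num(cfg, key, default=0):
    """Integer flag; unset count flags mean no check unless passwd(1) gives a default."""
    return int(cfg.get(key, default))

def config_errors(cfg):
    """Flag combination passwd(1) documents as not allowed."""
    if "MINNONALPHA" in cfg and ("MINDIGIT" in cfg or "MINSPECIAL" in cfg):
        return ["MINNONALPHA cannot be specified with MINDIGIT or MINSPECIAL"]
    return []

def check_password(cfg, new, old="", login=""):
    """Return the violated flags; an empty list means the password is acceptable."""
    bad = []
    if len(new) < num(cfg, "PASSLENGTH", 6):
        bad.append("PASSLENGTH")
    counts = {"MINALPHA": sum(c.isalpha() for c in new),      # documented default 2
              "MINUPPER": sum(c.isupper() for c in new),
              "MINLOWER": sum(c.islower() for c in new)}
    bad += [f for f, n in counts.items() if n < num(cfg, f, 2 if f == "MINALPHA" else 0)]
    digits = sum(c.isdigit() for c in new)
    special = sum(not c.isalnum() for c in new)
    if "MINDIGIT" in cfg or "MINSPECIAL" in cfg:       # these replace the MINNONALPHA check
        bad += [f for f, n in (("MINDIGIT", digits), ("MINSPECIAL", special)) if n < num(cfg, f)]
    elif digits + special < num(cfg, "MINNONALPHA", 1):  # documented default 1
        bad.append("MINNONALPHA")
    maxrep = num(cfg, "MAXREPEATS")
    if maxrep and re.search(r"(.)\1{%d,}" % maxrep, new):  # a run longer than MAXREPEATS
        bad.append("MAXREPEATS")
    mindiff = num(cfg, "MINDIFF")
    if mindiff and old:
        differing = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        if differing < mindiff:
            bad.append("MINDIFF")
    if cfg.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in new):
        bad.append("WHITESPACE")
    if cfg.get("NAMECHECK", "yes").lower() != "no" and login and login.lower() in new.lower():
        bad.append("NAMECHECK")
    return bad
```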


           Temporary  file  used  by passwd, passmgmt and pwconv to update the
           real shadow file.


       /etc/passwd
            Password file.


       /etc/shadow
            Shadow password file.


           Shell database.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ATTRIBUTE TYPE                 ATTRIBUTE VALUE
       Availability                   SUNWcsu
       CSI                            Enabled
       Interface Stability            See below

       The human readable output is Unstable. The options are Evolving.

SEE ALSO
       at(1), batch(1), finger(1), login(1), nistbladm(1),  cron(1M),  domain-
       name(1M),  eeprom(1M),  id(1M), mkpwdict(1M), passmgmt(1M), pwconv(1M),
       su(1M), useradd(1M), userdel(1M), usermod(1M), crypt(3C), getpwnam(3C),
       getspnam(3C),  getusershell(3C),  nis_local_directory(3NSL), pam(3PAM),
       loginlog(4), nsswitch.conf(4), pam.conf(4), passwd(4),  policy.conf(4),
       shadow(4),  shells(4), attributes(5), environ(5), pam_authtok_check(5),
       pam_authtok_get(5), pam_authtok_store(5),  pam_dhkeys(5),  pam_ldap(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES
       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5),
       pam_authtok_check(5),     pam_authtok_get(5),     pam_authtok_store(5),
       pam_dhkeys(5), and pam_passwd_auth(5).

       The nispasswd and ypasswd commands are wrappers around passwd.  Use  of
       nispasswd  and  ypasswd  is  discouraged. Use passwd -r repository_name

       NIS+ might not be supported in future releases of the Solaris Operating
       Environment. Tools to aid the migration from NIS+ to LDAP are available
       in the Solaris 9 operating environment.  For  more  information,  visit

       Changing  a  password  in  the files repository clears the failed login

SunOS 5.10                        2 Sep 2004                         passwd(1)