passwd(1) passwd(1)
NAME
passwd - define or change login password and password attributes
SYNOPSIS
passwd [option ...] [loginname]
DESCRIPTION
The passwd command can be used to define a password for a login name
or change an existing password in the /etc/shadow file. It can also be
used to list or change specific password attributes.
Any user may list the password attributes for his or her own login
name. Ordinary users may change only the password and password
attributes which correspond to their own login names. The system
administrator, on the other hand, can change the passwords and password
attributes for all local login names.
passwd prompts ordinary users (without system administrator
privileges) for their old password, if one was defined.
It then prompts for the new password to be entered. To avoid errors,
the new password has to be entered twice. The passwords are not
displayed on the screen as they are typed.
When the old password is entered, passwd checks to see if it has
"aged" sufficiently. If "aging" is insufficient, passwd terminates
[see shadow(4)]. If no aging requirements have been defined for the
user's password (options -n and -x), the default values MAXWEEK and
MINWEEK from the /etc/default/passwd file are used [see
defaultpasswd(4)]. If aging requirements have been defined, the
corresponding information in the /etc/shadow file remains unmodified.
Assuming aging is sufficient, passwd checks that the new password has
the correct format.
A password
- must be at least PASSLENGTH characters long, as defined in the
/etc/default/passwd file. PASSLENGTH has a minimum value of six
characters. passwd always evaluates only the first eight characters
of a password, even if PASSLENGTH is greater than eight.
- must contain at least two alphabetic characters and at least one
numeric or special character. The alphabetic characters may be
entered in uppercase or lowercase.
Page 1 Reliant UNIX 5.44 Printed 11/98
- must differ from the user's login name and any reverse or circular
shift of that login name. For comparison purposes, no
differentiation is made between uppercase and lowercase.
- must differ from the old password (if one was defined) by at least
three characters. For comparison purposes, no differentiation is
made between uppercase and lowercase.
- must generally not contain the <CR> character.
If the ADDCHECK variable is set to yes in the /etc/default/passwd file
[see defaultpasswd(4)], the following additional checks are carried
out:
- A search is carried out for over-simplistic passwords such as a
series of repeated letters.
- The password is compared with some host-specific information such
as the host name.
- The password is checked to determine if it is formed from an
arbitrary combination of letters in the user entry in /etc/passwd
(inverting the login name, writing the login twice).
- The password is compared with information on the user at local and
remote systems which the finger(1) command supplies.
- Dictionaries created specially [see makedict(1M)] are searched
through to locate the password.
The checks carried out are not case-sensitive (except with character
checks).
By default, the following characters are not permitted in passwords
[see ascii(5)]:
CTRL-C (ETX), CTRL-D (EOT), CTRL-H (BS), CTRL-J (LF), CTRL-M (CR),
CTRL-O (SI), CTRL-Q (DC1), CTRL-R (DC2), CTRL-S (DC3), CTRL-Y (EM),
CTRL-Z (SUB), CTRL-\ (FS), CTRL-[ (ESC), CTRL-] (GS), DEL
The following types of password are accepted:
- Passwords containing uppercase and lowercase.
- Passwords containing punctuation marks.
- Passwords containing numbers.
- Passwords containing permitted CTRL characters.
The passwd command evaluates only the first 8 characters of a
password.
The system administrator is not prompted for the old password, and no
check is performed to see whether the new password is in the correct
format (except for <CR>) or complies with password aging requirements.
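The basic format checks that the DESCRIPTION applies to ordinary users, as an added example (not the Reliant UNIX implementation). It assumes that "differ by at least three characters" is counted position by position over the eight evaluated characters and that character classes are counted over the whole string; the function names are hypothetical.

```python
# Added example: the basic (non-ADDCHECK) format rules from the DESCRIPTION.
# Forbidden by default: ETX EOT BS LF CR SI DC1 DC2 DC3 EM SUB ESC FS GS DEL
FORBIDDEN = {3, 4, 8, 10, 13, 15, 17, 18, 19, 25, 26, 27, 28, 29, 127}
SIGNIFICANT = 8  # passwd evaluates only the first eight characters


def rotations(name):
    """Every circular shift of name and of its reverse, lowercased."""
    out = set()
    for s in (name.lower(), name.lower()[::-1]):
        out.update(s[i:] + s[:i] for i in range(len(s)))
    return out


def positions_differing(old, new):
    """Assumed metric: case-insensitive pairwise comparison of the evaluated
    prefixes; a length difference counts as differing positions."""
    a, b = old[:SIGNIFICANT].lower(), new[:SIGNIFICANT].lower()
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def check_password(login, old, new, passlength=6):
    """Return the rules that new violates (an empty list means accepted)."""
    problems = []
    if len(new) < max(passlength, 6):  # PASSLENGTH has a minimum of six
        problems.append("too short")
    alpha = sum(c.isascii() and c.isalpha() for c in new)
    if alpha < 2 or len(new) - alpha < 1:  # counted over the whole string
        problems.append("needs two alphabetic and one numeric or special character")
    if new.lower() in rotations(login):
        problems.append("derived from login name")
    if old and positions_differing(old, new) < 3:
        problems.append("differs from old password by fewer than three positions")
    if any(ord(c) in FORBIDDEN for c in new):
        problems.append("contains a forbidden control character")
    return problems


def effectively_equal(p1, p2):
    """True when two passwords share the eight characters passwd evaluates."""
    return p1[:SIGNIFICANT] == p2[:SIGNIFICANT]
```

Because only eight characters are evaluated, a new password that changes only its tail is rejected as too similar to the old one, and any two passwords with the same first eight characters are interchangeable at login.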
OPTIONS
No option specified:
The password of the login name under which you logged in is
changed.
-s Shows the password attributes for loginname in the following
format:
loginname status MM/DD/YY minimum maximum warning
or, if no password aging requirements have been set:
loginname status
loginname
Login name under which the user has logged in.
status
The current password status of loginname: PS stands for
passworded or locked, LK stands for locked, and NP stands
for no password.
MM/DD/YY
The date on which the password for loginname was last
changed. This date is indicated in Greenwich Mean Time and
may therefore differ by as much as a day in other time
zones.
minimum
The minimum number of days required between password changes
for loginname. The default value is MINWEEKS, as defined in
the /etc/default/passwd file.
maximum
The maximum number of days the password is to be valid for
loginname. The default value is MAXWEEKS, as defined in the
/etc/default/passwd file.
warning
The number of days before the password expires that the user
will be warned.
The following options can only be used by the system administrator:
-l Locks the password entry for loginname.
-d Deletes the password for loginname. The loginname will not be
prompted for a password.
Caution:
If the system administrator has deleted a password for a user
using the -d option, and password aging is activated for that
user, the user can no longer enter a new password even if the
PASSREQ entry in /etc/login/default file is set to YES. This
means that the user no longer has a password. For this reason you
should always use the -f option with the -d option. This will
force the user to change the password at the next login.
-n min
At least min days must pass between two password modifications.
If min is greater than max, the user cannot change the password.
You should always use this option with the -x option, unless max
is set to -1 (aging turned off), in which case, min need not be
set.
-x max
The password for loginname is valid for max days at the most. If
max is set to -1, the aging for loginname is immediately turned
off. If max is set to 0, aging is turned off and the user is
forced to change the password at the next login (attention: this
can only be carried out once within a 24-hour period).
-w warn
The user will be warned warn days before the password expires.
-a Lists the password attributes for all entries. You should use
this option only in conjunction with the -s option. You need not
specify the loginname in this case.
-f Forces the user to change the password at the next login by
invalidating the password for loginname.
loginname
Is the login name to which the new password is to be allocated.
This parameter is only useful for the system administrator. If
you are not the system administrator, you can only specify your
own login name.
loginname not specified:
passwd changes the password for the current login name.
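An added example (not part of the original manual page) that audits the listing format described under -s, as produced by passwd -s -a, for the conditions the option descriptions single out: NP entries, passworded entries without aging requirements, and min greater than max. The sample listing is constructed and the function names are hypothetical.

```python
from datetime import datetime

# Constructed sample of `passwd -s -a` output (not from a real system).
SAMPLE = """\
root PS 10/02/98 0 84 7
alibaba PS 09/15/98 14 7 3
guest NP
uucp LK
morgiana PS
"""


def parse_status_line(line):
    """Parse 'loginname status [MM/DD/YY minimum maximum warning]'."""
    fields = line.split()
    if len(fields) not in (2, 6):
        raise ValueError(f"unexpected field count: {line!r}")
    entry = {"login": fields[0], "status": fields[1], "aging": None}
    if entry["status"] not in ("PS", "LK", "NP"):
        raise ValueError(f"unknown status: {line!r}")
    if len(fields) == 6:
        changed = datetime.strptime(fields[2], "%m/%d/%y").date()
        minimum, maximum, warning = (int(x) for x in fields[3:])
        entry["aging"] = {"changed": changed, "min": minimum,
                          "max": maximum, "warn": warning}
    return entry


def audit(text):
    """Map login name -> list of findings worth an administrator's review."""
    findings = {}
    for line in filter(str.strip, text.splitlines()):
        entry = parse_status_line(line)
        notes, aging = [], entry["aging"]
        if entry["status"] == "NP":
            notes.append("no password set")
        if entry["status"] == "PS" and aging is None:
            notes.append("no per-user aging; /etc/default/passwd defaults apply")
        if aging and 0 <= aging["max"] < aging["min"]:
            notes.append("min exceeds max; user cannot change the password")
        if notes:
            findings[entry["login"]] = notes
    return findings
```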
EXIT STATUS
0 Successful completion.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure. Password file unchanged.
4 Unexpected failure. Password file missing.
5 Password file in use. Try again later.
6 Invalid argument to option.
ERROR MESSAGES
passwd: xxx does not exist.
There is no entry for this login name in the /etc/passwd file.
passwd: Permission denied.
You are not permitted to change the password for the specified
login name. Only the system administrator is permitted to change
passwords for login names other than his/her own.
Sorry.
You did not enter the old password correctly when prompted for
it.
Password unchanged.
The password could not be changed.
Password must contain at least two alphabetic characters and at
least one numeric or special character.
The password must contain at least two non-numeric characters.
Password is too short - must be at least 6 characters.
You are required to enter a longer password.
Too many failures - try later.
You have made three unsuccessful attempts to change your
password. The password entered by you does not meet the requirements.
Enter a new password.
Password must differ by at least 3 positions.
Your new password must differ from the old one by at least three
positions.
password file busy - try again.
The system administrator is currently working on the password
file. To avoid inconsistencies, you must wait until this file is
free again.
LOCALE
The LC_MESSAGES environment variable governs the language in which
message texts are displayed.
LC_CTYPE governs character classes and character conversion (shifting).
The LC_TIME environment variable governs the format of date and time
strings.
If LC_MESSAGES, LC_CTYPE or LC_TIME is undefined or is defined as the
null string, it defaults to the value of LANG. If LANG is likewise
undefined or null, the system acts as if it were not internationalized.
The LC_ALL environment variable governs the entire locale. LC_ALL
takes precedence over all the other environment variables which affect
internationalization.
If any of the locale variables has an invalid value, the system acts
as if none of the variables were set.
It is advisable to restrict the characters you use for login names and
passwords to those in the Portable Filename Character Set; 8-bit data
may not always be portable to non-internationalized systems.
EXAMPLES
User alibaba working on system thieves wishes to change his password
sesame!street. The new password is to be open!sesame:
$ passwd
passwd: Changing password for alibaba
Old password: Blanked input of sesame!street
New password: Blanked input of open!sesame
Re-enter new password: Repeated blanked input of open!sesame
FILES
/etc/passwd
File in which user accounts/login names are entered.
/etc/default/passwd
File containing the default settings for passwd(1).
/etc/default/checkpasswd
File containing additional settings for passwd(1).
/etc/shadow
"Hidden" password file containing the encrypted passwords. No
general read access.
SEE ALSO
id(1), login(1), su(1), makedict(1M), passmgmt(1M), pwconv(1M),
useradd(1M), userdel(1M), usermod(1M), crypt(3C), checkpasswd(4),
defaultpasswd(4), passwd(4), shadow(4).