passwd(1) — UnixWare 2.01

       passwd(1)                                                  passwd(1)


       NAME
             passwd - change login password and password attributes

       SYNOPSIS
             passwd [login_name]
             passwd [-l | -d] [-f] [-x max] [-n min] [-w warn] login_name
             passwd -s [-a]
             passwd -s [login_name]

       DESCRIPTION
             The passwd command lets any user change the password or get a
             list of the current password attributes for his or her
             login_name.  Privileged users may run passwd to perform these
             functions for any user, and to set the password attributes for
             any user. The command can be used to change passwords in the
             Network Information Service (NIS) database.

             A password is usually assigned by an administrator while
             creating a user account for the owner of the login name
             login_name.  Later the user can change the password either by
             running the passwd command without any options or by invoking
             the -p option to the login procedure.

             To use the latter method, enter a -p immediately after the
             login prompt (before entering login_name):
                   login: -p login_name

             The login scheme then calls the passwd command.

             See login(1) for details.

          Command Syntax
             Any user may use the -s option:

             -s        Show password attributes for the user's own
                       login_name.

             Only a privileged user may use the following options:

             -l        Lock the password entry for login_name.

             -d        Delete the password for login_name so user
                       login_name is not prompted for a password.

                           Copyright 1994 Novell, Inc.               Page 1


            -f        Force the user to change the password at the next
                      login by expiring the password for login_name.

            -x max    Specify the number of days the password is valid for
                      user login_name.

            -n min    Specify the minimum number of days between password
                      changes for user login_name.  Always use this option
                      with the -x option unless max is set to -1 (aging
                      turned off).  In that case, min need not be set.

            -w warn   Specify the number of days (relative to max) on
                      which user login_name will be warned before the
                      password expires.

            -s        Show password attributes for login_name.

            -s -a     Show the password attributes for all users.

         Password Construction
            Passwords must be constructed to meet the following
            requirements:

                  Each password must have at least PASSLENGTH characters
                  as defined in /etc/default/passwd.  PASSLENGTH must be
                  at least 3.  Only the first eight characters are
                  significant.

                  Each password must contain at least two alphabetic
                  characters and at least one numeric or special
                  character.  (In this case, alphabetic includes all
                  uppercase and lowercase letters.)

                  Each password must differ from the user's login name and
                  any reverse or circular shift of that login name.
                  (Corresponding uppercase and lowercase letters are
                  considered equivalent.)

                  A new password must differ from the old one by at least
                  three characters.

            If a password generator program has been specified for a user
            through the useradd (or usermod) command, passwd calls the
            password generator program to generate possible passwords for
            the user to select; when a password generator is used, none of
            the normally required password construction rules are
             enforced.
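
The construction rules above, written out as a checker. This is an added example, not UnixWare's own code, and its function names are hypothetical. It assumes the composition and difference tests apply to the eight significant characters and that "differ by at least three characters" means a position-by-position comparison; the page specifies neither.

```python
import string

SIGNIFICANT = 8  # "Only the first eight characters are significant."

def login_variants(login):
    """Login name, its reverse, and every circular shift, lowercased."""
    name = login.lower()
    shifts = {name[i:] + name[:i] for i in range(len(name))}
    return shifts | {name[::-1]}

def char_difference(old, new):
    """Count positions that differ; unmatched tail positions also count.
    (Assumed meaning of "differ by at least three characters".)"""
    diff = sum(1 for a, b in zip(old, new) if a != b)
    return diff + abs(len(old) - len(new))

def check_password(login, new, old=None, passlength=6):
    """Return the list of construction rules that `new` violates."""
    if passlength < 3:
        raise ValueError("PASSLENGTH must be at least 3")
    problems = []
    sig = new[:SIGNIFICANT]  # assumption: later characters are ignored
    if len(new) < passlength:
        problems.append("shorter than PASSLENGTH")
    alpha = sum(c in string.ascii_letters for c in sig)
    other = sum(c not in string.ascii_letters for c in sig)
    if alpha < 2 or other < 1:
        problems.append("needs two alphabetic and one numeric or special character")
    # Uppercase and lowercase letters are considered equivalent here.
    if sig.lower() in {v[:SIGNIFICANT] for v in login_variants(login)}:
        problems.append("matches login name, its reverse, or a circular shift")
    if old is not None and char_difference(old[:SIGNIFICANT], sig) < 3:
        problems.append("differs from old password by fewer than three characters")
    return problems
```

Under the stated assumption, a change from Summer2023! to Summer2024! is rejected: the only differing character lies past the eighth position, so the significant part is unchanged.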

          Operation
             When used to change a password, passwd prompts ordinary users
             for their old password, if any.  If sufficient time has passed
             since the old password was set, passwd then prompts the user
             twice for the new password; otherwise it terminates.  Next,
             passwd checks to make sure the new password meets construction
             requirements.  When the new password is entered a second time,
             the two copies of the new password are compared.  If the two
             copies are not identical, the cycle of prompting for the new
             password is repeated a maximum of twice.

             Privileged users may change any password; the passwd command
             does not prompt a privileged user for an old password.
             Privileged users are not forced to comply with password aging
             and password construction requirements.  Such users can create
             a null password by pressing RETURN in response to the prompt
             for a new password.  (This differs from passwd -d because the
             Password: prompt will still be displayed.)

          Local Passwords and NIS Passwords
             Passwords and information related to passwords are kept in two
             files on the system, /etc/passwd and /etc/shadow.  An NIS
             database containing passwords is also maintained for NIS
             users.  In the case where a user has entries in both the local
             /etc/passwd file and the NIS database, the password that will
             be updated is determined primarily by two factors:

             entries in the local Identification and Authentication (I&A)
             database:
                   if a user has an entry in this database, the local
                   password is always the one that is updated. This
                   database is usually created at boot time by
                   creatiadb(1M). Note that user logins that begin with a +
                   or - character are ignored by creatiadb and therefore do
                   not have corresponding entries in the I&A database.

             password specified in the local /etc/shadow file:
                   if a user has a password specified in the local
                   /etc/shadow file, this password will always be updated,
                   whether or not the same user has an entry in the NIS
                   passwd database. If the user has an /etc/shadow entry
                   with no password, then passwd will update the user's
                  entry in the NIS passwd database.

         Password Aging
            Passwords are valid for finite periods (defined by the system
            administrator), after which they must be changed.  Therefore a
            record must be kept of each password and the period for which
            it's active.  As the expiration date for a password
            approaches, its owner is warned to choose a new password
            before a specified number of days elapses.  The process of
            monitoring password schedules and notifying users about their
            passwords, when necessary, is called password aging.

            Information about the password for each user on the system is
            kept in /etc/shadow, which is readable only by privileged
            users.

            Each user's line in /etc/shadow has four parameters that
            affect password aging:

            lastchanged:
                      The date on which the password for the user was last
                      changed.  (Note that this date is determined using
                      Greenwich Mean Time and, therefore, may differ by as
                      much as a day in other time zones.)

            minimum:  The number of days that must elapse after the
                      lastchanged date before the password for the user
                      can be changed.

            maximum:  The number of days for which the password for the
                      user will be valid after the lastchanged date (after
                      which it will be necessary to change the password).
                      This number does not include the day on which the
                      password is set.

            warn:     The number of days the user will receive warnings
                      about the impending expiration of his or her
                      password.  Thus, for example, if the value of warn
                      is 7, the owner of login_name will start receiving
                      warnings a week before the password expires.

            The last three of these parameters may be set by the command
            line options -n, -x, and -w, respectively.  In the absence of
            command options, their values are set from the
            /etc/default/passwd file.  The Defaults section describes
            these parameters.


             If minimum is greater than maximum, the user may not change
             the password.  Aging for login_name is turned off immediately
             if maximum is set to -1.  If maximum is set to 0, the user is
             forced to change the password at the next login session after
             the lastchanged date, and aging is turned off at that time.

             Password aging is never turned off directly by the command
             line "passwd -x 0 login_name".  Instead, this command sets the
             maximum field to 0.  If the lastchanged field is not 0, the
             aging fields will be cleared the next time the passwd command
             is used to change the user's password.  If, however, the
             lastchanged field is set to 0, the aging fields are not
             changed.

             If you expect the aging fields to be cleared and they're not,
             the explanation could be that the lastchanged field has been
             set to 0 without your realizing it.  There are two possible
             explanations.

                   You (the administrator) may have expired a user's
                   password by running the command passwd -f login_name.
                   In this case, the value of lastchanged would have been
                   set to 0.

                   The maximum field may have been clear when you issued
                   the command passwd -x 0 login_name.  In this case, the
                   passwd command itself would have set the value of
                   lastchanged to 0.

          Displaying Password Attributes
             When the passwd command is used to show password attributes,
             the format of the display is:

                   login_name status lastchanged minimum maximum warn

             or, if password aging information is not present,

                   login_name status

             The fields are defined as follows:

             login_name  The login ID of the user.

             status      The password status of login_name: PS stands for
                         passworded, LK stands for locked, and NP stands
                         for no password.


            The last four fields are as defined under Password Aging.

         Defaults
            By assigning values to a set of parameters in the file
            /etc/default/passwd, an administrator can control the aging
            and length of passwords.  The following parameters are
            available.

            MINWEEKS  Minimum number of weeks before a password can be
                      changed.  In a delivered system, the value is 0.

            MAXWEEKS  Maximum number of weeks a password can be unchanged.
                      In a delivered system, the value is 24.

            WARNWEEKS Number of weeks before a password expires that the
                      user is to be warned.  In a delivered system, the
                      value is 1.

            PASSLENGTH
                      Minimum number of characters in a password.  In a
                      delivered system, the value is 6.

            Note that the passwd command option arguments min, max, and
            warn and the corresponding /etc/shadow fields minimum,
            maximum, and warn treat aging in terms of days; the
            corresponding /etc/default/passwd fields, MINWEEKS, MAXWEEKS,
            and WARNWEEKS, in terms of weeks.

            When password aging is off for a user but default aging values
            exist in /etc/default/passwd, then password aging will be
            turned on when the user's password is changed.
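
An audit pass over passwd -s -a output, using the display format and the delivered MAXWEEKS value described above. This is an added example, not part of the original manual page. The function names and sample listing are constructed, the lastchanged date format is an assumption that the code does not interpret, and aging turned off is assumed to show as a maximum of -1.

```python
DELIVERED_MAXWEEKS = 24  # /etc/default/passwd value "in a delivered system"

def audit_line(line, max_days=DELIVERED_MAXWEEKS * 7):
    """Return (login_name, findings) for one line of `passwd -s -a` output."""
    fields = line.split()
    if len(fields) not in (2, 6):  # the two display formats on this page
        raise ValueError("unexpected field count: %r" % line)
    login, status = fields[0], fields[1]
    findings = []
    if status == "NP":
        findings.append("no password")
    if len(fields) == 2:
        if status == "PS":
            findings.append("no aging information")
        return login, findings
    # Display fields are in days; /etc/default/passwd counts weeks.
    minimum, maximum, _warn = (int(f) for f in fields[3:6])
    if maximum == -1:  # assumed display value when set with -x -1
        findings.append("aging turned off")
    elif maximum == 0:
        findings.append("change forced at next login, then aging turns off")
    else:
        if minimum > maximum:
            findings.append("minimum > maximum: user cannot change password")
        if maximum > max_days:
            findings.append("maximum exceeds %d days" % max_days)
    return login, findings

def audit(output, **kw):
    """Audit a whole listing; return only the accounts with findings."""
    rows = (audit_line(l, **kw) for l in output.splitlines() if l.strip())
    return {login: found for login, found in rows if found}

# Constructed sample listing (not captured from a real system).
SAMPLE = """\
root PS 03/01/95 0 168 7
guest NP
kim PS 02/14/95 30 14 7
lee PS
pat LK
sam PS 01/09/95 0 365 7
"""
```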

      DIAGNOSTICS
            The passwd command exits with a return code of 0 upon
            successful completion.  Following are reasons for failure:

                  permission denied

                  invalid combination of options

                  unexpected failure; password file unchanged

                  unexpected failure; password file(s) missing

                   password file(s) busy; try again later

                   invalid argument to option

                   unexpected failure

                   unknown ID

                   aging disabled

       FILES
            /etc/shadow
            /etc/passwd
            /etc/oshadow
            /etc/opasswd
            /etc/default/passwd
            /usr/lib/locale/locale/LC_MESSAGES/uxcore.abi
                              language-specific message file [See LANG on
                              environ(5).]
            /etc/security/ia/index
                              index into /etc/security/ia/master
            /etc/security/ia/master
                              contains all I&A information about users

       NOTES
             If root runs the passwd -d command to delete a password for a
             user for whom password aging is in effect, that user will not
             be allowed to add a new password until the NULL password has
             been aged.  This is true even if the PASSREQ flag in
             /etc/default/login is set to YES.  This results in a user
             without a password.  We recommend you use the -f option
             whenever you use -d to delete a password.  By doing so, you'll
             ensure the user is forced to change his or her password when
             he or she next logs in.

       REFERENCES
             crypt(3G), id(1M), login(1), passwd(4), pwconv(1M), shadow(4),
             su(1M), useradd(1M), userdel(1M), usermod(1M)