path: root/usr/src/man/man1/passwd.1

'\" te
.\" Copyright 1989 AT&T 
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH passwd 1 "25 Feb 2009" "SunOS 5.11" "User Commands"
.SH NAME
passwd \- change login password and password attributes
.SH SYNOPSIS
.LP
.nf
\fBpasswd\fR [\fB-r\fR files | \fB-r\fR ldap | \fB-r\fR nis | \fB-r\fR nisplus] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] [\fB-d\fR | \fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] 
     [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR ldap [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR ldap [\fB-d | -l | -u | -N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nis [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-egh\fR] [\fB-D\fR \fIdomainname\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-D\fR \fIdomainname\fR] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nisplus [\fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] [\fB-w\fR \fIwarn\fR] 
     [\fB-x\fR \fImax\fR] [\fB-D\fR \fIdomainname\fR] \fIname\fR
.fi

.SH DESCRIPTION
.sp
.LP
The \fBpasswd\fR command changes the password or lists password attributes
associated with the user's login \fIname\fR. Additionally, privileged users can
use \fBpasswd\fR to install or change passwords and attributes associated with
any login \fIname\fR.
.sp
.LP
When used to change a password, \fBpasswd\fR prompts everyone for their old
password, if any. It then prompts for the new password twice. When the old
password is entered, \fBpasswd\fR checks to see if it has aged sufficiently. If
\fBaging\fR is insufficient, \fBpasswd\fR terminates; see \fBpwconv\fR(1M),
\fBnistbladm\fR(1), and \fBshadow\fR(4) for additional information.
.sp
.LP
The \fBpwconv\fR command creates and updates \fB/etc/shadow\fR with information
from \fB/etc/passwd\fR. \fBpwconv\fR relies on a special value of \fBx\fR in
the password field of \fB/etc/passwd\fR. This value of \fBx\fRindicates that
the password for the user is already in \fB/etc/shadow\fR and should not be
modified.
.sp
.LP
If aging is sufficient, a check is made to ensure that the new password meets
construction requirements. When the new password is entered a second time, the
two copies of the new password are compared. If the two copies are not
identical, the cycle of prompting for the new password is repeated for, at
most, two more times.
.sp
.LP
Passwords must be constructed to meet the following requirements:
.RS +4
.TP
.ie t \(bu
.el o
Each password must have \fBPASSLENGTH\fR characters, where \fBPASSLENGTH\fR is
defined in \fB/etc/default/passwd\fR and is set to \fB6\fR. Setting
\fBPASSLENGTH\fR to more than eight characters requires configuring
\fBpolicy.conf\fR(4) with an algorithm that supports greater than eight
characters.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Each password must meet the configured complexity constraints specified in
\fB/etc/default/passwd\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Each password must not be a member of the configured dictionary as specified in
\fB/etc/default/passwd\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
For accounts in name services which support password history checking, if prior
password history is defined, new passwords must not be contained in the prior
password history.
.RE
.sp
.LP
If all requirements are met, by default, the \fBpasswd\fR command consults
\fB/etc/nsswitch.conf\fR to determine in which repositories to perform password
update. It searches the \fBpasswd\fR and \fBpasswd_compat\fR entries. The
sources (repositories) associated with these entries are updated. However, the
password update configurations supported are limited to the following cases.
Failure to comply with the configurations prevents users from logging onto the
system. The password update configurations are:
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files ldap\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files nis\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: files nisplus\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files nis)
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files ldap)
.sp
\fBpasswd_compat: ldap\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd: compat\fR (==> files nisplus)
.sp
\fBpasswd_compat: nisplus\fR
.RE
.sp
.LP
You can add the \fBad\fR keyword to any of the \fBpasswd\fR configurations in
the above list. However, you cannot use the \fBpasswd\fR command to change the
password of an Active Directory (AD) user. If the \fBad\fR keyword is found in
the \fBpasswd\fR entry during a password update operation, it is ignored. To
update the password of an AD user, use the \fBkpasswd\fR(1) command.
.sp
.LP
Network administrators, who own the NIS+ password table, can change any
password attributes. The administrator configured for updating LDAP shadow
information can also change any password attributes. See \fBldapclient\fR(1M).
.sp
.LP
When a user has a password stored in one of the name services as well as a
local \fBfiles\fR entry, the \fBpasswd\fR command updates both. It is possible
to have different passwords in the name service and local files entry. Use
\fBpasswd\fR \fB-r\fR to change a specific password repository.
.sp
.LP
In the \fBfiles\fR case, super-users (for instance, real and effective uid
equal to \fB0\fR, see \fBid\fR(1M) and \fBsu\fR(1M)) can change any password.
Hence, \fBpasswd\fR does not prompt privileged users for the old password.
Privileged users are not forced to comply with password aging and password
construction requirements. A privileged user can create a null password by
entering a carriage return in response to the prompt for a new password. (This
differs from \fBpasswd\fR \fB-d\fR because the \fBpassword\fR prompt is still
displayed.) If NIS is in effect, superuser on the root master can change any
password without being prompted for the old NIS \fBpasswd\fR, and is not forced
to comply with password construction requirements.
.sp
.LP
If LDAP is in effect, superuser on any Native LDAP client system can change any
password without being prompted for the old LDAP passwd, and is not forced to
comply with password construction requirements.
.sp
.LP
Normally, \fBpasswd\fR entered with no arguments changes the password of the
current user. When a user logs in and then invokes \fBsu\fR(1M) to become
superuser or another user, \fBpasswd\fR changes the original user's password,
not the password of the superuser or the new user.
.sp
.LP
Any user can use the \fB-s\fR option to show password attributes for his or her
own login \fIname\fR, provided they are using the \fB-r\fR \fBnisplus\fR
argument. Otherwise, the \fB-s\fR argument is restricted to the superuser.
.sp
.LP
The format of the display is:
.sp
.in +2
.nf
\fIname status mm/dd/yy min max warn\fR
.fi
.in -2
.sp

.sp
.LP
or, if password aging information is not present,
.sp
.in +2
.nf
\fIname status\fR
.fi
.in -2
.sp

.sp
.LP
where
.sp
.ne 2
.mk
.na
\fB\fIname\fR\fR
.ad
.RS 12n
.rt  
The login \fBID\fR of the user.
.RE

.sp
.ne 2
.mk
.na
\fB\fIstatus\fR\fR
.ad
.RS 12n
.rt  
The password status of \fIname\fR.
.sp
The \fIstatus\fR field can take the following values:
.sp
.ne 2
.mk
.na
\fBLK\fR
.ad
.RS 6n
.rt  
This account is \fBlocked\fR account. See Security.
.RE

.sp
.ne 2
.mk
.na
\fBNL\fR
.ad
.RS 6n
.rt  
This account is a \fBno login\fR account. See \fBSecurity\fR.
.RE

.sp
.ne 2
.mk
.na
\fBNP\fR
.ad
.RS 6n
.rt  
This account has no password and is therefore open without authentication.
.RE

.sp
.ne 2
.mk
.na
\fBPS\fR
.ad
.RS 6n
.rt  
This account has a password.
.RE

.RE

.sp
.ne 2
.mk
.na
\fB\fImm/dd/yy\fR\fR
.ad
.RS 12n
.rt  
The date password was last changed for \fIname\fR. All password aging dates are
determined using Greenwich Mean Time (Universal Time) and therefore can differ
by as much as a day in other time zones.
.RE

.sp
.ne 2
.mk
.na
\fB\fImin\fR\fR
.ad
.RS 12n
.rt  
The minimum number of days required between password changes for \fIname\fR.
\fBMINWEEKS\fR is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fImax\fR\fR
.ad
.RS 12n
.rt  
The maximum number of days the password is valid for \fIname\fR. \fBMAXWEEKS\fR
is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fIwarn\fR\fR
.ad
.RS 12n
.rt  
The number of days relative to \fImax\fR before the password expires and the
\fIname\fR are warned.
.RE

.SS "Security"
.sp
.LP
\fBpasswd\fR uses \fBpam\fR(3PAM) for password change. It calls PAM with a
service name \fBpasswd\fR and uses service module type \fBauth\fR for
authentication and password for password change.
.sp
.LP
Locking an account (\fB-l\fR option) does not allow its use for password based
login or delayed execution (such as \fBat\fR(1), \fBbatch\fR(1), or
\fBcron\fR(1M)). The \fB-N\fR option can be used to disallow password based
login, while continuing to allow delayed execution.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-a\fR\fR
.ad
.RS 17n
.rt  
Shows password attributes for all entries. Use only with the \fB-s\fR option.
\fIname\fR must not be provided. For the \fBnisplus\fR repository, this shows
only the entries in the NIS+ password table in the local domain that the
invoker is authorized to read. For the \fBfiles\fR and \fBldap\fR repositories,
this is restricted to the superuser.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-D\fR \fIdomainname\fR\fR
.ad
.RS 17n
.rt  
Consults the \fBpasswd.org_dir\fR table in \fBdomainname\fR. If this option is
not specified, the default \fBdomainname\fR returned by
\fBnis_local_directory\fR(3NSL) are used. This domain name is the same as that
returned by \fBdomainname\fR(1M).
.RE

.sp
.ne 2
.mk
.na
\fB\fB-e\fR\fR
.ad
.RS 17n
.rt  
Changes the login shell. For the \fBfiles\fR repository, this only works for
the superuser. Normal users can change the \fBldap\fR, \fBnis\fR, or
\fBnisplus\fR repositories. The choice of shell is limited by the requirements
of \fBgetusershell\fR(3C). If the user currently has a shell that is not
allowed by \fBgetusershell\fR, only root can change it.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-g\fR\fR
.ad
.RS 17n
.rt  
Changes the gecos (finger) information. For the \fBfiles\fR repository, this
only works for the superuser. Normal users can change the \fBldap\fR,
\fBnis\fR, or \fBnisplus\fR repositories.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-h\fR\fR
.ad
.RS 17n
.rt  
Changes the home directory.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-r\fR\fR
.ad
.RS 17n
.rt  
Specifies the repository to which an operation is applied. The supported
repositories are \fBfiles\fR, \fBldap\fR, \fBnis\fR, or \fBnisplus\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-s\fR \fIname\fR\fR
.ad
.RS 17n
.rt  
Shows password attributes for the login \fIname\fR. For the \fBnisplus\fR
repository, this works for everyone. However for the \fBfiles\fR and \fBldap\fR
repositories, this only works for the superuser. It does not work at all for
the \fBnis\fR repository which does not support password aging.
.sp
The output of this option, and only this option is Stable and parsable. The
format is \fIusername\fR followed by white space followed by one of the
following codes.
.sp
New codes might be added in the future so code that parses this must be
flexible in the face of unknown codes. While all existing codes are two
characters in length that might not always be the case.
.sp
The following are the current status codes:
.sp
.ne 2
.mk
.na
\fB\fBLK\fR\fR
.ad
.RS 6n
.rt  
Account is locked for UNIX authenitcation. \fBpasswd -l\fR was run or the
authentication failed \fBRETRIES\fR times.
.RE

.sp
.ne 2
.mk
.na
\fB\fBNL\fR\fR
.ad
.RS 6n
.rt  
The account is a no login account. \fBpasswd -N\fR has been run.
.RE

.sp
.ne 2
.mk
.na
\fB\fBNP\fR\fR
.ad
.RS 6n
.rt  
Account has no password. \fBpasswd -d\fR was run.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPS\fR\fR
.ad
.RS 6n
.rt  
The account probably has a valid password.
.RE

.sp
.ne 2
.mk
.na
\fB\fBUN\fR\fR
.ad
.RS 6n
.rt  
The data in the password field is unknown. It is not a recognizable hashed
password or any of the above entries. See \fBcrypt\fR(3C) for valid password
hashes.
.RE

.RE

.SS "Privileged User Options"
.sp
.LP
Only a privileged user can use the following options:
.sp
.ne 2
.mk
.na
\fB\fB-d\fR\fR
.ad
.RS 11n
.rt  
Deletes password for \fIname\fR and unlocks the account. The login \fIname\fR
is not prompted for password. It is only applicable to the \fBfiles\fR and
\fBldap\fR repositories.
.sp
If the \fBlogin\fR(1) option \fBPASSREQ=YES\fR is configured, the account is
not able to login. \fBPASSREQ=YES\fR is the delivered default.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-f\fR\fR
.ad
.RS 11n
.rt  
Forces the user to change password at the next login by expiring the password
for \fIname\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-l\fR\fR
.ad
.RS 11n
.rt  
Locks password entry for \fIname\fR. See the \fB-d\fR or \fB-u\fR option for
unlocking the account.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-N\fR\fR
.ad
.RS 11n
.rt  
Makes the password entry for name a value that cannot be used for login, but
does not lock the account. See the \fB-d\fR option for removing the value, or
to set a password to allow logins.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-n\fR \fImin\fR\fR
.ad
.RS 11n
.rt  
Sets minimum field for \fIname\fR. The \fImin\fR field contains the minimum
number of days between password changes for \fIname\fR. If \fImin\fR is greater
than \fImax\fR, the user can not change the password. Always use this option
with the \fB-x\fR option, unless \fImax\fR is set to \fB\(mi1\fR (aging turned
off). In that case, \fImin\fR need not be set.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-u\fR\fR
.ad
.RS 11n
.rt  
Unlocks a locked password for entry name. See the \fB-d\fR option for removing
the locked password, or to set a password to allow logins.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-w\fR \fIwarn\fR\fR
.ad
.RS 11n
.rt  
Sets warn field for \fIname\fR. The \fIwarn\fR field contains the number of
days before the password expires and the user is warned. This option is not
valid if password aging is disabled.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-x\fR \fImax\fR\fR
.ad
.RS 11n
.rt  
Sets maximum field for \fIname\fR. The \fImax\fR field contains the number of
days that the password is valid for \fIname\fR. The aging for \fIname\fR is
turned off immediately if \fImax\fR is set to \fB\(mi1\fR\&.
.RE

.SH OPERANDS
.sp
.LP
The following operand is supported:
.sp
.ne 2
.mk
.na
\fB\fIname\fR\fR
.ad
.RS 8n
.rt  
User login name.
.RE

.SH ENVIRONMENT VARIABLES
.sp
.LP
If any of the \fBLC_*\fR variables, that is, \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR,
\fBLC_TIME\fR, \fBLC_COLLATE\fR, \fBLC_NUMERIC\fR, and \fBLC_MONETARY\fR (see
\fBenviron\fR(5)), are not set in the environment, the operational behavior of
\fBpasswd\fR for each corresponding locale category is determined by the value
of the \fBLANG\fR environment variable. If \fBLC_ALL\fR is set, its contents
are used to override both the \fBLANG\fR and the other \fBLC_*\fR variables. If
none of the above variables is set in the environment, the \fBC\fR (U.S. style)
locale determines how \fBpasswd\fR behaves.
.sp
.ne 2
.mk
.na
\fB\fBLC_CTYPE\fR\fR
.ad
.RS 15n
.rt  
Determines how \fBpasswd\fR handles characters. When \fBLC_CTYPE\fR is set to a
valid value, \fBpasswd\fR can display and handle text and filenames containing
valid characters for that locale. \fBpasswd\fR can display and handle Extended
Unix Code (\fBEUC\fR) characters where any individual character can be 1, 2, or
3 bytes wide. \fBpasswd\fR can also handle \fBEUC\fR characters of 1, 2, or
more column widths. In the \fBC\fR locale, only characters from ISO 8859-1 are
valid.
.RE

.sp
.ne 2
.mk
.na
\fB\fBLC_MESSAGES\fR\fR
.ad
.RS 15n
.rt  
Determines how diagnostic and informative messages are presented. This includes
the language and style of the messages, and the correct form of affirmative and
negative responses. In the \fBC\fR locale, the messages are presented in the
default form found in the program itself (in most cases, U.S. English).
.RE

.SH EXIT STATUS
.sp
.LP
The \fBpasswd\fR command exits with one of the following values:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 6n
.rt  
Success.
.RE

.sp
.ne 2
.mk
.na
\fB\fB1\fR\fR
.ad
.RS 6n
.rt  
Permission denied.
.RE

.sp
.ne 2
.mk
.na
\fB\fB2\fR\fR
.ad
.RS 6n
.rt  
Invalid combination of options.
.RE

.sp
.ne 2
.mk
.na
\fB\fB3\fR\fR
.ad
.RS 6n
.rt  
Unexpected failure. Password file unchanged.
.RE

.sp
.ne 2
.mk
.na
\fB\fB4\fR\fR
.ad
.RS 6n
.rt  
Unexpected failure. Password file(s) missing.
.RE

.sp
.ne 2
.mk
.na
\fB\fB5\fR\fR
.ad
.RS 6n
.rt  
Password file(s) busy. Try again later.
.RE

.sp
.ne 2
.mk
.na
\fB\fB6\fR\fR
.ad
.RS 6n
.rt  
Invalid argument to option.
.RE

.sp
.ne 2
.mk
.na
\fB\fB7\fR\fR
.ad
.RS 6n
.rt  
Aging option is disabled.
.RE

.sp
.ne 2
.mk
.na
\fB\fB8\fR\fR
.ad
.RS 6n
.rt  
No memory.
.RE

.sp
.ne 2
.mk
.na
\fB\fB9\fR\fR
.ad
.RS 6n
.rt  
System error.
.RE

.sp
.ne 2
.mk
.na
\fB\fB10\fR\fR
.ad
.RS 6n
.rt  
Account expired.
.RE

.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/default/passwd\fR\fR
.ad
.RS 23n
.rt  
Default values can be set for the following flags in \fB/etc/default/passwd\fR.
For example: \fBMAXWEEKS=26\fR
.sp
.ne 2
.mk
.na
\fB\fBDICTIONDBDIR\fR\fR
.ad
.RS 16n
.rt  
The directory where the generated dictionary databases reside. Defaults to
\fB/var/passwd\fR.
.sp
If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
does not perform a dictionary check.
.RE

.sp
.ne 2
.mk
.na
\fB\fBDICTIONLIST\fR\fR
.ad
.RS 16n
.rt  
DICTIONLIST can contain list of comma separated dictionary files such as
\fBDICTIONLIST=\fR\fIfile1\fR, \fIfile2\fR, \fIfile3\fR. Each dictionary file
contains multiple lines and each line consists of a word and a NEWLINE
character (similar to \fB/usr/share/lib/dict/words\fR.) You must specify full
pathnames. The words from these files are merged into a database that is used
to determine whether a password is based on a dictionary word.
.sp
If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system
does not perform a dictionary check.
.sp
To pre-build the dictionary database, see \fBmkpwdict\fR(1M).
.RE

.sp
.ne 2
.mk
.na
\fB\fBHISTORY\fR\fR
.ad
.RS 16n
.rt  
Maximum number of prior password history to keep for a user. Setting the
\fBHISTORY\fR value to zero (\fB0\fR), or removing the flag, causes the prior
password history of all users to be discarded at the next password change by
any user. The default is not to define the \fBHISTORY\fR flag. The maximum
value is \fB26.\fR Currently, this functionality is enforced only for user
accounts defined in the \fBfiles\fR name service (local
\fBpasswd\fR(4)/\fBshadow\fR(4)).
.RE

.sp
.ne 2
.mk
.na
\fB\fBMAXREPEATS\fR\fR
.ad
.RS 16n
.rt  
Maximum number of allowable consecutive repeating characters. If
\fBMAXREPEATS\fR is not set or is zero (\fB0\fR), the default is no checks
.RE

.sp
.ne 2
.mk
.na
\fB\fBMAXWEEKS\fR\fR
.ad
.RS 16n
.rt  
Maximum time period that password is valid.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINALPHA\fR\fR
.ad
.RS 16n
.rt  
Minimum number of alpha character required. If \fBMINALPHA\fR is not set, the
default is \fB2\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINDIFF\fR\fR
.ad
.RS 16n
.rt  
Minimum differences required between an old and a new password. If
\fBMINDIFF\fR is not set, the default is \fB3\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINDIGIT\fR\fR
.ad
.RS 16n
.rt  
Minimum number of digits required. If \fBMINDIGIT\fR is not set or is set to
zero (\fB0\fR), the default is no checks. You cannot be specify \fBMINDIGIT\fR
if \fBMINNONALPHA\fR is also specified.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINLOWER\fR\fR
.ad
.RS 16n
.rt  
Minimum number of lower case letters required. If not set or zero (0), the
default is no checks.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINNONALPHA\fR\fR
.ad
.RS 16n
.rt  
Minimum number of non-alpha (including numeric and special) required. If
\fBMINNONALPHA\fR is not set, the default is \fB1\fR. You cannot specify
\fBMINNONALPHA\fR if \fBMINDIGIT\fR or \fBMINSPECIAL\fR is also specified.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINWEEKS\fR\fR
.ad
.RS 16n
.rt  
Minimum time period before the password can be changed.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINSPECIAL\fR\fR
.ad
.RS 16n
.rt  
Minimum number of special (non-alpha and non-digit) characters required. If
\fBMINSPECIAL\fR is not set or is zero (\fB0\fR), the default is no checks. You
cannot specify \fBMINSPECIAL\fR if you also specify \fBMINNONALPHA\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINUPPER\fR\fR
.ad
.RS 16n
.rt  
Minimum number of upper case letters required. If \fBMINUPPER\fR is not set or
is zero (\fB0\fR), the default is no checks.
.RE

.sp
.ne 2
.mk
.na
\fB\fBNAMECHECK\fR\fR
.ad
.RS 16n
.rt  
Enable/disable checking or the login name. The default is to do login name
checking. A case insensitive value of \fBno\fR disables this feature.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPASSLENGTH\fR\fR
.ad
.RS 16n
.rt  
Minimum length of password, in characters.
.RE

.sp
.ne 2
.mk
.na
\fB\fBWARNWEEKS\fR\fR
.ad
.RS 16n
.rt  
Time period until warning of date of password's ensuing expiration.
.RE

.sp
.ne 2
.mk
.na
\fB\fBWHITESPACE\fR\fR
.ad
.RS 16n
.rt  
Determine if white space characters are allowed in passwords. Valid values are
\fBYES\fR and \fBNO\fR. If \fBWHITESPACE\fR is not set or is set to \fBYES\fR,
white space characters are allowed.
.RE

.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/oshadow\fR\fR
.ad
.RS 23n
.rt  
Temporary file used by \fBpasswd\fR, \fBpassmgmt\fR and \fBpwconv\fR to update
the real shadow file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/passwd\fR\fR
.ad
.RS 23n
.rt  
Password file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/shadow\fR\fR
.ad
.RS 23n
.rt  
Shadow password file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/shells\fR\fR
.ad
.RS 23n
.rt  
Shell database.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
CSIEnabled
_
Interface StabilitySee below.
.TE

.sp
.LP
The human readable output is Uncommitted. The options are Committed.
.SH SEE ALSO
.sp
.LP
\fBat\fR(1), \fBbatch\fR(1), \fBfinger\fR(1), \fBkpasswd\fR(1), \fBlogin\fR(1),
\fBnistbladm\fR(1), \fBcron\fR(1M), \fBdomainname\fR(1M), \fBeeprom\fR(1M),
\fBid\fR(1M), \fBldapclient\fR(1M), \fBmkpwdict\fR(1M), \fBpassmgmt\fR(1M),
\fBpwconv\fR(1M), \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M),
\fBusermod\fR(1M), \fBcrypt\fR(3C), \fBgetpwnam\fR(3C), \fBgetspnam\fR(3C),
\fBgetusershell\fR(3C), \fBnis_local_directory\fR(3NSL), \fBpam\fR(3PAM),
\fBloginlog\fR(4), \fBnsswitch.conf\fR(4), \fBpam.conf\fR(4), \fBpasswd\fR(4),
\fBpolicy.conf\fR(4), \fBshadow\fR(4), \fBshells\fR(4), \fBattributes\fR(5),
\fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
\fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_ldap\fR(5),
\fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5)
.SH NOTES
.sp
.LP
The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
provided by \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
\fBpam_unix_session\fR(5), \fBpam_authtok_check\fR(5),
\fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), and
\fBpam_passwd_auth\fR(5).
.sp
.LP
The \fBnispasswd\fR and \fBypasswd\fR commands are wrappers around
\fBpasswd\fR. Use of \fBnispasswd\fR and \fBypasswd\fR is discouraged. Use
\fBpasswd\fR \fB-r\fR \fIrepository_name\fR instead.
.sp
.LP
NIS+ might not be supported in future releases of the Solaris operating system.
Tools to aid the migration from NIS+ to LDAP are available in the current
Solaris release. For more information, visit
http://www.sun.com/directory/nisplus/transition.html.
.sp
.LP
Changing a password in the \fBfiles\fR and \fBldap\fR repositories clears the
failed login count.
.sp
.LP
Changing a password reactivates an account deactivated for inactivity for the
length of the inactivity period.
.sp
.LP
Input terminal processing might interpret some key sequences and not pass them
to the \fBpasswd\fR command.
.sp
.LP
An account with no password, status code \fBNP\fR, might not be able to login.
See the \fBlogin\fR(1) \fBPASSREQ\fR option.