passwd(1) man page - 윈디하나의 솔라나라

passwd(1)

passwd(1)                        User Commands                       passwd(1)



NAME
       passwd - change login password and password attributes

SYNOPSIS
       passwd [-r files | -r ldap | -r nis] [name]


       passwd [-r files] [-egh] [name]


       passwd [-r files] -s [-a]


       passwd [-r files] -s [name]


       passwd [-r files] [-d | -l | -u | -N | -p hash] [-f] [-n min]
            [-w warn] [-x max] name


       passwd -r ldap [-egh] [name]


       passwd [-r ldap ] -s [-a]


       passwd [-r ldap ] -s [name]


       passwd -r ldap [-d | -l | -u | -N | -p hash] [-f] [-n min]
            [-w warn] [-x max] name


       passwd -r nis [-egh] [name]

DESCRIPTION
       The  passwd  command  changes the password or lists password attributes
       associated with the user's login name. Additionally,  authorized  users
       can use passwd to install or change passwords and attributes associated
       with any login name, as described in the Authorized User  Options  sec‐
       tion below.


       When  used  by  a user to change their own password, passwd prompts the
       user for their old password, if any. It then prompts for the new  pass‐
       word  twice.  The  passwd  command does not prompt for the old password
       when used by a user who is authorized to change other users' passwords.


       If LDAP is one of the configured nameservices, an  authorized  user  on
       any  LDAP  client system can change any password without being prompted
       for the old LDAP password.


       When the old password is entered, passwd checks to see if it  has  aged
       sufficiently.  If  aging  is insufficient, passwd terminates. For addi‐
       tional information, see the shadow(5) man page.


       If aging is sufficient, a check is made to ensure that the new password
       meets  construction  requirements.  When  the new password is entered a
       second time, the two copies of the new password are  compared.  If  the
       two  copies are not identical, the cycle of prompting for the new pass‐
       word is repeated for, at most, two more times.


       Passwords must be constructed to meet the following requirements:

           o      Each password must  have  at  least  PASSLENGTH  characters,
                  where  PASSLENGTH  is  defined in /etc/default/passwd and is
                  set to 8 by default. PASSLENGTH may  be  set  to  more  than
                  eight characters as long as policy.conf(5) has not been con‐
                  figured to use an algorithm that only supports eight charac‐
                  ters, such as the legacy crypt_unix(7).


           o      Each  password  must  meet  the  configured  complexity con‐
                  straints specified in /etc/default/passwd.


           o      Each password must not be a member of the configured dictio‐
                  nary as specified in /etc/default/passwd.


           o      For accounts in name services which support password history
                  checking, if prior password history is  defined,  new  pass‐
                  words must not be contained in the prior password history.



       By default, even users authorized to change the password of other users
       must comply  with  the  configured  password  policy.  Users  with  the
       solaris.passwd.nocheck  authorization may bypass these checks. For more
       information, see pam_authtok_check(7).


       If all requirements are met, by default, the  passwd  command  consults
       nsswitch.conf(5) to determine in which repositories to perform password
       update. The sources (repositories) associated with the passwd entry are
       updated. However, the password update configurations supported are lim‐
       ited and should follow these rules:

           o      passwd line must have one, two, or three entries


           o      First passwd entry should be files.


           o      passwd entries other than files, NIS, and LDAP, are  ignored
                  and skipped during password update. It is necessary to use a
                  source-specific tool to update passwords in such other data‐
                  bases.



       Network  administrators,  who  own  the  password table, can change any
       password attributes. The administrator  configured  for  updating  LDAP
       shadow  information  can  also change any password attributes. For more
       information, see the ldapclient(8) man page.


       When a user has a password stored in one of the name services  as  well
       as a local files entry, the passwd command updates both. It is possible
       to have different passwords in the name service and local files  entry.
       Use passwd  -r to change a specific password repository.


       Normally,  passwd entered with no arguments changes the password of the
       current user. When a user logs in and then invokes su(8)  to  assume  a
       role  or  become another user, passwd changes the original user's pass‐
       word, not the password of the role or the new user.

   Security
       passwd uses pam(3PAM) for password change. It calls PAM with a  service
       name  passwd  and  uses service module type auth for authentication and
       password for password change.


       Locking an account (-l option) does not allow its use for any logins or
       delayed  execution (such as at(1), batch(1), or cron(8)). The -N option
       can be used to disallow password-based login, while continuing to allow
       delayed execution or login with non-UNIX authentication methods.


       Locked accounts that have never had a password cannot have their status
       changed directly to an active password. See -d. Changing a password  on
       a locked account that had a password prior to being locked, changes the
       password without unlocking the account. See -u to unlock  the  account.
       An  authorized  administrator  can  activate  an account in the not yet
       activated state by giving it a password or running passwd  -N to  acti‐
       vate it for non-UNIX authentication or delayed execution only.


       An  account  can  become locked following inactivity. To unlock such an
       account use the -u or -f options. With -u, the password is not changed;
       the use of -f forces a password change.

OPTIONS
       The following options are supported:

       -a

           Shows  password  attributes  for  all entries. Use only with the -s
           option. name must not be provided. For the files and ldap reposito‐
           ries,  this is restricted to users with the solaris.account.setpol‐
           icy authorization.


       -e

           Changes the login shell. The choice of  shell  is  limited  by  the
           requirements of getusershell(3C). If the user currently has a shell
           that is not allowed by getusershell(), usermod -s must be  used  to
           change it.


       -g

           Changes the gecos (finger) information.


       -h

           This  option  formerly  changed  the  home  directory, but now just
           prints a message to use usermod -d instead.


       -r

           Specifies the repository to which an operation is applied. The sup‐
           ported repositories are files, ldap, or nis.


       -s name

           Shows  password  attributes  for  the login name. For the files and
           ldap  repositories,  this   only   works   for   users   with   the
           solaris.account.setpolicy  authorization.  It  does not work at all
           for the nis repository, which does not support password aging.

           The output of this option, and only this option, is  Committed  and
           parsable.  New  codes  might  be  added  in the future so code that
           parses this must be flexible in the face of  unknown  codes.  While
           all  existing  codes  are  two  characters in length that might not
           always be the case.

           The format of the display is:


             name status mm/dd/yy min max warn

           or, if password aging information is not present,


             name status

           where

           name

               The login ID of the user.


           status

               The password status of name.

               The status field can take the following values:

               AL

                   The account was automatically locked due to the  number  of
                   authentication  failures  reaching  the  configured maximum
                   allowed. See policy.conf(5) and user_attr(5) and the "Secu‐
                   rity" section.


               LK

                   The  account  is  locked. passwd  -l was run or the account
                   was automatically locked due to the number  of  authentica‐
                   tion  failures reaching the configured maximum allowed. See
                   policy.conf(5) and user_attr(5) and the "Security" section.


               NL

                   The account is a non-UNIX  authentication  account.  passwd
                   -N has been run. See "Security". Accounts in this state are
                   not automatically locked when the system or per-user policy
                   is LOCK_AFTER_RETRIES=YES.


               NP

                   This  account has no password and is therefore open without
                   authentication. passwd -d was run.


               PS

                   The account probably has a valid password.


               UN

                   The data in the password field is unknown. It is not a rec‐
                   ognizable  hashed password or any of the above entries. See
                   crypt(3C) for valid password hashes.


               UP

                   This account has not yet been activated by the  administra‐
                   tor and cannot be used. See Security.




       mm/dd/yy

           The  date  password  was  last changed for name. All password aging
           dates are determined using Coordinated  Universal  Time  (UTC)  and
           therefore can differ by as much as a day in other time zones.


       min

           The  minimum  number  of days required between password changes for
           name. MINWEEKS is found in /etc/default/passwd and is set to NULL.


       max

           The maximum number of days the password is valid for name. MAXWEEKS
           is found in /etc/default/passwd and is set to NULL.


       warn

           The  number of days relative to max before the password expires and
           the user is warned.

           The default password aging policy can be specified in  either  days
           or  in  weeks.  When  the  default  values are specified for either
           MAXWEEKS or MINWEEKS the shadow(5) database is updated using  units
           of  days. It is an error to set both the WEEKS and the DAYS variant
           for a given MIN/MAX/WARN variable. The MIN and  WARN  policies  are
           only active if a MAX policy is also set.
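
       The following shell script is an added example for this page, not part
       of the Oracle man page. It audits the Committed -s output described
       above: it parses lines in the "name status mm/dd/yy min max warn" (or
       "name status") layout, reports NP and UN entries as the findings that
       matter most, and reports any status code it does not recognise instead
       of skipping it, as the text above requires of parsers. The sample lines
       are constructed for the example ("X1" is a hypothetical future code);
       on a Solaris host replace them with the output of passwd -s -a, which
       needs the solaris.account.setpolicy authorization. The severity labels
       are the example's own choice.

```sh
#!/bin/sh
# Added example: audit the Committed output of 'passwd -s -a'.
# SAMPLE is constructed for this example; on a Solaris host feed the real
# output instead:  passwd -s -a | audit_passwd_s

SAMPLE='root PS 01/15/24 7 90 14
svc-backup NP
oldapp UN
bob LK 03/02/23 0 90 7
carol AL 10/30/23 0 90 7
dave NL 01/01/24 0 90 7
eve UP
frank X1 02/02/24 0 90 7'
# 'X1' above is a hypothetical future status code, included to show that
# the parser must not silently drop codes it does not know.

# classify_line NAME STATUS: print one finding, or nothing for PS.
classify_line() {
    name=$1 status=$2
    case $status in
        PS) ;;
        NP) echo "CRITICAL $name: no password (passwd -d); usable unless login PASSREQ=YES" ;;
        UN) echo "WARN $name: password field is not a recognisable hash (see crypt(3C))" ;;
        LK) echo "INFO $name: locked by passwd -l or by the failed-login limit" ;;
        AL) echo "INFO $name: automatically locked after too many authentication failures" ;;
        NL) echo "INFO $name: non-UNIX authentication only (passwd -N); not auto-locked" ;;
        UP) echo "INFO $name: created but not yet activated by an administrator" ;;
        *)  echo "UNKNOWN $name: status '$status' is not in this audit's table; review it" ;;
    esac
}

# audit_passwd_s: read '-s' lines on stdin and print one finding per line.
# Only the first two fields are interpreted; the aging fields, when
# present, land in $rest and are ignored here.
audit_passwd_s() {
    while read -r name status rest; do
        [ -n "$name" ] || continue
        classify_line "$name" "$status"
    done
}

# count_findings LEVEL: how many findings for SAMPLE carry that severity.
count_findings() {
    printf '%s\n' "$SAMPLE" | audit_passwd_s | grep -c "^$1 "
}

printf '%s\n' "$SAMPLE" | audit_passwd_s
```

       Because the page only commits to the first two fields being stable in
       meaning, the script keys on those alone; anything after them is kept
       but not interpreted, so a future extra column does not break the audit.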


   Authorized User Options
       An  administrator  needs  to be granted the User Security profile to be
       able to lock and unlock an existing account. That profile also provides
       the  ability  to  activate  a newly created account, set password aging
       options and view password attributes. The  following  list  shows  the
       authorizations required to perform the various operations.


       Only an authorized user can use the following options:

       -d

           Deletes  password  for name and unlocks the account. The login name
           is not prompted for password. It is only applicable  to  the  files
           and ldap repositories.

           If  the  login(1)  option PASSREQ=YES is configured, the account is
           not able to login. PASSREQ=YES is the delivered default.


       -f

           Forces the user to change password at the next  login  by  expiring
           the password for name. This option is useful for unlocking accounts
           that have become locked due to inactivity.


       -l

           Locks the account for name unless it is already locked. See the  -u
           option for unlocking the account. An account that is marked for
           non-UNIX authentication or delayed execution only (passwd -N)  can
           also be locked, and returns to that state when it is unlocked.


       -N

           Makes  the  password entry for name a value that cannot be used for
           login with UNIX authentication, but does not lock the account.  See
           the -d option for removing the value, or -l to lock the account.


       -p hash

           Specifies  the  exact string value to be placed in the shadow pass‐
           word field. Strings may be generated using the  pwhash(1)  command.
           The   user   must   have   both   the   solaris.passwd.assign   and
           solaris.passwd.nocheck authorizations. It is intended  to  be  used
           for  scripting password hash updates. Its use is generally discour‐
           aged, as the hashed password is visible  through  ps(1)  and  other
           proc(5) tools while the command runs.


       -n min

           Sets  minimum  field  for  name. The min field contains the minimum
           number of days between password changes for name. If min is greater
           than  max,  the  user  cannot change the password. Always use this
           option with the -x option, unless max is set to  −1  (aging  turned
           off). In that case, min need not be set.


       -u

           Unlocks  a  locked password for entry name. The -u option is useful
           for unlocking accounts  that  have  become  locked  due  to  failed
           attempts  or  were  administratively  locked with the -l option. An
           account that is marked as a non-UNIX authentication account (passwd
           -N) returns to that state when it is unlocked.


       -w warn

           Sets  warn  field  for  name. The warn field contains the number of
           days before the password expires  and  the  user  is  warned.  This
           option is not valid if password aging is disabled.


       -x max

           Sets  maximum  field for name. The max field contains the number of
           days that the password is valid for name. The  aging  for  name  is
           turned off immediately if max is set to −1.



       The  authorizations,  as defined in user_attr(5), which are required to
       perform restricted operations are as follows:


       Option   Operation                                     Authorization
       ___________________________________________________________________________
       -d       Delete password                               solaris.passwd.assign
       -N       Set nologin                                   solaris.passwd.assign
                Change any password                           solaris.passwd.assign
                Bypass complexity checks                      solaris.passwd.nocheck
       -l       Lock account                                  solaris.account.setpolicy
       -u       Unlock account                                solaris.account.setpolicy
       -n       Set min field for name                        solaris.account.setpolicy
       -w       Set warn field for name                       solaris.account.setpolicy
       -f       Force password expiration                     solaris.account.setpolicy
       -s       Display password attributes                   solaris.account.setpolicy
       -a       Display password attributes for all entries   solaris.account.setpolicy
       -e       Change login shell                            solaris.user.manage
       -g       Change gecos information                      solaris.user.manage
       -h       Change home directory                         solaris.user.manage
                Set a password for the first time for a
                newly created account                         solaris.account.activate


OPERANDS
       The following operand is supported:

       name

           User login name.


ENVIRONMENT VARIABLES
       If  any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
       LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(7)), are  not  set
       in  the environment, the operational behavior of passwd for each corre‐
       sponding locale category is determined by the value of the  LANG  envi‐
       ronment  variable.  If LC_ALL is set, its contents are used to override
       both the LANG and the other LC_* variables. If none of the above  vari‐
       ables  is  set in the environment, the C (U.S. style) locale determines
       how passwd behaves.

       LC_CTYPE

           Determines how passwd handles characters. When LC_CTYPE is set to a
           valid  value, passwd can display and handle text and filenames con‐
           taining valid characters for that locale. passwd  can  display  and
           handle  Extended  UNIX  Code  (EUC) characters where any individual
           character can be 1, 2, or 3 bytes wide. passwd can also handle  EUC
           characters  of  1,  2, or more column widths. In the C locale, only
           characters from ISO 8859-1 are valid.


       LC_MESSAGES

           Determines how diagnostic and informative messages  are  presented.
           This  includes the language and style of the messages, and the cor‐
           rect form of affirmative and negative responses. In the  C  locale,
           the messages are presented in the default form found in the program
           itself (in most cases, U.S. English).


EXIT STATUS
       The passwd command exits with one of the following values:

       0     Success.


       1     Permission denied.


       2     Invalid combination of options.


       3     Unexpected failure. Password file unchanged.


       4     Unexpected failure. Password file(s) missing.


       5     Password file(s) busy. Try again later.


       6     Invalid argument to option.


       7     Aging option is disabled.


       8     No memory.


       9     System error.


       10    Account expired.


       11    Password information unchanged.


FILES
       /etc/default/passwd

            The /etc/default/passwd file is obsolete. Its settings are  now
            SMF  properties  of  the  svc:/system/account-policy:default
            service, which is where they should be set.

           The following table lists the mapping between the properties in the
           /etc/default/passwd and the SMF properties:



            Property in /etc/default/passwd   Corresponding SMF Property
            ____________________________________________________________________
            DICTIONDBDIR                      password/dictionary/db_dir
            DICTIONLIST                       password/dictionary/word_list
            DICTIONMINWORDLENGTH              password/dictionary/min_word_length
            HISTORY                           password/history
            MAXREPEATS                        password/complexity/max_repeats
            MAXDAYS                           password/aging_defaults/max_days
            MAXWEEKS                          password/complexity/max_days
            MINALPHA                          password/complexity/min_alpha
            MINDIFF                           password/complexity/min_diff
            MINDIGIT                          password/complexity/min_digit
            MINLOWER                          password/complexity/min_lower
            MINNONALPHA                       password/complexity/min_nonalpha
            MINDAYS, MINWEEKS                 password/complexity/min_days
            MINSPECIAL                        password/complexity/min_special
            MINUPPER                          password/complexity/min_upper
            NAMECHECK                         password/complexity/namecheck
            PASSLENGTH                        password/complexity/passlength
            WARNDAYS                          password/aging_defaults/warn_days
            WARNWEEKS                         password/complexity/warn_days
            WHITESPACE                        password/complexity/whitespace

           For  information  on  managing the SMF properties, see the account-
           policy(8S) man page.

           The descriptions of the properties in the /etc/default/passwd  file
           are as follows:

           DICTIONDBDIR

               The  directory where the generated dictionary databases reside.
               Defaults to /var/passwd.

               If neither DICTIONLIST nor DICTIONDBDIR is specified, the  sys‐
               tem does not perform a dictionary check.


           DICTIONLIST

               DICTIONLIST  can  contain  list  of  comma separated dictionary
               files such as DICTIONLIST=file1, file2, file3. Each  dictionary
               file  contains  multiple lines and each line consists of a word
               and a NEWLINE character. You must specify full path names.  The
               words  from these files are merged into a database that is used
               to determine whether a password is based on a dictionary word.

               Spell-checking         dictionary          (similar          to
               /usr/share/lib/dict/words)  can  be  listed  in DICTIONLIST but
               need to be pre-processed first. See DICTIONMINWORDLENGTH  below
               for an easy way.

               If  neither DICTIONLIST nor DICTIONDBDIR is specified, the sys‐
               tem does not perform a dictionary check.

               To pre-build the dictionary database, see mkpwdict(8).


           DICTIONMINWORDLENGTH

               DICTIONMINWORDLENGTH can contain a number specifying the  mini‐
               mum  word  length  for  the  source files in DICTIONLIST. Words
               shorter than the specified length  will  be  omitted  from  the
               password dictionary.

               The  minimum  value  allowed is 2 [letters]; default value is 3
               [letters].


           HISTORY

               Maximum number of prior password history to keep  for  a  user.
               Setting  the  HISTORY  value to zero (0), or removing the flag,
               causes the prior password history of all users to be  discarded
               at  the next password change by any user. The default is not to
               define the HISTORY flag. The maximum value  is  26.  Currently,
               this  functionality  is enforced only for user accounts defined
               in the files name service (local passwd(5)/shadow(5)).


           MAXREPEATS

                Maximum number of allowable consecutive  repeating  characters.
                If  MAXREPEATS  is  not  set  or is zero (0), the default is no
                checks.


           MAXDAYS

               Maximum time period in days that password is valid.


           MAXWEEKS

               Maximum time period in weeks that password is valid.


           MINALPHA

               Minimum number of alpha character required. If MINALPHA is  not
               set, the default is 2.


           MINDIFF

               Minimum differences required between an old and a new password.
               If MINDIFF is not set, the default is 3.


           MINDIGIT

               Minimum number of digits required. If MINDIGIT is not set or is
                set  to zero (0), the default is no checks. You cannot specify
                MINDIGIT if MINNONALPHA is also specified.


           MINLOWER

               Minimum number of lowercase letters required.  If  not  set  or
               zero (0), the default is no checks.


           MINNONALPHA

               Minimum  number  of  non-alpha  (including numeric and special)
               required. If MINNONALPHA is not set, the default is 1. You can‐
               not specify MINNONALPHA if MINDIGIT or MINSPECIAL is also spec‐
               ified.


           MINDAYS

               Minimum time period in days before the password can be changed.


           MINWEEKS

               Minimum time  period  in  weeks  before  the  password  can  be
               changed.


           MINSPECIAL

               Minimum  number of special (non-alpha and non-digit) characters
               required. If MINSPECIAL is not set or is zero (0), the  default
               is no checks. You cannot specify MINSPECIAL if you also specify
               MINNONALPHA.


           MINUPPER

               Minimum number of uppercase letters required.  If  MINUPPER  is
               not set or is zero (0), the default is no checks.


           NAMECHECK

                Enable/disable checking of the login name. The default is to do
               login name checking. A case insensitive value  of  no  disables
               this feature.


           PASSLENGTH

               Minimum length of password, in characters.


           WARNDAYS

               Time period in days until warning of date of password's ensuing
               expiration.


           WARNWEEKS

               Time period in weeks until warning of date of password's  ensu‐
               ing expiration.


           WHITESPACE

               Determine  if  white space characters are allowed in passwords.
               Valid values are YES and NO. If WHITESPACE is not set or is set
               to YES, white space characters are allowed.



       /etc/oshadow

           Temporary  file used by passwd and pwconv to update the real shadow
           file.


       /etc/passwd

           Password file.


       /etc/shadow

           Shadow password file.


       /etc/shells

           Shell database.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE          ATTRIBUTE VALUE
       ____________________________________________
       Availability            system/core-os
       CSI                     Enabled
       Interface Stability     See below.



       The human readable output is Uncommitted. The options are Committed, as
       is the parsable output of the -s option.

SEE ALSO
       at(1),    batch(1),    finger(1),   login(1),   pwhash(1),   crypt(3C),
       getpwnam(3C), getspnam(3C), getusershell(3C), pam(3PAM), crypt.conf(5),
       loginlog(5),  nsswitch.conf(5), pam.conf(5), passwd(5), policy.conf(5),
       shadow(5),  shells(5),  user_attr(5),   attributes(7),   crypt_unix(7),
       environ(7),          pam_authtok_check(7),          pam_authtok_get(7),
       pam_authtok_store(7), pam_dhkeys(7), pam_ldap(7),  pam_unix_account(7),
       pam_unix_auth(7),  pam_unix_session(7),  rbac(7),  cron(8),  eeprom(8),
       id(8),  ldapclient(8),  mkpwdict(8),  pwconv(8),   su(8),   useradd(8),
       userdel(8), usermod(8), account-policy(8S)


       Managing User Accounts and User Environments in Oracle Solaris 11.4

NOTES
       The  yppasswd  command  is  a wrapper around passwd. Use of yppasswd is
       discouraged. Use passwd  -r  repository_name instead.


       Changing a password in the  files  and  ldap  repositories  clears  the
       failed login count.


       Changing  a  password reactivates an account deactivated for inactivity
       for the length of the inactivity period.


       Input terminal processing might interpret some key  sequences  and  not
       pass them to the passwd command.


       An  account  with  no  password,  status  code NP, might not be able to
       login. See the login(1)  PASSREQ option.


       All password hash algorithms provided with Oracle Solaris 11.4,  except
       for   crypt_unix(7),  have  a  maximum  password  length  of  255.  See
       crypt.conf(5) and account-policy(8S) for information on configuring the
       algorithm to use.


       The  unlock_after user attribute only applies to accounts locked due to
       exceeding a failed login count.

HISTORY
       The AL status code; the properties MAXDAYS, MINDAYS, and WARNDAYS;  and
       the  use  of  the  account-policy(8S) SMF service to store the property
       values were added to Oracle Solaris in Solaris 11.4.0.


       The -p option was added to Oracle Solaris in Solaris 11.3.4.


       The DICTIONMINWORDLENGTH  property  was  added  to  Oracle  Solaris  in
       Solaris 11.1.17 and a Solaris 10 patch.


       Support  for  NIS+, including the -D option, and the nisplus repository
       argument for the -r option, was removed in Solaris 11.0.0.


       Support for the -h option was removed in Solaris 11.0.0.


       The -N and -u options; and the  properties  DICTIONDBDIR,  DICTIONLIST,
       HISTORY,  MAXREPEATS,  MINALPHA, MINDIFF, MINDIGIT, MINLOWER, MINNONAL‐
       PHA, MINSPECIAL, MINUPPER, NAMECHECK, and  WHITESPACE;  were  added  to
       Oracle Solaris in Solaris 10 3/05.


       Support  for password encryption algorithms beyond the traditional UNIX
       crypt(3C), via the crypt.conf(5) configuration, was added to Solaris in
       Solaris 9 12/02 (Update 2).


       Support  for  LDAP,  including  the ldap repository argument for the -r
       option, was added in Solaris 8.


       The options -r (with the files, nis, and nisplus repositories), -e, -g,
       -h, and -D were added to Solaris in Solaris 2.5.


       The   options   -d,   -f,   -l,   -s,  and  -w,  and  support  for  the
       /etc/default/passwd  file,  with  the  properties  MAXWEEKS,  MINWEEKS,
       PASSLENGTH, and WARNWEEKS, were added to Solaris in Solaris 2.0.


       The  options  -a,  -n,  and  -x  were  added in SunOS 4.1 and have been
       present in all releases of Solaris.


       The passwd command has been included  in  all  releases  of  SunOS  and
       Solaris.



Oracle Solaris 11.4               3 Nov 2021                         passwd(1)
The copyright of the man page content belongs to the man page author.