svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
passwd(1)
passwd(1) User Commands passwd(1)
NAME
passwd - change login password and password attributes
SYNOPSIS
passwd [-r files | -r ldap | -r nis] [name]
passwd [-r files] [-egh] [name]
passwd [-r files] -s [-a]
passwd [-r files] -s [name]
passwd [-r files] [-d | -l | -u | -N | -p hash] [-f] [-n min]
[-w warn] [-x max] name
passwd -r ldap [-egh] [name]
passwd [-r ldap ] -s [-a]
passwd [-r ldap ] -s [name]
passwd -r ldap [-d | -l | -u | -N | -p hash] [-f] [-n min]
[-w warn] [-x max] name
passwd -r nis [-egh] [name]
DESCRIPTION
The passwd command changes the password or lists password attributes
associated with the user's login name. Additionally, authorized users
can use passwd to install or change passwords and attributes associated
with any login name, as described in the Authorized User Options sec‐
tion below.
When used by a user to change their own password, passwd prompts the
user for their old password, if any. It then prompts for the new pass‐
word twice. The passwd command does not prompt for the old password
when used by a user who is authorized to change other users passwords.
If LDAP is one of the configured nameservices, an authorized user on
any LDAP client system can change any password without being prompted
for the old LDAP password.
When the old password is entered, passwd checks to see if it has aged
sufficiently. If aging is insufficient, passwd terminates. For addi‐
tional information, see the shadow(5) man page.
If aging is sufficient, a check is made to ensure that the new password
meets construction requirements. When the new password is entered a
second time, the two copies of the new password are compared. If the
two copies are not identical, the cycle of prompting for the new pass‐
word is repeated for, at most, two more times.
Passwords must be constructed to meet the following requirements:
o Each password must have at least PASSLENGTH characters,
where PASSLENGTH is defined in /etc/default/passwd and is
set to 8 by default. PASSLENGTH may be set to more than
eight characters as long as policy.conf(5) has not been con‐
figured to use an algorithm that only supports eight charac‐
ters, such as the legacy crypt_unix(7).
o Each password must meet the configured complexity con‐
straints specified in /etc/default/passwd.
o Each password must not be a member of the configured dictio‐
nary as specified in /etc/default/passwd.
o For accounts in name services which support password history
checking, if prior password history is defined, new pass‐
words must not be contained in the prior password history.
By default, even users authorized to change the password of other users
must comply with the configured password policy. Users with the
solaris.passwd.nocheck authorization may bypass these checks. For more
information, see pam_authtok_check(7).
If all requirements are met, by default, the passwd command consults
nsswitch.conf(5) to determine in which repositories to perform password
update. The sources (repositories) associated with the passwd entry are
updated. However, the password update configurations supported are lim‐
ited and should follow these rules:
o passwd line must have one, two, or three entries
o First passwd entry should be files.
o passwd entries other than files, NIS, and LDAP, are ignored
and skipped during password update. It is necessary to use a
source-specific tool to update passwords in such other data‐
bases.
Network administrators, who own the password table, can change any
password attributes. The administrator configured for updating LDAP
shadow information can also change any password attributes. For more
information, see the ldapclient(8) man page.
When a user has a password stored in one of the name services as well
as a local files entry, the passwd command updates both. It is possible
to have different passwords in the name service and local files entry.
Use passwd -r to change a specific password repository.
Normally, passwd entered with no arguments changes the password of the
current user. When a user logs in and then invokes su(8) to assume a
role or become another user, passwd changes the original user's pass‐
word, not the password of the role or the new user.
Security
passwd uses pam(3PAM) for password change. It calls PAM with a service
name passwd and uses service module type auth for authentication and
password for password change.
Locking an account (-l option) does not allow its use for any logins or
delayed execution (such as at(1), batch(1), or cron(8)). The -N option
can be used to disallow password-based login, while continuing to allow
delayed execution or login with non-UNIX authentication methods.
Locked accounts that have never had a password cannot have their status
changed directly to an active password. See -d. Changing a password on
a locked account that had a password prior to being locked, changes the
password without unlocking the account. See -u to unlock the account.
An authorized administrator can activate an account in the not yet
activated state by giving it a password or running passwd -N to acti‐
vate it for non-UNIX authentication or delayed execution only.
An account can become locked following inactivity. To unlock such an
account use the -u or -f options. With -u, the password is not changed;
the use of -f forces a password change.
OPTIONS
The following options are supported:
-a
Shows password attributes for all entries. Use only with the -s
option. name must not be provided. For the files and ldap reposito‐
ries, this is restricted to users with the solaris.account.setpol‐
icy authorization.
-e
Changes the login shell. The choice of shell is limited by the
requirements of getusershell(3C). If the user currently has a shell
that is not allowed by getusershell(), usermod -s must be used to
change it.
-g
Changes the gecos (finger) information.
-h
This option formerly changed the home directory, but now just
prints a message to use usermod -d instead.
-r
Specifies the repository to which an operation is applied. The sup‐
ported repositories are files, ldap, or nis.
-s name
Shows password attributes for the login name. For the files and
ldap repositories, this only works for users with the
solaris.account.setpolicy authorization. It does not work at all
for the nis repository, which does not support password aging.
The output of this option, and only this option, is Committed and
parsable. New codes might be added in the future so code that
parses this must be flexible in the face of unknown codes. While
all existing codes are two characters in length that might not
always be the case.
The format of the display is:
name status mm/dd/yy min max warn
or, if password aging information is not present,
name status
where
name
The login ID of the user.
status
The password status of name.
The status field can take the following values:
AL
The account was automatically locked due to the number of
authentication failures reaching the configured maximum
allowed. See policy.conf(5) and user_attr(5) and the "Secu‐
rity" section.
LK
The account is locked. passwd -l was run or the account
was automatically locked due to the number of authentica‐
tion failures reaching the configured maximum allowed. See
policy.conf(5) and user_attr(5) and the "Security" section.
NL
The account is a non-UNIX authentication account. passwd
-N has been run. See "Security". Accounts in this state are
not automatically locked when the system or per-user policy
is LOCK_AFTER_RETRIES=YES.
NP
This account has no password and is therefore open without
authentication. passwd -d was run.
PS
The account probably has a valid password.
UN
The data in the password field is unknown. It is not a rec‐
ognizable hashed password or any of the above entries. See
crypt(3C) for valid password hashes.
UP
This account has not yet been activated by the administra‐
tor and cannot be used. See Security.
mm/dd/yy
The date password was last changed for name. All password aging
dates are determined using Coordinated Universal Time (UTC) and
therefore can differ by as much as a day in other time zones.
min
The minimum number of days required between password changes for
name. MINWEEKS is found in /etc/default/passwd and is set to NULL.
max
The maximum number of days the password is valid for name. MAXWEEKS
is found in /etc/default/passwd and is set to NULL.
warn
The number of days relative to max before the password expires and
the name are warned.
The default password aging policy can be specified in either days
or in weeks. When the default values are specified for either
MAXWEEKS or MINWEEKS the shadow(5) database is updated using units
of days. It is an error to set both the WEEKS and the DAYS variant
for a given MIN/MAX/WARN variable. The MIN and WARN policies are
only active if a MAX policy is also set.
Authorized User Options
An administrator needs to be granted the User Security profile to be
able to lock and unlock an existing account. That profile also provides
the ability to activate a newly created account, set password aging
options and view password attributes. The following lists shows the
authorizations required to perform the various operations.
Only an authorized user can use the following options:
-d
Deletes password for name and unlocks the account. The login name
is not prompted for password. It is only applicable to the files
and ldap repositories.
If the login(1) option PASSREQ=YES is configured, the account is
not able to login. PASSREQ=YES is the delivered default.
-f
Forces the user to change password at the next login by expiring
the password for name. This option is useful for unlocking accounts
that have become locked due to inactivity.
-l
Locks account for name unless it is already locked. See the -u
option for unlocking the account. Only accounts that are marked for
non-UNIX authentication or delayed execution can be locked and will
return to the same state when unlocked.
-N
Makes the password entry for name a value that cannot be used for
login with UNIX authentication, but does not lock the account. See
the -d option for removing the value, or -l to lock the account.
-p hash
Specifies the exact string value to be placed in the shadow pass‐
word field. Strings may be generated using the pwhash(1) command.
The user must have both the solaris.passwd.assign and
solaris.passwd.nocheck authorizations. It is intended to be used
for scripting password hash updates. Its use is generally discour‐
aged, as the hashed password is visible through ps(1) and other
proc(5) tools while the command runs.
-n min
Sets minimum field for name. The min field contains the minimum
number of days between password changes for name. If min is greater
than max, the user can not change the password. Always use this
option with the -x option, unless max is set to −1 (aging turned
off). In that case, min need not be set.
-u
Unlocks a locked password for entry name. The -u option is useful
for unlocking accounts that have become locked due to failed
attempts or were administratively locked with the -l option. An
account that is marked as a non-UNIX authentication account (passwd
-N) returns to that state when it is unlocked.
-w warn
Sets warn field for name. The warn field contains the number of
days before the password expires and the user is warned. This
option is not valid if password aging is disabled.
-x max
Sets maximum field for name. The max field contains the number of
days that the password is valid for name. The aging for name is
turned off immediately if max is set to −1.
The authorizations, as defined in user_attr(5), which are required to
perform restricted operations are as follows:
tab() box; lw(0.55i) |lw(2.75i) |lw(2.2i) lw(0.55i) |lw(2.75i)
|lw(2.2i) OptionOperationAuthorization _ -dDelete passwordso‐
laris.passwd.assign _ -NSet nologinsolaris.passwd.assign _ Change any
passwordsolaris.passwd.assign _ Bypass complexity checksso‐
laris.passwd.nocheck _ -lLock accountsolaris.account.setpolicy _ -uUn‐
lock accountsolaris.account.setpolicy _ -nSet min field for nameso‐
laris.account.setpolicy _ -wSet warn field for namesolaris.account.set‐
policy _ -fForce password expirationsolaris.account.setpolicy _ -sDis‐
play password attributessolaris.account.setpolicy _ -aT{ Display pass‐
word attributes for all entries T}solaris.account.setpolicy _ -eChange
login shellsolaris.user.manage _ -gChange gecos informationso‐
laris.user.manage _ -hChange home directorysolaris.user.manage _ T{
Set a password for the first time for a newly created account
T}solaris.account.activate
OPERANDS
The following operand is supported:
name
User login name.
ENVIRONMENT VARIABLES
If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(7)), are not set
in the environment, the operational behavior of passwd for each corre‐
sponding locale category is determined by the value of the LANG envi‐
ronment variable. If LC_ALL is set, its contents are used to override
both the LANG and the other LC_* variables. If none of the above vari‐
ables is set in the environment, the C (U.S. style) locale determines
how passwd behaves.
LC_CTYPE
Determines how passwd handles characters. When LC_CTYPE is set to a
valid value, passwd can display and handle text and filenames con‐
taining valid characters for that locale. passwd can display and
handle Extended UNIX Code (EUC) characters where any individual
character can be 1, 2, or 3 bytes wide. passwd can also handle EUC
characters of 1, 2, or more column widths. In the C locale, only
characters from ISO 8859-1 are valid.
LC_MESSAGES
Determines how diagnostic and informative messages are presented.
This includes the language and style of the messages, and the cor‐
rect form of affirmative and negative responses. In the C locale,
the messages are presented in the default form found in the program
itself (in most cases, U.S. English).
EXIT STATUS
The passwd command exits with one of the following values:
0 Success.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure. Password file unchanged.
4 Unexpected failure. Password file(s) missing.
5 Password file(s) busy. Try again later.
6 Invalid argument to option.
7 Aging option is disabled.
8 No memory.
9 System error.
10 Account expired.
11 Password information unchanged.
FILES
/etc/default/passwd
The /etc/default/passwd file is obsolete. However, you can use the
svc:/system/account-policy:default service to set the corresponding
SMF properties.
The following table lists the mapping between the properties in the
/etc/default/passwd and the SMF properties:
tab(); lw(NaNi) lw(NaNi) lw(NaNi) lw(NaNi) Property in
/etc/default/passwdCorresponding SMF Property _ DICTIONDBDIRpass‐
word/dictionary/db_dir DICTIONLISTpassword/dictionary/word_list
DICTIONMINWORDLENGTHpassword/dictionary/min_word_length HISTORY‐
password/history MAXREPEATSpassword/complexity/max_repeats MAX‐
DAYSpassword/aging_defaults/max_days MAXWEEKSpassword/complex‐
ity/max_days MINALPHApassword/complexity/min_alpha MINDIFFpass‐
word/complexity/min_diff MINDIGITpassword/complexity/min_digit MIN‐
LOWERpassword/complexity/min_lower MINNONALPHApassword/complex‐
ity/min_nonalpha MINDAYS MINWEEKSpassword/complexity/min_days MIN‐
SPECIALpassword/complexity/min_special MINUPPERpassword/complex‐
ity/min_upper NAMECHECKpassword/complexity/namecheck PASSLENGTH‐
password/complexity/passlength WARNDAYSpass‐
word/aging_defaults/warn_days WARNWEEKSpassword/complex‐
ity/warn_days WHITESPACEpassword/complexity/whitespace
For information on managing the SMF properties, see the account-
policy(8S) man page.
The descriptions of the properties in the /etc/default/passwd file
are as follows:
DICTIONDBDIR
The directory where the generated dictionary databases reside.
Defaults to /var/passwd.
If neither DICTIONLIST nor DICTIONDBDIR is specified, the sys‐
tem does not perform a dictionary check.
DICTIONLIST
DICTIONLIST can contain list of comma separated dictionary
files such as DICTIONLIST=file1, file2, file3. Each dictionary
file contains multiple lines and each line consists of a word
and a NEWLINE character. You must specify full path names. The
words from these files are merged into a database that is used
to determine whether a password is based on a dictionary word.
Spell-checking dictionary (similar to
/usr/share/lib/dict/words) can be listed in DICTIONLIST but
need to be pre-processed first. See DICTIONMINWORDLENGTH below
for an easy way.
If neither DICTIONLIST nor DICTIONDBDIR is specified, the sys‐
tem does not perform a dictionary check.
To pre-build the dictionary database, see mkpwdict(8).
DICTIONMINWORDLENGTH
DICTIONMINWORDLENGTH can contain a number specifying the mini‐
mum word length for the source files in DICTIONLIST. Words
shorter than the specified length will be omitted from the
password dictionary.
The minimum value allowed is 2 [letters]; default value is 3
[letters].
HISTORY
Maximum number of prior password history to keep for a user.
Setting the HISTORY value to zero (0), or removing the flag,
causes the prior password history of all users to be discarded
at the next password change by any user. The default is not to
define the HISTORY flag. The maximum value is 26. Currently,
this functionality is enforced only for user accounts defined
in the files name service (local passwd(5)/shadow(5)).
MAXREPEATS
Maximum number of allowable consecutive repeating characters.
If MAXREPEATS is not set or is zero (0), the default is no
checks
MAXDAYS
Maximum time period in days that password is valid.
MAXWEEKS
Maximum time period in weeks that password is valid.
MINALPHA
Minimum number of alpha character required. If MINALPHA is not
set, the default is 2.
MINDIFF
Minimum differences required between an old and a new password.
If MINDIFF is not set, the default is 3.
MINDIGIT
Minimum number of digits required. If MINDIGIT is not set or is
set to zero (0), the default is no checks. You cannot be spec‐
ify MINDIGIT if MINNONALPHA is also specified.
MINLOWER
Minimum number of lowercase letters required. If not set or
zero (0), the default is no checks.
MINNONALPHA
Minimum number of non-alpha (including numeric and special)
required. If MINNONALPHA is not set, the default is 1. You can‐
not specify MINNONALPHA if MINDIGIT or MINSPECIAL is also spec‐
ified.
MINDAYS
Minimum time period in days before the password can be changed.
MINWEEKS
Minimum time period in weeks before the password can be
changed.
MINSPECIAL
Minimum number of special (non-alpha and non-digit) characters
required. If MINSPECIAL is not set or is zero (0), the default
is no checks. You cannot specify MINSPECIAL if you also specify
MINNONALPHA.
MINUPPER
Minimum number of uppercase letters required. If MINUPPER is
not set or is zero (0), the default is no checks.
NAMECHECK
Enable/disable checking or the login name. The default is to do
login name checking. A case insensitive value of no disables
this feature.
PASSLENGTH
Minimum length of password, in characters.
WARNDAYS
Time period in days until warning of date of password's ensuing
expiration.
WARNWEEKS
Time period in weeks until warning of date of password's ensu‐
ing expiration.
WHITESPACE
Determine if white space characters are allowed in passwords.
Valid values are YES and NO. If WHITESPACE is not set or is set
to YES, white space characters are allowed.
/etc/oshadow
Temporary file used by passwd and pwconv to update the real shadow
file.
/etc/passwd
Password file.
/etc/shadow
Shadow password file.
/etc/shells
Shell database.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ Availabilitysystem/core-os _ CSIEnabled _ Interface
StabilitySee below.
The human readable output is Uncommitted. The options are Committed, as
is the parsable output of the -s option.
SEE ALSO
at(1), batch(1), finger(1), login(1), pwhash(1), crypt(3C),
getpwnam(3C), getspnam(3C), getusershell(3C), pam(3PAM), crypt.conf(5),
loginlog(5), nsswitch.conf(5), pam.conf(5), passwd(5), policy.conf(5),
shadow(5), shells(5), user_attr(5), attributes(7), crypt_unix(7),
environ(7), pam_authtok_check(7), pam_authtok_get(7),
pam_authtok_store(7), pam_dhkeys(7), pam_ldap(7), pam_unix_account(7),
pam_unix_auth(7), pam_unix_session(7), rbac(7), cron(8), eeprom(8),
id(8), ldapclient(8), mkpwdict(8), pwconv(8), su(8), useradd(8),
userdel(8), usermod(8), account-policy(8S)
Managing User Accounts and User Environments in Oracle Solaris 11.4
NOTES
The yppasswd command is a wrapper around passwd. Use of yppasswd is
discouraged. Use passwd -r repository_name instead.
Changing a password in the files and ldap repositories clears the
failed login count.
Changing a password reactivates an account deactivated for inactivity
for the length of the inactivity period.
Input terminal processing might interpret some key sequences and not
pass them to the passwd command.
An account with no password, status code NP, might not be able to
login. See the login(1) PASSREQ option.
All password hash algorithms provided with Oracle Solaris 11.4, except
for crypt_unix(7), have a maximum password length of 255. See
crypt.conf(5) and account-policy(8S) for information on configuring the
algorithm to use.
The unlock_after user attribute only applies to accounts locked due to
exceeding a failed login count.
HISTORY
The AL status code; the properties MAXDAYS, MINDAYS, and WARNDAYS; and
the use of the account-policy(8S) SMF service to store the property
values were added to Oracle Solaris in Solaris 11.4.0.
The -p option was added to Oracle Solaris in Solaris 11.3.4.
The DICTIONMINWORDLENGTH property was added to Oracle Solaris in
Solaris 11.1.17 and a Solaris 10 patch.
Support for NIS+, including the -D option, and the nisplus repository
argument for the -r option, was removed in Solaris 11.0.0.
Support for the -h option was removed in Solaris 11.0.0.
The -N and -u options; and the properties DICTIONDBDIR, DICTIONLIST,
HISTORY, MAXREPEATS, MINALPHA, MINDIFF, MINDIGIT, MINLOWER, MINNONAL‐
PHA, MINSPECIAL, MINUPPER, NAMECHECK, and WHITESPACE; were added to
Oracle Solaris in Solaris 10 3/05.
Support for password encryption algorithms beyond the traditional UNIX
crypt(3C), via the crypt.conf(5) configuration, was added to Solaris in
Solaris 9 12/02 (Update 2).
Support for LDAP, including the ldap repository argument for the -r
option, was added in Solaris 8.
The options -r (with the files, nis, and nisplus repositories), -e, -g,
-h, and -D were added to Solaris in Solaris 2.5.
The options -d, -f, -l, -s, and -w, and support for the
/etc/default/passwd file, with the properties MAXWEEKS, MINWEEKS,
PASSLENGTH, and WARNWEEKS, were added to Solaris in Solaris 2.0.
The options -a, -n, and -x were added in SunOS 4.1 and have been
present in all releases of Solaris.
The passwd command has been included in all releases of SunOS and
Solaris.
Oracle Solaris 11.4 3 Nov 2021 passwd(1)