
passwd(1)

NAME

passwd, chfn, chsh - Changes password file information

SYNOPSIS

passwd [-f | -s] [username]
passwd -q [username]
passwd -q -a
chfn [username]
chsh [username]

OPTIONS

-a
    Displays the password attributes of all users. This option may only be used with the -q option and you must be root.

-f
    Invokes the chfn command when given with the passwd command.

-q [username]
    Displays the password status: PS if the user has a password, LK if the user has an administrative lock, or NP if the user has no password. Users other than root may only use the -q option on themselves. If a username is not specified, the password status of the current username is displayed.

-s
    Invokes the chsh command when given with the passwd command.

-chfn
    Prompts the user to change their general user information, such as full name, office phone, office number, and home phone number. Phone numbers can be entered with or without dashes. Included in each prompt is a default value enclosed in [ ] (brackets). Press the Enter key to accept the default value, or enter a new value or the word none to leave a field blank, and press the Enter key. To display general information for a user, enter the finger username command. A superuser can change any user's general information; other users can only change their own. Superusers can also run the account management interfaces, dxaccounts, and usermod to modify passwords.

-chsh
    Prompts the user to change the login shell. The new login shell must be one of the approved shells listed in the /etc/shells file unless you have superuser privileges. If the /etc/shells file does not exist, the only shells that can be specified are /usr/bin/sh and /usr/bin/csh. If you abbreviate the shell name, the first entry in the /etc/shells file that matches the shell abbreviation is used. For example, if you specify ksh, and both the /bin/ksh and /usr/bin/ksh shells are in the /etc/shells file, the shell is changed to the one that is listed first. A superuser can change any user's login shell; other users can only change their own.

DESCRIPTION

The passwd command changes the password associated with your username (by default) or the specified username. A password must have at least six characters and can be up to eight characters. If you enter more than eight characters when creating a password, the passwd command ignores any characters after the eighth. A password can include digits, symbols, and the letters of your alphabet. It is strongly suggested that you include unusual punctuation, control characters, or digits in your password. Use of only lowercase letters is discouraged.

This passwd command uses the Security Integration Architecture (SIA) routine as an interface to the security modules. When entering the passwd command, a user is either prompted for password information or a menu is displayed from which the user chooses a password to change. The menu is displayed if the user's name is recognized by more than one registered security module in the SIA.

When using the menu, users can synchronize all their passwords at once to the same new password. However, the passwords of all security mechanisms must already be the same at the start of the synchronizing process. If the password for each security mechanism is different, users must first change them individually to be the same.

If your system is configured into a Kerberos realm, you can use the passwd command to change your Kerberos password because Kerberos is a registered security module in the SIA. If a user's passwords are not synchronized and they are operating in a Kerberos realm and need to use the Kerberos enhancement commands, such as rsh, rlogin, and rcp, then they must first enter the kinit command to obtain a Kerberos Ticket Granting Ticket (TGT).

ENHANCED SECURITY

Under enhanced security the passwd -q command gathers information from the enhanced security password and system defaults databases, and displays the data as follows:

    name status date min_change max_change

The status field is PS if the user has a password, LK if the user has an administrative lock, or NP if the user has no password. The date is the day of the last successful password change in mm/dd/yy format. The min_change field is the period in days, measured from the date of last password change, which must pass before a user can change his user account password. A value of 0 means the password may be changed at any time. The max_change field is the period in days, measured from the date of last password change, for which the password is valid. Adding this value to the date of last password change gives the date at which the password expires and a change will be required. A value of 0 means that the password will never expire.

When you use the passwd command with enhanced security installed, the system prompts for the existing password, and begins a password solicitation dialog that depends on the options for password generation the administrator has enabled for your account. There are four possible options:

Random syllables
    A pronounceable password made up of meaningless syllables.

Random characters
    An unpronounceable password made up of random characters from the character set.

Random letters
    An unpronounceable password made up of random letters from the alphabet.

User supplied
    A user-specified password, which is subject to length and triviality restrictions.

A maximum length is specified for all user passwords. The minimum password length depends on several parameters set in the authentication databases.

The system requires a minimum time to elapse before you can change your password. This stops you from reusing an old password too soon. A password expires after a period of time known as the expiration time. The system warns you when the expiration time is drawing near. A password dies after a period of time known as the password lifetime. After the lifetime passes, your account is locked until the administrator re-enables it. After your user account is unlocked, you must change your password again before you can use your account.

When you successfully type your old password, the system prints the last successful and unsuccessful password change times. Make sure that these times are accurate; use them to detect attempted password changes by an unauthorized user.

You can change your own password if the administrator has enabled any of the password generation options for your account.

Using the passwd command to reset a user's password does not unlock the user's account if the account is locked for a reason other than an expired password.

If a password longer than 8 characters was entered under base security and then enhanced security is installed, you must use only the first 8 characters of the original password. This is because base security only used the first 8 characters of the password and the enhanced password is created from the base password.
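The following shell function is an added example, not part of the original manual page: it reads report lines in the name/status/date/min_change/max_change layout described under ENHANCED SECURITY and flags accounts with no password, administrative locks, passwords that never expire, and passwords that are expired or close to expiring. The function names, the 14-day warning window, the reading of two-digit years as 20yy, and the sample report are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit enhanced-security `passwd -q` report lines of the form
#   name status date min_change max_change
# Assumptions: whitespace-separated fields, two-digit years mean 20yy,
# and a 14-day warning window (site policy, not from the manual page).

audit_passwd_status() {
    # $1 = today's date as mm/dd/yy; report lines arrive on stdin.
    awk -v today="$1" -v warn=14 '
    # Day number of an mm/dd/yy date; only differences between two are used.
    function daynum(s,    p, y, m) {
        split(s, p, "/")
        m = p[1] + 0; y = 2000 + p[3]
        if (m <= 2) { m += 12; y-- }   # treat Jan/Feb as months 13/14 of prior year
        return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3) + 2)/5) + p[2]
    }
    NF != 5    { print $1 ": UNPARSED"; next }
    $2 == "NP" { print $1 ": NO_PASSWORD"; next }        # account has no password
    $2 == "LK" { print $1 ": LOCKED"; next }             # administrative lock
    $2 != "PS" { print $1 ": UNKNOWN_STATUS " $2; next }
    $5 == 0    { print $1 ": NEVER_EXPIRES"; next }      # max_change 0 = no expiry
    {
        # Expiry date = date of last change + max_change days.
        left = daynum($3) + $5 - daynum(today)
        if (left <= 0)         print $1 ": EXPIRED " (0 - left) " days ago"
        else if (left <= warn) print $1 ": EXPIRES_SOON in " left " days"
    }'
}

# Constructed sample report (not real output).
sample_report() {
    cat <<'EOF'
root  PS 01/15/24 0 0
alice PS 01/15/24 7 90
bob   NP 01/01/24 0 0
carol LK 11/02/23 7 90
dave  PS 02/01/24 7 90
erin  PS 04/01/24 7 90
EOF
}

sample_report | audit_passwd_status 04/20/24
# On a live system, as root: passwd -q -a | audit_passwd_status "$(date +%m/%d/%y)"
```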

EXAMPLES

1. To change your password, enter:

       $ passwd

   You are prompted for your old password (if it exists). You are then prompted twice for the new password.

2. To change general user information, enter:

       $ chfn

   The current user values are displayed. Press the Enter key to accept the default value or enter a new value or the word none to leave a field blank, and press the Enter key.

       Name [User Name]:
       Room Number [3A-41]: 4A-43
       Office Phone [3-1234]:
       Home Phone [555-1234]:

3. To change only your Kerberos password when your system is configured into a Kerberos realm, enter:

       $ passwd

   The following menu is displayed:

       You are registered with the following security mechanisms
       1 Kerberos
       2 BSD
       3 Synchronized update for the above-listed mechanisms
       [Default selection: 3]
       Select ONE item by number: 1
       You have selected: Kerberos
       Old Kerberos password:
       New Kerberos password:
       Verify Kerberos password:

FILES

/etc/passwd
    Contains user information.

/etc/shells
    The list of approved shells.

matrix.conf
    Provides the matrix that selects the appropriate installed security module.

/tcb/files/auth.db
    Enhanced security password database for system accounts.

/var/tcb/files/auth.db
    Enhanced security password database for user accounts.

/etc/auth/system/default
    Enhanced security's system defaults database.

SEE ALSO

Commands: finger(1), kinit(1), kdestroy(1), klist(1), login(1), vipw(8), dxaccounts(8), usermod(8)

Files: matrix.conf(4), prpasswd(4), passwd(4)

Guides: Security Administration
