pwdadm [ -f Flags | -q | -c ] User
The pwdadm command administers users' passwords. The root user or a member of the security group can supply or change the password of the user specified by the User parameter. The invoker of the command must provide a password when queried before being allowed to change the other user's password. When the command executes, it sets the ADMCHG attribute. This forces the user to change the password the next time a login command or an su command is given for the user.
Root users and members of the security group should not change their personal password with this command. The ADMCHG attribute would require them to change their password again the next time a login command or an su command is given for the user. Only the root user or a user with PasswdAdmin authorization can change password information for administrative users, who have the admin attribute set to true in the /etc/security/user file.
Only the root user, a member of the security group, or a user with PasswdManage authorization can supply or change the password of the user specified by the User parameter.
When this command is executed, the password field for the user in the /etc/passwd file is set to ! (exclamation point), indicating that an encrypted version of the password is in the /etc/security/passwd file. The ADMCHG attribute is set when the root user or a member of the security group changes a user's password with the pwdadm command.
A new password must be defined according to the rules in the /etc/security/user file, unless the -f NOCHECK flag is included. Only 7-bit characters are supported in passwords. By including the -f flag with the pwdadm command, the root user or a member of the security group can set attributes that change the password rules. If there is no password entry in the /etc/security/passwd file when the -f flag is used, the password field in the /etc/passwd file is set to ! (exclamation point) and an * (asterisk) appears in the password= field to indicate that no password has been set.
The -q flag permits the root user or members of the security group to query password information. Only the status of the lastupdate attribute and the flags attribute appear. The encrypted password remains hidden.
The -c flag clears all flags set in the /etc/security/passwd file.
Access Control: Only the root user and members of the security group should have execute (x) access to this command. The command should have the trusted computing base attribute and be setuid to the root user to have write (w) access to the /etc/passwd file, the /etc/security/passwd file, and other user database files.
Mode | File |
---|---|
rw | /etc/passwd |
rw | /etc/security/passwd |
r | /etc/security/user |
Event | Information |
---|---|
PASSWORD_Change | user |
PASSWORD_Flags | user, flags |
pwdadm susan
When prompted, the user who invoked the command is prompted for a password before Susan's password can be changed.
pwdadm -q susan
This command displays values for the lastupdate attribute and the flags attribute. The following example shows what appears when the NOCHECK and ADMCHG flags attributes are in effect:
susan: lastupdate= flags= NOCHECK,ADMCHG
/usr/bin/pwdadm | Contains the pwdadm command. |
/etc/passwd | |
Contains the basic user attributes. | |
/etc/security/passwd | |
Contains password information. | |
/etc/security/login.cfg | |
Contains configuration information. |
The passwd command.
For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.