Commands Reference, Volume 4

passwd Command

Purpose

Changes a user's password.

Syntax

passwd [ -R load_module ] [ -f | -s ] [ User ]

Description

The passwd command sets and changes passwords for users. Use this command to change your own password or another user's password. You can also use the passwd command to change the full name (gecos) associated with your login name and the shell you use as an interface to the operating system.

Depending on how the user is defined, the user's password can exist locally or remotely. Local passwords exist in the /etc/security/passwd database. Remote passwords exist in the Network Information Service (NIS) or Distributed Computing Environment (DCE) database.

To change your own password, enter the passwd command. The passwd command prompts the nonroot user for the old password (if one exists) and then prompts for the new password twice. (The password is never displayed on the screen.) If the two entries of the new password do not match, the passwd command prompts for the new password again.

Note

The passwd command uses only the first eight characters of your password for local and NIS passwords. Only 7-bit characters are supported in passwords. For this reason, National Language Support (NLS) code points are not allowed in passwords.

To change another user's password, enter the passwd command and the user's login name (the User parameter). Only the root user or a member of the security group is permitted to change the password for another user. The passwd command prompts you for the old password of the user as well as the new password. However, the passwd command does not prompt the root user for either the old user password or the root password or enforce any password restrictions upon the root user.

The /etc/passwd file records your full name and the path name of the shell that you use. To change your recorded name, enter the passwd -f command. To change your login shell, enter the passwd -s command.

Construct locally-defined passwords according to the password restrictions in the /etc/security/user configuration file. This file contains the following restrictions:

minalpha	Specifies the minimum number of alphabetic characters.
minother	Specifies the minimum number of other characters.
minlen	Specifies the minimum number of characters. Note This value is determined by either the `minalpha` value plus the `minother` value or the `minlen` value, whichever is greater.
mindiff	Specifies the minimum number of characters in the new password that are not in the old password. Note This restriction does not consider position. If the new password is `abcd` and the old password is `edcb`, the number of different characters is 1.
maxrepeats	Specifies the maximum number of times a single character can be used in a password.
minage	Specifies the minimum age at which a password can be changed. Passwords must be kept for a minimum period. This value is measured in weeks.
maxage	Specifies the maximum age of a password. A password must be changed after a specified amount of time measured in weeks.
maxexpired	Specifies the maximum number of weeks beyond the `maxage` value that a password can be changed by the user.
histexpire	Specifies the number of weeks that a user cannot reuse a password.
histsize	Specifies the number of previous passwords that the user cannot reuse.
dictionlist	Specifies the list of dictionary files checked when a password is changed.
pwdchecks	Specifies the list of external password restriction methods invoked when a password is changed.

If the root user adds the NOCHECK attribute to your flags entry in the /etc/security/passwd file, your password does not need to meet these restrictions. Also, the root user can assign new passwords to other users without following the password restrictions.

If the root user adds the ADMIN attribute to your flags entry or if the password field in the /etc/passwd file contains an * (asterisk), only the root user can change your password. The root user also has the exclusive privilege of changing your password if the password field in /etc/passwd contains an ! (exclamation point) and the password field in the /etc/security/passwd file contains an * (asterisk).

If the root user changes your password, the ADMCHG attribute is automatically added to your flags entry in the /etc/security/passwd file. In this case, you must change the password the next time you log in.

If the user's registry value in the /etc/security/user file is either DCE or NIS, the password change can only occur in the specified database.

Flags

-f	Changes the user information accessed by the finger command. You can use this flag to provide your full name in the /etc/passwd file.
-s	Changes the login shell.
-R load_module	Specifies the loadable I&A module used to change a user's password.

Security

Access Control: Install this program as part of the Trusted Computing Base with execute access for all users. In addition, this program should run setuid to the root user to get write access to the password files.

Files Accessed:

Mode	File
r	/etc/security/user
rx	/usr/lib/security/DCE
rx	/usr/lib/security/NIS
rw	/etc/passwd
rw	/etc/security/passwd
r	/etc/security/login.cfg

Auditing Events:

Event	Information
PASSWORD_Change	user

Examples

To change your password, type:
```
passwd
```
The passwd command prompts you for your old password, if it exists and you are not the root user. After you enter the old password, the command prompts you twice for the new password.
To change your full name in the /etc/passwd file, type:
passwd -f
The passwd command displays the name stored for your user ID. For example, for login name sam, the passwd command could display this message:
```
sam's current gecos:
             "Sam Smith"
Change (yes) or no)? >
```
If you type a Y for yes, the passwd command prompts you for the new name. The passwd command records the name you enter in the /etc/passwd file.
To use a different shell the next time you log in, type:
passwd - s
The passwd command lists the path names of the available shells and the shell you are currently using. The command also displays a prompt:
```
Change (yes) or (no)? >
```
If you type a Y for yes, the passwd command prompts you for the shell to use. The next time you log in, the system provides the shell that you specify here.

Files

/usr/bin/passwd	Contains the passwd command.
/etc/passwd	Contains user IDs, user names, home directories, login shell, and finger information.
/etc/security/passwd	Contains encrypted passwords and security information.

Related Information

The chfn command, chsh command, login command, pwdadm command, pwdck command.

The getpass subroutine, newpass subroutine.

Users, Groups, and Passwords in AIX 5L Version 5.2 Security Guide.

Installing and Configuring the Trusted Computing Base in AIX 5L Version 5.2 Security Guide.

Shells Overview in AIX 5L Version 5.2 System User's Guide: Operating System and Devices to learn more about the available shells.