'\" te
.\" Copyright 1989 AT&T 
.\" Portions Copyright (c) 2010, 2015, Oracle and/or its affiliates. All       rights reserved.
.TH passwd 1 "27 Nov 2015" "SunOS 5.11" "User Commands"
.SH NAME
passwd \- change login password and password attributes
.SH SYNOPSIS
.LP
.nf
\fBpasswd\fR [\fB-r\fR files | \fB-r\fR ldap | \fB-r\fR nis] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR files] [\fB-d\fR | \fB-l\fR | \fB-u\fR | \fB-N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] 
     [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR ldap [\fB-egh\fR] [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fB-a\fR]
.fi

.LP
.nf
\fBpasswd\fR [\fB-r\fR ldap ] \fB-s\fR [\fIname\fR]
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR ldap [\fB-d | -l | -u | -N\fR] [\fB-f\fR] [\fB-n\fR \fImin\fR] 
     [\fB-w\fR \fIwarn\fR] [\fB-x\fR \fImax\fR] \fIname\fR
.fi

.LP
.nf
\fBpasswd\fR \fB-r\fR nis [\fB-egh\fR] [\fIname\fR]
.fi

.SH DESCRIPTION
.sp
.LP
The \fBpasswd\fR command changes the password or lists password attributes associated with the user's login \fIname\fR. Additionally, authorized users can use \fBpasswd\fR to install or change passwords and attributes associated with any login \fIname\fR.
.sp
.LP
When used to change a password, \fBpasswd\fR prompts everyone for their old password, if any. It then prompts for the new password twice. When the old password is entered, \fBpasswd\fR checks to see if it has aged sufficiently. If \fBaging\fR is insufficient, \fBpasswd\fR terminates; see \fBpwconv\fR(1M) and \fBshadow\fR(4) for additional information.
.sp
.LP
The \fBpwconv\fR command creates and updates \fB/etc/shadow\fR with information from \fB/etc/passwd\fR. \fBpwconv\fR relies on a special value of \fBx\fR in the password field of \fB/etc/passwd\fR. This value of \fBx\fRindicates that the password for the user is already in \fB/etc/shadow\fR and should not be modified.
.sp
.LP
If aging is sufficient, a check is made to ensure that the new password meets construction requirements. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the cycle of prompting for the new password is repeated for, at most, two more times.
.sp
.LP
Passwords must be constructed to meet the following requirements:
.RS +4
.TP
.ie t \(bu
.el o
Each password must have \fBPASSLENGTH\fR characters, where \fBPASSLENGTH\fR is defined in \fB/etc/default/passwd\fR and is set to \fB6\fR. Setting \fBPASSLENGTH\fR to more than eight characters requires configuring \fBpolicy.conf\fR(4) with an algorithm that supports greater than eight characters.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Each password must meet the configured complexity constraints specified in \fB/etc/default/passwd\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
Each password must not be a member of the configured dictionary as specified in \fB/etc/default/passwd\fR.
.RE
.RS +4
.TP
.ie t \(bu
.el o
For accounts in name services which support password history checking, if prior password history is defined, new passwords must not be contained in the prior password history.
.RE
.sp
.LP
If all requirements are met, by default, the \fBpasswd\fR command consults \fB/etc/nsswitch.conf\fR to determine in which repositories to perform password update. It searches the \fBpasswd\fR and \fBpasswd_compat\fR entries. The sources (repositories) associated with these entries are updated. However, the password update configurations supported are limited and must follow those rules:
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd\fR line must have 1, 2 or 3 entries
.RE
.RS +4
.TP
.ie t \(bu
.el o
First \fBpasswd\fR entry must be files
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd\fR entries other than files, \fBnis\fR, \fBldap\fR and \fBcompat\fR are ignored and skipped during password update.
.RE
.RS +4
.TP
.ie t \(bu
.el o
It is necessary to use a source-specific tool to update password in such database.
.RE
.sp
.LP
When a user has a password stored in one of the name services as well as a local \fBfiles\fR entry, the \fBpasswd\fR command updates both. It is possible to have different passwords in the name service and local files entry. Use \fBpasswd\fR \fB-r\fR to change a specific password repository. 
.sp
.LP
The \fBpasswd\fR command does not prompt authorized users for the old password.
.sp
.LP
If LDAP is in effect, an authorized user on any Native LDAP client system can change any password without being prompted for the old LDAP password.
.sp
.LP
By default, even users authorized to change the password of other users must comply with the configured password policy. See \fBpam_authtok_check\fR(5).
.sp
.LP
Normally, \fBpasswd\fR entered with no arguments changes the password of the current user. When a user logs in and then invokes \fBsu\fR(1M) to become role or another user, \fBpasswd\fR changes the original user's password, not the password of the role or the new user.
.sp
.LP
The \fB-s\fR argument is restricted to an authorized user.
.sp
.LP
The format of the display is:
.sp
.in +2
.nf
\fIname status mm/dd/yy min max warn\fR
.fi
.in -2
.sp

.sp
.LP
or, if password aging information is not present,
.sp
.in +2
.nf
\fIname status\fR
.fi
.in -2
.sp

.sp
.LP
where
.sp
.ne 2
.mk
.na
\fB\fIname\fR\fR
.ad
.sp .6
.RS 4n
The login \fBID\fR of the user.
.RE

.sp
.ne 2
.mk
.na
\fB\fIstatus\fR\fR
.ad
.sp .6
.RS 4n
The password status of \fIname\fR. 
.sp
The \fIstatus\fR field can take the following values:
.sp
.ne 2
.mk
.na
\fB\fBLK\fR\fR
.ad
.sp .6
.RS 4n
The account is locked. \fBpasswd -l\fR was run or the account was automatically locked due to the number of authentication failures reaching the configured maximum allowed. See \fBpolicy.conf\fR(4) and \fBuser_attr\fR(4) and the "Security" section.
.RE

.sp
.ne 2
.mk
.na
\fB\fBNL\fR\fR
.ad
.sp .6
.RS 4n
The account is a \fBnon UNIX authentication\fR account. \fBpasswd\fR \fB-N\fR has been run. See "Security". Accounts in this state are not automatically locked when the system or per user policy is \fBLOCK_AFTER_RETRIES=YES\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBNP\fR\fR
.ad
.sp .6
.RS 4n
This account has no password and is therefore open without authentication.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPS\fR\fR
.ad
.sp .6
.RS 4n
This account has a password.
.RE

.sp
.ne 2
.mk
.na
\fB\fBUN\fR\fR
.ad
.sp .6
.RS 4n
The data in the password field is unknown. It is not a recognizable hashed password or any of the above entries. See \fBcrypt\fR(3C) for valid password hashes.
.RE

.sp
.ne 2
.mk
.na
\fB\fBUP\fR\fR
.ad
.sp .6
.RS 4n
This account has not yet been activated by the administrator and cannot be used. See \fBSecurity\fR.
.RE

.RE

.sp
.ne 2
.mk
.na
\fB\fImm/dd/yy\fR\fR
.ad
.sp .6
.RS 4n
The date password was last changed for \fIname\fR. All password aging dates are determined using Greenwich Mean Time (Universal Time) and therefore can differ by as much as a day in other time zones.
.RE

.sp
.ne 2
.mk
.na
\fB\fImin\fR\fR
.ad
.sp .6
.RS 4n
The minimum number of days required between password changes for \fIname\fR. \fBMINWEEKS\fR is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fImax\fR\fR
.ad
.sp .6
.RS 4n
The maximum number of days the password is valid for \fIname\fR. \fBMAXWEEKS\fR is found in \fB/etc/default/passwd\fR and is set to \fBNULL\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fIwarn\fR\fR
.ad
.sp .6
.RS 4n
The number of days relative to \fImax\fR before the password expires and the \fIname\fR are warned.
.RE

.SS "Security"
.sp
.LP
\fBpasswd\fR uses \fBpam\fR(3PAM) for password change. It calls PAM with a service name \fBpasswd\fR and uses service module type \fBauth\fR for authentication and password for password change.
.sp
.LP
Locking an account (\fB-l\fR option) does not allow its use for any logins or delayed execution (such as \fBat\fR(1), \fBbatch\fR(1), or \fBcron\fR(1M)). The \fB-N\fR option can be used to disallow password based login, while continuing to allow delayed execution or login with non UNIX authentication methods.
.sp
.LP
Locked accounts that have never had a password cannot have their status changed directly to an active password. See \fB-d\fR. Changing a password on a locked account that had a password prior to being locked, changes the password without unlocking the account. See \fB-u\fR to unlock the account. An authorized administrator can activate an account in the not yet activated state by giving it a password or running \fBpasswd\fR \fB-N\fR to activate it for non UNIX authentication or delayed execution only.
.sp
.LP
An account can become locked following inactivity. To unlock such an account use the \fB-u\fR or \fB-f\fR options. With \fB-u\fR, the password is not changed; the use of \fB-f\fR forces a password change.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-a\fR\fR
.ad
.sp .6
.RS 4n
Shows password attributes for all entries. Use only with the \fB-s\fR option. \fIname\fR must not be provided. For the \fBfiles\fR and \fBldap\fR repositories, this is restricted to the authorized user.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-e\fR\fR
.ad
.sp .6
.RS 4n
Changes the login shell. For the files repository, this only works for the superuser. Normal users can change the \fBldap\fR, \fBnis\fR, or \fBnisplus\fR repositories. The choice of shell is limited by the requirements of \fBgetusershell\fR(3C). If the user currently has a shell that is not allowed by \fBgetusershell\fR, only root can change it.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-g\fR\fR
.ad
.sp .6
.RS 4n
Changes the \fBgecos\fR (finger)  information. For the files repository, this only works for the superuser. Normal users can  change the \fBldap\fR, \fBnis\fR, or \fBnisplus\fR repositories.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-h\fR\fR
.ad
.sp .6
.RS 4n
Changes the home directory.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-r\fR\fR
.ad
.sp .6
.RS 4n
Specifies the repository to which an operation is applied. The supported repositories are \fBfiles\fR, \fBldap\fR, or \fBnis\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-s\fR \fIname\fR\fR
.ad
.sp .6
.RS 4n
Shows password attributes for the login \fIname\fR. For the \fBfiles\fR and \fBldap\fR repositories, this only works for the authorized user. It does not work at all for the \fBnis\fR repository, which does not support password aging.
.sp
The output of this option, and only this option, is Committed and parsable. The format is \fIusername\fR followed by white space followed by one of the following codes. 
.sp
New codes might be added in the future so code that parses this must be flexible in the face of unknown codes. While all existing codes are two characters in length that might not always be the case. 
.sp
The following are the current status codes:
.sp
.ne 2
.mk
.na
\fB\fBLK\fR\fR
.ad
.sp .6
.RS 4n
The account is locked. \fBpasswd -l\fR was run or the account was automatically locked due to the number of authentication failures reaching the configured maximum allowed. See \fBpolicy.conf\fR(4) and \fBuser_attr\fR(4) and the "Security" section.
.RE

.sp
.ne 2
.mk
.na
\fB\fBNL\fR\fR
.ad
.sp .6
.RS 4n
The account is a \fBnon UNIX authentication\fR account. \fBpasswd\fR \fB-N\fR has been run. See "Security". Accounts in this state are not automatically locked when the system or per user policy is \fBLOCK_AFTER_RETRIES=YES\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBNP\fR\fR
.ad
.sp .6
.RS 4n
Account has no password. \fBpasswd -d\fR was run.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPS\fR\fR
.ad
.sp .6
.RS 4n
The account probably has a valid password.
.RE

.sp
.ne 2
.mk
.na
\fB\fBUN\fR\fR
.ad
.sp .6
.RS 4n
The data in the password field is unknown. It is not a recognizable hashed password or any of the above entries. See \fBcrypt\fR(3C) for valid password hashes.
.RE

.sp
.ne 2
.mk
.na
\fB\fBUP\fR\fR
.ad
.sp .6
.RS 4n
This account has not yet been activated by the administrator and cannot be used. See \fBSecurity\fR.
.RE

.RE

.SS "Authorized User Options"
.sp
.LP
An administrator needs to be granted the User Security profile to be able to lock and unlock an existing account. That profile also provides the ability to activate a newly created account, set password aging options and view password attributes. The following lists shows the authorizations required to perform the various operations.
.sp
.LP
Only an authorized user can use the following options:
.sp
.ne 2
.mk
.na
\fB\fB-d\fR\fR
.ad
.sp .6
.RS 4n
Deletes password for \fIname\fR and unlocks the account. The login \fIname\fR is not prompted for password. It is only applicable to the \fBfiles\fR and \fBldap\fR repositories.
.sp
If the \fBlogin\fR(1) option \fBPASSREQ=YES\fR is configured, the account is not able to login. \fBPASSREQ=YES\fR is the delivered default.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-f\fR\fR
.ad
.sp .6
.RS 4n
Forces the user to change password at the next login by expiring the password for \fIname\fR. This option is useful for unlocking accounts that have become locked due to inactivity.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-l\fR\fR
.ad
.sp .6
.RS 4n
Locks account for \fIname\fR unless it is already locked. See the \fB-u\fR option for unlocking the account. Accounts that are marked for non UNIX authentication or delayed execution only can be locked and will return to the same state when unlocked.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-N\fR\fR
.ad
.sp .6
.RS 4n
Makes the password entry for \fIname\fR a value that cannot be used for login with UNIX authentication, but does not lock the account. See the \fB-d\fR option for removing the value, or \fB-l\fR to lock the account.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-p\fR \fIhash\fR\fR
.ad
.sp .6
.RS 4n
Specifies the exact string value to be placed in the shadow password field. The user must have both the \fBsolaris.passwd.assign\fR and \fBsolaris.passwd.nocheck\fR authorizations. It is intended to be used for scripting password hash updates. Its use is generally discouraged, as the hashed password is visible through \fBps\fR(1) while the command runs.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-n\fR \fImin\fR\fR
.ad
.sp .6
.RS 4n
Sets minimum field for \fIname\fR. The \fImin\fR field contains the minimum number of days between password changes for \fIname\fR. If \fImin\fR is greater than \fImax\fR, the user can not change the password. Always use this option with the \fB-x\fR option, unless \fImax\fR is set to \fB\(mi1\fR (aging turned off). In that case, \fImin\fR need not be set.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-u\fR\fR
.ad
.sp .6
.RS 4n
Unlocks a locked password for entry \fIname\fR. The \fB-u\fR option is useful for unlocking accounts that have become locked due to failed attempts or were administratively locked with the \fB-l\fR option. An account that is marked as a non UNIX authentication account (\fBpasswd\fR \fB-N\fR) returns to that state when it is unlocked.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-w\fR \fIwarn\fR\fR
.ad
.sp .6
.RS 4n
Sets warn field for \fIname\fR. The \fIwarn\fR field contains the number of days before the password expires and the user is warned. This option is not valid if password aging is disabled.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-x\fR \fImax\fR\fR
.ad
.sp .6
.RS 4n
Sets maximum field for \fIname\fR. The \fImax\fR field contains the number of days that the password is valid for \fIname\fR. The aging for \fIname\fR is turned off immediately if \fImax\fR is set to \fB\(mi1\fR\&.
.RE

.SH OPERANDS
.sp
.LP
The following operand is supported:
.sp
.ne 2
.mk
.na
\fB\fIname\fR\fR
.ad
.sp .6
.RS 4n
User login name.
.RE

.SH ENVIRONMENT VARIABLES
.sp
.LP
If any of the \fBLC_*\fR variables, that is, \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR, \fBLC_TIME\fR, \fBLC_COLLATE\fR, \fBLC_NUMERIC\fR, and \fBLC_MONETARY\fR (see \fBenviron\fR(5)), are not set in the environment, the operational behavior of \fBpasswd\fR for each corresponding locale category is determined by the value of the \fBLANG\fR environment variable. If \fBLC_ALL\fR is set, its contents are used to override both the \fBLANG\fR and the other \fBLC_*\fR variables. If none of the above variables is set in the environment, the \fBC\fR (U.S. style) locale determines how \fBpasswd\fR behaves.
.sp
.ne 2
.mk
.na
\fB\fBLC_CTYPE\fR\fR
.ad
.sp .6
.RS 4n
Determines how \fBpasswd\fR handles characters. When \fBLC_CTYPE\fR is set to a valid value, \fBpasswd\fR can display and handle text and filenames containing valid characters for that locale. \fBpasswd\fR can display and handle Extended Unix Code (\fBEUC\fR) characters where any individual character can be 1, 2, or 3 bytes wide. \fBpasswd\fR can also handle \fBEUC\fR characters of 1, 2, or more column widths. In the \fBC\fR locale, only characters from ISO 8859-1 are valid.
.RE

.sp
.ne 2
.mk
.na
\fB\fBLC_MESSAGES\fR\fR
.ad
.sp .6
.RS 4n
Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the \fBC\fR locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English).
.RE

.SH EXIT STATUS
.sp
.LP
The \fBpasswd\fR command exits with one of the following values:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Success.
.RE

.sp
.ne 2
.mk
.na
\fB\fB1\fR\fR
.ad
.sp .6
.RS 4n
Permission denied.
.RE

.sp
.ne 2
.mk
.na
\fB\fB2\fR\fR
.ad
.sp .6
.RS 4n
Invalid combination of options.
.RE

.sp
.ne 2
.mk
.na
\fB\fB3\fR\fR
.ad
.sp .6
.RS 4n
Unexpected failure. Password file unchanged.
.RE

.sp
.ne 2
.mk
.na
\fB\fB4\fR\fR
.ad
.sp .6
.RS 4n
Unexpected failure. Password file(s) missing.
.RE

.sp
.ne 2
.mk
.na
\fB\fB5\fR\fR
.ad
.sp .6
.RS 4n
Password file(s) busy. Try again later.
.RE

.sp
.ne 2
.mk
.na
\fB\fB6\fR\fR
.ad
.sp .6
.RS 4n
Invalid argument to option.
.RE

.sp
.ne 2
.mk
.na
\fB\fB7\fR\fR
.ad
.sp .6
.RS 4n
Aging option is disabled.
.RE

.sp
.ne 2
.mk
.na
\fB\fB8\fR\fR
.ad
.sp .6
.RS 4n
No memory.
.RE

.sp
.ne 2
.mk
.na
\fB\fB9\fR\fR
.ad
.sp .6
.RS 4n
System error.
.RE

.sp
.ne 2
.mk
.na
\fB\fB10\fR\fR
.ad
.sp .6
.RS 4n
Account expired.
.RE

.sp
.ne 2
.mk
.na
\fB\fB11\fR\fR
.ad
.sp .6
.RS 4n
Password information unchanged.
.RE

.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/default/passwd\fR\fR
.ad
.sp .6
.RS 4n
Default values can be set for the following flags in \fB/etc/default/passwd\fR. For example: \fBMAXWEEKS=26\fR
.sp
.ne 2
.mk
.na
\fB\fBDICTIONDBDIR\fR\fR
.ad
.sp .6
.RS 4n
The directory where the generated dictionary databases reside. Defaults to \fB/var/passwd\fR. 
.sp
If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system does not perform a dictionary check. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBDICTIONLIST\fR\fR
.ad
.sp .6
.RS 4n
\fBDICTIONLIST\fR can contain list of comma separated dictionary files such as \fBDICTIONLIST=\fR\fIfile1\fR, \fI file2\fR, \fIfile3\fR. Each dictionary file contains multiple lines and each line consists of a word and a NEWLINE character. You must specify full path names. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word.
.sp
Spell-checking dictionary (similar to \fB/usr/share/lib/dict/words\fR) can be listed in \fBDICTIONLIST\fR but need to be pre-processed first. See \fBDICTIONMINWORDLENGTH\fR below for an easy way.
.sp
If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, the system does not perform a dictionary check.
.sp
To pre-build the dictionary database, see \fBmkpwdict\fR(1M).
.RE

.sp
.ne 2
.mk
.na
\fB\fBDICTIONMINWORDLENGTH\fR\fR
.ad
.sp .6
.RS 4n
\fBDICTIONMINWORDLENGTH\fR can contain a number specifying the minimum word length for the source files in \fBDICTIONLIST\fR. Words shorter than the specified length will be omitted from the password dictionary.
.sp
 The minimum value allowed is 2 [letters]; default value is 3 [letters].
.RE

.sp
.ne 2
.mk
.na
\fB\fBHISTORY\fR\fR
.ad
.sp .6
.RS 4n
Maximum number of prior password history to keep for a user. Setting the \fBHISTORY\fR value to zero (\fB0\fR), or removing the flag, causes the prior password history of all users to be discarded at the next password change by any user. The default is not to define the \fBHISTORY\fR flag. The maximum value is \fB26.\fR Currently, this functionality is enforced only for user accounts defined in the \fBfiles\fR name service (local \fBpasswd\fR(4)/\fBshadow\fR(4)).
.RE

.sp
.ne 2
.mk
.na
\fB\fBMAXREPEATS\fR\fR
.ad
.sp .6
.RS 4n
Maximum number of allowable consecutive repeating characters. If \fBMAXREPEATS\fR is not set or is zero (\fB0\fR), the default is no checks
.RE

.sp
.ne 2
.mk
.na
\fB\fBMAXWEEKS\fR\fR
.ad
.sp .6
.RS 4n
Maximum time period that password is valid.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINALPHA\fR\fR
.ad
.sp .6
.RS 4n
Minimum number of alpha character required. If \fBMINALPHA\fR is not set, the default is \fB2\fR. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINDIFF\fR\fR
.ad
.sp .6
.RS 4n
Minimum differences required between an old and a new password. If \fBMINDIFF\fR is not set, the default is \fB3\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINDIGIT\fR\fR
.ad
.sp .6
.RS 4n
Minimum number of digits required. If \fBMINDIGIT\fR is not set or is set to zero (\fB0\fR), the default is no checks. You cannot be specify \fBMINDIGIT\fR if \fBMINNONALPHA\fR is also specified. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINLOWER\fR\fR
.ad
.sp .6
.RS 4n
Minimum number of lower case letters required. If not set or zero (0), the default is no checks. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINNONALPHA\fR\fR
.ad
.sp .6
.RS 4n
Minimum number of non-alpha (including numeric and special) required. If \fBMINNONALPHA\fR is not set, the default is \fB1\fR. You cannot specify \fBMINNONALPHA\fR if \fBMINDIGIT\fR or \fBMINSPECIAL\fR is also specified.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINWEEKS\fR\fR
.ad
.sp .6
.RS 4n
Minimum time period before the password can be changed.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINSPECIAL\fR\fR
.ad
.sp .6
.RS 4n
Minimum number of special (non-alpha and non-digit) characters required. If \fBMINSPECIAL\fR is not set or is zero (\fB0\fR), the default is no checks. You cannot specify \fBMINSPECIAL\fR if you also specify \fBMINNONALPHA\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBMINUPPER\fR\fR
.ad
.sp .6
.RS 4n
Minimum number of upper case letters required. If \fBMINUPPER\fR is not set or is zero (\fB0\fR), the default is no checks. 
.RE

.sp
.ne 2
.mk
.na
\fB\fBNAMECHECK\fR\fR
.ad
.sp .6
.RS 4n
Enable/disable checking or the login name. The default is to do login name checking. A case insensitive value of \fBno\fR disables this feature.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPASSLENGTH\fR\fR
.ad
.sp .6
.RS 4n
Minimum length of password, in characters.
.RE

.sp
.ne 2
.mk
.na
\fB\fBWARNWEEKS\fR\fR
.ad
.sp .6
.RS 4n
Time period until warning of date of password's ensuing expiration.
.RE

.sp
.ne 2
.mk
.na
\fB\fBWHITESPACE\fR\fR
.ad
.sp .6
.RS 4n
Determine if white space characters are allowed in passwords. Valid values are \fBYES\fR and \fBNO\fR. If \fBWHITESPACE\fR is not set or is set to \fBYES\fR, white space characters are allowed.
.RE

.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/oshadow\fR\fR
.ad
.sp .6
.RS 4n
Temporary file used by \fBpasswd\fR and \fBpwconv\fR to update the real shadow file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/passwd\fR\fR
.ad
.sp .6
.RS 4n
Password file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/shadow\fR\fR
.ad
.sp .6
.RS 4n
Shadow password file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/shells\fR\fR
.ad
.sp .6
.RS 4n
Shell database.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Availabilitysystem/core-os
_
CSIEnabled
_
Interface StabilitySee below.
.TE

.sp
.LP
The human readable output is Uncommitted. The options are Committed.
.SH SEE ALSO
.sp
.LP
\fBat\fR(1), \fBbatch\fR(1), \fBfinger\fR(1), \fBlogin\fR(1), \fBcron\fR(1M), \fBdomainname\fR(1M), \fBeeprom\fR(1M), \fBid\fR(1M), \fBldapclient\fR(1M), \fBmkpwdict\fR(1M), \fBpwconv\fR(1M), \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M), \fBusermod\fR(1M), \fBcrypt\fR(3C), \fBgetpwnam\fR(3C), \fBgetspnam\fR(3C), \fBgetusershell\fR(3C), \fBpam\fR(3PAM), \fBloginlog\fR(4), \fBnsswitch.conf\fR(4), \fBpam.conf\fR(4), \fBpasswd\fR(4), \fBpolicy.conf\fR(4), \fBshadow\fR(4), \fBshells\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5), \fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_ldap\fR(5), \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5), \fBcrypt_unix\fR(5)
.SH NOTES
.sp
.LP
The \fByppasswd\fR command is a wrapper around \fBpasswd\fR. Use of \fByppasswd\fR is discouraged. Use \fBpasswd\fR \fB-r\fR \fIrepository_name\fR instead.
.sp
.LP
Changing a password in the \fBfiles\fR and \fBldap\fR repositories clears the failed login count.
.sp
.LP
Changing a password reactivates an account deactivated for inactivity for the length of the inactivity period.
.sp
.LP
Input terminal processing might interpret some key sequences and not pass them to the \fBpasswd\fR command.
.sp
.LP
An account with no password, status code \fBNP\fR, might not be able to login. See the \fBlogin\fR(1) \fBPASSREQ\fR option.
.sp
.LP
Authorizations required to perform various options:
.sp
.in +2
.nf
-d     delete password               solaris.passwd.assign
-N     set nologin                   solaris.passwd.assign
       change any passwd             solaris.passwd.assign

-l     lock account                  solaris.account.setpolicy
-u     unlock account                solaris.account.setpolicy
-n     set min field for name        solaris.account.setpolicy
-w     set warn field for name       solaris.account.setpolicy
-x     set max field for name        solaris.account.setpolicy
-f     forces password expiration    solaris.account.setpolicy
-s     display password attributes   solaris.account.setpolicy  
-a     display password attributes   solaris.account.setpolicy  
       for all entries

-e     change login shell            solaris.user.manage
-g     change gecos information      solaris.user.manage
-h     change home directory         solaris.user.manage
       set a newly created account's 
         passwd for the first time   solaris.account.activate
.fi
.in -2
.sp

.sp
.LP
All password hash algorithms except \fBcrypt_unix\fR(5) have a maximum password length of \fB255\fR.