passwd, chfn, chsh - Changes password file information
passwd [-f | -s] [username]
passwd -q [username]
passwd -q -a
-a   Displays the password attributes of all users. This option
     may only be used with the -q option and you must be root.
-f   Invokes the chfn command when given with the passwd command.
-q   Displays the password status: PS if the user has
     a password, LK if the user has an administrative lock, or
     NP if the user has no password. Users other than root may
     only use the -q option on themselves. If a username is not
     specified, the password status of the current username is
     displayed.
-s   Invokes the chsh command when given with the passwd command.

chfn Prompts the user to change their general
     user information, such as full name, office phone, office
     number, and home phone number. Phone numbers can be
     entered with or without dashes. Included in each prompt
     is a default value enclosed in [ ] (brackets). Press the
     Enter key to accept the default value or enter a new value
     or the word none to leave a field blank and press the
     Enter key. To display general information for a user, enter
     the finger username command.
A superuser can change any user's general information;
other users can only change their own. Superusers
can also run the account management interfaces,
dxaccounts, and usermod to modify passwords.

chsh Prompts the user to change the login shell. The new
login shell must be one of the approved shells
listed in the /etc/shells file unless you have
superuser privileges. If the /etc/shells file does
not exist, the only shells that can be specified
are /usr/bin/sh and /usr/bin/csh. If you abbreviate
the shell name, the first entry in the /etc/shells
file that matches the shell abbreviation is used.
For example, if you specify ksh, and both the
/bin/ksh and /usr/bin/ksh shells are in the
/etc/shells file, the shell is changed to the shell
that is listed.
A superuser can change any user's login shell;
other users can only change their own.
The passwd command changes the password associated with
your username (by default) or the specified username.
A password must have at least six characters and can be up
to eight characters. If you enter more than eight characters
when creating a password, the passwd command ignores
any characters after the eighth. A password can include
digits, symbols, and the letters of your alphabet. It is
strongly suggested that you include unusual punctuation,
control characters, or digits in your password. Use of
only lowercase letters is discouraged.
This passwd command uses the Security Integration Architecture
(SIA) routine as an interface to the security modules.
When entering the passwd command, a user is either
prompted for password information or a menu is displayed
from which the user chooses a password to change. The menu
is displayed if the user's name is recognized by more than
one registered security module in the SIA.
When using the menu, users can synchronize all their passwords
at once to the same new password. However, passwords
of all security mechanisms must already be the same at the
start of the synchronizing process. If the password for
each security mechanism is different, users must first
change them individually to be the same.
If your system is configured into a Kerberos realm, you
can use the passwd command to change your Kerberos password
because Kerberos is a registered security module in
If a user's passwords are not synchronized and they are
operating in a Kerberos realm and need to use the Kerberos
enhancement commands, such as rsh, rlogin, and rcp, then
they must first enter the kinit command to obtain a Kerberos
Ticket Granting Ticket (TGT).
ENHANCED SECURITY
Under enhanced security the passwd -q command gathers
information from the enhanced security password and system
defaults databases, and displays the data as follows:

     name status date min_change max_change

The status field is PS if the user has a password, LK if
the user has an administrative lock, or NP if the user has
no password. The date is the day of the last successful
password change in mm/dd/yy format.
The min_change field is the period in days, measured from
the date of last password change, which must pass before a
user can change his user account password. A value of 0
means the password may be changed at any time. The
max_change field is the period in days, measured from the
date of last password change, for which the password is
valid. Adding this value to the date of last password
change gives the date at which the password expires and a
change will be required. A value of 0 means that the
password will never expire.
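
The field rules above can be applied mechanically when reviewing passwd -q -a output. The following is an added example, not part of the original manual page; the sample records are constructed, and whitespace-separated fields are an assumption about the exact output layout.

```python
from datetime import date, datetime, timedelta

# Constructed sample in the "name status date min_change max_change" layout.
SAMPLE = """\
root PS 03/14/24 0 0
alice PS 01/02/24 7 90
bob LK 11/20/23 7 90
guest NP 01/01/24 0 0
"""

def parse_line(line):
    """Split one record; whitespace-separated fields are an assumption."""
    name, status, changed, min_change, max_change = line.split()
    if status not in ("PS", "LK", "NP"):
        raise ValueError(f"unknown status {status!r}")
    return {"name": name, "status": status,
            "changed": datetime.strptime(changed, "%m/%d/%y").date(),
            "min_change": int(min_change), "max_change": int(max_change)}

def audit(text, today):
    """Return {name: [findings]} for accounts that need review."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        findings = []
        if rec["status"] == "NP":
            findings.append("no password")
        if rec["status"] == "LK":
            findings.append("administrative lock")
        if rec["max_change"] == 0:
            # 0 means the password never expires.
            findings.append("password never expires")
        else:
            # Expiry date = date of last change + max_change days.
            expires = rec["changed"] + timedelta(days=rec["max_change"])
            if expires <= today:
                findings.append(f"expired {expires.isoformat()}")
        if rec["min_change"] == 0:
            # 0 means the password may be changed at any time.
            findings.append("no minimum change interval")
        if findings:
            report[rec["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, date(2024, 4, 15)).items():
        print(f"{name}: {', '.join(findings)}")
```
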
When you use the passwd command with enhanced security
installed, the system prompts for the existing password,
and begins a password solicitation dialog that depends on
the options for password generation the administrator has
enabled for your account. There are four possible
options:

     A pronounceable password made up of meaningless
     syllables.
     An unpronounceable password made up of random
     characters from the character set.
     An unpronounceable password made up of random
     letters from the alphabet.
     A user specified password, which is subject to length and

A maximum length is specified for all user passwords. The
minimum password length depends on several parameters set
in the authentication databases.
The system requires a minimum time to elapse before you
can change your password. This stops you from reusing an
old password too soon.
A password expires after a period of time known as the
expiration time. The system warns you when the expiration
time is drawing near.
A password dies after a period of time known as the password
lifetime. After the lifetime passes, your account is
locked until the administrator re-enables it. After your
user account is unlocked, you must change your password
again before you can use your account.
When you successfully type your old password, the system
prints the last successful and unsuccessful password
change times. Make sure that these times are accurate;
use them to detect attempted password changes by an unauthorized
You can change your own password if the administrator has
enabled any of the password generation options for your
Using the passwd command to reset a user's password does
not unlock the user's account if the account is locked for
a reason other than an expired password.
If a password longer than 8 characters was entered under
base security and then enhanced security is installed, you
must use only the first 8 characters of the original password.
This is because base security only used the first 8
characters of the password and the enhanced password is
created from the base password.
To change your password, enter:

     $ passwd

You are prompted for your old password (if it
exists). You are then prompted twice for the new
password.

To change general user information, enter:

     $ chfn

The current user values are displayed. Press the
Enter key to accept the default value or enter a
new value or the word none to leave a field blank,
and press the Enter key.

     Name [User Name]:
     Room Number [3A-41]: 4A-43
     Office Phone [3-1234]:
     Home Phone [555-1234]:

To change only your Kerberos password when your
system is configured into a Kerberos realm, enter:

     $ passwd

The following menu is displayed:

     You are registered with the following security mechanisms
     1 Kerberos
     2 BSD
     3 Synchronized update for the
     [Default selection: 3]
     Select ONE item by number: 1
     You have selected: Kerberos
     Old Kerberos password:
     New Kerberos password:
     Verify

Contains user information.
The list of approved shells.
Provides the matrix that selects the appropriate installed
security module.
Enhanced security password database for system accounts.
Enhanced security password database for user accounts.
Enhanced security's system defaults
Commands: finger(1), kinit(1), kdestroy(1), klist(1),
login(1), vipw(8), dxaccounts(8), usermod(8)
Files: matrix.conf(4), prpasswd(4), passwd(4)
Guides: Security Administration