passwd Command

Purpose

Changes a user's password.

Syntax

passwd [ -R load_module ] [ -f | -s | -a ] [ User ]

Description

The passwd command sets and changes passwords for users. Use this command to change your own password or another user's password. You can also use the passwd command to change the full name (gecos) associated with your login name and the shell you use as an interface to the operating system.

Depending on how the user is defined, the user's password can exist locally or remotely. Local passwords exist in the /etc/security/passwd database. Remote passwords are stored in the database provided by the remote domain.

To change your own password, enter the passwd command. The passwd command prompts the nonroot user for the old password (if one exists) and then prompts for the new password twice. (The password is never displayed on the screen.) If the two entries of the new password do not match, the passwd command prompts for the new password again.
Note: The passwd command uses only the first eight characters of your password for local and NIS passwords. Only 7-bit characters are supported in passwords. For this reason, globalization code points are not allowed in passwords. You can set a password of up to 255 characters.

To change another user's password, enter the passwd command and the user's login name (the User parameter). Only the root user or a member of the security group is permitted to change the password for another user. The passwd command prompts you for the old password of the user as well as the new password. For local passwords, the passwd command does not prompt the root user for either the old user password or the root password. For remote passwords, by default the root user is prompted for the old password so that the remote domain can decide whether to use the password or ignore it. To change this behavior, see the rootrequiresopw option in the /usr/lib/security/methods.cfg file. The passwd command does not enforce any password restrictions upon the root user.

The /etc/passwd file records your full name and the path name of the shell that you use. To change your recorded name, enter the passwd -f command. To change your login shell, enter the passwd -s command.

Construct locally-defined passwords according to the password restrictions in the /etc/security/user configuration file. This file contains the following restrictions:

Item            Description
dictionlist     Specifies the list of dictionary files checked when a password is changed.
histexpire      Specifies the number of weeks that a user cannot reuse a password.
histsize        Specifies the number of previous passwords that the user cannot reuse.
maxage          Specifies the maximum age of a password. A password must be changed after a specified amount of time measured in weeks.
maxexpired      Specifies the maximum number of weeks beyond the maxage value that a password can be changed by the user.
maxrepeats      Specifies the maximum number of times a single character can be used in a password.
minalpha        Specifies the minimum number of alphabetic characters.
minother        Specifies the minimum number of other characters.
minlen          Specifies the minimum number of characters.
                Note: This value is determined by either the minalpha value plus the minother value or the minlen value, whichever is greater.
mindiff         Specifies the minimum number of characters in the new password that are not in the old password.
                Note: This restriction does not consider position. If the new password is abcd and the old password is edcb, the number of different characters is 1.
minage          Specifies the minimum age at which a password can be changed. Passwords must be kept for a minimum period. This value is measured in weeks.
minloweralpha   Specifies the minimum number of lower case alphabetic characters.
minupperalpha   Specifies the minimum number of upper case alphabetic characters.
mindigit        Specifies the minimum number of digits.
minspecialchar  Specifies the minimum number of special characters.
pwdchecks       Specifies the list of external password restriction methods invoked when a password is changed.

If the root user adds the NOCHECK attribute to your flags entry in the /etc/security/passwd file, your password does not need to meet these restrictions. Also, the root user can assign new passwords to other users without following the password restrictions.

If the root user adds the ADMIN attribute to your flags entry or if the password field in the /etc/passwd file contains an * (asterisk), only the root user can change your password. The root user also has the exclusive privilege of changing your password if the password field in /etc/passwd contains an ! (exclamation point) and the password field in the /etc/security/passwd file contains an * (asterisk).

If the root user changes your password, the ADMCHG attribute is automatically added to your flags entry in the /etc/security/passwd file. In this case, you must change the password the next time you log in.

If the user's registry value in the /etc/security/user file is either DCE or NIS, the password change can only occur in the specified database.

The passwd command creates the user keystore if the keystore does not exist and the efs_keystore_access attribute value of the user is not none. The keystore is created with the Encrypted File System (EFS) attributes that are found in the /etc/security/user file. If the old password can open the keystore, the command also changes the keystore password. That is, if the login and keystore passwords are the same, the passwd command changes both passwords. If the file system is an Encrypted File System (EFS), the command behaves as though the -a flag is specified. If you specify the -a flag, the EFS password is not synchronized with the user login password after a password change. Therefore, the keystore is not loaded automatically at the next login.

Flags

Item            Description
-a              Changes a user's password in all modules (compat, LDAP, NIS, and so on).
-f              Changes the user information accessed by the finger command. You can use this flag to provide your full name in the /etc/passwd file.
-s              Changes the login shell.
-R load_module  Specifies the loadable I&A module used to change a user's password.

Security

The passwd command is a PAM-enabled application with a service name of passwd. System-wide configuration to use PAM for authentication is set by modifying the value of the auth_type attribute, in the usw stanza of /etc/security/login.cfg, to PAM_AUTH as the root user.

The authentication mechanisms used when PAM is enabled depend on the configuration for the passwd service in /etc/pam.conf. The passwd command requires /etc/pam.conf entries for the password module type. Listed below is a recommended configuration in /etc/pam.conf for the passwd service:
#
# AIX passwd configuration
#

passwd password required /usr/lib/security/pam_aix

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To change your password, type:
    passwd
    The passwd command prompts you for your old password, if it exists and you are not the root user. After you enter the old password, the command prompts you twice for the new password.
  2. To change your full name in the /etc/passwd file, type:
    passwd -f
    The passwd command displays the name stored for your user ID. For example, for login name sam, the passwd command could display this message:
    sam's current gecos:
                 "Sam Smith"
    Change (yes) or (no)? >
    If you type a Y for yes, the passwd command prompts you for the new name. The passwd command records the name you enter in the /etc/passwd file.
  3. To use a different shell the next time you log in, type:
    passwd -s
    The passwd command lists the path names of the available shells and the shell you are currently using. The command also displays a prompt:
    Change (yes) or (no)? >
    If you type a Y for yes, the passwd command prompts you for the shell to use. The next time you log in, the system provides the shell that you specify here.

Files

Item                  Description
/usr/bin/passwd       Contains the passwd command.
/etc/passwd           Contains user IDs, user names, home directories, login shell, and finger information.
/etc/security/passwd  Contains encrypted passwords and security information.