Administers users' passwords.
The pwdadm command administers users' passwords. The root user or a member of the security group can supply or change the password of the user specified by the User parameter. The invoker of the command must provide a password when queried before being allowed to change the other user's password. When the command executes, it sets the ADMCHG attribute. This forces the user to change the password the next time a su command is given for the user.
Root users and members of the security group should not change their personal password with this command. The ADMCHG attribute would require them to change their password again the next time a login command or an su command is given for the user. Only the root user or a user with PasswdAdmin authorization can change password information for administrative users, who have the admin attribute set to true in the /etc/security/user file.
Only the root user, a member of the security group, or a user with PasswdManage authorization can supply or change the password of the user specified by the User parameter.
When this command is executed, the password field for the user in the /etc/passwd file is set to ! (exclamation point), indicating that an encrypted version of the password is in the /etc/security/passwd file. The ADMCHG attribute is set when the root user or a member of the security group changes a user's password with the pwdadm command.
A new password must be defined according to the rules in the /etc/security/user file, unless the -f NOCHECK flag is included. Only 7-bit characters are supported in passwords. By including the -f flag with the pwdadm command, the root user or a member of the security group can set attributes that change the password rules. If there is no password entry in the /etc/security/passwd file when the -f flag is used, the password field in the /etc/passwd file is set to ! (exclamation point) and an * (asterisk) appears in the password= field to indicate that no password has been set.
The -q flag permits the root user or members of the security group to query password information. Only the status of the lastupdate attribute and the flags attribute appear. The encrypted password remains hidden.
The -c flag clears all password flags for the user.
Item | Description |
---|---|
-c | Clears all password flags for the user. |
-f Flags | Specifies the flags attribute of a password. The Flags variable must be from the following list of comma-separated attributes: |
-q | Queries the status of the password. The values of the lastupdate attribute and the flags attribute appear. |
-R load_module | Specifies the loadable I&A module that is used to change the user's attributes. |
Access Control: Only the root user and members of the security group should have execute (x) access to this command. The command should have the trusted computing base attribute and be setuid to the root user to have write (w) access to the /etc/passwd file, the /etc/security/passwd file, and other user database files.
Files Accessed:
Mode | File |
---|---|
rw | /etc/passwd |
rw | /etc/security/passwd |
r | /etc/security/user |
Auditing Events:
Event | Information |
---|---|
PASSWORD_Change | user |
PASSWORD_Flags | user, flags |
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
```sh
pwdadm susan
```
The user who invoked the command is prompted for a password before Susan's password can be changed.
```sh
pwdadm -q susan
```
This command displays values for the lastupdate attribute and the flags attribute. The following example shows what appears when the NOCHECK and ADMCHG flags attributes are in effect:
```
susan:
        lastupdate=
        flags= NOCHECK,ADMCHG
```
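As an added example (not part of the pwdadm documentation), the following POSIX shell script parses the stanza format that `pwdadm -q` prints and reports accounts whose password rules are bypassed by NOCHECK; the sample output, the user names and the lastupdate values are constructed.

```shell
#!/bin/sh
# Added example, not from the pwdadm documentation: audit `pwdadm -q` output
# for accounts whose password rules are bypassed (NOCHECK) or that are still
# waiting for the user to change an administratively set password (ADMCHG).

# Constructed sample in the `pwdadm -q` stanza format; on a live system the
# text would come from `for u in ...; do pwdadm -q "$u"; done` run as root.
SAMPLE_QUERY_OUTPUT='susan:
        lastupdate=
        flags= NOCHECK,ADMCHG
bob:
        lastupdate= 1700000000
        flags= ADMCHG
carol:
        lastupdate= 1700000000
        flags='

# Read pwdadm -q stanzas on stdin; print one "user flag" pair per line.
parse_pwd_flags() {
    awk '
        /^[^ \t].*:$/ { user = substr($0, 1, length($0) - 1); next }
        /^[ \t]*flags=/ {
            sub(/^[ \t]*flags=[ \t]*/, "")
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) if (f[i] != "") print user, f[i]
        }
    '
}

# users_with_flag FLAG OUTPUT: print the users in OUTPUT whose flags include FLAG.
users_with_flag() {
    printf '%s\n' "$2" | parse_pwd_flags | awk -v want="$1" '$2 == want { print $1 }'
}

# Report accounts for which the rules in /etc/security/user are not enforced.
users_with_flag NOCHECK "$SAMPLE_QUERY_OUTPUT" | while read -r u; do
    echo "WARNING: password rules bypassed (NOCHECK) for user $u"
done
```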
Item | Description |
---|---|
/usr/bin/pwdadm | Contains the pwdadm command. |
/etc/security/passwd | Contains password information. |