Changes a user's password.
The passwd command sets and changes passwords for users. Use this command to change your own password or another user's password. You can also use the passwd command to change the full name (gecos) associated with your login name and the shell you use as an interface to the operating system.
Depending on how the user is defined, the user's password can exist locally or remotely. Local passwords exist in the /etc/security/passwd database. Remote passwords are stored in the database provided by the remote domain.
To change another user's password, enter the passwd command and the user's login name (the User parameter). Only the root user or a member of the security group is permitted to change the password for another user. The passwd command prompts you for the old password of the user as well as the new password. For local passwords, the passwd command does not prompt the root user for either the old user password or the root password. For remote passwords, by default the root user will be prompted to input the old password so the remote domain can make the decision to use the password or ignore it. To change this behavior, see the rootrequiresopw option in the /usr/lib/security/methods.cfg file. The passwd command does not enforce any password restrictions upon the root user.
The /etc/passwd file records your full name and the path name of the shell that you use. To change your recorded name, enter the passwd -f command. To change your login shell, enter the passwd -s command.
Password restrictions are defined by the following attributes, which are set for each user (or in the default stanza) in the /etc/security/user file. The passwd command checks a new password against them before accepting it:

Attribute | Description |
---|---|
dictionlist | Specifies the list of dictionary files checked when a password is changed. |
histexpire | Specifies the number of weeks that a user cannot reuse a password. |
histsize | Specifies the number of previous passwords that the user cannot reuse. |
maxage | Specifies the maximum age of a password. A password must be changed after a specified amount of time measured in weeks. |
maxexpired | Specifies the maximum number of weeks beyond the maxage value that a password can be changed by the user. |
maxrepeats | Specifies the maximum number of times a single character can be used in a password. |
minalpha | Specifies the minimum number of alphabetic characters. |
minother | Specifies the minimum number of other characters. |
minlen | Specifies the minimum number of characters. Note: The effective minimum length is either the minalpha value plus the minother value or the minlen value, whichever is greater. |
mindiff | Specifies the minimum number of characters in the new password that are not in the old password. Note: This restriction does not consider position. If the new password is abcd and the old password is edcb, the number of different characters is 1. |
minage | Specifies the minimum age at which a password can be changed. Passwords must be kept for a minimum period. This value is measured in weeks. |
minloweralpha | Specifies the minimum number of lowercase alphabetic characters. |
minupperalpha | Specifies the minimum number of uppercase alphabetic characters. |
mindigit | Specifies the minimum number of digits. |
minspecialchar | Specifies the minimum number of special characters. |
pwdchecks | Specifies the list of external password restriction methods invoked when a password is changed. |
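The note on minlen and the position-insensitive mindiff comparison are easy to get wrong when auditing a policy, so the following added example (not AIX code, and not the passwd command's own checker) applies the attributes in the table to a candidate password and reports which ones it violates. The policy values, the in-memory word list standing in for the dictionlist files, and the reading of "other" as non-alphabetic and "special" as non-alphanumeric characters are assumptions for illustration; histsize, histexpire, minage, maxage, maxexpired and pwdchecks are not modelled.

```python
"""Apply /etc/security/user style password restrictions to a candidate.

Added example; not part of AIX or of the passwd command. The policy,
dictionary and character-class interpretation below are assumptions.
"""

# Constructed sample policy (assumption: not an AIX default). In AIX these
# attributes live in the user or default stanza of /etc/security/user.
SAMPLE_POLICY = {
    "minlen": 8,
    "minalpha": 4,
    "minother": 2,
    "mindiff": 3,
    "maxrepeats": 2,
    "minloweralpha": 1,
    "minupperalpha": 1,
    "mindigit": 1,
    "minspecialchar": 0,
    # Constructed stand-in for the word files named by dictionlist.
    "dictionlist": ["password", "welcome", "letmein"],
}


def effective_minlen(policy):
    """Per the table note: the larger of minlen and minalpha + minother."""
    return max(policy.get("minlen", 0),
               policy.get("minalpha", 0) + policy.get("minother", 0))


def different_chars(new, old):
    """Per the mindiff note: position is ignored, only the set of characters
    in the new password that do not occur in the old one counts.
    abcd vs edcb -> {'a'} -> 1."""
    return len(set(new) - set(old))


def check_password(new, old, policy):
    """Return the names of the attributes the candidate violates, in
    policy-check order; an empty list means the password is acceptable."""
    alpha = sum(c.isalpha() for c in new)
    other = len(new) - alpha                      # assumption: non-alphabetic
    special = sum(not c.isalnum() for c in new)   # assumption: non-alphanumeric
    counts = {}
    for c in new:
        counts[c] = counts.get(c, 0) + 1
    most_repeated = max(counts.values(), default=0)

    checks = [
        ("minlen", len(new) >= effective_minlen(policy)),
        ("minalpha", alpha >= policy.get("minalpha", 0)),
        ("minother", other >= policy.get("minother", 0)),
        ("minloweralpha", sum(c.islower() for c in new) >= policy.get("minloweralpha", 0)),
        ("minupperalpha", sum(c.isupper() for c in new) >= policy.get("minupperalpha", 0)),
        ("mindigit", sum(c.isdigit() for c in new) >= policy.get("mindigit", 0)),
        ("minspecialchar", special >= policy.get("minspecialchar", 0)),
        # maxrepeats: no single character may occur more than this many times.
        ("maxrepeats", most_repeated <= policy.get("maxrepeats", len(new))),
        ("mindiff", different_chars(new, old) >= policy.get("mindiff", 0)),
        ("dictionlist", new.lower() not in policy.get("dictionlist", [])),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    # Constructed candidates; the old password is also constructed.
    for candidate in ("abcd", "welcome", "aaaBBB11!!", "Tr0ub4dor&3"):
        print(f"{candidate!r:>14}: {check_password(candidate, 'edcb', SAMPLE_POLICY) or 'OK'}")
```

The check order mirrors the table so that an auditor can read the returned list against it; a real deployment would also consult histsize and histexpire, which need the stored password history the passwd command keeps and this example does not.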
If the root user adds the NOCHECK attribute to your flags entry in the /etc/security/passwd file, your password does not need to meet these restrictions. Also, the root user can assign new passwords to other users without following the password restrictions.
If the root user adds the ADMIN attribute to your flags entry or if the password field in the /etc/passwd file contains an * (asterisk), only the root user can change your password. The root user also has the exclusive privilege of changing your password if the password field in /etc/passwd contains an ! (exclamation point) and the password field in the /etc/security/passwd file contains an * (asterisk).
If the root user changes your password, the ADMCHG attribute is automatically added to your flags entry in the /etc/security/passwd file. In this case, you must change the password the next time you log in.
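To see how the flags and password-field markers described above combine, here is an added example (not AIX code) that parses constructed copies of /etc/passwd and the stanza-format /etc/security/passwd and derives, for each user, whether only root may change the password, whether restrictions are skipped, and whether a change is forced at the next login. The file contents, user names and placeholder hash values are constructed; the stanza layout (user name followed by a colon, then indented attribute = value lines) and the comma-separated flags value follow the AIX format.

```python
"""Derive password-change rules from /etc/passwd and /etc/security/passwd.

Added example; not part of AIX. Both files below are constructed samples
embedded as strings, and the hash values are placeholders.
"""

# Constructed /etc/passwd: name:password:uid:gid:gecos:home:shell.
# On AIX the password field is '!' (real password in /etc/security/passwd)
# or '*' (only root may set a password).
ETC_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
sam:!:201:1:Sam Smith:/home/sam:/usr/bin/ksh
jane:!:202:1::/home/jane:/usr/bin/bsh
guest:*:203:1::/home/guest:/usr/bin/ksh
svc:!:204:1::/home/svc:/usr/bin/ksh
"""

# Constructed /etc/security/passwd stanzas; hashes are placeholders.
ETC_SECURITY_PASSWD = """\
root:
        password = {ssha256}PLACEHOLDER
        lastupdate = 1700000000
        flags =

sam:
        password = {ssha256}PLACEHOLDER
        lastupdate = 1700000000
        flags = ADMCHG

jane:
        password = {ssha256}PLACEHOLDER
        lastupdate = 1700000000
        flags = ADMIN,NOCHECK

svc:
        password = *
        lastupdate = 1700000000
        flags =
"""


def parse_etc_passwd(text):
    """Map user name -> password field of /etc/passwd."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        fields[parts[0]] = parts[1]
    return fields


def parse_stanzas(text):
    """Map user name -> {attribute: value} for an AIX stanza-format file.
    A stanza starts with an unindented 'name:' line; attribute lines are
    indented 'key = value'; lines starting with '*' are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and not raw[0].isspace():
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def password_rules(user, passwd_fields, security_stanzas):
    """Apply the rules from the text: ADMIN, '*' in /etc/passwd, or '!' in
    /etc/passwd with '*' in /etc/security/passwd make the password root-only;
    NOCHECK skips restrictions; ADMCHG forces a change at next login."""
    pw_field = passwd_fields.get(user, "")
    stanza = security_stanzas.get(user, {})
    flags = {f.strip() for f in stanza.get("flags", "").split(",") if f.strip()}
    sec_pw = stanza.get("password", "")
    root_only = ("ADMIN" in flags
                 or pw_field == "*"
                 or (pw_field == "!" and sec_pw == "*"))
    return {
        "root_only": root_only,
        "skip_restrictions": "NOCHECK" in flags,
        "must_change_at_login": "ADMCHG" in flags,
    }


def rules_for(user):
    """Convenience wrapper over the constructed sample files."""
    return password_rules(user, parse_etc_passwd(ETC_PASSWD),
                          parse_stanzas(ETC_SECURITY_PASSWD))


if __name__ == "__main__":
    for name in parse_etc_passwd(ETC_PASSWD):
        print(f"{name:>6}: {rules_for(name)}")
```

Note that the guest entry has no stanza in /etc/security/passwd at all; the '*' in /etc/passwd alone is enough to make the account root-only, which is why the parser tolerates a missing stanza instead of treating it as an error.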
If the user's registry value in the /etc/security/user file is either DCE or NIS, the password change can only occur in the specified database.
The passwd command creates the user keystore if the keystore does not exist and the efs_keystore_access attribute of the user is not none. The keystore is created with the Encrypted File System (EFS) attributes found in the /etc/security/user file. If the old password can open the keystore, the command also changes the keystore password; that is, if the login and keystore passwords are the same, the passwd command changes both. If the file system is an Encrypted File System (EFS), the command performs as though the -a flag were specified. If you specify the -a flag, the EFS keystore password is not synchronized with the user's login password after the change, so the keystore is not loaded automatically at the next login.
The passwd command accepts the following flags:

Flag | Description |
---|---|
-a | Changes a user's password in all modules (compat, LDAP, NIS, and so on). |
-f | Changes the user information accessed by the finger command. You can use this flag to provide your full name in the /etc/passwd file. |
-s | Changes the login shell. |
-R load_module | Specifies the loadable I&A module used to change a user's password. |
The passwd command is a PAM-enabled application with a service name of passwd. System-wide configuration to use PAM for authentication is set by modifying the value of the auth_type attribute, in the usw stanza of /etc/security/login.cfg, to PAM_AUTH as the root user. The corresponding /etc/pam.conf entry for the passwd service:

```
#
# AIX passwd configuration
#
passwd password required /usr/lib/security/pam_aix
```
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
To change your own password, enter:

```
passwd
```

The passwd command prompts you for your old password, if it exists and you are not the root user. After you enter the old password, the command prompts you twice for the new password.

To change the full name recorded for your login, enter:

```
passwd -f
```

The passwd command displays the name stored for your user ID. For example, for login name sam, the passwd command could display this message:

```
sam's current gecos:
"Sam Smith"
Change (yes) or (no)? >
```

If you type a Y for yes, the passwd command prompts you for the new name. The passwd command records the name you enter in the /etc/passwd file.

To change your login shell, enter:

```
passwd -s
```

The passwd command lists the path names of the available shells and the shell you are currently using. The command also displays a prompt:

```
Change (yes) or (no)? >
```

If you type a Y for yes, the passwd command prompts you for the shell to use. The next time you log in, the system provides the shell that you specify here.

The passwd command uses the following files:

File | Description |
---|---|
/usr/bin/passwd | Contains the passwd command. |
/etc/passwd | Contains user IDs, user names, home directories, login shell, and finger information. |
/etc/security/passwd | Contains encrypted passwords and security information. |