passwd Command

Purpose

Changes a user's password.

Syntax

passwd [ -R load_module ] [  -f  |   -s  -a ] [ User ]

Description

The passwd command sets and changes passwords for users. Use this command to change your own password or another user's password. You can also use the passwd command to change the full name (gecos) associated with your login name and the shell you use as an interface to the operating system.

Depending on how the user is defined, the user's password can exist locally or remotely. Local passwords exist in the /etc/security/passwd database. Remote passwords are stored in the database provided by the remote domain.

To change your own password, enter the passwd command. The passwd command prompts the nonroot user for the old password (if one exists) and then prompts for the new password twice. (The password is never displayed on the screen.) If the two entries of the new password do not match, the passwd command prompts for the new password again.
Note: The passwd command uses only the first eight characters of your password for local and NIS passwords. Only 7-bit characters are supported in passwords. For this reason, National Language Support (NLS) code points are not allowed in passwords.

To change another user's password, enter the passwd command and the user's login name (the User parameter). Only the root user or a member of the security group is permitted to change the password for another user. The passwd command prompts you for the old password of the user as well as the new password. For local passwords, the passwd command does not prompt the root user for either the old user password or the root password. For remote passwords, by default the root user will be prompted to input the old password so the remote domain can make the decision to use the password or ignore it. To change this behavior, see the rootrequiresopw option in the /usr/lib/security/methods.cfg file. The passwd command does not enforce any password restrictions upon the root user.

The /etc/passwd file records your full name and the path name of the shell that you use. To change your recorded name, enter the passwd -f command. To change your login shell, enter the passwd -s command.

Construct locally-defined passwords according to the password restrictions in the /etc/security/user configuration file. This file contains the following restrictions:
The password restrictions that are defined in the /etc/security/user configuration file are:
Item Description
dictionlist Specifies the list of dictionary files checked when a password is changed.
histexpire Specifies the number of weeks that a user cannot reuse a password.
histsize Specifies the number of previous passwords that the user cannot reuse.
maxage Specifies the maximum age of a password. A password must be changed after a specified amount of time measured in weeks.
maxexpired Specifies the maximum number of weeks beyond the maxage value that a password can be changed by the user.
maxrepeats Specifies the maximum number of times a single character can be used in a password.
minalpha Specifies the minimum number of alphabetic characters.
minother Specifies the minimum number of other characters.
minlen Specifies the minimum number of characters.
Note: This value is determined by either the minalpha value plus the minother value or the minlen value, whichever is greater.
mindiff Specifies the minimum number of characters in the new password that are not in the old password.
Note: This restriction does not consider position. If the new password is abcd and the old password is edcb, the number of different characters is 1.
minage Specifies the minimum age at which a password can be changed. Passwords must be kept for a minimum period. This value is measured in weeks.
minloweralpha Specifies the minimum number of lowercase alphabetic characters.
minupperalpha Specifies the minimum number of uppercase alphabetic characters.
mindigit Specifies the minimum number of digits.
minspecialchar Specifies the minimum number of special characters.
pwdchecks Specifies the list of external password restriction methods invoked when a password is changed.

If the root user adds the NOCHECK attribute to your flags entry in the /etc/security/passwd file, your password does not need to meet these restrictions. Also, the root user can assign new passwords to other users without following the password restrictions.

If the root user adds the ADMIN attribute to your flags entry or if the password field in the /etc/passwd file contains an * (asterisk), only the root user can change your password. The root user also has the exclusive privilege of changing your password if the password field in /etc/passwd contains an ! (exclamation point) and the password field in the /etc/security/passwd file contains an * (asterisk).

If the root user changes your password, the ADMCHG attribute is automatically added to your flags entry in the /etc/security/passwd file. In this case, you must change the password the next time you log in.

If the user's registry value in the /etc/security/user file is either DCE or NIS, the password change can only occur in the specified database.

The passwd command creates the user keystore, if the keystore does not exist and if the efs_keystore_access attribute value of the user is not none. The keystore is created with the Encrypted File System (EFS) attributes that are found in the /etc/security/user file. If the old password can open the keystore, it also changes the keystore password. That is to say, if the login and keystore passwords are same, then the passwd command changes both of the passwords. If the file system is an Encrypted File System (EFS), then the command performs as though the -a flag is specified. If you specify the -a flag, the result is that the EFS password is not synchronized with user login password after a password change. Therefore, the keystore is not be loaded automatically on next logins.

Flags

Item Description
-a Changes a user's password in all modules (compat, LDAP, NIS, and so on).
-f Changes the user information accessed by the finger command. You can use this flag to provide your full name in the /etc/passwd file.
-s Changes the login shell.
-R load_module Specifies the loadable I&A module used to change a user's password.

Security

The passwd command is a PAM-enabled application with a service name of passwd. System-wide configuration to use PAM for authentication is set by modifying the value of the auth_type attribute, in the usw stanza of /etc/security/login.cfg, to PAM_AUTH as the root user.

The authentication mechanisms used when PAM is enabled depend on the configuration for the passwd service in /etc/pam.conf. The passwd command requires /etc/pam.conf entries for the password module type. Listed below is a recommended configuration in /etc/pam.conf for the passwd service: 
#
# AIX passwd configuration
#

passwd password required /usr/lib/security/pam_aix

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To change your password, type: 
    passwd
    The passwd command prompts you for your old password, if it exists and you are not the root user. After you enter the old password, the command prompts you twice for the new password.
  2. To change your full name in the /etc/passwd file, type:

    passwd  -f

    The passwd command displays the name stored for your user ID. For example, for login name sam, the passwd command could display this message: 
    sam's current gecos:
             "Sam Smith"
Change (yes) or no)? >
    If you type a Y for yes, the passwd command prompts you for the new name. The passwd command records the name you enter in the /etc/passwd file.
  3. To use a different shell the next time you log in, type:

    passwd -s

    The passwd command lists the path names of the available shells and the shell you are currently using. The command also displays a prompt: 
    Change (yes) or (no)? >
    If you type a Y for yes, the passwd command prompts you for the shell to use. The next time you log in, the system provides the shell that you specify here.

Files

Item Description
/usr/bin/passwd Contains the passwd command.
/etc/passwd Contains user IDs, user names, home directories, login shell, and finger information.
/etc/security/passwd Contains encrypted passwords and security information.