Windows PowerShell command on Get-command passwd

Manual Pages for UNIX Operating System command usage for man passwd

User Commands passwd(1)

NAME

passwd - change login password and password attributes

SYNOPSIS

passwd [-r files | -r ldap | -r nis] [name]

passwd [-r files] [-egh] [name]

passwd [-r files] -s [-a]

passwd [-r files] -s [name]

passwd [-r files] [-d | -l | -u | -N] [-f] [-n min]

[-w warn] [-x max] name

passwd -r ldap [-egh] [name]

passwd [-r ldap ] -s [-a]

passwd [-r ldap ] -s [name]

passwd -r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name

passwd -r nis [-egh] [name]

DESCRIPTION

The passwd command changes the password or lists password

attributes associated with the user's login name. Addition-

ally, privileged users can use passwd to install or change

passwords and attributes associated with any login name.

When used to change a password, passwd prompts everyone for

their old password, if any. It then prompts for the new

password twice. When the old password is entered, passwd

checks to see if it has aged sufficiently. If aging is

insufficient, passwd terminates; see pwconv(1M) and sha-

dow(4) for additional information. The pwconv command creates and updates /etc/shadow with

information from /etc/passwd. pwconv relies on a special

SunOS 5.11 Last change: 15 Mar 2010 1

User Commands passwd(1)

value of x in the password field of /etc/passwd. This value

of xindicates that the password for the user is already in /etc/shadow and should not be modified. If aging is sufficient, a check is made to ensure that the new password meets construction requirements. When the new password is entered a second time, the two copies of the new password are compared. If the two copies are not identical, the cycle of prompting for the new password is repeated for, at most, two more times.

Passwords must be constructed to meet the following require-

ments: o Each password must have PASSLENGTH characters,

where PASSLENGTH is defined in /etc/default/passwd

and is set to 6. Setting PASSLENGTH to more than eight characters requires configuring policy.conf(4) with an algorithm that supports greater than eight characters. o Each password must meet the configured complexity

constraints specified in /etc/default/passwd.

o Each password must not be a member of the config-

ured dictionary as specified in

/etc/default/passwd.

o For accounts in name services which support pass-

word history checking, if prior password history is defined, new passwords must not be contained in the prior password history.

If all requirements are met, by default, the passwd command

consults /etc/nsswitch.conf to determine in which reposi-

tories to perform password update. It searches the passwd

and passwd_compat entries. The sources (repositories) asso-

ciated with these entries are updated. However, the password update configurations supported are limited to the following cases. Failure to comply with the configurations prevents

users from logging onto the system. The password update con-

figurations are:

o passwd: files

o passwd: files ldap

o passwd: files nis

SunOS 5.11 Last change: 15 Mar 2010 2

User Commands passwd(1)

o passwd: compat (==> files nis)

o passwd: compat (==> files ldap)

passwd_compat: ldap

You can append the ad keyword to any of the passwd confi-

gurations in the above list. However, you cannot use the

passwd command to change the password of an Active Directory

(AD) user. If the ad keyword is found in the passwd entry

during a password update operation, it is ignored. To update

the password of an AD user, use the kpasswd(1) command.

Network administrators, who own the password table, can change any password attributes. The administrator configured for updating LDAP shadow information can also change any password attributes. See ldapclient(1M).

When a user has a password stored in one of the name ser-

vices as well as a local files entry, the passwd command

updates both. It is possible to have different passwords in

the name service and local files entry. Use passwd -r to

change a specific password repository.

In the files case, super-users (for instance, real and

effective uid equal to 0, see id(1M) and su(1M)) can change

any password. Hence, passwd does not prompt privileged users

for the old password. Privileged users are not forced to comply with password aging and password construction requirements. A privileged user can create a null password by entering a carriage return in response to the prompt for

a new password. (This differs from passwd -d because the

password prompt is still displayed.) If NIS is in effect, superuser on the root master can change any password without

being prompted for the old NIS passwd, and is not forced to

comply with password construction requirements. If LDAP is in effect, superuser on any Native LDAP client system can change any password without being prompted for

the old LDAP passwd, and is not forced to comply with pass-

word construction requirements.

Normally, passwd entered with no arguments changes the pass-

word of the current user. When a user logs in and then

invokes su(1M) to become superuser or another user, passwd

changes the original user's password, not the password of

SunOS 5.11 Last change: 15 Mar 2010 3

User Commands passwd(1)

the superuser or the new user.

The -s argument is restricted to the superuser.

The format of the display is: name status mm/dd/yy min max warn or, if password aging information is not present, name status where name The login ID of the user. status The password status of name. The status field can take the following values: LK This account is locked account. See Security. NL This account is a no login account. See Security. NP This account has no password and is therefore open without authentication. PS This account has a password.

SunOS 5.11 Last change: 15 Mar 2010 4

User Commands passwd(1)

mm/dd/yy

The date password was last changed for name. All pass-

word aging dates are determined using Greenwich Mean Time (Universal Time) and therefore can differ by as much as a day in other time zones. min The minimum number of days required between password changes for name. MINWEEKS is found in

/etc/default/passwd and is set to NULL.

max The maximum number of days the password is valid for

name. MAXWEEKS is found in /etc/default/passwd and is

set to NULL. warn The number of days relative to max before the password expires and the name are warned. Security

passwd uses pam(3PAM) for password change. It calls PAM with

a service name passwd and uses service module type auth for

authentication and password for password change.

Locking an account (-l option) does not allow its use for

password based login or delayed execution (such as at(1),

batch(1), or cron(1M)). The -N option can be used to disal-

low password based login, while continuing to allow delayed execution. OPTIONS The following options are supported:

-a

Shows password attributes for all entries. Use only with

the -s option. name must not be provided. For the files

and ldap repositories, this is restricted to the superuser.

SunOS 5.11 Last change: 15 Mar 2010 5

User Commands passwd(1)

-e

Changes the login shell. For the files repository, this only works for the superuser. Normal users can change the ldap or nis repositories. The choice of shell is limited by the requirements of getusershell(3C). If the user currently has a shell that is not allowed by getusershell, only root can change it.

-g

Changes the gecos (finger) information. For the files repository, this only works for the superuser. Normal users can change the ldap or nis repositories.

-h

Changes the home directory.

-r

Specifies the repository to which an operation is applied. The supported repositories are files, ldap, or nis.

-s name

Shows password attributes for the login name. For the files and ldap repositories, this only works for the

superuser. It does not work at all for the nis reposi-

tory, which does not support password aging.

The output of this option, and only this option, is Com-

mitted and parsable. The format is username followed by white space followed by one of the following codes. New codes might be added in the future so code that parses this must be flexible in the face of unknown codes. While all existing codes are two characters in length that might not always be the case. The following are the current status codes: LK

Account is locked for UNIX authenitcation. passwd -l

was run or the authentication failed RETRIES times.

SunOS 5.11 Last change: 15 Mar 2010 6

User Commands passwd(1)

The account is a no login account. passwd -N has

been run. NP

Account has no password. passwd -d was run.

PS The account probably has a valid password. UN The data in the password field is unknown. It is not a recognizable hashed password or any of the above entries. See crypt(3C) for valid password hashes. Privileged User Options Only a privileged user can use the following options:

-d

Deletes password for name and unlocks the account. The login name is not prompted for password. It is only applicable to the files and ldap repositories. If the login(1) option PASSREQ=YES is configured, the account is not able to login. PASSREQ=YES is the delivered default.

-f

Forces the user to change password at the next login by expiring the password for name.

-l

Locks password entry for name. See the -d or -u option

for unlocking the account.

-N

SunOS 5.11 Last change: 15 Mar 2010 7

User Commands passwd(1)

Makes the password entry for name a value that cannot be used for login, but does not lock the account. See the

-d option for removing the value, or to set a password

to allow logins.

-n min

Sets minimum field for name. The min field contains the minimum number of days between password changes for name. If min is greater than max, the user can not

change the password. Always use this option with the -x

option, unless max is set to -1 (aging turned off). In

that case, min need not be set.

-u

Unlocks a locked password for entry name. See the -d

option for removing the locked password, or to set a password to allow logins.

-w warn

Sets warn field for name. The warn field contains the number of days before the password expires and the user is warned. This option is not valid if password aging is disabled.

-x max

Sets maximum field for name. The max field contains the number of days that the password is valid for name. The aging for name is turned off immediately if max is set

to -1.

OPERANDS The following operand is supported: name User login name. ENVIRONMENT VARIABLES

If any of the LC_* variables, that is, LC_CTYPE,

LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and

LC_MONETARY (see environ(5)), are not set in the environ-

ment, the operational behavior of passwd for each

SunOS 5.11 Last change: 15 Mar 2010 8

User Commands passwd(1)

corresponding locale category is determined by the value of

the LANG environment variable. If LC_ALL is set, its con-

tents are used to override both the LANG and the other LC_*

variables. If none of the above variables is set in the

environment, the C (U.S. style) locale determines how passwd

behaves.

LC_CTYPE

Determines how passwd handles characters. When LC_CTYPE

is set to a valid value, passwd can display and handle

text and filenames containing valid characters for that

locale. passwd can display and handle Extended Unix Code

(EUC) characters where any individual character can be

1, 2, or 3 bytes wide. passwd can also handle EUC char-

acters of 1, 2, or more column widths. In the C locale,

only characters from ISO 8859-1 are valid.

LC_MESSAGES

Determines how diagnostic and informative messages are presented. This includes the language and style of the

messages, and the correct form of affirmative and nega-

tive responses. In the C locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English). EXIT STATUS

The passwd command exits with one of the following values:

0 Success. 1 Permission denied. 2 Invalid combination of options. 3 Unexpected failure. Password file unchanged.

SunOS 5.11 Last change: 15 Mar 2010 9

User Commands passwd(1)

4 Unexpected failure. Password file(s) missing. 5 Password file(s) busy. Try again later. 6 Invalid argument to option. 7 Aging option is disabled. 8 No memory. 9 System error. 10 Account expired. FILES

/etc/default/passwd

Default values can be set for the following flags in

/etc/default/passwd. For example: MAXWEEKS=26

DICTIONDBDIR

The directory where the generated dictionary data-

bases reside. Defaults to /var/passwd.

If neither DICTIONLIST nor DICTIONDBDIR is speci-

fied, the system does not perform a dictionary check.

SunOS 5.11 Last change: 15 Mar 2010 10

User Commands passwd(1)

DICTIONLIST

DICTIONLIST can contain list of comma separated dic-

tionary files such as DICTIONLIST=file1, file2, file3. Each dictionary file contains multiple lines

and each line consists of a word and a NEWLINE char-

acter (similar to /usr/share/lib/dict/words.) You must specify full pathnames. The words from these files are merged into a database that is used to

determine whether a password is based on a diction-

ary word.

If neither DICTIONLIST nor DICTIONDBDIR is speci-

fied, the system does not perform a dictionary check.

To pre-build the dictionary database, see

mkpwdict(1M). HISTORY Maximum number of prior password history to keep for a user. Setting the HISTORY value to zero (0), or removing the flag, causes the prior password history of all users to be discarded at the next password change by any user. The default is not to define the HISTORY flag. The maximum value is 26. Currently, this functionality is enforced only for user accounts defined in the files name service (local

passwd(4)/shadow(4)).

MAXREPEATS Maximum number of allowable consecutive repeating characters. If MAXREPEATS is not set or is zero (0), the default is no checks MAXWEEKS Maximum time period that password is valid. MINALPHA Minimum number of alpha character required. If MINALPHA is not set, the default is 2.

SunOS 5.11 Last change: 15 Mar 2010 11

User Commands passwd(1)

MINDIFF Minimum differences required between an old and a new password. If MINDIFF is not set, the default is 3. MINDIGIT Minimum number of digits required. If MINDIGIT is not set or is set to zero (0), the default is no

checks. You cannot be specify MINDIGIT if MINNONAL-

PHA is also specified. MINLOWER Minimum number of lower case letters required. If not set or zero (0), the default is no checks. MINNONALPHA

Minimum number of non-alpha (including numeric and

special) required. If MINNONALPHA is not set, the

default is 1. You cannot specify MINNONALPHA if MIN-

DIGIT or MINSPECIAL is also specified. MINWEEKS Minimum time period before the password can be changed. MINSPECIAL

Minimum number of special (non-alpha and non-digit)

characters required. If MINSPECIAL is not set or is zero (0), the default is no checks. You cannot specify MINSPECIAL if you also specify MINNONALPHA. MINUPPER Minimum number of upper case letters required. If MINUPPER is not set or is zero (0), the default is no checks.

NAMECHECK

SunOS 5.11 Last change: 15 Mar 2010 12

User Commands passwd(1)

Enable/disable checking or the login name. The

default is to do login name checking. A case insen-

sitive value of no disables this feature. PASSLENGTH Minimum length of password, in characters. WARNWEEKS Time period until warning of date of password's ensuing expiration. WHITESPACE Determine if white space characters are allowed in

passwords. Valid values are YES and NO. If WHI-

TESPACE is not set or is set to YES, white space characters are allowed. /etc/oshadow

Temporary file used by passwd and pwconv to update the

real shadow file.

/etc/passwd

Password file. /etc/shadow Shadow password file. /etc/shells Shell database.

ATTRIBUTES

See attributes(5) for descriptions of the following attri-

butes:

SunOS 5.11 Last change: 15 Mar 2010 13

User Commands passwd(1)

____________________________________________________________

| ATTRIBUTE TYPE | ATTRIBUTE VALUE |

|_____________________________|_____________________________|

| Availability | SUNWcs |

|_____________________________|_____________________________|

| CSI | Enabled |

|_____________________________|_____________________________|

| Interface Stability | See below. |

|_____________________________|_____________________________|

The human readable output is Uncommitted. The options are Committed.

at(1), batch(1), finger(1), kpasswd(1), login(1), cron(1M),

domainname(1M), eeprom(1M), id(1M), ldapclient(1M), mkpwdict(1M), pwconv(1M), su(1M), useradd(1M), userdel(1M), usermod(1M), crypt(3C), getpwnam(3C), getspnam(3C), getusershell(3C), pam(3PAM), loginlog(4), nsswitch.conf(4),

pam.conf(4), passwd(4), policy.conf(4), shadow(4),

shells(4), attributes(5), environ(5), pam_authtok_check(5),

pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),

pam_ldap(5), pam_unix_account(5), pam_unix_auth(5),

pam_unix_session(5)

NOTES

The pam_unix(5) module is no longer supported. Similar func-

tionality is provided by pam_unix_account(5),

pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),

pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and

pam_passwd_auth(5).

The ypasswd command is a wrapper around passwd. Use of

ypasswd is discouraged. Use passwd -r repository_name

instead. Changing a password in the files and ldap repositories clears the failed login count. Changing a password reactivates an account deactivated for inactivity for the length of the inactivity period. Input terminal processing might interpret some key sequences

and not pass them to the passwd command.

SunOS 5.11 Last change: 15 Mar 2010 14

User Commands passwd(1)

An account with no password, status code NP, might not be able to login. See the login(1) PASSREQ option.

SunOS 5.11 Last change: 15 Mar 2010 15