PASSWD(1) User Commands PASSWD(1)


passwd - change login password and password attributes


passwd [-r files | -r ldap | -r nis] [name]

passwd [-r files] [-egh] [name]

passwd [-r files] -s [-a]

passwd [-r files] -s [name]

passwd [-r files] [-d | -l | -u | -N] [-f] [-n min]
[-w warn] [-x max] name

passwd -r ldap [-egh] [name]

passwd [-r ldap ] -s [-a]

passwd [-r ldap ] -s [name]

passwd -r ldap [-d | -l | -u | -N] [-f] [-n min] [-w warn] [-x max] name

passwd -r nis [-egh] [name]


The passwd command changes the password or lists password attributes
associated with the user's login name. Additionally, privileged users can
use passwd to install or change passwords and attributes associated with
any login name.

When used to change a password, passwd prompts everyone for their old
password, if any. It then prompts for the new password twice. When the
old password is entered, passwd checks to see if it has aged
sufficiently. If aging is insufficient, passwd terminates; see pwconv(8)
and shadow(5) for additional information.

The pwconv command creates and updates /etc/shadow with information from
/etc/passwd. pwconv relies on a special value of x in the password field
of /etc/passwd. This value of x indicates that the password for the user
is already in /etc/shadow and should not be modified.

If aging is sufficient, a check is made to ensure that the new password
meets construction requirements. When the new password is entered a
second time, the two copies of the new password are compared. If the two
copies are not identical, the cycle of prompting for the new password is
repeated for, at most, two more times.

Passwords must be constructed to meet the following requirements:

o Each password must have PASSLENGTH characters, where
PASSLENGTH is defined in /etc/default/passwd and is set to 6.
Setting PASSLENGTH to more than eight characters requires
configuring policy.conf(5) with an algorithm that supports
greater than eight characters.

o Each password must meet the configured complexity constraints
specified in /etc/default/passwd.

o Each password must not be a member of the configured
dictionary as specified in /etc/default/passwd.

o For accounts in name services which support password history
checking, if prior password history is defined, new passwords
must not be contained in the prior password history.

If all requirements are met, by default, the passwd command consults
/etc/nsswitch.conf to determine in which repositories to perform password
update. It searches the passwd and passwd_compat entries. The sources
(repositories) associated with these entries are updated. However, the
password update configurations supported are limited to the following
cases. Failure to comply with the configurations prevents users from
logging onto the system. The password update configurations are:

o passwd: files

o passwd: files ldap

o passwd: files nis

o passwd: compat (==> files nis)

o passwd: compat (==> files ldap)

passwd_compat: ldap

You can add the ad keyword to any of the passwd configurations in the
above list. However, you cannot use the passwd command to change the
password of an Active Directory (AD) user. If the ad keyword is found in
the passwd entry during a password update operation, it is ignored. To
update the password of an AD user, use the kpasswd(1) command.

The administrator configured for updating LDAP shadow information can
change any password attributes. See ldapclient(8).

When a user has a password stored in one of the name services as well as
a local files entry, the passwd command updates both. It is possible to
have different passwords in the name service and local files entry. Use
passwd -r to change a specific password repository.

In the files case, super-users (for instance, real and effective uid
equal to 0, see id(8) and su(8)) can change any password. Hence, passwd
does not prompt privileged users for the old password. Privileged users
are not forced to comply with password aging and password construction
requirements. A privileged user can create a null password by entering a
carriage return in response to the prompt for a new password. (This
differs from passwd -d because the password prompt is still displayed.)
If NIS is in effect, superuser on the root master can change any password
without being prompted for the old NIS passwd, and is not forced to
comply with password construction requirements.

If LDAP is in effect, superuser on any Native LDAP client system can
change any password without being prompted for the old LDAP passwd, and
is not forced to comply with password construction requirements.

Normally, passwd entered with no arguments changes the password of the
current user. When a user logs in and then invokes su(8) to become
superuser or another user, passwd changes the original user's password,
not the password of the superuser or the new user.

Any user can use the -s option to show password attributes for his or her
own login name. Otherwise, the -s argument is restricted to the

The format of the display is:

name status mm/dd/yy min max warn

or, if password aging information is not present,

name status


The login ID of the user.

The password status of name.

The status field can take the following values:

This account is locked account. See Security.

This account is a no login account. See Security.

This account has no password and is therefore open
without authentication.

This account has a password.

The date password was last changed for name. All password
aging dates are determined using Greenwich Mean Time
(Universal Time) and therefore can differ by as much as a day
in other time zones.

The minimum number of days required between password changes
for name. MINWEEKS is found in /etc/default/passwd and is
set to NULL.

The maximum number of days the password is valid for name.
MAXWEEKS is found in /etc/default/passwd and is set to NULL.

The number of days relative to max before the password
expires and the name are warned.


passwd uses pam(3PAM) for password change. It calls PAM with a service
name passwd and uses service module type auth for authentication and
password for password change.

Locking an account (-l option) does not allow its use for password based
login or delayed execution (such as at(1), batch(1), or cron(8)). The -N
option can be used to disallow password based login, while continuing to
allow delayed execution.


The following options are supported:

Shows password attributes for all entries. Use only with
the -s option. name must not be provided. For the files
and ldap repositories, this is restricted to the

Changes the login shell. The choice of shell is limited
by the requirements of getusershell(3C). If the user
currently has a shell that is not allowed by
getusershell, only root can change it.

Changes the gecos (finger) information. For the files
repository, this only works for the superuser. Normal
users can change the ldap or nis repositories.

Changes the home directory.

Specifies the repository to which an operation is
applied. The supported repositories are files, ldap, or

-s name
Shows password attributes for the login name. For the
files and ldap repositories, this only works for the
superuser. It does not work at all for the nis
repository which does not support password aging.

The output of this option, and only this option is
Stable and parsable. The format is username followed by
white space followed by one of the following codes.

New codes might be added in the future so code that
parses this must be flexible in the face of unknown
codes. While all existing codes are two characters in
length that might not always be the case.

The following are the current status codes:

Account is locked for UNIX authentication. passwd
-l was run or the authentication failed RETRIES

The account is a no login account. passwd -N has
been run.

Account has no password. passwd -d was run.

The account probably has a valid password.

The data in the password field is unknown. It is
not a recognizable hashed password or any of the
above entries. See crypt(3C) for valid password

Privileged User Options

Only a privileged user can use the following options:

Deletes password for name and unlocks the account. The login
name is not prompted for password. It is only applicable to
the files and ldap repositories.

If the login(1) option PASSREQ=YES is configured, the account
is not able to login. PASSREQ=YES is the delivered default.

Forces the user to change password at the next login by
expiring the password for name.

Locks password entry for name. See the -d or -u option for
unlocking the account.

Makes the password entry for name a value that cannot be used
for login, but does not lock the account. See the -d option
for removing the value, or to set a password to allow logins.

-n min
Sets minimum field for name. The min field contains the
minimum number of days between password changes for name. If
min is greater than max, the user can not change the password.
Always use this option with the -x option, unless max is set
to -1 (aging turned off). In that case, min need not be set.

Unlocks a locked password for entry name. See the -d option
for removing the locked password, or to set a password to
allow logins.

-w warn
Sets warn field for name. The warn field contains the number
of days before the password expires and the user is warned.
This option is not valid if password aging is disabled.

-x max
Sets maximum field for name. The max field contains the number
of days that the password is valid for name. The aging for
name is turned off immediately if max is set to -1.


The following operand is supported:

User login name.


If any of the LC_* variables, that is, LC_CTYPE, LC_MESSAGES, LC_TIME,
LC_COLLATE, LC_NUMERIC, and LC_MONETARY (see environ(7)), are not set in
the environment, the operational behavior of passwd for each
corresponding locale category is determined by the value of the LANG
environment variable. If LC_ALL is set, its contents are used to override
both the LANG and the other LC_* variables. If none of the above
variables is set in the environment, the C (U.S. style) locale determines
how passwd behaves.

Determines how passwd handles characters. When LC_CTYPE is
set to a valid value, passwd can display and handle text
and filenames containing valid characters for that locale.
passwd can display and handle Extended Unix Code (EUC)
characters where any individual character can be 1, 2, or
3 bytes wide. passwd can also handle EUC characters of 1,
2, or more column widths. In the C locale, only characters
from ISO 8859-1 are valid.

Determines how diagnostic and informative messages are
presented. This includes the language and style of the
messages, and the correct form of affirmative and negative
responses. In the C locale, the messages are presented in
the default form found in the program itself (in most
cases, U.S. English).


The passwd command exits with one of the following values:


Permission denied.

Invalid combination of options.

Unexpected failure. Password file unchanged.

Unexpected failure. Password file(s) missing.

Password file(s) busy. Try again later.

Invalid argument to option.

Aging option is disabled.

No memory.

System error.

Account expired.


Default values can be set for the following flags
in /etc/default/passwd. For example: MAXWEEKS=26

The directory where the generated
dictionary databases reside.
Defaults to /var/passwd.

If neither DICTIONLIST nor
DICTIONDBDIR is specified, the
system does not perform a
dictionary check.

DICTIONLIST can contain list of
comma separated dictionary files
such as DICTIONLIST=file1, file2,
file3. Each dictionary file
contains multiple lines and each
line consists of a word and a
NEWLINE character (similar to
/usr/share/lib/dict/words.) You
must specify full pathnames. The
words from these files are merged
into a database that is used to
determine whether a password is
based on a dictionary word.

If neither DICTIONLIST nor
DICTIONDBDIR is specified, the
system does not perform a
dictionary check.

To pre-build the dictionary
database, see mkpwdict(8).

Maximum number of prior password
history to keep for a user.
Setting the HISTORY value to zero
(0), or removing the flag, causes
the prior password history of all
users to be discarded at the next
password change by any user. The
default is not to define the
HISTORY flag. The maximum value is
26. Currently, this functionality
is enforced only for user accounts
defined in the files name service
(local passwd(5)/shadow(5)).

Maximum number of allowable
consecutive repeating characters.
If MAXREPEATS is not set or is
zero (0), the default is no checks

Maximum time period that password
is valid.

Minimum number of alpha character
required. If MINALPHA is not set,
the default is 2.

Minimum differences required
between an old and a new password.
If MINDIFF is not set, the default
is 3.

Minimum number of digits required.
If MINDIGIT is not set or is set
to zero (0), the default is no
checks. You cannot be specify

Minimum number of lower case
letters required. If not set or
zero (0), the default is no

Minimum number of non-alpha
(including numeric and special)
required. If MINNONALPHA is not
set, the default is 1. You cannot
MINSPECIAL is also specified.

Minimum time period before the
password can be changed.

Minimum number of special (non-
alpha and non-digit) characters
required. If MINSPECIAL is not set
or is zero (0), the default is no
checks. You cannot specify
MINSPECIAL if you also specify

Minimum number of upper case
letters required. If MINUPPER is
not set or is zero (0), the
default is no checks.

Enable/disable checking or the
login name. The default is to do
login name checking. A case
insensitive value of no disables
this feature.

Minimum length of password, in

Time period until warning of date
of password's ensuing expiration.

Determine if white space
characters are allowed in
passwords. Valid values are YES
and NO. If WHITESPACE is not set
or is set to YES, white space
characters are allowed.

Temporary file used by passwd, passmgmt and pwconv
to update the real shadow file.

Password file.

Shadow password file.

Shell database.


See attributes(7) for descriptions of the following attributes:

|CSI | Enabled |
|Interface Stability | See below. |

The human readable output is Uncommitted. The options are Committed.


at(1), batch(1), finger(1), kpasswd(1), login(1), crypt(3C),
getpwnam(3C), getspnam(3C), getusershell(3C), pam(3PAM), loginlog(5),
nsswitch.conf(5), pam.conf(5), passwd(5), policy.conf(5), shadow(5),
shells(5), attributes(7), environ(7), pam_authtok_check(7),
pam_authtok_get(7), pam_authtok_store(7), pam_dhkeys(7), pam_ldap(7),
pam_unix_account(7), pam_unix_auth(7), pam_unix_session(7), cron(8),
domainname(8), eeprom(8), id(8), ldapclient(8), mkpwdict(8), passmgmt(8),
pwconv(8), su(8), useradd(8), userdel(8), usermod(8)


The pam_unix(7) module is no longer supported. Similar functionality is
provided by pam_unix_account(7), pam_unix_auth(7), pam_unix_session(7),
pam_authtok_check(7), pam_authtok_get(7), pam_authtok_store(7),
pam_dhkeys(7), and pam_passwd_auth(7).

The yppasswd command is a wrapper around passwd. Use of yppasswd is
discouraged. Use passwd -r repository_name instead.

Changing a password in the files and ldap repositories clears the failed
login count.

Changing a password reactivates an account deactivated for inactivity for
the length of the inactivity period.

If /etc/shells is present, and is corrupted, it may provide an attack
vector that would compromise the system. The getusershell(3c) library
call has a pre-vetted list of shells, so /etc/shells should be used with

Input terminal processing might interpret some key sequences and not pass
them to the passwd command.

An account with no password, status code NP, might not be able to login.
See the login(1) PASSREQ option.

illumos February 25, 2017 PASSWD(1)