passwd, chfn, chsh - Changes password file information
SYNOPSISpasswd [-f | -s] [username]
Displays the password attributes of all users. This option may only be
used with the -q option and you must be root. Invokes the chfn command
when given with the passwd command. Displays the password status of PS
if the user has a password, LK if the user has an administrative lock,
or NP if the user has no password. Users other than root may only use
the -q option on themselves. If a username is not specified, the pass‐
word status of the current username is displayed. Invokes the chsh
command when given with the passwd command. Prompts the user to change
their general user information, such as full name, office phone, office
number, and home phone number. Phone numbers can be entered with or
without dashes. Included in each prompt is a default value enclosed in
[ ] (brackets). Press the Enter key to accept the default value or
enter a new value or the word none to leave a field blank and press the
To display general information for a user, enter the finger
A superuser can change any user's general information; other
users can only change their own. Superusers can also run the
account management interfaces, dxaccounts, and usermod to modify
passwords. Prompts the user to change the login shell. The new
login shell must be one of the approved shells listed in the
/etc/shells file unless you have superuser privileges. If the
/etc/shells file does not exist, the only shells that can be
specified are /usr/bin/sh and /usr/bin/csh. If you abbreviate
the shell name, the first entry in the /etc/shells file that
matches the shell abbreviation is used. For example, if you
specify ksh, and both the /bin/ksh and /usr/bin/ksh shells are
in the /etc/shells file, the shell is changed to the shell that
A superuser can change any user's login shell; other users can
only change their own.
The passwd command changes the password associated with your username
(by default) or the specified username.
A password must have at least six characters and can be up to eight
characters. If you enter more than eight characters when creating a
password, the passwd command ignores any characters after the eighth.
A password can include digits, symbols, and the letters of your alpha‐
bet. It is strongly suggested that you include unusual punctuation,
control characters, or digits in your password. Use of only lowercase
letters is discouraged.
This passwd command uses the Security Integration Architecture (SIA)
routine as an interface to the security modules. When entering the
passwd command, a user is either prompted for password information or a
menu is displayed from which the user chooses a password to change. The
menu is displayed if the user's name is recognized by more than one
registered security module in the SIA.
When using the menu, users can synchronize all their passwords at once
to the same new password. However, passwords of all security mechanisms
must already be same at the start of the synchronizing process. If the
password for each security mechanisms is different, users must first
change them individually to be the same.
If your system is configured into a Kerberos realm, you can use the
passwd command to change your Kerberos password because Kerberos is a
registered security module in the SIA.
If a user's passwords are not synchronized and they are operating in a
Kerberos realm and need to use the Kerberos enhancement commands, such
as rsh, rlogin, and rcp, then they must first enter the kinit command
to obtain a Kerberos Ticket Granting Ticket (TGT).
Under enhanced security the passwd-q command gathers information from
the enhanced security password and system defaults databases, and dis‐
plays the data as follows: name status date min_change max_change
The status field is PS if the user has a password, LK if the user has
an administrative lock, or NP if the user has no password. The date is
the day of the last successful password change in mm/dd/yy format.
The min_change field is the period in days, measured from the date of
last password change, which must pass before a user can change his user
account password. A value of 0 means the password may be changed at
any time. The max_change field is the period in days, measured from the
date of last password change, for which the password is valid. Adding
this value to the date of last password change gives the date at which
the password expires and a change will be required. A value of 0 means
that the password will never expire.
When you use the passwd command with enhanced security installed, the
system prompts for the existing password, and begins a password solici‐
tation dialog that depends on the options for password generation the
administrator has enabled for your account. There are four possible
options: A pronounceable password made up of meaningless syllables. An
unpronounceable password made up of random characters from the charac‐
ter set. An unpronounceable password made up of random letters from
the alphabet. A user specified password, which is subject to length
and triviality restrictions.
A maximum length is specified for all user passwords. The minimum
password length depends on several parameters set in the authentication
The system requires a minimum time to elapse before you can change your
password. This stops you from reusing an old password too soon.
A password expires after a period of time known as the expiration time.
The system warns you when the expiration time is drawing near.
A password dies after a period of time known as the password lifetime.
After the lifetime passes, your account is locked until the administra‐
tor re-enables it. After your user account is unlocked, you must
change your password again before you can use your account.
When you successfully type your old password, the system prints the
last successful and unsuccessful password change times. Make sure that
these times are accurate; use them to detect attempted password changes
by an unauthorized user.
You can change your own password if the administrator has enabled any
of the password generation options for your account.
Using the passwd command to reset a user's password does not unlock the
user's account if the account is locked for a reason other than an
If a password longer than 8 characters was entered under base security
and then enhanced security is installed, you must use only the first 8
characters of the original password. This is because base security
only used the first 8 characters of the password and the enhanced pass‐
word is created from the base password.
To change your password, enter: $ passwd
You are prompted for your old password (if it exists). You are
then prompted twice for the new password. To change general
user information, enter: $ chfn
The current user values are displayed. Press the Enter key to
accept the default value or enter a new value or the word none
to leave a field blank, and press the Enter key. Name [User
Name]: Room Number [3A-41]: 4A-43 Office Phone [3-1234]: Home
Phone [555-1234]: To change only your Kerberos password when
your system is configured into a Kerberos realm, enter: $ passwd
The following menu is displayed: You are registered with the
following security mechanisms
1 Kerberos 2 BSD 3 Synchronized update for the above-listed
[Default selection: 3]
Select ONE item by number: 1
You have selected: Kerberos
Old Kerberos password: New Kerberos password: Verify Kerberos
Contains user information. The list of approved shells. Provides the
matrix that selects the appropriate installed security module.
Enhanced security password database for system accounts. Enhanced
security password database for user accounts. Enhanced security's sys‐
tem defaults database.
Commands: finger(1), kinit(1), kdestroy(1), klist(1), login(1),
vipw(8), dxaccounts(8), usermod(8)
Files: matrix.conf(4), prpasswd(4), passwd(4)
Guides: Security Administration