
Module 100


The external passwd command allows you to create or change the password associated with your user name. The super-user (system administrator) can change any user's password and is not prompted for the old password. As an ordinary user you can change only your own password.


Following is the general format for the passwd command.

     passwd [ user_name ]
     passwd [ -df ] [ -n min ] [ -x max ] [ -w warn ] user_name
     passwd [ -fl ] [ -n min ] [ -x max ] [ -w warn ] user_name
     passwd -s [ -a ]
     passwd -s [ user_name ]

BSD (Berkeley)
     passwd [ -fs ] [ user_name ]


The following list describes the options used to control how passwd functions.

-d        Deletes the password for user_name. The user_name will not be prompted for a password.
-f        Force the password to expire. The user_name is forced to enter a new password at the next login.
-l        Lock the password entry for user_name. No changes may be made.
-n min    Set the minimum number of days between password changes.
-s        Display (show) password attributes for user user_name. If no user_name is specified, your login user_name is used. The format of the information is

               user-name status mm/dd/yy min max warn

          or, if no password aging information is present,

               user-name status

          user_name   The login ID of a user
          status      The password status
                         PS   Passworded
                         LK   Locked
                         NP   No password
          mm/dd/yy    The date the password was last changed
          min         The minimum number of days between password changes. The label MINWEEKS specifies the default. It is located in the /etc/default/passwd file and is set to NULL. If min is greater than max, the user may not change the password. Always use with the -x option.
          max         The maximum number of days the password is valid. The user is forced to change the password every max days. The label MAXWEEKS specifies the default. It is located in the /etc/default/passwd file and is set to NULL. If max is set to -1 then aging is turned off. If it is set to 0 then user_name is forced to change the password at the next login and aging is turned off.
          warn        The number of days before the password expires, based on max, that the user_name will be warned.
-a        Display password attributes for all entries in the password file.
-w warn   Set the number of days before the password expires to notify the user_name.
-x max    Set the maximum number of days the password is valid.

BSD (Berkeley)
-f Allows you to change the information field of the /etc/passwd file for your login. Refer to chfn in Module 15 for further information.
-s Allows you to change the login shell in the /etc/passwd file for your login.
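
The status layout printed by passwd -s -a, as described in the option list above, can be filtered for accounts that need attention. This is an added example, not part of the original module; the function names audit_passwd_status and sample_status are hypothetical, and the accounts and dates in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit lines in the documented layout
#     user-name status mm/dd/yy min max warn     (or just: user-name status)
# audit_passwd_status reads such lines on stdin and prints one finding per line.
audit_passwd_status() {
    awk '
    NF < 2                        { next }   # skip blank or malformed lines
    $2 == "NP"                    { print $1 ": no password set" }
    $2 == "PS" && NF == 2         { print $1 ": no password aging information" }
    NF >= 5 && $5 == -1           { print $1 ": aging turned off (max = -1)" }
    NF >= 5 && $5 >= 0 && $4 > $5 { print $1 ": min > max, user cannot change password" }
    '
}

# Constructed sample input (not real accounts), one line per documented case.
sample_status() {
    cat <<'EOF'
root    PS 03/14/95 0 30 7
cj      PS
guest   NP
ops     PS 01/02/95 14 7 3
batch   LK 02/20/95 0 -1
EOF
}

# On a System V host the super-user would run: passwd -s -a | audit_passwd_status
sample_status | audit_passwd_status
```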


The following list describes the argument that may be passed to the passwd command.

user_name A valid user name in the /etc/passwd file. The user name is the first column (colon-separated columns) of the /etc/passwd file. Only the super-user can change another user's password.


The use of passwords and their implementation is highly dependent upon your company's security policy and your system administrator. Some system administrators don't require passwords, while others require passwords, perform full accounting on every user, and implement password aging. Check with your system administrator for the requirements placed on your account.


The passwd command is capable of checking the elapsed time since the password was last changed, referred to as password aging. If the elapsed time is sufficient, then the user is allowed to change the password. Password aging also requires that a user must change passwords after a specified amount of time. The system administrator decides if password aging is activated and how long each password is aged.

BSD (Berkeley)
Most BSD based systems do not provide password aging. You should check your reference manual for specific password implementations on your system.


The following is a list of requirements that a password must meet before passwd will allow it as your password.

1.  Must contain six characters. Only the first 8 characters are significant. The label PASSLEN specifies the maximum length for a password. It is in the file /etc/default/passwd.
2.  Must contain 2 alphabetic characters (upper or lowercase letters) and at least one special character or number.
3.  Must not be any circular shift combination or reversal of the user name. For example, if your user name is bill, your password could not be lbil, llbi, illb, llib, blli, ibll, or libl.
4.  New passwords must have at least 3 characters that differ from the old password.
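
The four System V requirements above, written as a shell check. This is an added example, not the passwd source; all function names are hypothetical, rule 1 is read as "at least six characters", and rule 4 is read as a position-by-position comparison with the old password.

```shell
#!/bin/sh
# Added example (not the real passwd source): the four System V rules above.
reverse() {                       # print $1 reversed
    s=$1; r=
    while [ -n "$s" ]; do rest=${s#?}; r=${s%"$rest"}$r; s=$rest; done
    printf '%s' "$r"
}

is_rotation() {                   # true if $1 is a circular shift of $2
    [ "${#1}" -eq "${#2}" ] || return 1
    case "$2$2" in *"$1"*) return 0 ;; esac
    return 1
}

is_name_variant() {               # rule 3: $1 = candidate, $2 = user name
    is_rotation "$1" "$2" || is_rotation "$1" "$(reverse "$2")"
}

diff_count() {                    # positions at which $1 and $2 differ (assumed reading of rule 4)
    a=$1; b=$2; n=0
    while [ -n "$a" ] || [ -n "$b" ]; do
        ra=${a#?}; rb=${b#?}
        [ "${a%"$ra"}" = "${b%"$rb"}" ] || n=$((n + 1))
        a=$ra; b=$rb
    done
    printf '%s' "$n"
}

check_password() {                # usage: check_password user old new
    user=$1; old=$2; new=$3
    alpha=$(( $(printf '%s' "$new" | LC_ALL=C tr -cd 'A-Za-z' | wc -c) ))
    other=$(( ${#new} - alpha ))  # anything that is not a letter
    if [ "${#new}" -lt 6 ]; then echo "rule 1: fewer than six characters"; return 1; fi
    if [ "$alpha" -lt 2 ] || [ "$other" -lt 1 ]; then
        echo "rule 2: need 2 letters and 1 digit or special character"; return 1
    fi
    if is_name_variant "$new" "$user"; then
        echo "rule 3: shift or reversal of the user name"; return 1
    fi
    if [ "$(diff_count "$old" "$new")" -lt 3 ]; then
        echo "rule 4: fewer than 3 characters differ from the old password"; return 1
    fi
    echo "ok"
}

# First call uses the passwords from this module's activity; the second is constructed.
check_password cj imauser2 passwd2
check_password cjones1 imauser2 1senojc || true
```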

BSD (Berkeley)
Berkeley is much more lenient about passwords. The following requirements must be met for a valid password.
1.  Must contain four characters if both upper and lowercase are used.
2.  Must contain six characters if only monocase.


Refer to the login command described in Module 77 and the su command described in Module 127. To change your information field refer to the chfn command in Module 15.


The passwd utility reads the /etc/passwd file to retrieve the existing password and store the new password. The /etc/shadow file is used to store secure password information. Some BSD systems support a type of shadow file.


The passwd command returns the following return codes upon completion:

0 Successful
1 Permission denied
2 Invalid combination of options
3 Unexpected failure, the password file is left unchanged
4 Unexpected failure, the password file is missing
5 The password file is busy, try again later
6 Invalid argument to an option

The $? shell variable ($status in csh) contains the return code, so echo $? will display the return status.


The passwd utility is used to create a new password for a user or change an existing password. It provides a means of user security on the system. By changing your password once or twice a month you reduce the chance of another user learning your current password. The use of passwords is dependent on your company's security policy and your system administrator's implementation of security features. It is advisable to use a password and change it every two weeks even if it's not required of you.

TIP:  Your password should be some meaningless string of intermixed numbers, characters, and symbols. Names of friends, wives, husbands, etc. are easily guessed by the criminal/jerk next door, down the street, or around the world.


In this activity you use the passwd command to change your password. The prompts that are returned from different password programs may vary but the requested response is the same.

1.  Type passwd and press Return at your shell prompt.
2.  Type imauser2 and press Return. Notice your password is not displayed on your screen; UNIX is reading it but does not "echo" it onto your screen. If you do not have a password, you will not see the following prompt, because UNIX knows you don't have an old password.
    cj> passwd
    Enter old passwd:
3.  After passwd verifies that you entered the correct old password it will prompt you for a new password. Type passwd2, your new password, and press Return. Again notice passwd does not echo your new password.
    cj> passwd
    Enter old passwd:
    Enter new passwd:
4.  passwd will require you to repeat the new password so that you know you typed it correctly. Type wrong1 and press Return. This will cause passwd to fail.
    cj> passwd
    Enter old passwd:
    Enter new passwd:
    Re-enter new passwd:

If the new password you typed does not match, your password will not be created or updated. Notice the following message that passwd returns in this situation.
    Mismatch - passwd not updated!
5.  Turn to Module 7 (SV) or Module 15 (BSD) to continue the learning sequence.
