Wednesday, November 23, 2011

The passwd command- continued

To recap, the syntax of the passwd command is:
              passwd [name]
              passwd [-l | -d] [-f] [-n min] [-x max] [-w warn] name
              passwd -s [-a]
              passwd -g [name]


The following options can be used only by a privileged user:

  • -l: Locks the password entry for name.
  • -d: Deletes the password for name. The login name will not be prompted for a password.
  • -n: Sets the minimum field for name. The min field contains the minimum number of days between password changes for name. If the value of min is greater than the value of max, the user may not change the password. Always use this option with the -x option, unless max is set to -1 (ageing turned off). In that case, min need not be set.
  • -x: Sets the maximum field for name. The max field contains the number of days that the password is valid for name. Ageing for name is turned off if max is set to -1.
  • -w: Sets the warn field for name. The warn field contains the number of days the user will be warned before the password expires.
  • -a: Shows password attributes for all entries. Use only with the -s option; name must not be provided.
  • -f: Forces the user to change the password at the next login by expiring the password for name.

Any user may use the -s option to show password attributes for one's own login name.
The format of the output will be:
name status mm/dd/yy min max warn

Or, if password ageing information is absent,
name status

Super users may change any password; hence, passwd does not prompt privileged users for the old password. Privileged users are not forced to comply with password ageing and password construction requirements. A privileged user can create a null password by entering a carriage return in response to the prompt for a new password.

The passwd command exits with one of the following values:
0 SUCCESS
1 Permission denied
2 Invalid combination of options
3 Unexpected failure. Password file unchanged.
4 Unexpected failure. Password file is missing.
5 Password file(s) busy. Try again later.
6 Invalid argument to option.


If root deletes a password for a user with the passwd -d command and password ageing is in effect for that user, the user will not be allowed to add a new password until the NULL password has been aged. This is true even if the PASSREQ flag in /etc/login/default is set to YES. This results in a user without a password. It is recommended that the -f option be used with the -d option so that the user is forced to change the password at the next login.
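
The report format shown earlier and the ageing rules above can be checked mechanically. The script below is an added example, not part of the original post: it reads lines in the `passwd -s -a` format and reports the conditions this page describes. The status values PS, LK and NP, the function names and the sample lines are assumptions constructed for illustration; the page does not list status values.

```shell
#!/bin/sh
# Added example: audit a report in the "name status mm/dd/yy min max warn"
# format (or "name status" when ageing information is absent).
# Reads report lines on stdin, prints one finding per line as "<name>: <finding>".
audit_passwd_report() {
    awk '
    NF < 2 { next }                           # skip blank or malformed lines
    # Assumption: NP is the status shown for an account with no password.
    { name = $1; nopw = ($2 == "NP") }
    nopw   { print name ": no password set" }
    NF < 5 { print name ": no ageing information"; next }
    {
        min = $4 + 0; max = $5 + 0
        if (max == -1) {                      # -x -1 turns ageing off
            print name ": ageing turned off (max = -1)"
            next
        }
        if (min > max)                        # the -n rule described above
            print name ": min > max, user may not change the password"
        if (nopw)                             # the passwd -d case with ageing on
            print name ": null password must age before the user can set a new one"
    }'
}

# Constructed sample report (not real accounts).
sample_report() {
    cat <<'EOF'
alice PS 11/01/11 7 90 14
bob PS 10/15/11 30 20 7
carol NP
dave LK 09/01/11 0 -1
erin NP 11/20/11 7 90 14
EOF
}

# On a real system: passwd -s -a | audit_passwd_report
sample_report | audit_passwd_report
```

Accounts reported with a null password under active ageing are the ones for which the -f option should have accompanied -d.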


The next post will list the rules for choosing a password and the details of the files used by the passwd command.
