passwd -l user_login_name
계정 상태 확인
passwd -S user_login_name
계정 unlock
passwd -u user_login_name
root@xena501:/] # man passwd
Reformatting page. Please Wait... done
User Commands passwd(1)
NAME
passwd - change login password and password attributes
SYNOPSIS
passwd [-r files | -r ldap | -r nis | -r nisplus]
[name]
passwd [-r files] [-egh] [name]
passwd [-r files] -s [-a]
passwd [-r files] -s [name]
passwd [-r files] [-d | -l | -u | -N] [-f] [-n min]
[-w warn] [-x max] name
passwd -r ldap [-egh] [name]
passwd -r nis [-egh] [name]
passwd -r nisplus [-egh] [-D domainname] [name]
passwd -r nisplus -s [-a]
passwd -r nisplus [-D domainname] -s [name]
passwd -r nisplus [-l | -u | -N] [-f] [-n min] [-w warn]
[-x max] [-D domainname] name
DESCRIPTION
The passwd command changes the password or lists password
attributes associated with the user's login name. Addition-
ally, privileged users can use passwd to install or change
passwords and attributes associated with any login name.
When used to change a password, passwd prompts everyone for
their old password, if any. It then prompts for the new
password twice. When the old password is entered, passwd
checks to see if it has aged sufficiently. If aging is
insufficient, passwd terminates; see pwconv(1M),
SunOS 5.10 Last change: 27 Aug 2007 1
User Commands passwd(1)
nistbladm(1), and shadow(4) for additional information.
The pwconv command creates and updates /etc/shadow with
information from /etc/passwd. pwconv relies on a special
value of 'x' in the password field of /etc/passwd. This
value of 'x' indicates that the password for the user is
already in /etc/shadow and should not be modified.
If aging is sufficient, a check is made to ensure that the
new password meets construction requirements. When the new
password is entered a second time, the two copies of the new
password are compared. If the two copies are not identical,
the cycle of prompting for the new password is repeated for,
at most, two more times.
Passwords must be constructed to meet the following require-
ments:
o Each password must have PASSLENGTH characters,
where PASSLENGTH is defined in /etc/default/passwd
and is set to 6. Setting PASSLENGTH to more than
eight characters requires configuring
policy.conf(4) with an algorithm that supports
greater than eight characters.
o Each password must meet the configured complexity
constraints specified in /etc/default/passwd.
o Each password must not be a member of the config-
ured dictionary as specified in
/etc/default/passwd.
o For accounts in name services which support pass-
word history checking, if prior password history is
defined, new passwords must not be contained in the
prior password history.
If all requirements are met, by default, the passwd command
consults /etc/nsswitch.conf to determine in which reposi-
tories to perform password update. It searches the passwd
and passwd_compat entries. The sources (repositories) asso-
ciated with these entries are updated. However, the password
update configurations supported are limited to the following
cases. Failure to comply with the configurations prevents
users from logging onto the system. The password update con-
figurations are:
o passwd: files
SunOS 5.10 Last change: 27 Aug 2007 2
User Commands passwd(1)
o passwd: files ldap
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files ldap)
passwd_compat: ldap
o passwd: compat (==> files nisplus)
passwd_compat: nisplus
Network administrators, who own the NIS+ password table, can
change any password attributes.
When a user has a password stored in one of the name ser-
vices as well as a local files entry, the passwd command
updates both. It is possible to have different passwords in
the name service and local files entry. Use passwd -r to
change a specific password repository.
In the files case, super-users (for instance, real and
effective uid equal to 0, see id(1M) and su(1M)) can change
any password. Hence, passwd does not prompt privileged users
for the old password. Privileged users are not forced to
comply with password aging and password construction
requirements. A privileged user can create a null password
by entering a carriage return in response to the prompt for
a new password. (This differs from passwd -d because the
password prompt is still displayed.) If NIS is in effect,
superuser on the root master can change any password without
being prompted for the old NIS passwd, and is not forced to
comply with password construction requirements.
Normally, passwd entered with no arguments changes the pass-
word of the current user. When a user logs in and then
invokes su(1M) to become super-user or another user, passwd
changes the original user's password, not the password of
the super-user or the new user.
Any user can use the -s option to show password attributes
for his or her own login name, provided they are using the
-r nisplus argument. Otherwise, the -s argument is
SunOS 5.10 Last change: 27 Aug 2007 3
User Commands passwd(1)
restricted to the superuser.
The format of the display is:
name status mm/dd/yy min max warn
or, if password aging information is not present,
name status
where
name The login ID of the user.
status The password status of name.
The status field can take the following
values:
PS This account has a pass-
word.
NL This account is a no login
account. See Security.
LK This account is locked
account. See Security.
NP This account has no pass-
word and is therefore open
without authentication.
mm/dd/yy The date password was last changed for
name. All password aging dates are
determined using Greenwich Mean Time
(Universal Time) and therefore can
differ by as much as a day in other time
zones.
SunOS 5.10 Last change: 27 Aug 2007 4
User Commands passwd(1)
min The minimum number of days required
between password changes for name.
MINWEEKS is found in /etc/default/passwd
and is set to NULL.
max The maximum number of days the password
is valid for name. MAXWEEKS is found in
/etc/default/passwd and is set to NULL.
warn The number of days relative to max
before the password expires and the name
are warned.
Security
passwd uses pam(3PAM) for password change. It calls PAM with
a service name passwd and uses service module type auth for
authentication and password for password change.
Locking an account (-l option) does not allow its use for
password based login or delayed execution (such as at(1),
batch(1), or cron(1M)). The -N option can be used to disal-
low password based login, while continuing to allow delayed
execution.
OPTIONS
The following options are supported:
-a Shows password attributes for all
entries. Use only with the -s option.
name must not be provided. For the
nisplus repository, this shows only the
entries in the NIS+ password table in
the local domain that the invoker is
authorized to read. For the files repo-
sitory, this is restricted to the
superuser.
-D domainname Consults the passwd.org_dir table in
domainname. If this option is not speci-
fied, the default domainname returned by
nis_local_directory(3NSL) are used. This
domain name is the same as that returned
by domainname(1M).
-e Changes the login shell. For the files
repository, this only works for the
SunOS 5.10 Last change: 27 Aug 2007 5
User Commands passwd(1)
superuser. Normal users can change the
ldap, nis, or nisplus repositories. The
choice of shell is limited by the
requirements of getusershell(3C). If the
user currently has a shell that is not
allowed by getusershell, only root can
change it.
-g Changes the gecos (finger) information.
For the files repository, this only
works for the superuser. Normal users
can change the ldap, nis, or nisplus
repositories.
-h Changes the home directory.
-r Specifies the repository to which an
operation is applied. The supported
repositories are files, ldap, nis, or
nisplus.
-s name Shows password attributes for the login
name. For the nisplus repository, this
works for everyone. However for the
files repository, this only works for
the superuser. It does not work at all
for the nis repository which does not
support password aging.
Privileged User Options
Only a privileged user can use the following options:
-d Deletes password for name and unlocks
the account. The login name is not
prompted for password. It is only appli-
cable to the files repository.
-f Forces the user to change password at
the next login by expiring the password
for name.
-l Locks password entry for name. See the
-d or -u option for unlocking the
account.
SunOS 5.10 Last change: 27 Aug 2007 6
User Commands passwd(1)
-N Makes the password entry for name a
value that cannot be used for login, but
does not lock the account. See the -d
option for removing the value, or to set
a password to allow logins.
-n min Sets minimum field for name. The min
field contains the minimum number of
days between password changes for name.
If min is greater than max, the user can
not change the password. Always use this
option with the -x option, unless max is
set to -1 (aging turned off). In that
case, min need not be set.
-u Unlocks a locked password for entry
name. See the -d option for removing the
locked password, or to set a password to
allow logins.
-w warn Sets warn field for name. The warn field
contains the number of days before the
password expires and the user is warned.
This option is not valid if password
aging is disabled.
-x max Sets maximum field for name. The max
field contains the number of days that
the password is valid for name. The
aging for name is turned off immediately
if max is set to -1.
OPERANDS
The following operand is supported:
name User login name.
ENVIRONMENT VARIABLES
If any of the LC_* variables, that is, LC_CTYPE,
LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and
LC_MONETARY (see environ(5)), are not set in the environ-
ment, the operational behavior of passwd for each
corresponding locale category is determined by the value of
the LANG environment variable. If LC_ALL is set, its con-
tents are used to override both the LANG and the other LC_*
variables. If none of the above variables is set in the
SunOS 5.10 Last change: 27 Aug 2007 7
User Commands passwd(1)
environment, the C (U.S. style) locale determines how passwd
behaves.
LC_CTYPE Determines how passwd handles charac-
ters. When LC_CTYPE is set to a valid
value, passwd can display and handle
text and filenames containing valid
characters for that locale. passwd can
display and handle Extended Unix Code
(EUC) characters where any individual
character can be 1, 2, or 3 bytes wide.
passwd can also handle EUC characters of
1, 2, or more column widths. In the C
locale, only characters from ISO 8859-1
are valid.
LC_MESSAGES Determines how diagnostic and informa-
tive messages are presented. This
includes the language and style of the
messages, and the correct form of affir-
mative and negative responses. In the C
locale, the messages are presented in
the default form found in the program
itself (in most cases, U.S. English).
EXIT STATUS
The passwd command exits with one of the following values:
0 Success.
1 Permission denied.
2 Invalid combination of options.
3 Unexpected failure. Password file unchanged.
4 Unexpected failure. Password file(s) missing.
5 Password file(s) busy. Try again later.
6 Invalid argument to option.
SunOS 5.10 Last change: 27 Aug 2007 8
User Commands passwd(1)
7 Aging option is disabled.
8 No memory.
9 System error.
10 Account expired.
FILES
/etc/default/passwd
Default values can be set for the following flags in
/etc/default/passwd. For example: MAXWEEKS=26
DICTIONDBDIR The directory where the generated
dictionary databases reside.
Defaults to /var/passwd.
If neither DICTIONLIST nor DIC-
TIONDBDIR is specified, the system
does not perform a dictionary check.
DICTIONLIST DICTIONLIST can contain list of
comma separated dictionary files
such as DICTIONLIST=file1, file2,
file3. Each dictionary file contains
multiple lines and each line con-
sists of a word and a NEWLINE char-
acter (similar to
/usr/share/lib/dict/words.) You must
specify full pathnames. The words
from these files are merged into a
database that is used to determine
whether a password is based on a
dictionary word.
If neither DICTIONLIST nor DIC-
TIONDBDIR is specified, the system
does not perform a dictionary check.
To prebuild the dictionary database,
see mkpwdict(1M).
HISTORY Maximum number of prior password
history to keep for a user. Setting
the HISTORY value to zero (0), or
SunOS 5.10 Last change: 27 Aug 2007 9
User Commands passwd(1)
removing the flag, causes the prior
password history of all users to be
discarded at the next password
change by any user. The default is
not to define the HISTORY flag. The
maximum value is 26. Currently, this
functionality is enforced only for
user accounts defined in the files
name service (local
passwd(4)/shadow(4)).
MAXREPEATS Maximum number of allowable consecu-
tive repeating characters. If MAX-
REPEATS is not set or is zero (0),
the default is no checks
MAXWEEKS Maximum time period that password is
valid.
MINALPHA Minimum number of alpha character
required. If MINALPHA is not set,
the default is 2.
MINDIFF Minimum differences required between
an old and a new password. If MIN-
DIFF is not set, the default is 3.
MINDIGIT Minimum number of digits required.
If MINDIGIT is not set or is set to
zero (0), the default is no checks.
You cannot be specify MINDIGIT if
MINNONALPHA is also specified.
MINLOWER Minimum number of lower case letters
required. If not set or zero (0),
the default is no checks.
MINNONALPHA Minimum number of non-alpha (includ-
ing numeric and special) required.
If MINNONALPHA is not set, the
default is 1. You cannot specify
MINNONALPHA if MINDIGIT or MINSPE-
CIAL is also specified.
SunOS 5.10 Last change: 27 Aug 2007 10
User Commands passwd(1)
MINWEEKS Minimum time period before the pass-
word can be changed.
MINSPECIAL Minimum number of special (non-alpha
and non-digit) characters required.
If MINSPECIAL is not set or is zero
(0), the default is no checks. You
cannot specify MINSPECIAL if you
also specify MINNONALPHA.
MINUPPER Minimum number of upper case letters
required. If MINUPPER is not set or
is zero (0), the default is no
checks.
NAMECHECK Enable/disable checking or the login
name. The default is to do login
name checking. A case insensitive
value of no disables this feature.
PASSLENGTH Minimum length of password, in char-
acters.
WARNWEEKS Time period until warning of date of
password's ensuing expiration.
WHITESPACE Determine if whitespace characters
are allowed in passwords. Valid
values are YES and NO. If WHITESPACE
is not set or is set to YES, whi-
tespace characters are allowed.
/etc/oshadow
Temporary file used by passwd, passmgmt and pwconv to
update the real shadow file.
/etc/passwd
Password file.
SunOS 5.10 Last change: 27 Aug 2007 11
User Commands passwd(1)
/etc/shadow
Shadow password file.
/etc/shells
Shell database.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| CSI | Enabled |
|_____________________________|_____________________________|
| Interface Stability | See below. |
|_____________________________|_____________________________|
The human readable output is Unstable. The options are
Evolving.
SEE ALSO
at(1), batch(1), finger(1), login(1), nistbladm(1),
orcron(1M), domainname(1M), eeprom(1M), id(1M),
mkpwdict(1M), passmgmt(1M), pwconv(1M), su(1M), useradd(1M),
userdel(1M), usermod(1M), crypt(3C), getpwnam(3C),
getspnam(3C), getusershell(3C), nis_local_directory(3NSL),
pam(3PAM), loginlog(4), nsswitch.conf(4), pam.conf(4),
passwd(4), policy.conf(4), shadow(4), shells(4), attri-
butes(5), environ(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_ldap(5), pam_unix_account(5), pam_unix_auth(5),
pam_unix_session(5)
NOTES
The pam_unix(5) module is no longer supported. Similar func-
tionality is provided by pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), and
pam_passwd_auth(5).
SunOS 5.10 Last change: 27 Aug 2007 12
User Commands passwd(1)
The nispasswd and ypasswd commands are wrappers around
passwd. Use of nispasswd and ypasswd is discouraged. Use
passwd -r repository_name instead.
NIS+ might not be supported in future releases of the
Solaris operating system. Tools to aid the migration from
NIS+ to LDAP are available in the current Solaris release.
For more information, visit
http://www.sun.com/directory/nisplus/transition.html.
Changing a password in the files repository clears the
failed login count.
Changing a password reactivates an account deactivated for
inactivity for the length of the inactivity period.
Input terminal processing might interpret some key sequences
and not pass them to the passwd command.
SunOS 5.10 Last change: 27 Aug 2007 13
'SUN' 카테고리의 다른 글
| [SUN] 패스워드 정책 (0) | 2013.04.29 |
|---|---|
| ssh root login (0) | 2013.04.29 |
