HP-UX Reference (11i v2 04/09) - 1 User Commands N-Z (vol 2)
p
passwd(1) passwd(1)
A Smart Card account can be shared among users. If one user modifies the password, other users must
use the scsync command to write the new password onto their cards.
The
scpin command is used to change the Smart Card PIN.
SECURITY FEATURES
This section applies only to trusted systems. It describes additional capabilities and restrictions.
When passwd is invoked on a trusted system, the existing password is requested (if one is present). This
initiates the password solicitation dialog which depends upon the type of password generation (format
policy) that has been enabled on the account doing the
passwd command. There are four possible
options for password generation:
Random syllables A pronounceable password made up of meaningless syllables.
Random characters An unpronounceable password made up of random characters from the
character set.
Random letters An unpronounceable password made up of random letters from the
alphabet.
User-supplied A user-supplied password, subject to length and triviality restrictions.
Passwords can be greater than eight characters, but it is recommended that they be less than 40 charac-
ters. System warnings are displayed if passwords lengths are either too long or short. The system
administrator can specify a maximum password length guideline for the system generated options (ran-
dom syllables, random characters, and random letters). The actual maximum password length depends
upon several parameters in the authentication database and in the algorithm.
The system requires a minimum time to elapse before a password can be changed. This prevents reuse of
an old password within an undesirable period of time.
A password expires after a period of time known as the expiration time. System warnings are displayed
as expiration time approaches.
A password dies after a time period known as the password lifetime . After the lifetime passes, the
account is locked until it is re-enabled by a system administrator. Once unlocked, the user is forced to
change the password before account use.
The system administrator can enable accounts without passwords. If a user account is allowed to func-
tion without a password, the user can choose a null password by typing a carriage-return when prompted
for a new password.
The system administrator can enable the password history feature to discourage users from reusing pre-
viously used passwords. Refer to the security (4) manual page for detailed information on configurable
parameters that affect the behavior of this command. The parameter for password history is:
PASSWORD_HISTORY_DEPTH
EXTERNAL INFLUENCES
International Code Set Support
Characters from single-byte character code sets are supported in passwords.
EXAMPLES
Change the password expiration date of
user to 42 days in the files repository:
passwd -r files -x 42 user
Modify the minimum time between password changes of user1 to 7 days in the nisplus repository:
passwd -r nisplus -n 7 user1
Force user2 to establish a new password on the next login which will expire in 70 days and prohibit the
user from changing the password until 7 days have transpired:
passwd -r files -f -x 70 -n 7 user2
DEPENDENCIES
Pluggable Authentication Modules (PAM)
PAM is an Open Group standard for user authentication, password modification, and account validation.
In particular, pam_chauthtok() is invoked to perform all functions related to passwd. This includes
establishing and changing a password, using passwd options, and displaying error messages.
Section 1−−712 Hewlett-Packard Company − 4 − HP-UX 11i Version 2: September 2004