Realistically, password aging forces users to adopt at least two passwords for their accounts. This is because, when password aging is enforced, most users alternate between two passwords that they find easy to remember rather than inventing new passwords every time their old ones expire. IRIX does not provide a utility that determines whether users are choosing from a set of passwords and, if so, then forces them to choose completely different passwords.
Note: Password aging is not supported for NIS entries (see passwd(4)).
passwd -x max name
where max is the maximum number of days the password is valid for the user name. For example, this command forces user alice to change her password every two weeks (14 days):
passwd -x 14 alice
If you set max to 0, the user must change her password when she next logs in, but thereafter password aging is not in effect for her. If you set -x to -1, password aging is turned off immediately for that user.
You can also set the minimum time that must elapse before users are allowed to change their passwords. This is useful to prevent users from changing their passwords, then changing them back to their old passwords immediately. For example:
passwd -x 14 -n 7 ralph
This forces user ralph to change his password every fourteen days and prevents him from changing it more frequently than once every seven days. Note that if you set the minimum value greater than the maximum value, the user may not ever change his or her password.
To force users to change their passwords immediately, use the -f option. For example:
passwd -f trixie
Password aging information is appended to the encrypted password field in the /etc/passwd file. The password aging information consists of a comma and up to four bytes (characters) in the format:
,Mmww
The meaning of these fields is as follows:
Character | Number of Weeks |
---|---|
. (period) | 0 (zero) |
/ (slash) | 1 |
0 through 9 | 2 through 11 |
A through Z | 12 through 37 |
a through z | 38 through 63 |
Two special cases apply for the character codes:
ralph:RSOE2m.E,0/:100:1:Ralph P. Cramden:/usr/people/ralph:
After ralph's first login following the change, the system automatically adds the two-character, "last-time-changed" information to the password field:
ralph:RSOE2m.E,0/W9:100:1:Ralph P. Cramden:/usr/people/ralph:
In this example, ralph changed his password in week W9. To force ralph to change his password at the next login (and to cause this only once), you can add the code ,.. to the password field:
ralph:RSOE2m.E,..:100:1:Ralph P. Cramden:/usr/people/ralph:
After ralph changes his password, the system automatically removes the aging code (,..) from the password field. To prevent ralph from changing his password, use the code ,./. Edit the /etc/passwd file and add a comma, period, and slash to the password field:
ralph:RSOE2m.E,./:100:1:Ralph P. Cramden:/usr/people/ralph:
Now only root can change the password for the ralph account. If ralph tries to change the password, he sees the message permission denied.
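The character codes in the table and the ralph entries above can be decoded mechanically when auditing /etc/passwd. The following Python code is an added example, not part of the original IRIX documentation; the names parse_aging and audit are hypothetical, the ralph lines are copied from this page, the alice line is constructed, and the two ww characters are returned undecoded.

```python
import string

# Codes from the table above: '.'=0, '/'=1, 0-9 -> 2-11, A-Z -> 12-37, a-z -> 38-63
CODES = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase
WEEKS = {ch: n for n, ch in enumerate(CODES)}

def parse_aging(passwd_line):
    """Decode the ,Mmww suffix of the password field of one /etc/passwd line."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a passwd entry")
    name, pwfield = fields[0], fields[1]
    _hash, comma, aging = pwfield.partition(",")
    if not comma:
        return {"name": name, "status": "no aging"}
    # Assumption: a usable code has at least M and m, and at most four characters.
    if not 2 <= len(aging) <= 4 or any(c not in WEEKS for c in aging):
        return {"name": name, "status": "malformed", "raw": aging}
    max_w, min_w = WEEKS[aging[0]], WEEKS[aging[1]]
    if max_w == 0 and min_w == 0:
        status = "change forced at next login"      # the ,.. code
    elif min_w > max_w:
        status = "only root can change"             # e.g. the ,./ code
    else:
        status = "aging active"
    return {"name": name, "status": status, "max_weeks": max_w,
            "min_weeks": min_w, "last_changed": aging[2:] or None}

def audit(lines):
    """Return (name, status) for entries an administrator should review."""
    review = {"no aging", "malformed", "only root can change"}
    return [(e["name"], e["status"]) for e in map(parse_aging, lines)
            if e["status"] in review]

# Entries for ralph are copied from this page; the alice entry is constructed.
SAMPLE = [
    "ralph:RSOE2m.E,0/W9:100:1:Ralph P. Cramden:/usr/people/ralph:",
    "ralph:RSOE2m.E,..:100:1:Ralph P. Cramden:/usr/people/ralph:",
    "ralph:RSOE2m.E,./:100:1:Ralph P. Cramden:/usr/people/ralph:",
    "alice:Xq7dExampleHash:101:1:Alice (constructed):/usr/people/alice:",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_aging(line))
    print(audit(SAMPLE))
```

The decoded values for the first entry (maximum 2 weeks, minimum 1 week) correspond to the passwd -x 14 -n 7 ralph command shown earlier.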