Change passwords non-interactively

With the chpasswd command, AIX offers the option of changing passwords both interactively and non-interactively. However, the use of the command is reserved for the root user.

In the simplest case, the administrator can start the command without arguments. The interactive input of the user name and associated password, separated by a colon “:”, is then expected. One user name and a plain text password are specified per line. The input must be terminated with Control-D:

# chpasswd
user01:hello19
<Control>-<D>
#

The ADMCHG flag for the user account is set by default:

# pwdadm -q user01
user01:
        lastupdate = 1650438240
        flags = ADMCHG

#

The user is asked to change the password the next time he logs in.

If you want to set the password non-interactively via a script, you can use a so-called “here” document, for example:

# chpasswd -c <<EOF
> user02:hello20
> EOF
#

This variant no longer requires manual input. The users and passwords to be entered can be specified directly in the script. To prevent users from being prompted to change their password at the next login, we used the “-c” (clear all password flags) option.

Alternatively, you could also use a pipe with an echo command, for example:

# echo user03:hello21 | chpasswd -c
#

If you use bash, there is the particularly elegant option of redirecting input from a character string. For this purpose, three less-than characters “<<<” followed by the character string are used:

(bash)# chpasswd -c <<<user04:hello22
(bash)#

In all of the above examples, the password was given in clear text. This is generally not desired when setting the password non-interactively. You can also specify the password in encrypted form. All you have to do is to use the “-e” (encrypted password) option. The chpasswd command does not check whether the specified encrypted password has the correct length and syntax, or whether it is even valid!

Note, however, that the encrypted password may contain special characters such as “$” or “!”, which are evaluated and possibly replaced by the shell. When using a “here” document, special characters in the input are interpreted by the shell. We demonstrate this by setting a variable VAR, which is then used in the encrypted password:

# VAR=hello
# chpasswd -e -c <<EOF
> user02:{ssha512}06TQ.$VAR
> EOF
#

The specified encrypted password is far too short and therefore not valid, but there is no error message. The “$VAR” part is replaced by the shell with the value “hello”, as shown by displaying the password that was set:

# lsuser -a spassword user02
user02 spassword={ssha512}06TQ.hello
#

Shell substitution can be avoided by enclosing the word “EOF” in quotation marks:

# VAR=hello
# chpasswd -e -c <<"EOF"
> user02:{ssha512}06TQ.$VAR
> EOF
#

This time “$VAR” has not been replaced:

# lsuser -a spassword user02
user02 spassword={ssha512}06TQ.$VAR
#

(However, the encrypted password is still too short and therefore invalid.)
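The following is an added example, not part of the original article, that runs the substitution behaviour described above side by side for each input style and shows a pattern that keeps the hash intact. It assumes cat as a stand-in for chpasswd so it can be run on any POSIX shell; the function names are hypothetical and the hash is the article's constructed, too-short value.

```shell
#!/bin/sh
# cat stands in for chpasswd so the resulting input line can be inspected.

VAR=hello   # same variable as in the article's demonstration

# Unquoted delimiter: the shell expands $VAR before the command sees the line.
heredoc_unquoted() {
cat <<EOF
user02:{ssha512}06TQ.$VAR
EOF
}

# Quoted delimiter: the body is passed through unchanged.
heredoc_quoted() {
cat <<'EOF'
user02:{ssha512}06TQ.$VAR
EOF
}

# A double-quoted argument in a pipe is expanded like the unquoted here-doc.
pipe_double_quoted() { printf '%s\n' "user02:{ssha512}06TQ.$VAR"; }

# Pattern for scripts: the hash arrives in a variable (single-quoted literal
# or read from a file) and is emitted with printf '%s'. The result of a
# variable expansion is not expanded a second time.
chpasswd_line() { printf '%s:%s\n' "$1" "$2"; }

# Guard: returns 0 when the line is exactly what was intended, 1 otherwise.
line_intact() { [ "$1" = "$2" ]; }

WANT='user02:{ssha512}06TQ.$VAR'   # constructed value, not a valid hash

for f in heredoc_unquoted heredoc_quoted pipe_double_quoted; do
    got=$($f)
    if line_intact "$WANT" "$got"; then s=intact; else s=ALTERED; fi
    printf '%-20s %-8s %s\n' "$f" "$s" "$got"
done
got=$(chpasswd_line user02 '{ssha512}06TQ.$VAR')
if line_intact "$WANT" "$got"; then s=intact; else s=ALTERED; fi
printf '%-20s %-8s %s\n' chpasswd_line "$s" "$got"

# On AIX the last form would be used as:
#   chpasswd_line user02 "$HASH" | chpasswd -e -c
```

Because chpasswd -e accepts a mangled value without an error, comparing the output of lsuser -a spassword with the intended hash after the change is the remaining check.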