.\" Copyright (c) 1988, 1990, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)chpass.1	8.2 (Berkeley) 12/30/93
.\"	$Id: chpass.1,v 1.7.2.4 1998/08/14 03:38:01 thepish Exp $
.\"
.Dd December 30, 1993
.Dt CHPASS 1
.Os
.Sh NAME
.Nm chpass, chfn, chsh, ypchpass, ypchfn, ypchsh
.Nd add or change user database information
.Sh SYNOPSIS
.Nm chpass
.Op Fl a Ar list
.Op Fl p Ar encpass
.Op Fl s Ar newshell
.Op user
.Sh DESCRIPTION
The
.Nm chpass
program
allows editing of the user database information associated
with
.Ar user
or, by default, the current user.
The information is formatted and supplied to an editor for changes.
.Pp
Only the information that the user is allowed to change is displayed.
.Pp
The options are as follows:
.Bl -tag -width flag
.It Fl a
The super-user is allowed to directly supply a user database
entry, in the format specified by
.Xr passwd 5 ,
as an argument.
This argument must be a colon (``:'') separated list of all the
user database fields, although they may be empty.
.It Fl p
The super-user is allowed to directly supply an encrypted password field,
in the format used by
.Xr crypt 3 ,
as an argument.
.It Fl s
The
.Fl s
option attempts to change the user's shell to
.Ar newshell .
.El
.Pp
Possible display items are as follows:
.Pp
.Bl -tag -width "Other Information:" -compact -offset indent
.It Login:
user's login name
.It Password:
user's encrypted password
.It Uid:
user's login
.It Gid:
user's login group
.It Change:
password change time
.It Expire:
account expiration time
.It Class:
user's general classification
.It Home Directory:
user's home directory
.It Shell:
user's login shell
.It Full Name:
user's real name
.It Location:
user's normal location
.It Home Phone:
user's home phone
.It Office Phone:
user's office phone
.It Other Information:
any locally defined parameters for user
.El
.Pp
The
.Ar login
field is the user name used to access the computer account.
.Pp
The
.Ar password
field contains the encrypted form of the user's password.
.Pp
The
.Ar uid
field is the number associated with the
.Ar login
field.
Both of these fields should be unique across the system (and often
across a group of systems) as they control file access.
.Pp
While it is possible to have multiple entries with identical login names
and/or identical user ids, it is usually a mistake to do so.
Routines
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
.Pp
The
.Ar group
field is the group that the user will be placed in at login.
Since BSD supports multiple groups (see
.Xr groups 1 )
this field currently has little special meaning.
This field may be filled in with either a number or a group name (see
.Xr group 5 ) .
.Pp
The
.Ar change
field is the date by which the password must be changed.
.Pp
The
.Ar expire
field is the date on which the account expires.
.Pp
Both the
.Ar change
and
.Ar expire
fields should be entered in the form ``month day year'' where
.Ar month
is the month name (the first three characters are sufficient),
.Ar day
is the day of the month, and
.Ar year
is the year.
.Pp
The
.Ar class
field is currently unused.
In the near future it will be a key to
a
.Xr termcap 5
style database of user attributes.
.Pp
The user's
.Ar home directory
is the full UNIX path name where the user
will be placed at login.
.Pp
The
.Ar shell
field is the command interpreter the user prefers.
If the
.Ar shell
field is empty, the Bourne shell,
.Pa /bin/sh ,
is assumed.
When altering a login shell, and not the super-user, the user
may not change from a non-standard shell or to a non-standard
shell.
Non-standard is defined as a shell not found in
.Pa /etc/shells .
.Pp
The last five fields are for storing the user's
.Ar full name , office location ,
.Ar work
and
.Ar home telephone
numbers and finally
.Ar other information
which is a single comma delimited string to represent any additional
gcos fields (typically used for site specific user information).
.Pp
Once the information has been verified,
.Nm chpass
uses
.Xr pwd_mkdb 8
to update the user database.
.Sh ENVIRONMENT
The
.Xr vi 1
editor will be used unless the environment variable EDITOR is set to
an alternate editor.
When the editor terminates, the information is re-read and used to
update the user database itself.
Only the user, or the super-user, may edit the information associated
with the user.
.Sh NIS INTERACTION
.Nm Chpass
can also be used in conjunction with NIS, however some restrictions
apply.
Currently,
.Nm chpass
can only make changes to the NIS passwd maps through
.Xr rpc.yppasswdd 8 ,
which normally only permits changes to a user's password, shell and GECOS
fields.
Except when invoked by the super-user on the NIS master server,
.Nm chpass
(and, similarly,
.Xr passwd 1 )
can not use the
.Xr rpc.yppasswdd 8
server to change other user information or
add new records to the NIS passwd maps.
Furthermore,
.Xr rpc.yppasswdd 8
requires password authentication before it will make any
changes.
The only user allowed to submit changes without supplying
a password is the super-user on the NIS master server; all other users,
including those with root privileges on NIS clients (and NIS slave
servers) must enter a password.
(The super-user on the NIS master is allowed to bypass these restrictions
largely for convenience: a user with root access
to the NIS master server already has the privileges required to make
updates to the NIS maps, but editing the map source files by hand can
be cumbersome.
.Pp
Note: these exceptions only apply when the NIS master server is a
FreeBSD system.)
.Pp
Consequently, except where noted, the following restrictions apply when
.Nm chpass
is used with NIS:
.Bl -enum -offset indent
.It
.Pa Only the shell and GECOS information may be changed.
All other
fields are restricted, even when
.Nm chpass
is invoked by the super-user.
While support for
changing other fields could be added, this would lead to
compatibility problems with other NIS-capable systems.
Even though the super-user may supply data for other fields
while editing an entry, the extra information (other than the
password -- see below) will be silently discarded.
.Pp
Exception: the super-user on the NIS master server is permitted to
change any field.
.Pp
.It
.Pa Password authentication is required.
.Nm Chpass
will prompt for the user's NIS password before effecting
any changes.
If the password is invalid, all changes will be
discarded.
.Pp
Exception: the super-user on the NIS master server is allowed to
submit changes without supplying a password.
(The super-user may
choose to turn off this feature using the
.Fl o
flag, described below.)
.It
.Pa Adding new records to the local
.Pa password database is discouraged.
.Nm Chpass
will allow the administrator to add new records to the
local password database while NIS is enabled, but this can lead to
some confusion since the new records are appended to the end of
the master password file, usually after the special NIS '+' entries.
The administrator should use
.Xr vipw 8
to modify the local password
file when NIS is running.
.Pp
The super-user on the NIS master server is permitted to add new records
to the NIS password maps, provided the
.Xr rpc.yppasswdd 8
server has been started with the
.Fl a
flag to permit additions (it refuses them by default).
.Nm Chpass
tries to update the local password database by default; to update the
NIS maps instead, invoke chpass with the
.Fl y
flag.
.It
.Pa Password changes are not permitted.
Users should use
.Xr passwd 1
or
.Xr yppasswd 1
to change their NIS passwords.
The super-user is allowed to specify
a new password (even though the ``Password:'' field does not show
up in the editor template, the super-user may add it back by hand),
but even the super-user must supply the user's original password
otherwise
.Xr rpc.yppasswdd 8
will refuse to update the NIS maps.
.Pp
Exception: the super-user on the NIS master server is permitted to
change a user's NIS password with
.Nm chpass .
.El
.Pp
There are also a few extra option flags that are available when
.Nm chpass
is compiled with NIS support:
.Bl -tag -width flag
.It Fl l
The
.Fl l
flag forces
.Nm chpass
to modify the local copy of a user's password
information in the event that a user exists in both
the local and NIS databases.
.It Fl y
This flag has the opposite effect of
.Fl l .
This flag is largely redundant since
.Nm chpass
operates on NIS entries by default if NIS is enabled.
.It Fl d Ar domain
Specify a particular NIS domain.
.Nm Chpass
uses the system domain name by default, as set by the
.Xr domainname 1
command.
The
.Fl d
option can be used to override a default, or to specify a domain
when the system domain name is not set.
.It Fl h Ar host
Specify the name or address of an NIS server to query.
Normally,
.Nm chpass
will communicate with the NIS master host specified in the
.Pa master.passwd
or
.Pa passwd
maps.
On hosts that have not been configured as NIS clients, there is
no way for the program to determine this information unless the user
provides the hostname of a server.
Note that the specified hostname need
not be that of the NIS master server; the name of any server, master or
slave, in a given NIS domain will do.
.Pp
When using the
.Fl d
option, the hostname defaults to ``localhost.''
The
.Fl h
option can be used in conjunction with the
.Fl d
option, in which case the user-specified hostname will override
the default.
.Pp
.It Fl o
Force the use of RPC-based updates when communicating with
.Xr rpc.yppasswdd 8
(``old-mode'').
When invoked by the super-user on the NIS master server,
.Nm chpass
allows unrestricted changes to the NIS passwd maps using a dedicated,
non-RPC-based mechanism (in this case, a UNIX domain socket).
The
.Fl o
flag can be used to force
.Nm chpass
to use the standard update mechanism instead.
This option is provided
mainly for testing purposes.
.El
.Pp
.Sh FILES
.Bl -tag -width /etc/master.passwd -compact
.It Pa /etc/master.passwd
The user database
.It Pa /etc/passwd
A Version 7 format password file
.It Pa /etc/chpass.XXXXXX
Temporary copy of the password file
.It Pa /etc/shells
The list of approved shells
.El
.Sh SEE ALSO
.Xr finger 1 ,
.Xr login 1 ,
.Xr passwd 1 ,
.Xr getusershell 3 ,
.Xr passwd 5 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8
.Rs
.%A Robert Morris
and
.%A Ken Thompson
.%T "UNIX Password security"
.Re
.Sh NOTES
The
.Xr chfn 1 ,
.Xr chsh 1 ,
.Xr ypchpass 1 ,
.Xr ypchfn 1
and
.Xr ypchsh 1
commands are really only links to
.Nm chpass .
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.3 Reno .