xref: /freebsd/usr.bin/passwd/passwd.1 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1.\" Copyright (c) 1990, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. All advertising materials mentioning features or use of this software
13.\"    must display the following acknowledgement:
14.\"	This product includes software developed by the University of
15.\"	California, Berkeley and its contributors.
16.\" 4. Neither the name of the University nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"	@(#)passwd.1	8.1 (Berkeley) 6/6/93
33.\" $FreeBSD$
34.\"
35.Dd June 6, 1993
36.Dt PASSWD 1
37.Os
38.Sh NAME
39.Nm passwd , yppasswd
40.Nd modify a user's password
41.Sh SYNOPSIS
42.Nm
43.Op Fl l
44.Op Ar user
45.Nm yppasswd
46.Op Fl l
47.Op Fl y
48.Op Fl d Ar domain
49.Op Fl h Ar host
50.Op Fl o
51.Sh DESCRIPTION
52The
53.Nm
54utility changes the user's local, Kerberos, or NIS password.
55If the user is not the super-user,
56.Nm
57first prompts for the current password and will not continue unless the correct
58password is entered.
59.Pp
60When entering the new password, the characters entered do not echo, in order to
61avoid the password being seen by a passer-by.
62The
63.Nm
64utility prompts for the new password twice in order to detect typing errors.
65.Pp
66The new password should be at least six characters long (which
67may be overridden using the
68.Xr login.conf 5
69.Dq minpasswordlen
70setting for a user's login class) and not purely alphabetic.
71Its total length must be less than
72.Dv _PASSWORD_LEN
73(currently 128 characters).
74.Pp
75The new password should contain a mixture of upper and lower case
76characters (which may be overridden using the
77.Xr login.conf 5
78.Dq mixpasswordcase
79setting for a user's login class).
80Allowing lower case passwords may
81be useful where the password file will be used in situations where only
82lower case passwords are permissible, such as when using Samba to
83authenticate Windows clients.
84In all other situations, numbers, upper
85case letters and meta characters are encouraged.
86.Pp
87Once the password has been verified,
88.Nm
89communicates the new password information to
90the Kerberos authenticating host.
91.Pp
92The following option is available:
93.Bl -tag -width indent
94.It Fl l
95Cause the password to be updated only in the local
96password file, and not with the Kerberos database.
97When changing only the local password,
98.Xr pwd_mkdb 8
99is used to update the password databases.
100.El
101.Pp
102When changing local or NIS password, the next password change date
103is set according to
104.Dq passwordtime
105capability in the user's login class.
106.Pp
107To change another user's Kerberos password, one must first
108run
109.Xr kinit 1
110followed by
111.Nm .
112The super-user is not required to provide a user's current password
113if only the local password is modified.
114.Sh NIS INTERACTION
115The
116.Nm
117utility has built-in support for NIS.
118If a user exists in the NIS password
119database but does not exist locally,
120.Nm
121automatically switches into
122.Nm yppasswd
123mode.
124If the specified
125user does not exist in either the local password database or the
126NIS password maps,
127.Nm
128returns an error.
129.Pp
130When changing an NIS password, unprivileged users are required to provide
131their old password for authentication (the
132.Xr rpc.yppasswdd 8
133daemon requires the original password before
134it will allow any changes to the NIS password maps).
135This restriction applies even to the
136super-user, with one important exception: the password authentication is
137bypassed for the super-user on the NIS master server.
138This means that
139the super-user on the NIS master server can make unrestricted changes to
140anyone's NIS password.
141The super-user on NIS client systems and NIS slave
142servers still needs to provide a password before the update will be processed.
143.Pp
144The following additional options are supported for use with NIS:
145.Bl -tag -width indent
146.It Fl y
147Override
148.Nm Ns 's
149checking heuristics and forces
150it into NIS mode.
151.It Fl l
152When NIS is enabled, the
153.Fl l
154flag can be used to force
155.Nm
156into
157.Dq local only
158mode.
159This flag can be used to change the entry
160for a local user when an NIS user exists with the same login name.
161For example, you will sometimes find entries for system
162.Dq placeholder
163users such as
164.Pa bin
165or
166.Pa daemon
167in both the NIS password maps and the local user database.
168By
169default,
170.Nm
171will try to change the NIS password.
172The
173.Fl l
174flag can be used to change the local password instead.
175.It Fl d Ar domain
176Specify what domain to use when changing an NIS password.
177By default,
178.Nm
179assumes that the system default domain should be used.
180This flag is
181primarily for use by the superuser on the NIS master server: a single
182NIS server can support multiple domains.
183It is also possible that the
184domainname on the NIS master may not be set (it is not necessary for
185an NIS server to also be a client) in which case the
186.Nm
187command needs to be told what domain to operate on.
188.It Fl h Ar host
189Specify the name of an NIS server.
190This option, in conjunction
191with the
192.Fl d
193option, can be used to change an NIS password on a non-local NIS
194server.
195When a domain is specified with the
196.Fl d
197option and
198.Nm
199is unable to determine the name of the NIS master server (possibly because
200the local domainname is not set), the name of the NIS master is assumed to
201be
202.Dq localhost .
203This can be overridden with the
204.Fl h
205flag.
206The specified hostname need not be the name of an NIS master: the
207name of the NIS master for a given map can be determined by querying any
208NIS server (master or slave) in a domain, so specifying the name of a
209slave server will work equally well.
210.It Fl o
211Do not automatically override the password authentication checks for the
212super-user on the NIS master server; assume
213.Dq old
214mode instead.
215This
216flag is of limited practical use but is useful for testing.
217.El
218.Sh FILES
219.Bl -tag -width /etc/master.passwd -compact
220.It Pa /etc/master.passwd
221the user database
222.It Pa /etc/passwd
223a Version 7 format password file
224.It Pa /etc/passwd.XXXXXX
225temporary copy of the password file
226.It Pa /etc/login.conf
227login class capabilities database
228.It Pa /etc/auth.conf
229configure authentication services
230.El
231.Sh SEE ALSO
232.Xr chpass 1 ,
233.Xr kinit 1 ,
234.Xr login 1 ,
235.Xr login.conf 5 ,
236.Xr passwd 5 ,
237.Xr kerberos 8 ,
238.Xr kpasswdd 8 ,
239.Xr pw 8 ,
240.Xr pwd_mkdb 8 ,
241.Xr vipw 8
242.Rs
243.%A Robert Morris
244.%A Ken Thompson
245.%T "UNIX password security"
246.Re
247.Sh NOTES
248The
249.Nm yppasswd
250command is really only a link to
251.Nm .
252.Sh HISTORY
253A
254.Nm
255command appeared in
256.At v6 .
257