1.\" Copyright (c) 1990, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. All advertising materials mentioning features or use of this software 13.\" must display the following acknowledgement: 14.\" This product includes software developed by the University of 15.\" California, Berkeley and its contributors. 16.\" 4. Neither the name of the University nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" @(#)passwd.1 8.1 (Berkeley) 6/6/93 33.\" $FreeBSD$ 34.\" 35.Dd June 6, 1993 36.Dt PASSWD 1 37.Os 38.Sh NAME 39.Nm passwd , yppasswd 40.Nd modify a user's password 41.Sh SYNOPSIS 42.Nm 43.Op Fl l 44.Op Ar user 45.Nm yppasswd 46.Op Fl l 47.Op Fl y 48.Op Fl d Ar domain 49.Op Fl h Ar host 50.Op Fl o 51.Sh DESCRIPTION 52The 53.Nm 54utility changes the user's local, Kerberos, or NIS password. 55If the user is not the super-user, 56.Nm 57first prompts for the current password and will not continue unless the correct 58password is entered. 59.Pp 60When entering the new password, the characters entered do not echo, in order to 61avoid the password being seen by a passer-by. 62The 63.Nm 64utility prompts for the new password twice in order to detect typing errors. 65.Pp 66The new password should be at least six characters long (which 67may be overridden using the 68.Xr login.conf 5 69.Dq minpasswordlen 70setting for a user's login class) and not purely alphabetic. 71Its total length must be less than 72.Dv _PASSWORD_LEN 73(currently 128 characters). 74.Pp 75The new password should contain a mixture of upper and lower case 76characters (which may be overridden using the 77.Xr login.conf 5 78.Dq mixpasswordcase 79setting for a user's login class). 80Allowing lower case passwords may 81be useful where the password file will be used in situations where only 82lower case passwords are permissible, such as when using Samba to 83authenticate Windows clients. 84In all other situations, numbers, upper 85case letters and meta characters are encouraged. 86.Pp 87Once the password has been verified, 88.Nm 89communicates the new password information to 90the Kerberos authenticating host. 91.Pp 92The following option is available: 93.Bl -tag -width indent 94.It Fl l 95Cause the password to be updated only in the local 96password file, and not with the Kerberos database. 97When changing only the local password, 98.Xr pwd_mkdb 8 99is used to update the password databases. 100.El 101.Pp 102When changing local or NIS password, the next password change date 103is set according to 104.Dq passwordtime 105capability in the user's login class. 106.Pp 107To change another user's Kerberos password, one must first 108run 109.Xr kinit 1 110followed by 111.Nm . 112The super-user is not required to provide a user's current password 113if only the local password is modified. 114.Sh NIS INTERACTION 115The 116.Nm 117utility has built-in support for NIS. 118If a user exists in the NIS password 119database but does not exist locally, 120.Nm 121automatically switches into 122.Nm yppasswd 123mode. 124If the specified 125user does not exist in either the local password database or the 126NIS password maps, 127.Nm 128returns an error. 129.Pp 130When changing an NIS password, unprivileged users are required to provide 131their old password for authentication (the 132.Xr rpc.yppasswdd 8 133daemon requires the original password before 134it will allow any changes to the NIS password maps). 135This restriction applies even to the 136super-user, with one important exception: the password authentication is 137bypassed for the super-user on the NIS master server. 138This means that 139the super-user on the NIS master server can make unrestricted changes to 140anyone's NIS password. 141The super-user on NIS client systems and NIS slave 142servers still needs to provide a password before the update will be processed. 143.Pp 144The following additional options are supported for use with NIS: 145.Bl -tag -width indent 146.It Fl y 147Override 148.Nm Ns 's 149checking heuristics and forces 150it into NIS mode. 151.It Fl l 152When NIS is enabled, the 153.Fl l 154flag can be used to force 155.Nm 156into 157.Dq local only 158mode. 159This flag can be used to change the entry 160for a local user when an NIS user exists with the same login name. 161For example, you will sometimes find entries for system 162.Dq placeholder 163users such as 164.Pa bin 165or 166.Pa daemon 167in both the NIS password maps and the local user database. 168By 169default, 170.Nm 171will try to change the NIS password. 172The 173.Fl l 174flag can be used to change the local password instead. 175.It Fl d Ar domain 176Specify what domain to use when changing an NIS password. 177By default, 178.Nm 179assumes that the system default domain should be used. 180This flag is 181primarily for use by the superuser on the NIS master server: a single 182NIS server can support multiple domains. 183It is also possible that the 184domainname on the NIS master may not be set (it is not necessary for 185an NIS server to also be a client) in which case the 186.Nm 187command needs to be told what domain to operate on. 188.It Fl h Ar host 189Specify the name of an NIS server. 190This option, in conjunction 191with the 192.Fl d 193option, can be used to change an NIS password on a non-local NIS 194server. 195When a domain is specified with the 196.Fl d 197option and 198.Nm 199is unable to determine the name of the NIS master server (possibly because 200the local domainname is not set), the name of the NIS master is assumed to 201be 202.Dq localhost . 203This can be overridden with the 204.Fl h 205flag. 206The specified hostname need not be the name of an NIS master: the 207name of the NIS master for a given map can be determined by querying any 208NIS server (master or slave) in a domain, so specifying the name of a 209slave server will work equally well. 210.It Fl o 211Do not automatically override the password authentication checks for the 212super-user on the NIS master server; assume 213.Dq old 214mode instead. 215This 216flag is of limited practical use but is useful for testing. 217.El 218.Sh FILES 219.Bl -tag -width /etc/master.passwd -compact 220.It Pa /etc/master.passwd 221the user database 222.It Pa /etc/passwd 223a Version 7 format password file 224.It Pa /etc/passwd.XXXXXX 225temporary copy of the password file 226.It Pa /etc/login.conf 227login class capabilities database 228.It Pa /etc/auth.conf 229configure authentication services 230.El 231.Sh SEE ALSO 232.Xr chpass 1 , 233.Xr kinit 1 , 234.Xr login 1 , 235.Xr login.conf 5 , 236.Xr passwd 5 , 237.Xr kerberos 8 , 238.Xr kpasswdd 8 , 239.Xr pw 8 , 240.Xr pwd_mkdb 8 , 241.Xr vipw 8 242.Rs 243.%A Robert Morris 244.%A Ken Thompson 245.%T "UNIX password security" 246.Re 247.Sh NOTES 248The 249.Nm yppasswd 250command is really only a link to 251.Nm . 252.Sh HISTORY 253A 254.Nm 255command appeared in 256.At v6 . 257