xref: /freebsd/usr.bin/passwd/passwd.1 (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1.\" Copyright (c) 1990, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.Dd February 14, 2014
29.Dt PASSWD 1
30.Os
31.Sh NAME
32.Nm passwd , yppasswd
33.Nd modify a user's password
34.Sh SYNOPSIS
35.Nm
36.Op Fl l
37.Op Ar user
38.Nm yppasswd
39.Op Fl l
40.Op Fl y
41.Op Fl d Ar domain
42.Op Fl h Ar host
43.Op Fl o
44.Sh DESCRIPTION
45The
46.Nm
47utility changes the user's local, Kerberos, or NIS password.
48If the user is not the super-user,
49.Nm
50first prompts for the current password and will not continue unless the correct
51password is entered.
52.Pp
53When entering the new password, the characters entered do not echo, in order to
54avoid the password being seen by a passer-by.
55The
56.Nm
57utility prompts for the new password twice in order to detect typing errors.
58.Pp
59The total length of the password must be less than
60.Dv _PASSWORD_LEN
61(currently 128 characters).
62.Pp
63Once the password has been verified,
64.Nm
65communicates the new password information to
66the Kerberos authenticating host.
67.Pp
68The following option is available:
69.Bl -tag -width indent
70.It Fl l
71Cause the password to be updated only in the local
72password file, and not with the Kerberos database.
73When changing only the local password,
74.Xr pwd_mkdb 8
75is used to update the password databases.
76.El
77.Pp
78When changing local or NIS password, the next password change date
79is set according to
80.Dq passwordtime
81capability in the user's login class.
82.Pp
83To change another user's Kerberos password, one must first
84run
85.Xr kinit 1
86followed by
87.Nm .
88The super-user is not required to provide a user's current password
89if only the local password is modified.
90.Sh NIS INTERACTION
91The
92.Nm
93utility has built-in support for NIS.
94If a user exists in the NIS password
95database but does not exist locally,
96.Nm
97automatically switches into
98.Nm yppasswd
99mode.
100If the specified
101user does not exist in either the local password database or the
102NIS password maps,
103.Nm
104returns an error.
105.Pp
106When changing an NIS password, unprivileged users are required to provide
107their old password for authentication (the
108.Xr rpc.yppasswdd 8
109daemon requires the original password before
110it will allow any changes to the NIS password maps).
111This restriction applies even to the
112super-user, with one important exception: the password authentication is
113bypassed for the super-user on the NIS master server.
114This means that
115the super-user on the NIS master server can make unrestricted changes to
116anyone's NIS password.
117The super-user on NIS client systems and NIS slave
118servers still needs to provide a password before the update will be processed.
119.Pp
120The following additional options are supported for use with NIS:
121.Bl -tag -width indent
122.It Fl y
123Override
124.Nm Ns 's
125checking heuristics and forces
126it into NIS mode.
127.It Fl l
128When NIS is enabled, the
129.Fl l
130flag can be used to force
131.Nm
132into
133.Dq local only
134mode.
135This flag can be used to change the entry
136for a local user when an NIS user exists with the same login name.
137For example, you will sometimes find entries for system
138.Dq placeholder
139users such as
140.Pa bin
141or
142.Pa daemon
143in both the NIS password maps and the local user database.
144By
145default,
146.Nm
147will try to change the NIS password.
148The
149.Fl l
150flag can be used to change the local password instead.
151.It Fl d Ar domain
152Specify what domain to use when changing an NIS password.
153By default,
154.Nm
155assumes that the system default domain should be used.
156This flag is
157primarily for use by the superuser on the NIS master server: a single
158NIS server can support multiple domains.
159It is also possible that the
160domainname on the NIS master may not be set (it is not necessary for
161an NIS server to also be a client) in which case the
162.Nm
163command needs to be told what domain to operate on.
164.It Fl h Ar host
165Specify the name of an NIS server.
166This option, in conjunction
167with the
168.Fl d
169option, can be used to change an NIS password on a non-local NIS
170server.
171When a domain is specified with the
172.Fl d
173option and
174.Nm
175is unable to determine the name of the NIS master server (possibly because
176the local domainname is not set), the name of the NIS master is assumed to
177be
178.Dq localhost .
179This can be overridden with the
180.Fl h
181flag.
182The specified hostname need not be the name of an NIS master: the
183name of the NIS master for a given map can be determined by querying any
184NIS server (master or slave) in a domain, so specifying the name of a
185slave server will work equally well.
186.It Fl o
187Do not automatically override the password authentication checks for the
188super-user on the NIS master server; assume
189.Dq old
190mode instead.
191This
192flag is of limited practical use but is useful for testing.
193.El
194.Sh FILES
195.Bl -tag -width /etc/master.passwd -compact
196.It Pa /etc/master.passwd
197the user database
198.It Pa /etc/passwd
199a Version 7 format password file
200.It Pa /etc/passwd.XXXXXX
201temporary copy of the password file
202.It Pa /etc/login.conf
203login class capabilities database
204.El
205.Sh SEE ALSO
206.Xr chpass 1 ,
207.Xr kinit 1 ,
208.Xr login 1 ,
209.Xr login.conf 5 ,
210.Xr passwd 5 ,
211.Xr kerberos 8 ,
212.Xr kpasswdd 8 ,
213.Xr pam_passwdqc 8 ,
214.Xr pw 8 ,
215.Xr pwd_mkdb 8 ,
216.Xr vipw 8
217.Rs
218.%A Robert Morris
219.%A Ken Thompson
220.%T "UNIX password security"
221.Re
222.Sh NOTES
223The
224.Nm yppasswd
225command is really only a link to
226.Nm .
227.Sh HISTORY
228A
229.Nm
230command appeared in
231.At v6 .
232