xref: /freebsd/usr.bin/passwd/passwd.1 (revision e5b786625f7f82a1fa91e41823332459ea5550f9) 
1.\" Copyright (c) 1990, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.\"	@(#)passwd.1	8.1 (Berkeley) 6/6/93
29.\"
30.Dd February 14, 2014
31.Dt PASSWD 1
32.Os
33.Sh NAME
34.Nm passwd , yppasswd
35.Nd modify a user's password
36.Sh SYNOPSIS
37.Nm
38.Op Fl l
39.Op Ar user
40.Nm yppasswd
41.Op Fl l
42.Op Fl y
43.Op Fl d Ar domain
44.Op Fl h Ar host
45.Op Fl o
46.Sh DESCRIPTION
47The
48.Nm
49utility changes the user's local, Kerberos, or NIS password.
50If the user is not the super-user,
51.Nm
52first prompts for the current password and will not continue unless the correct
53password is entered.
54.Pp
55When entering the new password, the characters entered do not echo, in order to
56avoid the password being seen by a passer-by.
57The
58.Nm
59utility prompts for the new password twice in order to detect typing errors.
60.Pp
61The total length of the password must be less than
62.Dv _PASSWORD_LEN
63(currently 128 characters).
64.Pp
65Once the password has been verified,
66.Nm
67communicates the new password information to
68the Kerberos authenticating host.
69.Pp
70The following option is available:
71.Bl -tag -width indent
72.It Fl l
73Cause the password to be updated only in the local
74password file, and not with the Kerberos database.
75When changing only the local password,
76.Xr pwd_mkdb 8
77is used to update the password databases.
78.El
79.Pp
80When changing local or NIS password, the next password change date
81is set according to
82.Dq passwordtime
83capability in the user's login class.
84.Pp
85To change another user's Kerberos password, one must first
86run
87.Xr kinit 1
88followed by
89.Nm .
90The super-user is not required to provide a user's current password
91if only the local password is modified.
92.Sh NIS INTERACTION
93The
94.Nm
95utility has built-in support for NIS.
96If a user exists in the NIS password
97database but does not exist locally,
98.Nm
99automatically switches into
100.Nm yppasswd
101mode.
102If the specified
103user does not exist in either the local password database or the
104NIS password maps,
105.Nm
106returns an error.
107.Pp
108When changing an NIS password, unprivileged users are required to provide
109their old password for authentication (the
110.Xr rpc.yppasswdd 8
111daemon requires the original password before
112it will allow any changes to the NIS password maps).
113This restriction applies even to the
114super-user, with one important exception: the password authentication is
115bypassed for the super-user on the NIS master server.
116This means that
117the super-user on the NIS master server can make unrestricted changes to
118anyone's NIS password.
119The super-user on NIS client systems and NIS slave
120servers still needs to provide a password before the update will be processed.
121.Pp
122The following additional options are supported for use with NIS:
123.Bl -tag -width indent
124.It Fl y
125Override
126.Nm Ns 's
127checking heuristics and forces
128it into NIS mode.
129.It Fl l
130When NIS is enabled, the
131.Fl l
132flag can be used to force
133.Nm
134into
135.Dq local only
136mode.
137This flag can be used to change the entry
138for a local user when an NIS user exists with the same login name.
139For example, you will sometimes find entries for system
140.Dq placeholder
141users such as
142.Pa bin
143or
144.Pa daemon
145in both the NIS password maps and the local user database.
146By
147default,
148.Nm
149will try to change the NIS password.
150The
151.Fl l
152flag can be used to change the local password instead.
153.It Fl d Ar domain
154Specify what domain to use when changing an NIS password.
155By default,
156.Nm
157assumes that the system default domain should be used.
158This flag is
159primarily for use by the superuser on the NIS master server: a single
160NIS server can support multiple domains.
161It is also possible that the
162domainname on the NIS master may not be set (it is not necessary for
163an NIS server to also be a client) in which case the
164.Nm
165command needs to be told what domain to operate on.
166.It Fl h Ar host
167Specify the name of an NIS server.
168This option, in conjunction
169with the
170.Fl d
171option, can be used to change an NIS password on a non-local NIS
172server.
173When a domain is specified with the
174.Fl d
175option and
176.Nm
177is unable to determine the name of the NIS master server (possibly because
178the local domainname is not set), the name of the NIS master is assumed to
179be
180.Dq localhost .
181This can be overridden with the
182.Fl h
183flag.
184The specified hostname need not be the name of an NIS master: the
185name of the NIS master for a given map can be determined by querying any
186NIS server (master or slave) in a domain, so specifying the name of a
187slave server will work equally well.
188.It Fl o
189Do not automatically override the password authentication checks for the
190super-user on the NIS master server; assume
191.Dq old
192mode instead.
193This
194flag is of limited practical use but is useful for testing.
195.El
196.Sh FILES
197.Bl -tag -width /etc/master.passwd -compact
198.It Pa /etc/master.passwd
199the user database
200.It Pa /etc/passwd
201a Version 7 format password file
202.It Pa /etc/passwd.XXXXXX
203temporary copy of the password file
204.It Pa /etc/login.conf
205login class capabilities database
206.El
207.Sh SEE ALSO
208.Xr chpass 1 ,
209.Xr kinit 1 ,
210.Xr login 1 ,
211.Xr login.conf 5 ,
212.Xr passwd 5 ,
213.Xr kerberos 8 ,
214.Xr kpasswdd 8 ,
215.Xr pam_passwdqc 8 ,
216.Xr pw 8 ,
217.Xr pwd_mkdb 8 ,
218.Xr vipw 8
219.Rs
220.%A Robert Morris
221.%A Ken Thompson
222.%T "UNIX password security"
223.Re
224.Sh NOTES
225The
226.Nm yppasswd
227command is really only a link to
228.Nm .
229.Sh HISTORY
230A
231.Nm
232command appeared in
233.At v6 .
234