xref: /freebsd/usr.bin/passwd/passwd.1 (revision e627b39baccd1ec9129690167cf5e6d860509655) 
1.\" Copyright (c) 1990, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. All advertising materials mentioning features or use of this software
13.\"    must display the following acknowledgement:
14.\"	This product includes software developed by the University of
15.\"	California, Berkeley and its contributors.
16.\" 4. Neither the name of the University nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"	@(#)passwd.1	8.1 (Berkeley) 6/6/93
33.\"
34.Dd June 6, 1993
35.Dt PASSWD 1
36.Os BSD 4
37.Sh NAME
38.Nm passwd, yppasswd
39.Nd modify a user's password
40.Sh SYNOPSIS
41.Nm passwd
42.Op Fl l
43.Op Ar user
44.Nm yppasswd
45.Op Fl l
46.Op Fl y
47.Op Fl d Ar domain
48.Op Fl s Ar host
49.Op Fl o
50.Sh DESCRIPTION
51.Nm Passwd
52changes the user's local, Kerberos, or NIS password.  First, the user is prompted for their
53current password.
54If the current password is correctly typed, a new password is
55requested.
56The new password must be entered twice to avoid typing errors.
57.Pp
58The new password should be at least six characters long and not
59purely alphabetic.
60Its total length must be less than
61.Dv _PASSWORD_LEN
62(currently 128 characters).
63Numbers, upper case letters and meta characters
64are encouraged.
65.Pp
66Once the password has been verified,
67.Nm passwd
68communicates the new password information to
69the Kerberos authenticating host.
70.Bl -tag -width flag
71.It Fl l
72This option causes the password to be updated only in the local
73password file, and not with the Kerberos database.
74When changing only the local password,
75.Xr pwd_mkdb  8
76is used to update the password databases.
77.El
78.Pp
79To change another user's Kerberos password, one must first
80run
81.Xr kinit 1
82followed by
83.Xr passwd 1 .
84The super-user is not required to provide a user's current password
85if only the local password is modified.
86.Sh NIS INTERACTION
87.Nm Passwd
88has built-in support for NIS. If a user exists in the NIS password
89database but does not exist locally,
90.Nm passwd
91automatically switches into ``yppasswd'' mode. If the specified
92user does not exist in either the local password database of the
93NIS password maps,
94.Nm passwd
95returns an error.
96.Pp
97When changing an NIS password, unprivileged users are required to provide
98their old password for authentication (the
99.Xr rpc.yppasswdd 8
100daemon requires the original password before
101it will allow any changes to the NIS password maps).
102This restriction applies even to the
103super-user, with one important exception: the password authentication is
104bypassed for the super-user on the NIS master server. This means that
105the super-user on the NIS master server can make unrestricted changes to
106anyone's NIS password. The super-user on NIS client systems and NIS slave
107servers still needs to provide a password before the update will be processed.
108.Pp
109The following additional options are supported for use with NIS:
110.Bl -tag -width flag
111.It Fl y
112The
113.Fl y
114flag overrides
115.Nm passwd 's
116checking heuristics and forces
117it into NIS mode.
118.It Fl l
119When NIS is enabled, the
120.Fl l
121flag can be used to force
122.Nm passwd
123into ``local only'' mode. This flag can be used to change the entry
124for a local user when an NIS user exists when the same login name.
125For example, you will sometimes find entries for system ``placeholder''
126users such as
127.Pa bin
128or
129.Pa daemon
130in both the NIS password maps and the local user database. By
131default,
132.Nm passwd
133will try to change the NIS password. The
134.Fl l
135flag can be used to change the local password instead.
136.It Fl d Ar domain
137Specify what domain to use when changing an NIS password. By default,
138.Nm passwd
139assumes that the system default domain should be used. This flag is
140primarily for use by the superuser on the NIS master server: a single
141NIS server can support multiple domains. It is also possible that the
142domainname on the NIS master may not be set (it is not necessary for
143an NIS server to also be a client) in which case the
144.Nm passwd
145command needs to be told what domain to operate on.
146.It Fl s Ar host
147Specify the name of an NIS server. This option, in conjunction
148with the
149.Fl d
150option, can be used to change an NIS password on a non-local NIS
151server. When a domain is specified with the
152.Fl d
153option and
154.Nm passwd
155is unable to determine the name of the NIS master server (possibly because
156the local domainname isn't set), the name of the NIS master is assumed to
157be ``localhost''. This can be overriden with the
158.Fl s
159flag. The specified hostname need not be the name of an NIS master: the
160name of the NIS master for a given map can be determined by querying any
161NIS server (master or slave) in a domain, so specifying the name of a
162slave server will work equally well.
163.Pp
164.It Fl o
165Do not automatically override the password authentication checks for the
166super-user on the NIS master server; assume 'old' mode instead. This
167flag is of limited practical use but is useful for testing.
168.El
169.Sh FILES
170.Bl -tag -width /etc/master.passwd -compact
171.It Pa /etc/master.passwd
172The user database
173.It Pa /etc/passwd
174A Version 7 format password file
175.It Pa /etc/passwd.XXXXXX
176Temporary copy of the password file
177.El
178.Sh SEE ALSO
179.Xr chpass 1 ,
180.Xr kerberos 1 ,
181.Xr kinit 1 ,
182.Xr login 1 ,
183.Xr passwd 5 ,
184.Xr kpasswdd 8 ,
185.Xr pwd_mkdb 8 ,
186.Xr vipw 8
187.Rs
188.%A Robert Morris
189.%A Ken Thompson
190.%T "UNIX password security"
191.Re
192.Sh NOTES
193The
194.Xr yppasswd 1
195command is really only a link to
196.Nm passwd .
197.Sh HISTORY
198A
199.Nm passwd
200command appeared in
201.At v6 .
202