1.\" Copyright (c) 1990, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)passwd.1 8.1 (Berkeley) 6/6/93 29.\" $FreeBSD: src/usr.bin/passwd/passwd.1,v 1.33 2007/11/07 07:59:38 ru Exp $ 30.\" 31.Dd June 6, 1993 32.Dt PASSWD 1 33.Os 34.Sh NAME 35.Nm passwd , 36.Nm yppasswd 37.Nd modify a user's password 38.Sh SYNOPSIS 39.Nm 40.Op Fl l 41.Op Ar user 42.Nm yppasswd 43.Op Fl l 44.Op Fl y 45.Op Fl d Ar domain 46.Op Fl h Ar host 47.Op Fl o 48.Sh DESCRIPTION 49The 50.Nm 51utility changes the user's local, Kerberos, or NIS password. 52If the user is not the super-user, 53.Nm 54first prompts for the current password and will not continue unless the correct 55password is entered. 56.Pp 57When entering the new password, the characters entered do not echo, in order to 58avoid the password being seen by a passer-by. 59The 60.Nm 61utility prompts for the new password twice in order to detect typing errors. 62.Pp 63The new password should be at least six characters long (which 64may be overridden using the 65.Xr login.conf 5 66.Dq minpasswordlen 67setting for a user's login class) and not purely alphabetic. 68Its total length must be less than 69.Dv _PASSWORD_LEN 70(currently 128 characters). 71.Pp 72The new password should contain a mixture of upper and lower case 73characters (which may be overridden using the 74.Xr login.conf 5 75.Dq mixpasswordcase 76setting for a user's login class). 77Allowing lower case passwords may 78be useful where the password file will be used in situations where only 79lower case passwords are permissible, such as when using Samba to 80authenticate Windows clients. 81In all other situations, numbers, upper 82case letters and meta characters are encouraged. 83.Pp 84Once the password has been verified, 85.Nm 86communicates the new password information to 87the Kerberos authenticating host. 88.Pp 89The following option is available: 90.Bl -tag -width indent 91.It Fl l 92Cause the password to be updated only in the local 93password file, and not with the Kerberos database. 94When changing only the local password, 95.Xr pwd_mkdb 8 96is used to update the password databases. 97.El 98.Pp 99When changing local or NIS password, the next password change date 100is set according to 101.Dq passwordtime 102capability in the user's login class. 103.Pp 104To change another user's Kerberos password, one must first 105run 106.Xr kinit 1 Pq Pa security/heimdal 107followed by 108.Nm . 109The super-user is not required to provide a user's current password 110if only the local password is modified. 111.Sh NIS INTERACTION 112The 113.Nm 114utility has built-in support for NIS. 115If a user exists in the NIS password 116database but does not exist locally, 117.Nm 118automatically switches into 119.Nm yppasswd 120mode. 121If the specified 122user does not exist in either the local password database or the 123NIS password maps, 124.Nm 125returns an error. 126.Pp 127When changing an NIS password, unprivileged users are required to provide 128their old password for authentication (the 129.Xr rpc.yppasswdd 8 130daemon requires the original password before 131it will allow any changes to the NIS password maps). 132This restriction applies even to the 133super-user, with one important exception: the password authentication is 134bypassed for the super-user on the NIS master server. 135This means that 136the super-user on the NIS master server can make unrestricted changes to 137anyone's NIS password. 138The super-user on NIS client systems and NIS slave 139servers still needs to provide a password before the update will be processed. 140.Pp 141The following additional options are supported for use with NIS: 142.Bl -tag -width indent 143.It Fl y 144Override 145.Nm Ns 's 146checking heuristics and forces 147it into NIS mode. 148.It Fl l 149When NIS is enabled, the 150.Fl l 151flag can be used to force 152.Nm 153into 154.Dq local only 155mode. 156This flag can be used to change the entry 157for a local user when an NIS user exists with the same login name. 158For example, you will sometimes find entries for system 159.Dq placeholder 160users such as 161.Pa bin 162or 163.Pa daemon 164in both the NIS password maps and the local user database. 165By 166default, 167.Nm 168will try to change the NIS password. 169The 170.Fl l 171flag can be used to change the local password instead. 172.It Fl d Ar domain 173Specify what domain to use when changing an NIS password. 174By default, 175.Nm 176assumes that the system default domain should be used. 177This flag is 178primarily for use by the superuser on the NIS master server: a single 179NIS server can support multiple domains. 180It is also possible that the 181domainname on the NIS master may not be set (it is not necessary for 182an NIS server to also be a client) in which case the 183.Nm 184command needs to be told what domain to operate on. 185.It Fl h Ar host 186Specify the name of an NIS server. 187This option, in conjunction 188with the 189.Fl d 190option, can be used to change an NIS password on a non-local NIS 191server. 192When a domain is specified with the 193.Fl d 194option and 195.Nm 196is unable to determine the name of the NIS master server (possibly because 197the local domainname is not set), the name of the NIS master is assumed to 198be 199.Dq localhost . 200This can be overridden with the 201.Fl h 202flag. 203The specified hostname need not be the name of an NIS master: the 204name of the NIS master for a given map can be determined by querying any 205NIS server (master or slave) in a domain, so specifying the name of a 206slave server will work equally well. 207.It Fl o 208Do not automatically override the password authentication checks for the 209super-user on the NIS master server; assume 210.Dq old 211mode instead. 212This 213flag is of limited practical use but is useful for testing. 214.El 215.Sh FILES 216.Bl -tag -width /etc/master.passwd -compact 217.It Pa /etc/master.passwd 218the user database 219.It Pa /etc/passwd 220a Version 7 format password file 221.It Pa /etc/passwd.XXXXXX 222temporary copy of the password file 223.It Pa /etc/login.conf 224login class capabilities database 225.It Pa /etc/auth.conf 226configure authentication services 227.El 228.Sh SEE ALSO 229.Xr chpass 1 , 230.Xr kinit 1 , 231.Xr login 1 , 232.Xr login.conf 5 , 233.Xr passwd 5 , 234.Xr kerberos 8 Pq Pa security/heimdal , 235.Xr kpasswdd 8 Pq Pa security/heimdal , 236.Xr pw 8 , 237.Xr pwd_mkdb 8 , 238.Xr vipw 8 239.Rs 240.%A Robert Morris 241.%A Ken Thompson 242.%T "UNIX password security" 243.Re 244.Sh NOTES 245The 246.Nm yppasswd 247command is really only a link to 248.Nm . 249.Sh HISTORY 250A 251.Nm 252command appeared in 253.At v6 . 254