xref: /freebsd/usr.bin/passwd/passwd.1 (revision 0957b409)
.\" Copyright (c) 1990, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)passwd.1	8.1 (Berkeley) 6/6/93
.\" $FreeBSD$
.\"
.Dd February 14, 2014
.Dt PASSWD 1
.Os
.Sh NAME
.Nm passwd , yppasswd
.Nd modify a user's password
.Sh SYNOPSIS
.Nm
.Op Fl l
.Op Ar user
.Nm yppasswd
.Op Fl l
.Op Fl y
.Op Fl d Ar domain
.Op Fl h Ar host
.Op Fl o
.Sh DESCRIPTION
The
.Nm
utility changes the user's local, Kerberos, or NIS password.
If the user is not the super-user,
.Nm
first prompts for the current password and will not continue unless the correct
password is entered.
.Pp
When entering the new password, the characters entered do not echo, in order to
avoid the password being seen by a passer-by.
The
.Nm
utility prompts for the new password twice in order to detect typing errors.
.Pp
The total length of the password must be less than
.Dv _PASSWORD_LEN
(currently 128 characters).
.Pp
Once the password has been verified,
.Nm
communicates the new password information to
the Kerberos authenticating host.
.Pp
The following option is available:
.Bl -tag -width indent
.It Fl l
Cause the password to be updated only in the local
password file, and not with the Kerberos database.
When changing only the local password,
.Xr pwd_mkdb 8
is used to update the password databases.
.El
.Pp
When changing a local or NIS password, the next password change date
is set according to the
.Dq passwordtime
capability in the user's login class.
.Pp
To change another user's Kerberos password, one must first
run
.Xr kinit 1
followed by
.Nm .
The super-user is not required to provide a user's current password
if only the local password is modified.
.Sh NIS INTERACTION
The
.Nm
utility has built-in support for NIS.
If a user exists in the NIS password
database but does not exist locally,
.Nm
automatically switches into
.Nm yppasswd
mode.
If the specified
user does not exist in either the local password database or the
NIS password maps,
.Nm
returns an error.
.Pp
When changing an NIS password, unprivileged users are required to provide
their old password for authentication (the
.Xr rpc.yppasswdd 8
daemon requires the original password before
it will allow any changes to the NIS password maps).
This restriction applies even to the
super-user, with one important exception: the password authentication is
bypassed for the super-user on the NIS master server.
This means that
the super-user on the NIS master server can make unrestricted changes to
anyone's NIS password.
The super-user on NIS client systems and NIS slave
servers still needs to provide a password before the update will be processed.
.Pp
The following additional options are supported for use with NIS:
.Bl -tag -width indent
.It Fl y
Override
.Nm Ns 's
checking heuristics and force
it into NIS mode.
.It Fl l
When NIS is enabled, the
.Fl l
flag can be used to force
.Nm
into
.Dq local only
mode.
This flag can be used to change the entry
for a local user when an NIS user exists with the same login name.
For example, you will sometimes find entries for system
.Dq placeholder
users such as
.Pa bin
or
.Pa daemon
in both the NIS password maps and the local user database.
By
default,
.Nm
will try to change the NIS password.
The
.Fl l
flag can be used to change the local password instead.
.It Fl d Ar domain
Specify what domain to use when changing an NIS password.
By default,
.Nm
assumes that the system default domain should be used.
This flag is
primarily for use by the super-user on the NIS master server: a single
NIS server can support multiple domains.
It is also possible that the
domainname on the NIS master may not be set (it is not necessary for
an NIS server to also be a client), in which case the
.Nm
command needs to be told what domain to operate on.
.It Fl h Ar host
Specify the name of an NIS server.
This option, in conjunction
with the
.Fl d
option, can be used to change an NIS password on a non-local NIS
server.
When a domain is specified with the
.Fl d
option and
.Nm
is unable to determine the name of the NIS master server (possibly because
the local domainname is not set), the name of the NIS master is assumed to
be
.Dq localhost .
This can be overridden with the
.Fl h
flag.
The specified hostname need not be the name of an NIS master: the
name of the NIS master for a given map can be determined by querying any
NIS server (master or slave) in a domain, so specifying the name of a
slave server will work equally well.
.It Fl o
Do not automatically override the password authentication checks for the
super-user on the NIS master server; assume
.Dq old
mode instead.
This
flag is of limited practical use but is useful for testing.
.El
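The login-name collision described under the -l option can be audited before passwords are changed. The following is an added example, not part of the original manual page: the function names shadowed_logins and demo_collisions are hypothetical, the sample entries are constructed, and the live-use comment assumes ypcat(1) is available on a bound NIS client.

```shell
#!/bin/sh
# Added example, not part of passwd(1): list login names present both in a
# local passwd(5) file and in a dump of the NIS passwd map. For such names
# passwd changes the NIS password by default; -l selects the local entry.

# shadowed_logins LOCAL_FILE NIS_FILE (hypothetical helper name)
# Prints the colliding login names, sorted, one per line.
shadowed_logins() {
    awk -F: '
        /^[#+-]/ || NF < 2 { next }   # comments, +/- NIS compat lines, junk
        FILENAME == ARGV[1] { local_names[$1] = 1; next }
        ($1 in local_names) && !seen[$1]++ { print $1 }
    ' "$1" "$2" | sort
}

# demo_collisions: run the check on constructed sample entries (no NIS needed).
demo_collisions() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/local" <<'EOF'
# constructed local entries
root:*:0:0:Charlie Root:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
+:::::::::
EOF
    cat > "$tmp/nis" <<'EOF'
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
bob:*:2001:2001:Bob:/home/bob:/bin/sh
EOF
    shadowed_logins "$tmp/local" "$tmp/nis"
    rm -rf "$tmp"
}

# On a live NIS client (assumes ypcat(1) is available and the domain is bound):
#   nis=$(mktemp) && ypcat passwd > "$nis" && shadowed_logins /etc/passwd "$nis"
demo_collisions
```

Every name it prints is an account for which the -l flag decides whether the local or the NIS entry is changed.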
.Sh FILES
.Bl -tag -width /etc/master.passwd -compact
.It Pa /etc/master.passwd
the user database
.It Pa /etc/passwd
a Version 7 format password file
.It Pa /etc/passwd.XXXXXX
temporary copy of the password file
.It Pa /etc/login.conf
login class capabilities database
.El
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr kinit 1 ,
.Xr login 1 ,
.Xr login.conf 5 ,
.Xr passwd 5 ,
.Xr kerberos 8 ,
.Xr kpasswdd 8 ,
.Xr pam_passwdqc 8 ,
.Xr pw 8 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8
.Rs
.%A Robert Morris
.%A Ken Thompson
.%T "UNIX password security"
.Re
.Sh NOTES
The
.Nm yppasswd
command is really only a link to
.Nm .
.Sh HISTORY
A
.Nm
command appeared in
.At v6 .