Annotation of src/usr.bin/passwd/passwd.1, Revision 1.24
1.24 ! millert 1: .\" $OpenBSD: passwd.1,v 1.23 2003/01/06 08:50:11 deraadt Exp $
1.9 aaron 2: .\"
1.1 deraadt 3: .\" Copyright (c) 1990 The Regents of the University of California.
4: .\" All rights reserved.
5: .\"
6: .\" Redistribution and use in source and binary forms, with or without
7: .\" modification, are permitted provided that the following conditions
8: .\" are met:
9: .\" 1. Redistributions of source code must retain the above copyright
10: .\" notice, this list of conditions and the following disclaimer.
11: .\" 2. Redistributions in binary form must reproduce the above copyright
12: .\" notice, this list of conditions and the following disclaimer in the
13: .\" documentation and/or other materials provided with the distribution.
1.24 ! millert 14: .\" 3. Neither the name of the University nor the names of its contributors
1.1 deraadt 15: .\" may be used to endorse or promote products derived from this software
16: .\" without specific prior written permission.
17: .\"
18: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28: .\" SUCH DAMAGE.
29: .\"
30: .\" from: @(#)passwd.1 6.11 (Berkeley) 7/24/91
31: .\"
32: .Dd July 24, 1991
33: .Dt PASSWD 1
1.8 aaron 34: .Os
1.1 deraadt 35: .Sh NAME
36: .Nm passwd
37: .Nd modify a user's password
38: .Sh SYNOPSIS
39: .Nm passwd
40: .Op Fl l
1.5 art 41: .Op Fl y
1.1 deraadt 42: .Op Fl k
1.17 hin 43: .Op Fl K
1.5 art 44: .Op Fl n Ar name
45: .Op Fl i Ar instance
46: .Op Fl r Ar realm
47: .Op Fl u Ar username[.instance][@realm]
1.1 deraadt 48: .Op Ar user
1.5 art 49: .\" This should really be: passwd [-l] [-y] [-k [-n name] [-i instance] [-r realm] [-u username[.instance][@realm]]] [user]
1.1 deraadt 50: .Sh DESCRIPTION
1.13 aaron 51: .Nm
1.17 hin 52: changes the user's local, KerberosIV, KerberosV, or YP password.
1.9 aaron 53: First, the user is prompted for their current password.
1.13 aaron 54: If the current password is correctly typed, a new password is requested.
1.1 deraadt 55: The new password must be entered twice to avoid typing errors.
56: .Pp
57: The new password should be at least six characters long and not
58: purely alphabetic.
59: Its total length must be less than
60: .Dv _PASSWORD_LEN
61: (currently 128 characters).
1.13 aaron 62: A mixture of both lower and uppercase letters, numbers, and
63: meta-characters is encouraged.
1.12 provos 64: .Pp
1.18 millert 65: The quality of the password can be enforced by specifying an external
66: checking program via the
67: .Dq passwordcheck
68: variable in
69: .Xr login.conf 5 .
1.9 aaron 70: .Pp
71: The options are as follows:
1.14 aaron 72: .Bl -tag -width Ds
1.1 deraadt 73: .It Fl l
1.13 aaron 74: Causes the password to be updated only in the local password file.
1.9 aaron 75: When changing only the local password,
76: .Xr pwd_mkdb 8
1.1 deraadt 77: is used to update the password databases.
1.6 art 78: .It Fl y
1.7 aaron 79: Forces the YP password database entry to be changed, even if
1.9 aaron 80: the user has an entry in the local database.
81: The
1.6 art 82: .Xr rpc.yppasswdd 8
83: daemon should be running on the YP master server.
1.1 deraadt 84: .It Fl k
1.17 hin 85: Forces the change to affect the KerberosIV database, even
1.1 deraadt 86: if the user has a password in the local database.
87: Once the password has been verified,
1.13 aaron 88: .Nm
1.17 hin 89: communicates the new password information to the KerberosIV authenticating host.
1.6 art 90: .El
91: .Pp
1.8 aaron 92: The following flags are only used when the
1.6 art 93: .Fl k
1.7 aaron 94: flag is specified:
1.6 art 95: .Bl -tag -width flag
1.7 aaron 96: .It Fl n Ar name
1.8 aaron 97: Specifies a
1.7 aaron 98: .Ar name
1.9 aaron 99: that will be used as the principal name rather than the username
1.6 art 100: of the user running
1.7 aaron 101: .Nm passwd .
1.9 aaron 102: (This is determined from the ticket file if it exists; otherwise,
1.7 aaron 103: it is determined from the Unix user ID.)
104: .It Fl i Ar instance
1.8 aaron 105: Specifies an
106: .Ar instance
1.6 art 107: to use rather than a null instance.
1.7 aaron 108: .It Fl r Ar realm
109: Specifies a
110: .Ar realm
1.6 art 111: instead of the local realm.
1.7 aaron 112: .It Fl u Ar username[.instance][@realm]
1.17 hin 113: Specifies a fully qualified KerberosIV principal.
114: .It Fl K Ar principal@REALM
115: Changes a users KerberosV password.
1.1 deraadt 116: .El
117: .Pp
118: This is the behavior if no flags are specified:
1.17 hin 119: if KerberosIV is active then
1.13 aaron 120: .Nm
1.17 hin 121: will talk to the KerberosIV server (even if the user has an entry
1.7 aaron 122: in the local database).
1.1 deraadt 123: If the password is not in the local password database, then
124: an attempt is made to use the YP database.
125: .Pp
1.17 hin 126: To change another user's KerberosIV password, one must first run
1.1 deraadt 127: .Xr kinit 1
128: followed by
129: .Xr passwd 1 .
1.11 aaron 130: The superuser is not required to provide a user's current password
1.1 deraadt 131: if only the local password is modified.
1.4 provos 132: .Pp
133: Which type of cipher is used to encrypt the password information
134: depends on the configuration in
1.18 millert 135: .Xr login.conf 5 .
136: It can be different for local
137: .Po Do localcipher Dc Pc
138: and YP
139: .Po Do ypcipher Dc Pc
140: passwords.
1.13 aaron 141: .Sh DIAGNOSTICS
142: .Bl -diag
1.20 millert 143: .It "Attempting lock password file, please wait or press ^C to abort"
144: .Pp
145: The password file is currently locked by another process;
146: .Nm
147: will keep trying to lock the password file until it succeeds or
1.23 deraadt 148: you hit the interrupt character (control-C by default).
1.20 millert 149: If
150: .Nm
151: is interrupted while trying to gain the lock the password changed will
152: be lost.
153: .Pp
154: If the process holding the lock was prematurely terminated the lock
155: file may be stale and
156: .Nm
157: will wait forever trying to lock the password file.
158: To determine whether a live process is actually holding the lock, the
1.18 millert 159: admin may run the following:
160: .Bd -literal -offset indent
1.22 mpech 161: $ fstat /etc/ptmp
1.18 millert 162: .Ed
163: .Pp
164: If no process is listed, it is safe to remove the
1.13 aaron 165: .Pa /etc/ptmp
1.20 millert 166: file to clear the error.
1.19 mpech 167: .El
1.1 deraadt 168: .Sh FILES
169: .Bl -tag -width /etc/master.passwd -compact
1.18 millert 170: .It /etc/login.conf
171: configuration options
1.1 deraadt 172: .It Pa /etc/master.passwd
1.7 aaron 173: user database
1.8 aaron 174: .It Pa /etc/passwd
1.7 aaron 175: a Version 7 format password file
1.1 deraadt 176: .It Pa /etc/passwd.XXXXXX
1.7 aaron 177: temporary copy of the password file
1.13 aaron 178: .It /etc/ptmp
179: lock file for the passwd database
1.1 deraadt 180: .El
181: .Sh SEE ALSO
182: .Xr chpass 1 ,
183: .Xr kerberos 1 ,
184: .Xr kinit 1 ,
185: .Xr login 1 ,
1.18 millert 186: .Xr login.conf 5 ,
1.1 deraadt 187: .Xr passwd 5 ,
188: .Xr pwd_mkdb 8 ,
189: .Xr vipw 8
190: .Rs
1.16 deraadt 191: .%A Robert Morris
192: .%A Ken Thompson
1.1 deraadt 193: .%T "UNIX password security"
194: .Re
195: .Sh HISTORY
196: A
1.13 aaron 197: .Nm
1.1 deraadt 198: command appeared in
1.21 mickey 199: .At v3 .