Annotation of src/usr.bin/passwd/passwd.1, Revision 1.29
1.29 ! millert 1: .\" $OpenBSD: passwd.1,v 1.28 2004/07/13 21:09:48 millert Exp $
1.9 aaron 2: .\"
1.1 deraadt 3: .\" Copyright (c) 1990 The Regents of the University of California.
4: .\" All rights reserved.
5: .\"
6: .\" Redistribution and use in source and binary forms, with or without
7: .\" modification, are permitted provided that the following conditions
8: .\" are met:
9: .\" 1. Redistributions of source code must retain the above copyright
10: .\" notice, this list of conditions and the following disclaimer.
11: .\" 2. Redistributions in binary form must reproduce the above copyright
12: .\" notice, this list of conditions and the following disclaimer in the
13: .\" documentation and/or other materials provided with the distribution.
1.24 millert 14: .\" 3. Neither the name of the University nor the names of its contributors
1.1 deraadt 15: .\" may be used to endorse or promote products derived from this software
16: .\" without specific prior written permission.
17: .\"
18: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28: .\" SUCH DAMAGE.
29: .\"
30: .\" from: @(#)passwd.1 6.11 (Berkeley) 7/24/91
31: .\"
32: .Dd July 24, 1991
33: .Dt PASSWD 1
1.8 aaron 34: .Os
1.1 deraadt 35: .Sh NAME
36: .Nm passwd
37: .Nd modify a user's password
38: .Sh SYNOPSIS
39: .Nm passwd
1.25 jmc 40: .Bk -words
1.1 deraadt 41: .Op Fl l
1.5 art 42: .Op Fl y
1.17 hin 43: .Op Fl K
1.1 deraadt 44: .Op Ar user
1.25 jmc 45: .Ek
1.1 deraadt 46: .Sh DESCRIPTION
1.13 aaron 47: .Nm
1.26 jmc 48: changes the user's local, Kerberos, or YP password.
1.9 aaron 49: First, the user is prompted for their current password.
1.13 aaron 50: If the current password is correctly typed, a new password is requested.
1.1 deraadt 51: The new password must be entered twice to avoid typing errors.
52: .Pp
53: The new password should be at least six characters long and not
54: purely alphabetic.
55: Its total length must be less than
56: .Dv _PASSWORD_LEN
57: (currently 128 characters).
1.13 aaron 58: A mixture of both lower and uppercase letters, numbers, and
59: meta-characters is encouraged.
1.12 provos 60: .Pp
1.18 millert 61: The quality of the password can be enforced by specifying an external
62: checking program via the
63: .Dq passwordcheck
64: variable in
65: .Xr login.conf 5 .
1.9 aaron 66: .Pp
67: The options are as follows:
1.14 aaron 68: .Bl -tag -width Ds
1.1 deraadt 69: .It Fl l
1.13 aaron 70: Causes the password to be updated only in the local password file.
1.9 aaron 71: When changing only the local password,
72: .Xr pwd_mkdb 8
1.1 deraadt 73: is used to update the password databases.
1.6 art 74: .It Fl y
1.7 aaron 75: Forces the YP password database entry to be changed, even if
1.9 aaron 76: the user has an entry in the local database.
77: The
1.6 art 78: .Xr rpc.yppasswdd 8
79: daemon should be running on the YP master server.
1.27 hin 80: .It Fl K
81: Forces the change to affect the Kerberos 5 database, even
1.1 deraadt 82: if the user has a password in the local database.
83: Once the password has been verified,
1.13 aaron 84: .Nm
1.26 jmc 85: communicates the new password information to the Kerberos authenticating host.
1.6 art 86: .El
87: .Pp
1.1 deraadt 88: This is the behavior if no flags are specified:
1.26 jmc 89: if Kerberos is active then
1.13 aaron 90: .Nm
1.26 jmc 91: will talk to the Kerberos server (even if the user has an entry
1.7 aaron 92: in the local database).
1.1 deraadt 93: If the password is not in the local password database, then
94: an attempt is made to use the YP database.
95: .Pp
1.11 aaron 96: The superuser is not required to provide a user's current password
1.1 deraadt 97: if only the local password is modified.
1.4 provos 98: .Pp
99: Which type of cipher is used to encrypt the password information
100: depends on the configuration in
1.18 millert 101: .Xr login.conf 5 .
102: It can be different for local
103: .Po Do localcipher Dc Pc
104: and YP
105: .Po Do ypcipher Dc Pc
106: passwords.
1.28 millert 107: If none is specified, then blowfish with 6 rounds is used for local
108: .Po Do localcipher Dc Pc
109: and old is used for YP
110: .Po Do ypcipher Dc Pc
111: by default.
1.25 jmc 112: .Sh FILES
113: .Bl -tag -width /etc/master.passwd -compact
114: .It /etc/login.conf
115: configuration options
116: .It Pa /etc/master.passwd
117: user database
118: .It Pa /etc/passwd
1.29 ! millert 119: a 6th Edition-style password file
1.25 jmc 120: .It Pa /etc/passwd.XXXXXX
121: temporary copy of the password file
122: .It /etc/ptmp
123: lock file for the passwd database
124: .El
1.13 aaron 125: .Sh DIAGNOSTICS
126: .Bl -diag
1.20 millert 127: .It "Attempting lock password file, please wait or press ^C to abort"
128: .Pp
129: The password file is currently locked by another process;
130: .Nm
131: will keep trying to lock the password file until it succeeds or
1.23 deraadt 132: you hit the interrupt character (control-C by default).
1.20 millert 133: If
134: .Nm
135: is interrupted while trying to gain the lock the password changed will
136: be lost.
137: .Pp
138: If the process holding the lock was prematurely terminated the lock
139: file may be stale and
140: .Nm
141: will wait forever trying to lock the password file.
142: To determine whether a live process is actually holding the lock, the
1.18 millert 143: admin may run the following:
144: .Bd -literal -offset indent
1.22 mpech 145: $ fstat /etc/ptmp
1.18 millert 146: .Ed
147: .Pp
148: If no process is listed, it is safe to remove the
1.13 aaron 149: .Pa /etc/ptmp
1.20 millert 150: file to clear the error.
1.1 deraadt 151: .El
152: .Sh SEE ALSO
153: .Xr chpass 1 ,
154: .Xr kinit 1 ,
155: .Xr login 1 ,
1.18 millert 156: .Xr login.conf 5 ,
1.1 deraadt 157: .Xr passwd 5 ,
158: .Xr pwd_mkdb 8 ,
159: .Xr vipw 8
160: .Rs
1.16 deraadt 161: .%A Robert Morris
162: .%A Ken Thompson
1.1 deraadt 163: .%T "UNIX password security"
164: .Re
165: .Sh HISTORY
166: A
1.13 aaron 167: .Nm
1.1 deraadt 168: command appeared in
1.21 mickey 169: .At v3 .