mirror of
https://github.com/shadow-maint/shadow.git
synced 2024-11-24 02:24:32 +08:00
328 lines
13 KiB
XML
328 lines
13 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
<refentry id='passwd.1'>
|
|
<!-- $Id: passwd.1.xml,v 1.11 2005/06/20 08:47:36 kloczek Exp $ -->
|
|
<refmeta>
|
|
<refentrytitle>passwd</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
<refmiscinfo class="sectdesc">User Commands</refmiscinfo>
|
|
</refmeta>
|
|
<refnamediv id='name'>
|
|
<refname>passwd</refname>
|
|
<refpurpose>change user password</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv id='synopsis'>
|
|
<cmdsynopsis>
|
|
<command>passwd</command>
|
|
<group choice='opt'>
|
|
<arg choice='plain'>-f </arg><arg choice='plain'>-s </arg>
|
|
</group>
|
|
<arg choice='opt'>
|
|
<replaceable>name</replaceable>
|
|
</arg>
|
|
</cmdsynopsis>
|
|
<cmdsynopsis>
|
|
<command>passwd</command>
|
|
<arg choice='opt'>-g </arg>
|
|
<group choice='opt'>
|
|
<arg choice='plain'>-r </arg>
|
|
<arg choice='plain'>-R </arg>
|
|
</group>
|
|
<arg choice='plain'>
|
|
<replaceable>group</replaceable>
|
|
</arg>
|
|
</cmdsynopsis>
|
|
<cmdsynopsis>
|
|
<command>passwd</command>
|
|
<arg choice='opt'>-x <replaceable>max</replaceable></arg>
|
|
<arg choice='opt'>-n <replaceable>min</replaceable></arg>
|
|
<arg choice='opt'>-w <replaceable>warn</replaceable></arg>
|
|
<arg choice='opt'>-i <replaceable>inact</replaceable></arg>
|
|
<arg choice='plain'><replaceable>login</replaceable>
|
|
</arg>
|
|
</cmdsynopsis>
|
|
<cmdsynopsis>
|
|
<command>passwd</command>
|
|
<group choice='opt'>
|
|
<arg choice='plain'>-l </arg>
|
|
<arg choice='plain'>-u </arg>
|
|
<arg choice='plain'>-d </arg>
|
|
<arg choice='plain'>-S </arg>
|
|
<arg choice='plain'>-e </arg>
|
|
</group>
|
|
<arg choice='plain'><replaceable>login</replaceable></arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1 id='description'>
|
|
<title>DESCRIPTION</title>
|
|
<para><command>passwd</command> changes passwords for user and group
|
|
accounts. A normal user may only change the password for his/her own
|
|
account, the super user may change the password for any account. The
|
|
administrator of a group may change the password for the group.
|
|
<command>passwd</command> also changes account information, such as
|
|
the full name of the user, user's login shell, or password expiry date
|
|
and interval.
|
|
</para>
|
|
|
|
<para>
|
|
The <option>-s</option> option makes <command>passwd</command> call
|
|
<command>chsh</command> to change the user's shell. The
|
|
<option>-f</option> option makes <command>passwd</command> call
|
|
<command>chfn</command> to change the user's gecos information. These
|
|
two options are only meant for compatibility, since the other programs
|
|
can be called directly.
|
|
</para>
|
|
|
|
<refsect2 id='password_changes'>
|
|
<title>Password Changes</title>
|
|
<para>The user is first prompted for his/her old password, if one is
|
|
present. This password is then encrypted and compared against the
|
|
stored password. The user has only one chance to enter the correct
|
|
password. The super user is permitted to bypass this step so that
|
|
forgotten passwords may be changed.
|
|
</para>
|
|
|
|
<para>After the password has been entered, password aging information
|
|
is checked to see if the user is permitted to change the password at
|
|
this time. If not, <command>passwd</command> refuses to change the
|
|
password and exits.
|
|
</para>
|
|
|
|
<para>The user is then prompted for a replacement password. This
|
|
password is tested for complexity. As a general guideline, passwords
|
|
should consist of 6 to 8 characters including one or more from each
|
|
of following sets:
|
|
</para>
|
|
|
|
<itemizedlist mark='bullet'>
|
|
<listitem>
|
|
<para>lower case alphabetics</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>digits 0 thru 9</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>punctuation marks</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Care must be taken not to include the system default erase or
|
|
kill characters. <command>passwd</command> will reject any password
|
|
which is not suitably complex.
|
|
</para>
|
|
|
|
<para>If the password is accepted, <command>passwd</command> will
|
|
prompt again and compare the second entry against the first. Both
|
|
entries are required to match in order for the password to be
|
|
changed.
|
|
</para>
|
|
</refsect2>
|
|
|
|
<refsect2 id='group_passwords'>
|
|
<title>Group passwords</title>
|
|
<para>
|
|
When the <option>-g</option> option is used, the password for the
|
|
named group is changed. The user must either be the super user, or a
|
|
group administrator for the named group. The current group password
|
|
is not prompted for. The <option>-r</option> option is used with the
|
|
<option>-g</option> option to remove the current password from the
|
|
named group. This allows group access to all members. The
|
|
<option>-R</option> option is used with the <option>-g</option>
|
|
option to restrict the named group for all users.
|
|
</para>
|
|
</refsect2>
|
|
|
|
<refsect2 id='password_expiry_information'>
|
|
<title>Password expiry information</title>
|
|
<para>The password aging information may be changed by the super user
|
|
with the <option>-x</option>, <option>-n</option>,
|
|
<option>-w</option>, and <option>-i</option> options. The
|
|
<option>-x</option> option is used to set the maximum number of days
|
|
a password remains valid. After <emphasis remap='I'>max</emphasis>
|
|
days, the password is required to be changed. The
|
|
<option>-n</option> option is used to set the minimum number of days
|
|
before a password may be changed. The user will not be permitted to
|
|
change the password until <emphasis remap='I'>min</emphasis> days
|
|
have elapsed. The <option>-w</option> option is used to set the
|
|
number of days of warning the user will receive before his/her
|
|
password will expire. The warning occurs <emphasis
|
|
remap='I'>warn</emphasis> days before the expiration, telling the
|
|
user how many days remain until the password is set to expire. The
|
|
<option>-i</option> option is used to disable an account after the
|
|
password has been expired for a number of days. After a user account
|
|
has had an expired password for <emphasis remap='I'>inact</emphasis>
|
|
days, the user may no longer sign on to the account.
|
|
</para>
|
|
|
|
<para>If you wish to immediately expire an account's password, you can
|
|
use the <option>-e</option> option. This in effect can force a user
|
|
to change his/her password at the user's next login. You can also
|
|
use the <option>-d</option> option to delete a user's password (make
|
|
it empty). Use caution with this option since it can make an account
|
|
not require a password at all to login, leaving your system open to
|
|
intruders.
|
|
</para>
|
|
</refsect2>
|
|
|
|
<refsect2 id='account_maintenance'>
|
|
<title>Account maintenance</title>
|
|
<para> User accounts may be locked and unlocked with the
|
|
<option>-l</option> and <option>-u</option> flags. The
|
|
<option>-l</option> option disables an account by changing the
|
|
password to a value which matches no possible encrypted value. The
|
|
<option>-u</option> option re-enables an account by changing the
|
|
password back to its previous value.
|
|
</para>
|
|
|
|
<para>The account status may be viewed with the <option>-S</option>
|
|
option. The status information consists of 7 fields. The first
|
|
field is the user's login name. The second field indicates if the
|
|
user account is locked (L), has no password (NP), or has a usable
|
|
password (P). The third field gives the date of the last password
|
|
change. The next four fields are the minimum age, maximum age,
|
|
warning period, and inactivity period for the password. These ages
|
|
are expressed in days. See <emphasis remap='B'>Password expiry
|
|
information</emphasis> above for a discussion of these fields.
|
|
</para>
|
|
</refsect2>
|
|
|
|
<refsect2 id='hints_for_user_passwords'>
|
|
<title>Hints for user passwords</title>
|
|
<para>The security of a password depends upon the strength of the
|
|
encryption algorithm and the size of the key space. The <emphasis
|
|
remap='B'>\s-2UNIX</emphasis> System encryption method is based on
|
|
the NBS DES algorithm and is very secure. The size of the key space
|
|
depends upon the randomness of the password which is selected.
|
|
</para>
|
|
|
|
<para>Compromises in password security normally result from careless
|
|
password selection or handling. For this reason, you should not
|
|
select a password which appears in a dictionary or which must be
|
|
written down. The password should also not be a proper name, your
|
|
license number, birth date, or street address. Any of these may be
|
|
used as guesses to violate system security.
|
|
</para>
|
|
|
|
<para>Your password must easily remembered so that you will not be
|
|
forced to write it on a piece of paper. This can be accomplished by
|
|
appending two small words together and separating each with a
|
|
special character or digit. For example, Pass%word.
|
|
</para>
|
|
|
|
<para>Other methods of construction involve selecting an easily
|
|
remembered phrase from literature and selecting the first or last
|
|
letter from each word. An example of this is:
|
|
</para>
|
|
|
|
<itemizedlist mark='bullet'>
|
|
<listitem>
|
|
<para>Ask not for whom the bell tolls</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>which produces</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>An4wtbt</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You may be reasonably sure few crackers will have included this
|
|
in their dictionaries. You should, however, select your own methods
|
|
for constructing passwords and not rely exclusively on the methods
|
|
given here.
|
|
</para>
|
|
</refsect2>
|
|
|
|
<refsect2 id='notes_about_group_passwords'>
|
|
<title>Notes about group passwords</title>
|
|
<para>Group passwords are an inherent security problem since more than
|
|
one person is permitted to know the password. However, groups are a
|
|
useful tool for permitting co-operation between different users.
|
|
</para>
|
|
</refsect2>
|
|
</refsect1>
|
|
|
|
<refsect1 id='caveats'>
|
|
<title>CAVEATS</title>
|
|
<para>Not all options may be supported. Password complexity checking
|
|
may vary from site to site. The user is urged to select a password as
|
|
complex as he feels comfortable with. Users may not be able to change
|
|
their password on a system if NIS is enabled and they are not logged
|
|
into the NIS server.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='files'>
|
|
<title>FILES</title>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><filename>/etc/passwd</filename></term>
|
|
<listitem>user account information</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><filename>/etc/shadow</filename></term>
|
|
<listitem>secure user account information</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1 id='exit_values'>
|
|
<title>EXIT VALUES</title>
|
|
<para>
|
|
The <command>passwd</command> command exits with the following values:
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><replaceable>0</replaceable></term>
|
|
<listitem>success</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><replaceable>1</replaceable></term>
|
|
<listitem>permission denied</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><replaceable>2</replaceable></term>
|
|
<listitem>invalid combination of options</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><replaceable>3</replaceable></term>
|
|
<listitem>unexpected failure, nothing done</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><replaceable>4</replaceable></term>
|
|
<listitem>unexpected failure, passwd file missing</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><replaceable>5</replaceable></term>
|
|
<listitem>passwd file busy, try again</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><replaceable>6</replaceable></term>
|
|
<listitem>invalid argument to option</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='see_also'>
|
|
<title>SEE ALSO</title>
|
|
<para><citerefentry>
|
|
<refentrytitle>group</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='author'>
|
|
<title>AUTHOR</title>
|
|
<para>Julianne Frances Haugh <jockgrrl@ix.netcom.com></para>
|
|
</refsect1>
|
|
</refentry>
|