mirrors/shadow
0
0
Fork 0
mirror of https://github.com/shadow-maint/shadow.git synced 2024-12-02 22:44:03 +08:00
Code Issues Packages Projects Releases Wiki Activity
e7a970a189
shadow/man/chgpasswd.8.xml
Tobias Stoeckmann 11091949be man/: add BCRYPT and YESCRYPT information 
The BCRYPT and YESCRYPT relevant items should be described in
manual pages.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2023-12-27 10:48:48 -06:00

256 lines
8.3 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!--
SPDX-FileCopyrightText: 2006 , Tomasz Kłoczko
SPDX-FileCopyrightText: 2007 - 2011, Nicolas François
SPDX-License-Identifier: BSD-3-Clause
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY BCRYPT_MIN_ROUNDS SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
<!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
<!ENTITY YESCRYPT_COST_FACTOR SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='chgpasswd.8'>
<!-- $Id$ -->
<refentryinfo>
<author>
<firstname>Thomas</firstname>
<surname>Kłoczko</surname>
<email>kloczek@pld.org.pl</email>
<contrib>Creation, 2006</contrib>
</author>
<author>
<firstname>Nicolas</firstname>
<surname>François</surname>
<email>nicolas.francois@centraliens.net</email>
<contrib>shadow-utils maintainer, 2007 - now</contrib>
</author>
</refentryinfo>
<refmeta>
<refentrytitle>chgpasswd</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">System Management Commands</refmiscinfo>
<refmiscinfo class="source">shadow-utils</refmiscinfo>
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>chgpasswd</refname>
<refpurpose>update group passwords in batch mode</refpurpose>
</refnamediv>
<refsynopsisdiv id='synopsis'>
<cmdsynopsis>
<command>chgpasswd</command>
<arg choice='opt'>
<replaceable>options</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
The <command>chgpasswd</command> command reads a list of group name
and password pairs from standard input and uses this information to
update a set of existing groups. Each line is of the format:
</para>
<para>
<emphasis remap='I'>group_name</emphasis>:<emphasis
remap='I'>password</emphasis>
</para>
<para>
By default the supplied password must be in clear-text, and is
encrypted by <command>chgpasswd</command>.
</para>
<para>
The default encryption algorithm can be defined for the system with
the <option>ENCRYPT_METHOD</option> variable of <filename>/etc/login.defs</filename>,
and can be overwritten with the <option>-e</option>,
<option>-m</option>, or <option>-c</option> options.
</para>
<para>
This command is intended to be used in a large system environment
where many accounts are created at a single time.
</para>
</refsect1>
<refsect1 id='options'>
<title>OPTIONS</title>
<para>
The options which apply to the <command>chgpasswd</command> command
are:
</para>
<variablelist remap='IP'>
<varlistentry>
<term><option>-c</option>, <option>--crypt-method</option></term>
<listitem>
<para>Use the specified method to encrypt the passwords.</para>
<para>
The available methods are <phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable>,</phrase>
<replaceable>DES</replaceable>,
<replaceable>MD5</replaceable><phrase condition="sha_crypt">,
<replaceable>SHA256</replaceable>,
<replaceable>SHA512</replaceable></phrase><phrase condition="yescrypt">,
<replaceable>YESCRYPT</replaceable></phrase> and
<replaceable>NONE</replaceable>
if your libc supports these methods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-e</option>, <option>--encrypted</option></term>
<listitem>
<para>Supplied passwords are in encrypted form.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-h</option>, <option>--help</option></term>
<listitem>
<para>Display help message and exit.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-m</option>, <option>--md5</option></term>
<listitem>
<para>
Use MD5 encryption instead of DES when the supplied passwords are
not encrypted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-R</option>, <option>--root</option>&nbsp;<replaceable>CHROOT_DIR</replaceable>
</term>
<listitem>
<para>
Apply changes in the <replaceable>CHROOT_DIR</replaceable>
directory and use the configuration files from the
<replaceable>CHROOT_DIR</replaceable> directory.
Only absolute paths are supported.
</para>
</listitem>
</varlistentry>
<varlistentry condition="bcrypt;sha_crypt;yescrypt">
<term><option>-s</option>, <option>--sha-rounds</option></term>
<listitem>
<para>
Use the specified number of rounds to encrypt the passwords.
</para>
<para>
You can only use this option with crypt method:
<phrase condition="bcrypt">
<replaceable>BCRYPT</replaceable></phrase>
<phrase condition="sha_crypt">
<replaceable>SHA256</replaceable>
<replaceable>SHA512</replaceable></phrase>
<phrase condition="yescrypt">
<replaceable>YESCRYPT</replaceable></phrase>
</para>
<para condition="bcrypt">
By default, the number of rounds for BCRYPT is defined by the
BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS variables in
<filename>/etc/login.defs</filename>.
</para>
<para condition="bcrypt">
A minimal value of 4 and a maximal value of 31
will be enforced for BCRYPT. The default number of rounds is 13.
</para>
<para condition="sha_crypt">
By default, the number of rounds for SHA256 or SHA512 is defined by
the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
<filename>/etc/login.defs</filename>.
</para>
<para condition="sha_crypt">
A minimal value of 1000 and a maximal value of 999,999,999
will be enforced for SHA256 and SHA512. The default number of rounds
is 5000.
</para>
<para condition="yescrypt">
By default, the number of rounds for YESCRYPT is defined by the
YESCRYPT_COST_FACTOR in <filename>/etc/login.defs</filename>.
</para>
<para condition="yescrypt">
A minimal value of 1 and a maximal value of 11
will be enforced for YESCRYPT. The default number of rounds is 5.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='caveats'>
<title>CAVEATS</title>
<para>
Remember to set permissions or umask to prevent readability of
unencrypted files by other users.
</para>
<para>
You should make sure the passwords and the encryption method respect
the system's password policy.
</para>
</refsect1>
<refsect1 id='configuration'>
<title>CONFIGURATION</title>
<para>
The following configuration variables in
<filename>/etc/login.defs</filename> change the behavior of this
tool:
</para>
<variablelist>
&BCRYPT_MIN_ROUNDS; <!--This also document BCRYPT_MAX_ROUNDS-->
&ENCRYPT_METHOD;
&MAX_MEMBERS_PER_GROUP;
&MD5_CRYPT_ENAB;
&SHA_CRYPT_MIN_ROUNDS; <!--This also document SHA_CRYPT_MAX_ROUNDS-->
&YESCRYPT_COST_FACTOR;
</variablelist>
</refsect1>
<refsect1 id='files'>
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/etc/group</filename></term>
<listitem>
<para>Group account information.</para>
</listitem>
</varlistentry>
<varlistentry condition="gshadow">
<term><filename>/etc/gshadow</filename></term>
<listitem>
<para>Secure group account information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>/etc/login.defs</filename></term>
<listitem>
<para>Shadow password suite configuration.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>gpasswd</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>groupadd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>
Reference in New Issue View Git Blame Copy Permalink