2007-10-07 17:14:59 +05:30
|
|
|
.\"$Id: passwd.1,v 1.10 2001/12/22 05:40:01 kloczek Exp $
|
2007-10-07 17:14:44 +05:30
|
|
|
.\" Copyright 1989 - 1994, Julianne Frances Haugh
|
|
|
|
.\" All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 3. Neither the name of Julianne F. Haugh nor the names of its contributors
|
|
|
|
.\" may be used to endorse or promote products derived from this software
|
|
|
|
.\" without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.TH PASSWD 1
|
|
|
|
.SH NAME
|
|
|
|
passwd \- change user password
|
|
|
|
.SH SYNOPSIS
|
|
|
|
\fBpasswd\fR [\fB-f\fR|\fB-s\fR] [\fIname\fR]
|
|
|
|
.br
|
2007-10-07 17:14:59 +05:30
|
|
|
\fBpasswd\fR [\fB-g\fR] [\fB-r\fR|\fB-R\fR] \fIgroup\fR
|
2007-10-07 17:14:44 +05:30
|
|
|
.br
|
|
|
|
\fBpasswd\fR [\fB-x\fR \fImax\fR] [\fB-n\fR \fImin\fR]
|
2007-10-07 17:14:51 +05:30
|
|
|
[\fB-w\fR \fIwarn\fR] [\fB-i\fR \fIinact\fR] \fIlogin\fR
|
2007-10-07 17:14:44 +05:30
|
|
|
.br
|
2007-10-07 17:14:51 +05:30
|
|
|
\fBpasswd\fR {\fB-l\fR|\fB-u\fR|\fB-d\fR|\fB-S\fR|\fB-e\fR} \fIlogin\fR
|
2007-10-07 17:14:44 +05:30
|
|
|
.SH DESCRIPTION
|
|
|
|
\fBpasswd\fR changes passwords for user and group accounts.
|
|
|
|
A normal user may only change the password for their own account,
|
|
|
|
the super user may change the password for any account.
|
|
|
|
The administrator of a group may change the password for the group.
|
|
|
|
\fBpasswd\fR also changes account information, such as the full name
|
|
|
|
of the user, their login shell, or password expiry dates and intervals.
|
|
|
|
.SS Password Changes
|
|
|
|
The user is first prompted for their old password,
|
|
|
|
if one is present.
|
|
|
|
This password is then encrypted and compared against the
|
|
|
|
stored password.
|
|
|
|
The user has only one chance to enter the correct password.
|
|
|
|
The super user is permitted to bypass this step so that forgotten
|
|
|
|
passwords may be changed.
|
|
|
|
.PP
|
|
|
|
After the password has been entered, password aging information
|
|
|
|
is checked to see if the user is permitted to change their password
|
|
|
|
at this time.
|
|
|
|
If not, \fBpasswd\fR refuses to change the password and exits.
|
|
|
|
.PP
|
|
|
|
The user is then prompted for a replacement password.
|
|
|
|
This password is tested for complexity.
|
|
|
|
As a general guideline,
|
|
|
|
passwords should consist of 6 to 8 characters including
|
|
|
|
one or more from each of following sets:
|
|
|
|
.IP "" .5i
|
|
|
|
Lower case alphabetics
|
|
|
|
.IP "" .5i
|
|
|
|
Upper case alphabetics
|
|
|
|
.IP "" .5i
|
|
|
|
Digits 0 thru 9
|
|
|
|
.IP "" .5i
|
|
|
|
Punctuation marks
|
|
|
|
.PP
|
|
|
|
Care must be taken not to include the system default erase
|
|
|
|
or kill characters.
|
|
|
|
\fBpasswd\fR will reject any password which is not suitably
|
|
|
|
complex.
|
|
|
|
.PP
|
|
|
|
If the password is accepted,
|
|
|
|
\fBpasswd\fR will prompt again and compare the second entry
|
|
|
|
against the first.
|
|
|
|
Both entries are require to match in order for the password
|
|
|
|
to be changed.
|
|
|
|
.SS Group passwords
|
|
|
|
When the \fB-g\fR option is used, the password for the named
|
|
|
|
group is changed.
|
|
|
|
The user must either be the super user, or a group administrator
|
|
|
|
for the named group.
|
|
|
|
The current group password is not prompted for.
|
|
|
|
The \fB-r\fR option is used with the \fB-g\fR option to remove
|
|
|
|
the current password from the named group.
|
|
|
|
This allows group access to all members.
|
|
|
|
The \fB-R\fR option is used with the \fB-g\fR option to restrict
|
|
|
|
the named group for all users.
|
|
|
|
.SS Password expiry information
|
|
|
|
The password aging information may be changed by the super
|
|
|
|
user with the \fB-x\fR, \fB-n\fR, \fB-w\fR, and \fB-i\fR options.
|
|
|
|
The \fB-x\fR option is used to set the maximum number of days
|
|
|
|
a password remains valid.
|
|
|
|
After \fImax\fR days, the password is required to be changed.
|
|
|
|
The \fB-n\fR option is used to set the minimum number of days
|
|
|
|
before a password may be changed.
|
|
|
|
The user will not be permitted to change the password until
|
|
|
|
\fImin\fR days have elapsed.
|
|
|
|
The \fB-w\fR option is used to set the number of days of warning
|
|
|
|
the user will receive before their password will expire.
|
|
|
|
The warning occurs \fIwarn\fR days before the expiration, telling
|
|
|
|
the user how many days until the password is set to expire.
|
|
|
|
The \fB-i\fR option is used to disable an account after the
|
|
|
|
password has been expired for a number of days.
|
|
|
|
After a user account has had an expired password for \fIinact\fR
|
|
|
|
days, the user may no longer sign on to the account.
|
|
|
|
.SS Account maintenance
|
|
|
|
User accounts may be locked and unlocked with the \fB-l\fR and
|
|
|
|
\fB-u\fR flags.
|
|
|
|
The \fB-l\fR option disables an account by changing the password to a
|
|
|
|
value which matches no possible encrypted value.
|
|
|
|
The \fB-u\fR option re-enables an account by changing the password
|
|
|
|
back to its previous value.
|
|
|
|
.PP
|
2007-10-07 17:14:51 +05:30
|
|
|
If you wish to immediately expire an accounts password, you can use the
|
|
|
|
\fB-e\fR option. This in affect can force a user to change their password at
|
|
|
|
their next login. You can also use the \fB-d\fR option to delete a users
|
|
|
|
password (make it empty). Use caution with this option since it can make an
|
|
|
|
account not require a password at all to login, leaving your system open to
|
|
|
|
intruders.
|
|
|
|
.PP
|
2007-10-07 17:14:44 +05:30
|
|
|
The account status may be given with the \fB-S\fR option.
|
|
|
|
The status information consists of 6 parts.
|
|
|
|
The first part indicates if the user account is locked (L), has no
|
|
|
|
password (NP), or has a usable password (P).
|
|
|
|
The second part gives the date of the last password change.
|
|
|
|
The next four parts are the minimum age, maximum age, warning period,
|
|
|
|
and inactivity period for the password.
|
|
|
|
.SS Hints for user passwords
|
|
|
|
The security of a password depends upon the strength of the
|
|
|
|
encryption algorithm and the size of the key space.
|
|
|
|
The \fB\s-2UNIX\s+2\fR System encryption method is based on
|
|
|
|
the NBS DES algorithm and is very secure.
|
|
|
|
The size of the key space depends upon the randomness of the
|
|
|
|
password which is selected.
|
|
|
|
.PP
|
2007-10-07 17:14:51 +05:30
|
|
|
The \fB-s\fR option makes passwd call chsh to change the users shell. The
|
|
|
|
\fB-f\fR option makes passwd call chfn to change the users gecos
|
|
|
|
information. These two options are only meant for compatiblity, since the
|
|
|
|
other programs can be called directly.
|
|
|
|
.PP
|
2007-10-07 17:14:44 +05:30
|
|
|
Compromises in password security normally result from careless
|
|
|
|
password selection or handling.
|
|
|
|
For this reason, you should select a password which does not
|
|
|
|
appear in a dictionary or which must be written down.
|
|
|
|
The password should also not be a proper name, your license
|
|
|
|
number, birth date, or street address.
|
|
|
|
Any of these may be used as guesses to violate system security.
|
|
|
|
.PP
|
|
|
|
Your password must easily remembered so that you will not
|
|
|
|
be forced to write it on a piece of paper.
|
|
|
|
This can be accomplished by appending two small words together
|
|
|
|
and separating each with a special character or digit.
|
|
|
|
For example, Pass%word.
|
|
|
|
.PP
|
|
|
|
Other methods of construction involve selecting an easily
|
|
|
|
remembered phrase from literature and selecting the first
|
|
|
|
or last letter from each.
|
|
|
|
An example of this is
|
|
|
|
.IP "" .5i
|
|
|
|
Ask not for whom the bell tolls.
|
|
|
|
.PP
|
|
|
|
which produces
|
|
|
|
.IP "" .5i
|
|
|
|
An4wtbt.
|
|
|
|
.PP
|
|
|
|
You may be reasonably sure few crackers will have
|
|
|
|
included this in their dictionary.
|
|
|
|
You should, however, select your own methods for constructing
|
|
|
|
passwords and not rely exclusively on the methods given here.
|
|
|
|
.SS Notes about group passwords
|
|
|
|
Group passwords are an inherent security problem since more
|
|
|
|
than one person is permitted to know the password.
|
|
|
|
However, groups are a useful tool for permitting co-operation
|
|
|
|
between different users.
|
|
|
|
.SH CAVEATS
|
|
|
|
Not all options may be supported.
|
|
|
|
Password complexity checking may vary from site to site.
|
|
|
|
The user is urged to select as complex a password as they
|
|
|
|
feel comfortable with.
|
|
|
|
User's may not be able to change their password on a system if NIS
|
|
|
|
is enabled and they are not logged into the NIS server.
|
|
|
|
.SH FILES
|
|
|
|
/etc/passwd \- user account information
|
|
|
|
.br
|
|
|
|
/etc/shadow \- encrypted user passwords
|
|
|
|
.SH SEE ALSO
|
|
|
|
.BR group (5),
|
|
|
|
.BR passwd (5)
|
|
|
|
.SH AUTHOR
|
|
|
|
Julianne Frances Haugh (jockgrrl@ix.netcom.com)
|