.\" Copyright Red Hat, Inc., 1998, 1999, 2002, 2009, 2012, 2015, 2018.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, and the entire permission notice in its entirety,
.\" including the disclaimer of warranties.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\" products derived from this software without specific prior
.\" written permission.
.\"
.\" ALTERNATIVELY, this product may be distributed under the terms of
.\" the GNU Public License, in which case the provisions of the GPL are
.\" required INSTEAD OF the above restrictions. (This clause is
.\" necessary due to a potential bad interaction between the GPL and
.\" the restrictions contained in a BSD-style copyright.)
.\"
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Copyright (c) Cristian Gafton, 1998, <gafton@redhat.com>
.\" Copyright (c) Tomas Mraz, 2009, 2012, <tmraz@redhat.com>
.\"
.TH PASSWD 1 "Mar 28 2018" "GNU/Linux" "User utilities"
.SH NAME

passwd \- update user's authentication tokens

.SH SYNOPSIS
.B passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]
.sp 2
.SH DESCRIPTION
The passwd utility is used to update a user's authentication token(s).

This task is achieved through calls to the
.BR "Linux-PAM" " and "
.BR "Libuser API" ". "
Essentially, it initializes itself as a "passwd" service with
.I Linux-PAM
and utilizes configured
.I "password"
modules to authenticate and then update a user's password.

.sp
A simple entry in the global
.I Linux-PAM
configuration file for this service would be:
.br

.br
#
.br
# passwd service entry that does strength checking of
.br
# a proposed password before updating it.
.br
#
.br
passwd password requisite pam_cracklib.so retry=3
.br
passwd password required pam_unix.so use_authtok
.br
#

.sp
Note, other module types are not required for this application to
function correctly.

.SH OPTIONS

.TP
\fB\-k\fR, \fB\-\-keep\fR
The option
.B \-k
is used to indicate that the update should only be for expired
authentication tokens (passwords); the user wishes to keep their
non-expired tokens as before.

.TP
\fB\-l\fR, \fB\-\-lock\fP
This option is used to lock the password of the specified account;
it is available to root only. The locking is performed by rendering
the encrypted password into an invalid string (by prefixing the
encrypted string with an !). Note that the account is not fully
locked - the user can still log in by other means of authentication
such as ssh public key authentication. Use the \fBchage -E 0 user\fR
command instead for full account locking.

.IP \fB--stdin\fR
This option is used to indicate that \fBpasswd\fR should read the new
password from standard input, which can be a pipe.

.TP
\fB\-u\fR, \fB\-\-unlock\fR
This is the reverse of the
.BR -l " option - it will unlock the account"
password by removing the ! prefix. This option is available to root
only. By default passwd will refuse to create a passwordless account
(it will not unlock an account that has only "!" as a password). The
force option \fB-f\fR will override this protection.

.TP
\fB\-d\fR, \fB\-\-delete\fR
This is a quick way to delete a password for an account. It will set
the named account passwordless. Available to root only.

Note that if the password was locked,
this implicitly removes the password lock as well.

.TP
\fB\-e\fR, \fB\-\-expire\fR
This is a quick way to expire a password for an account. The user will be
forced to change the password during the next login attempt.
Available to root only.

.TP
\fB\-f\fR, \fB\-\-force\fR
Force the specified operation.

.TP
\fB\-n\fR, \fB\-\-minimum\fR \fIDAYS\fR
This will set the minimum password lifetime, in days, if the user's
account supports password lifetimes. Available to root only.

.TP
\fB\-x\fR, \fB\-\-maximum\fR \fIDAYS\fR
This will set the maximum password lifetime, in days, if the user's
account supports password lifetimes. Available to root only.

.TP
\fB\-w\fR, \fB\-\-warning\fR \fIDAYS\fR
This will set the number of days in advance the user will begin receiving
warnings that their password will expire, if the user's account supports
password lifetimes. Available to root only.

.TP
\fB\-i\fR, \fB\-\-inactive\fR \fIDAYS\fR
This will set the number of days which will pass before an expired password
for this account will be taken to mean that the account is inactive and should
be disabled, if the user's account supports password lifetimes. Available to
root only.

.TP
\fB\-S\fR, \fB\-\-status\fR
This will output brief information about the status of the password
for a given account. The status information consists of 7 fields. The
first field is the user's login name. The second field indicates if the
user account has a locked password (L), has no password (NP), or has a
usable password (P). The third field gives the date of the last password
change. The next four fields are the minimum age, maximum age, warning
period, and inactivity period for the password. These ages are expressed
in days.
.sp
\fBNotes:\fR
The date of the last password change is stored as a number of days
since epoch. Depending on the current time zone,
\fBpasswd \-S\fR
\fIusername\fR
may show a date of the last password change that differs
from the real date of the last password change by ±1 day.
.sp
This option is available to root only.
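The seven status fields described above lend themselves to a scripted account audit. The following shell functions are an added example, not part of the passwd project; the function names, the MAX_AGE_LIMIT policy value, the sample lines and their date format are assumptions.

```shell
# Added example: audit passwd -S status lines (7 fields, as described above).
# MAX_AGE_LIMIT is an assumed local policy value, not something passwd defines.
MAX_AGE_LIMIT=${MAX_AGE_LIMIT:-365}

# Classify one status line and print "login FINDING". The body is a subshell,
# so variables stay local; exit status 2 marks a line that cannot be parsed.
audit_status_line() (
    read -r login status changed min max warn inactive rest <<EOF
$1
EOF
    if [ -z "$inactive" ]; then
        echo "malformed"; exit 2
    fi
    case $status in
        NP) echo "$login NO_PASSWORD" ;;
        # A locked password does not stop other authentication methods such
        # as ssh public keys; chage -E 0 is what locks the whole account.
        L)  echo "$login PASSWORD_LOCKED_ONLY" ;;
        P)  case ${max#-} in
                ''|*[!0-9]*) echo "malformed"; exit 2 ;;
            esac
            # Assumption: a negative maximum age means no limit is set.
            if [ "$max" -lt 0 ] || [ "$max" -gt "$MAX_AGE_LIMIT" ]; then
                echo "$login MAX_AGE_OVER_POLICY"
            else
                echo "$login OK"
            fi ;;
        *)  echo "$login UNKNOWN_STATUS" ;;
    esac
)

# Constructed sample lines, not real output; the date format is assumed.
sample_lines() {
    cat <<'EOF'
alice P 2018-03-28 0 90 7 14
bob L 2018-01-02 0 90 7 14
carol NP 2017-11-30 0 99999 7 -1
dave P 2016-05-05 0 99999 7 -1
EOF
}

# Report only the accounts that need attention.
audit_report() {
    while IFS= read -r line; do
        audit_status_line "$line" || true
    done | grep -v ' OK$'
}

sample_lines | audit_report
```

On a live system the same report can be fed from a loop that runs passwd -S for each account as root.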

.SH "Remember the following two principles"

.IP \fBProtect\ your\ password.\fR
Don't write down your password - memorize it.
In particular, don't write it down and leave it anywhere, and don't
place it in an unencrypted file! Use unrelated passwords for
systems controlled by different organizations. Don't give or share your
password, in particular to someone claiming to be from
computer support or a vendor. Don't let anyone watch you enter your
password. Don't enter your password into a computer you don't trust or
if things "look funny"; someone may be trying to hijack your password.
Use the password for a limited time and change it periodically.

.IP \fBChoose\ a\ hard-to-guess\ password.\fR
.I passwd
through the calls to the
.BR pam_cracklib " PAM module"
will try to prevent you from choosing a really bad password,
but it isn't foolproof; create your password wisely.
Don't use something you'd find in a dictionary (in any language or jargon).
Don't use a name (including that of a spouse, parent, child, pet,
fantasy character, famous person, and location) or any
variation of your personal or account name. Don't use accessible
information about you (such as your phone number, license plate, or
social security number) or your environment. Don't use a birthday or a
simple pattern (such as "qwerty", "abc", or "aaa"). Don't use any of those
backwards, followed by a digit, or preceded by a digit. Instead, use
a mixture of upper and lower case letters, as well as digits or
punctuation. When choosing a new password, make sure it's unrelated
to any previous password. Use long passwords (say at least 8 characters
long). You might use a word pair with punctuation inserted, a
passphrase (an understandable sequence of words), or the first
letter of each word in a passphrase.

.SH ""
These principles are only partially enforced by the system.
Vigilance on your part will make the system much more secure.

.SH "EXIT CODE"

The
.B passwd
command exits with the following codes:
.PP
\fI0\fR
.RS 4
success
.RE
.PP
\fI1\fR
.RS 4
passwd/libuser operation failed
.RE
.PP
\fI2\fR
.RS 4
unknown user
.RE
.PP
\fI252\fR
.RS 4
unknown user name
.RE
.PP
\fI253\fR
.RS 4
bad arguments or passwordless account
.RE
.PP
\fI254\fR
.RS 4
invalid application of arguments
.RE
.PP
\fI255\fR
.RS 4
libuser operation failed
.RE
.PP
Error messages are written to the standard error stream.

.SH "CONFORMING TO"
.br
.BR Linux-PAM
(Pluggable Authentication Modules for Linux).

.SH "FILES"
.br
.B /etc/pam.d/passwd
- the
.BR Linux-PAM
configuration file

.SH BUGS
.sp 2
None known.

.SH "SEE ALSO"

.BR pam "(8), "
.BR pam.d "(5), "
.BR libuser.conf "(5), "
and
.BR pam_chauthtok "(3). "

.sp
For more complete information on how to configure this application
with
.BR Linux-PAM ", "
see the
.BR "Linux-PAM System Administrators' Guide" "."

.SH AUTHOR
Cristian Gafton <gafton@redhat.com>