1.\" $OpenBSD: passwd.1,v 1.30 2005/03/07 22:51:46 jmc Exp $ 2.\" 3.\" Copyright (c) 1990 The Regents of the University of California. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" from: @(#)passwd.1 6.11 (Berkeley) 7/24/91 31.\" 32.Dd July 24, 1991 33.Dt PASSWD 1 34.Os 35.Sh NAME 36.Nm passwd 37.Nd modify a user's password 38.Sh SYNOPSIS 39.Nm passwd 40.Bk -words 41.Op Fl l 42.Op Fl y 43.Op Fl K 44.Op Ar user 45.Ek 46.Sh DESCRIPTION 47.Nm 48changes the user's local, Kerberos, or YP password. 49First, the user is prompted for their current password. 50If the current password is correctly typed, a new password is requested. 51The new password must be entered twice to avoid typing errors. 52.Pp 53The new password should be at least six characters long and not 54purely alphabetic. 55Its total length must be less than 56.Dv _PASSWORD_LEN 57(currently 128 characters). 58A mixture of both lower and uppercase letters, numbers, and 59meta-characters is encouraged. 60.Pp 61The quality of the password can be enforced by specifying an external 62checking program via the 63.Dq passwordcheck 64variable in 65.Xr login.conf 5 . 66.Pp 67The options are as follows: 68.Bl -tag -width Ds 69.It Fl l 70Causes the password to be updated only in the local password file. 71When changing only the local password, 72.Xr pwd_mkdb 8 73is used to update the password databases. 74.It Fl y 75Forces the YP password database entry to be changed, even if 76the user has an entry in the local database. 77The 78.Xr rpc.yppasswdd 8 79daemon should be running on the YP master server. 80.It Fl K 81Forces the change to affect the Kerberos 5 database, even 82if the user has a password in the local database. 83Once the password has been verified, 84.Nm 85communicates the new password information to the Kerberos authenticating host. 86.El 87.Pp 88This is the behavior if no flags are specified: 89if Kerberos is active then 90.Nm 91will talk to the Kerberos server (even if the user has an entry 92in the local database). 93If the password is not in the local password database, then 94an attempt is made to use the YP database. 95.Pp 96The superuser is not required to provide a user's current password 97if only the local password is modified. 98.Pp 99Which type of cipher is used to encrypt the password information 100depends on the configuration in 101.Xr login.conf 5 . 102It can be different for local 103.Pq Dq localcipher 104and YP 105.Pq Dq ypcipher 106passwords. 107If none is specified, then blowfish with 6 rounds is used for local 108.Pq Dq localcipher 109and old is used for YP 110.Pq Dq ypcipher 111by default. 112.Sh FILES 113.Bl -tag -width /etc/master.passwd -compact 114.It /etc/login.conf 115configuration options 116.It Pa /etc/master.passwd 117user database 118.It Pa /etc/passwd 119a 6th Edition-style password file 120.It Pa /etc/passwd.XXXXXX 121temporary copy of the password file 122.It /etc/ptmp 123lock file for the passwd database 124.El 125.Sh DIAGNOSTICS 126.Bl -diag 127.It "Attempting lock password file, please wait or press ^C to abort" 128.Pp 129The password file is currently locked by another process; 130.Nm 131will keep trying to lock the password file until it succeeds or 132you hit the interrupt character (control-C by default). 133If 134.Nm 135is interrupted while trying to gain the lock the password changed will 136be lost. 137.Pp 138If the process holding the lock was prematurely terminated the lock 139file may be stale and 140.Nm 141will wait forever trying to lock the password file. 142To determine whether a live process is actually holding the lock, the 143admin may run the following: 144.Bd -literal -offset indent 145$ fstat /etc/ptmp 146.Ed 147.Pp 148If no process is listed, it is safe to remove the 149.Pa /etc/ptmp 150file to clear the error. 151.El 152.Sh SEE ALSO 153.Xr chpass 1 , 154.Xr kinit 1 , 155.Xr login 1 , 156.Xr login.conf 5 , 157.Xr passwd 5 , 158.Xr pwd_mkdb 8 , 159.Xr vipw 8 160.Rs 161.%A Robert Morris 162.%A Ken Thompson 163.%T "UNIX password security" 164.Re 165.Sh HISTORY 166A 167.Nm 168command appeared in 169.At v3 . 170