.\"	$OpenBSD: passwd.1,v 1.30 2005/03/07 22:51:46 jmc Exp $
.\"
.\" Copyright (c) 1990 The Regents of the University of California.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	from: @(#)passwd.1	6.11 (Berkeley) 7/24/91
.\"
.Dd July 24, 1991
.Dt PASSWD 1
.Os
.Sh NAME
.Nm passwd
.Nd modify a user's password
.Sh SYNOPSIS
.Nm passwd
.Bk -words
.Op Fl l
.Op Fl y
.Op Fl K
.Op Ar user
.Ek
.Sh DESCRIPTION
.Nm
changes the user's local, Kerberos, or YP password.
First, the user is prompted for their current password.
If the current password is correctly typed, a new password is requested.
The new password must be entered twice to avoid typing errors.
.Pp
The new password should be at least six characters long and not
purely alphabetic.
Its total length must be less than
.Dv _PASSWORD_LEN
(currently 128 characters).
A mixture of both lower and uppercase letters, numbers, and
meta-characters is encouraged.
.Pp
The quality of the password can be enforced by specifying an external
checking program via the
.Dq passwordcheck
variable in
.Xr login.conf 5 .
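.Pp
As an added example (not part of the original manual or of OpenBSD), a checker enforcing the length and character rules above could look like this.
It assumes the interface described in login.conf(5), where the candidate password is passed on standard input and exit status 0 accepts it; the name pwcheck and the extra letter requirement are assumptions.

```shell
#!/bin/sh
# Added example: external password quality checker for the login.conf
# "passwordcheck" variable. Assumption (per login.conf(5)): the candidate
# password arrives on stdin; exit 0 accepts it, exit 1 rejects it.
# The script name "pwcheck" is hypothetical.

LC_ALL=C; export LC_ALL   # make [A-Za-z] mean ASCII letters only
MAX_LEN=128               # _PASSWORD_LEN as stated in passwd(1)
MIN_LEN=6                 # minimum length recommended by passwd(1)

# check_password PW: return 0 if PW meets the rules, 1 otherwise.
check_password() {
	pw=$1
	len=${#pw}
	# Length: at least MIN_LEN and strictly less than MAX_LEN.
	[ "$len" -ge "$MIN_LEN" ] || return 1
	[ "$len" -lt "$MAX_LEN" ] || return 1
	# Reject purely alphabetic passwords (no non-letter present).
	case $pw in
	*[!A-Za-z]*) ;;
	*) return 1 ;;
	esac
	# Site policy beyond the manual (assumption): require a letter,
	# so all-digit or all-symbol strings are refused as well.
	case $pw in
	*[A-Za-z]*) ;;
	*) return 1 ;;
	esac
	return 0
}

# Act as a checker only when installed under the hypothetical name,
# so the function can also be sourced and tested on its own.
case $0 in
*/pwcheck|pwcheck)
	# Read one line without mangling backslashes or whitespace.
	IFS= read -r candidate || [ -n "$candidate" ] || exit 1
	check_password "$candidate"
	exit $?
	;;
esac
```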
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl l
Causes the password to be updated only in the local password file.
When changing only the local password,
.Xr pwd_mkdb 8
is used to update the password databases.
.It Fl y
Forces the YP password database entry to be changed, even if
the user has an entry in the local database.
The
.Xr rpc.yppasswdd 8
daemon should be running on the YP master server.
.It Fl K
Forces the change to affect the Kerberos 5 database, even
if the user has a password in the local database.
Once the password has been verified,
.Nm
communicates the new password information to the Kerberos authenticating host.
.El
.Pp
This is the behavior if no flags are specified:
if Kerberos is active then
.Nm
will talk to the Kerberos server (even if the user has an entry
in the local database).
If the password is not in the local password database, then
an attempt is made to use the YP database.
.Pp
The superuser is not required to provide a user's current password
if only the local password is modified.
.Pp
Which type of cipher is used to encrypt the password information
depends on the configuration in
.Xr login.conf 5 .
It can be different for local
.Pq Dq localcipher
and YP
.Pq Dq ypcipher
passwords.
If none is specified, then blowfish with 6 rounds is used for local
.Pq Dq localcipher
and old is used for YP
.Pq Dq ypcipher
by default.
.Sh FILES
.Bl -tag -width /etc/master.passwd -compact
.It Pa /etc/login.conf
configuration options
.It Pa /etc/master.passwd
user database
.It Pa /etc/passwd
a 6th Edition-style password file
.It Pa /etc/passwd.XXXXXX
temporary copy of the password file
.It Pa /etc/ptmp
lock file for the passwd database
.El
.Sh DIAGNOSTICS
.Bl -diag
.It "Attempting lock password file, please wait or press ^C to abort"
.Pp
The password file is currently locked by another process;
.Nm
will keep trying to lock the password file until it succeeds or
you hit the interrupt character (control-C by default).
If
.Nm
is interrupted while trying to gain the lock, the password change will
be lost.
.Pp
If the process holding the lock was prematurely terminated, the lock
file may be stale and
.Nm
will wait forever trying to lock the password file.
To determine whether a live process is actually holding the lock, the
admin may run the following:
.Bd -literal -offset indent
$ fstat /etc/ptmp
.Ed
.Pp
If no process is listed, it is safe to remove the
.Pa /etc/ptmp
file to clear the error.
.El
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr kinit 1 ,
.Xr login 1 ,
.Xr login.conf 5 ,
.Xr passwd 5 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8
.Rs
.%A Robert Morris
.%A Ken Thompson
.%T "UNIX password security"
.Re
.Sh HISTORY
A
.Nm
command appeared in
.At v3 .