passwd(1)							     passwd(1)

NAME
       passwd -	change user password

SYNOPSIS
       passwd [-f|-g|-s|-k[-q]]	[name]
       passwd [-D binddn][-n min][-x max][-w warn][-i inact] account
       passwd [-D binddn] {-l|-u|-d|-S[-a]|-e} name
       passwd --bioapi [account]
       passwd --stdin [account]

DESCRIPTION
       passwd changes passwords for user and group accounts. While an
       administrator may change the password for any account or group, a
       normal user is only allowed to change the password for their own
       account. passwd can also change account information, such as the full
       name of the user, their login shell, and password expiry dates and
       intervals, or disable an account.

       passwd is written to work through the PAM API. Essentially, it
       initializes itself as a "passwd" service and utilizes configured
       "password" modules to authenticate and then update a user's password.

       A sample	/etc/pam.d/passwd file might look like this:

	      #%PAM-1.0
	      auth	required  pam_unix2.so	  nullok
	      account	required  pam_unix2.so
	      password	required  pam_pwcheck.so  nullok
	      password	required  pam_unix2.so	  nullok \
				    use_first_pass use_authtok
	      session	required  pam_unix2.so

   Password Changes
       If an old password is present, the user is first prompted for it and
       the password is compared against the stored one. This can be changed,
       depending on which PAM modules are used. An administrator is permitted
       to bypass this step so that forgotten passwords may be changed.

       After the user is authenticated, password aging information is checked
       to see if the user is permitted to change their password at this time.
       Otherwise, passwd refuses to change the password.

       The user is then prompted for a replacement password. Care must be
       taken not to include special control characters or characters that
       are not available on all keyboards.

       If the password is accepted, passwd will prompt again and compare the
       second entry against the first. Both entries are required to match in
       order for the password to be changed.

OPTIONS
       -f     Change the finger (gecos) information. This is the user's full
              name, office room number, office phone number and home phone
              number. This information is stored in the /etc/passwd file and
              typically printed by finger(1) and similar programs.

       -g     With this	option,	the password  for  the	named  group  will  be
	      changed.

       -s     This option is used to change the user login shell. A normal
              user may only change the login shell for their own account;
              the superuser may change the login shell for any account.

       -k     Keep  non-expired	 authentication	tokens.	The password will only
	      be changed if it is expired.

       -q     Try to be	quiet. This option can only be used with -k.

   Password expiry information
       -n min With this option the minimum number of days between password
              changes is changed. A value of zero for this field indicates
              that the user may change her password at any time. Otherwise
              the user will not be permitted to change the password until
              min days have elapsed.

       -x max With this option the maximum number of days during which a
              password is valid is changed. When maxdays plus lastday is
              less than the current day, the user will be required to change
              his password before being able to use the account.

       -w warn
              With this option the number of days of warning before a password
              change is required can be changed. The value is the number of
              days prior to the password expiring that a user will be warned
              that the password is about to expire.

       -i inact
              This option is used to set the number of days of inactivity
              after a password has expired before the account is locked. A
              user whose account is locked must contact the system
              administrator before being able to use the account again. A
              value of -1 disables this feature.
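
       The aging rules set by -n, -x, -w and -i, applied to shadow(5)
       entries. This is an added example, not part of pwdutils; it assumes
       the standard shadow(5) field order (days since 1 Jan 1970), and the
       sample entries and state names are constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def aging_state(shadow_line, today):
    """Classify one shadow(5) entry using the -n/-x/-w/-i rules above."""
    f = shadow_line.strip().split(":")
    # Fields 3-7: lastday, min, max, warn, inact; empty means not set (-1).
    last, mn, mx, warn, inact = (int(v) if v else -1 for v in f[2:7])
    now = (today - EPOCH).days
    if last == 0:                       # shadow(5): change forced at next login
        return "must-change"
    if last < 0 or mx < 0:              # no aging data or no maximum age
        return "no-expiry"
    expires = last + mx
    if expires < now:                   # "maxdays plus lastday < current day"
        if inact >= 0 and now > expires + inact:
            return "locked-inactive"    # the -i grace period is over
        return "expired"
    if warn > 0 and now >= expires - warn:
        return "warn"                   # inside the -w warning window
    if mn > 0 and now < last + mn:
        return "too-young"              # -n: change not yet permitted
    return "ok"

# Constructed sample entries (password field replaced by "x").
SAMPLE = """\
alice:x:13100:0:90:7:-1::
bob:x:13000:0:90:7:14::
carol:x:13030:0:90:7:-1::
dave:x:13020:0:90:7:14::
erin:x:0:0:90:7:-1::
frank:x:13115:7:90:7:-1::
svc:x:13000::::::
"""

def audit(text, today):
    """Map account name -> aging state for every entry in text."""
    return {l.split(":")[0]: aging_state(l, today)
            for l in text.splitlines() if l}

if __name__ == "__main__":
    for name, state in audit(SAMPLE, date(2005, 11, 30)).items():
        print(f"{name:8} {state}")
```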

   Account maintenance
       -l     A	system administrator can lock the  account  of	the  specified
	      user.

       -u     A	 system	administrator can unlock the specified account,	if the
	      account is not passwordless afterwards (it will  not  unlock  an
	      account that has only  "!" as a password).

       -d     The password of the given account can be deleted by the system
              administrator. If the BioAPI interface is used, the BioAPI data
              for that account is removed.

       -S     Report  password	status	on  the	 named account.	The first part
	      indicates	if the user account is locked (LK),  has  no  password
	      (NP),  or	 has  an  existing or locked password (PS). The	second
	      part gives the date of the last password change. The next	 parts
	      are the minimum age, maximum age,	warning	period,	and inactivity
	      period for the password.

       -a     Report the password status for all accounts. Can only be used in
	      conjunction with -S.

       -e     The user will be forced to change	the password at	next login.

       -P path
              Search for the passwd and shadow files in path. This option
              cannot be used when changing passwords.

       --bioapi
	      This option is used to  indicate	that  passwd  should  use  the
	      BioAPI  for  managing the	authentication token of	an account. It
	      is only supported	with a small subset  of	 other	options.  This
	      option is	not always available.

       --stdin
	      This  option is used to indicate that passwd should read the new
	      password from standard input, which can be a  pipe  (only	 by  a
	      system administrator).
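
       A triage pass over the report printed by -S -a. This is an added
       example, not part of pwdutils; it assumes each report line starts
       with the account name followed by the fields described under -S,
       keeps the date as an opaque string, and uses a hypothetical policy
       limit MAX_AGE_LIMIT. The sample report is constructed.

```python
STATES = {"LK", "NP", "PS"}   # status codes described under -S
MAX_AGE_LIMIT = 365           # hypothetical site policy, in days

def parse_status(line):
    """Split one report line into named fields; reject malformed lines."""
    parts = line.split()
    if len(parts) != 7 or parts[1] not in STATES:
        raise ValueError(f"unrecognised status line: {line!r}")
    name, state, changed = parts[:3]
    mn, mx, warn, inact = (int(p) for p in parts[3:])
    return {"name": name, "state": state, "changed": changed,
            "min": mn, "max": mx, "warn": warn, "inact": inact}

def triage(report):
    """Return (account, finding) pairs worth an administrator's attention."""
    findings = []
    for line in report.splitlines():
        if not line.strip():
            continue
        r = parse_status(line)
        if r["state"] == "NP":
            findings.append((r["name"], "no password"))
        elif r["state"] == "PS":
            if r["max"] < 0 or r["max"] > MAX_AGE_LIMIT:
                findings.append((r["name"], "max age unset or above policy"))
            elif r["inact"] < 0:
                # -i value of -1: an expired password never locks the account
                findings.append((r["name"], "no inactivity lock"))
    return findings

# Constructed sample report (assumed layout: name, status, date, ages).
SAMPLE_REPORT = """\
root PS 11/20/2005 0 99999 7 -1
alice PS 11/01/2005 1 90 7 14
guest NP 10/05/2005 0 99999 7 -1
olduser LK 01/15/2004 0 90 7 -1
build PS 09/30/2005 0 90 7 -1
"""

if __name__ == "__main__":
    for account, finding in triage(SAMPLE_REPORT):
        print(f"{account:8} {finding}")
```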

   Name	service	switch options
       -D binddn
	      Use the Distinguished Name binddn	to bind	to the LDAP directory.

FILES
       passwd -	user account information
       shadow -	shadow user account information

SEE ALSO
       passwd(1), group(5), passwd(5), shadow(5), pam(5)

AUTHOR
       Thorsten	Kukuk <kukuk@suse.de>

pwdutils			 November 2005			     passwd(1)


Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=passwd&manpath=SuSE+Linux%2fi386+11.3>
