passwd(1)               FreeBSD General Commands Manual              passwd(1)

       passwd - change user password

       passwd [-f|-g|-s|-k[-q]] [name]
       passwd [-D binddn][-n min][-x max][-w warn][-i inact] account
       passwd [-D binddn] {-l|-u|-d|-S[-a]|-e} name
       passwd --bioapi [account]
       passwd --stdin [account]

       passwd changes passwords for user and group accounts.  While an
       administrator may change the password for any account or group, a
       normal user is only allowed to change the password for their own
       account.  passwd can also change account information, such as the
       full name of the user, their login shell, and password expiry dates
       and intervals, or disable an account.

       passwd is written to work through the PAM API.  Essentially, it
       initializes itself as a "passwd" service and utilizes configured
       "password" modules to authenticate and then update a user's password.

       A sample /etc/pam.d/passwd file might look like this:

              auth      required    nullok
              account   required
              password  required  nullok
              password  required    nullok \
                                    use_first_pass use_authtok
              session   required

   Password Changes
       If an old password is present, the user is first prompted for it and
       the password is compared against the stored one. This can be changed,
       depending on which PAM modules are used.  An administrator is
       permitted to bypass this step so that forgotten passwords may be
       changed.

       After the user is authenticated, password aging information is checked
       to see if the user is permitted to change their password at this time.
       If not, passwd refuses to change the password.

       The user is then prompted for a replacement password.  Care must be
       taken not to include special control characters or characters that
       are not available on all keyboards.

       If the password is accepted, passwd will prompt again and compare the
       second entry against the first.  Both entries are required to match in
       order for the password to be changed.

       -f     Change the finger (gecos) information. This is the user's
              full name, office room number, office phone number and home
              phone number. This information is stored in the /etc/passwd
              file and typically printed by finger(1) and similar programs.

       -g     With this option, the password for the named group will be

       -s     This option is used to change the user login shell. A normal
              user may only change the login shell for their own account;
              the super user may change the login shell for any account.

       -k     Keep non-expired authentication tokens. The password will only
              be changed if it is expired.

       -q     Try to be quiet. This option can only be used with -k.

   Password expiry information
       -n min With this option the minimum number of days between password
              changes is changed. A value of zero for this field indicates
              that the user may change her password at any time. Else the user
              will not be permitted to change the password until min days have

       -x max With this option the maximum number of days during which a
              password is valid is changed. When maxdays plus lastday is less
              than the current day, the user will be required to change his
              password before being able to use the account.

       -w warn
              With this option the number of days of warning before a password
              change is required can be changed. This option is the number of
              days prior to the password expiring that a user will be warned
              the password is about to expire.

       -i inact
              This option is used to set the number of days of inactivity
              after a password has expired before the account is locked. A
              user whose account is locked must contact the system
              administrator before being able to use the account again.  A
              value of -1 disables this feature.

   Account maintenance
       -l     A system administrator can lock the account of the specified

       -u     A system administrator can unlock the specified account, if the
              account is not passwordless afterwards (it will not unlock an
              account that has only "!" as a password).

       -d     The password of the given account can be deleted by the system
              administrator. If the BioAPI interface is used the BioAPI data
              for that account is removed.

       -S     Report password status on the named account. The first part
              indicates if the user account is locked (LK), has no password
              (NP), or has an existing or locked password (PS). The second
              part gives the date of the last password change. The next parts
              are the minimum age, maximum age, warning period, and inactivity
              period for the password.

       -a     Report the password status for all accounts. Can only be used in
              conjunction with -S.

       -e     The user will be forced to change the password at next login.

       -P path
              Search passwd and shadow file in path. This option cannot be
              used with changing passwords.

              This option is used to indicate that passwd should use the
              BioAPI for managing the authentication token of an account. It
              is only supported with a small subset of other options. This
              option is not always available.

              This option is used to indicate that passwd should read the new
              password from standard input, which can be a pipe (only by a
              system administrator).
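
The status report from -S -a can be checked against the aging rules given for -x, -w and -i above. The following is an added example, not part of pwdutils or of the original manual page. It assumes each report line starts with the account name followed by the fields in the order the -S text lists them, a last-change date written as MM/DD/YYYY, and that a negative maximum age means no aging; the function names and the sample report are constructed for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed sample. Assumed layout per line:
# name status last-change(MM/DD/YYYY) min max warn inact
SAMPLE = """\
alice PS 10/01/2005 0 90 7 14
bob   NP 09/15/2005 0 90 7 -1
carol LK 01/10/2005 0 90 7 14
dave  PS 08/10/2005 0 90 7 14
erin  PS 07/01/2005 0 90 7 14
frank PS 07/01/2005 0 90 7 -1
grace PS 08/20/2005 0 90 7 14
"""

def classify(line, today):
    """Return (name, state) for one status line (hypothetical helper)."""
    name, status, changed, _min, max_, warn, inact = line.split()
    if status == "NP":
        return name, "no-password"
    if status == "LK":
        return name, "locked"
    if status != "PS":
        return name, "unknown-status"
    max_, warn, inact = int(max_), int(warn), int(inact)
    if max_ < 0:  # assumption: a negative maximum means no aging
        return name, "ok"
    last = datetime.strptime(changed, "%m/%d/%Y").date()
    expires = last + timedelta(days=max_)
    if expires < today:  # -x: maxdays plus lastday is less than today
        overdue = (today - expires).days
        if inact >= 0 and overdue > inact:  # -i: -1 disables this
            return name, "inactive-locked"
        return name, "expired"
    if (expires - today).days <= warn:  # -w: inside the warning window
        return name, "warning"
    return name, "ok"

def audit(report, today):
    """Map account name -> state for every account that needs attention."""
    rows = (classify(l, today) for l in report.splitlines() if l.strip())
    return {name: state for name, state in rows if state != "ok"}

if __name__ == "__main__":
    for name, state in audit(SAMPLE, date(2005, 11, 15)).items():
        print(f"{name}: {state}")
```

Accounts reported as no-password are the ones to review first; the date passed as today is fixed here so the result is reproducible.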

   Name service switch options
       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.

       passwd - user account information
       shadow - shadow user account information

       passwd(1), group(5), passwd(5), shadow(5), pam(5)

       Thorsten Kukuk

pwdutils                         November 2005                       passwd(1)

