Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
passwd(1)		    General Commands Manual		     passwd(1)

       passwd -	change user password

       passwd [-f|-g|-s|-k[-q]]	[name]
       passwd [-D binddn][-n min][-x max][-w warn][-i inact] account
       passwd [-D binddn] {-l|-u|-d|-S[-a]|-e} name
       passwd --bioapi [account]
       passwd --stdin [account]

       passwd  changes passwords for user and group accounts.  While an	admin-
       istrator	may change the password	for any	account	 or  group,  a	normal
       user  is	 only  allowed	to  change the password	for their own account.
       passwd also changes account information,	such as	the full name  of  the
       user, their login shell,	password expiry	dates and intervals or disable
       an account.

       passwd is written to work through the PAM API.	Essentially,  it  ini-
       tializes	 itself	 as  a "passwd"	service	and utilizes configured	"pass-
       word" modules to	authenticate and then update a user's password.

       A sample	/etc/pam.d/passwd file might look like this:

	      auth	required	  nullok
	      account	required
	      password	required  nullok
	      password	required	  nullok \
				    use_first_pass use_authtok
	      session	required

   Password Changes
       If an old password is present, the user is first	promted	for it and the
       password	 is  compared agaisnt the stored one. This can be changed, de-
       pending which PAM modules are used.  An administrator is	 permitted  to
       bypass this step	so that	forgotten passwords may	be changed.

       After the user is authenticated,	password aging information are checked
       to see if the user is permitted to change their password	at this	 time.
       Else passwd refuses to change the password.

       The  user  is  then  prompted for a replacement password.  Care must be
       taken to	not include special control characters	or  characters,	 which
       are not available on all	keyboards.

       If  the	password is accepted, passwd will prompt again and compare the
       second entry against the	first.	Both entries are require to  match  in
       order for the password to be changed.

       -f     Change  the finger (gecos) information. This are the users full-
	      name, office room	number,	office phone  number  and  home	 phone
	      number.  This  information is stored in the /etc/passwd file and
	      typically	printed	by finger(1) and similiar programs.

       -g     With this	option,	the password  for  the	named  group  will  be

       -s     This  option  is	used  to change	the user login shell. A	normal
	      user may only change the login shell for their own account,  the
	      super user may change the	login shell for	any account.

       -k     Keep  non-expired	 authentication	tokens.	The password will only
	      be changed if it is expired.

       -q     Try to be	quiet. This option can only be used with -k.

   Password expiry information
       -n min With this	option the minimum number  of  days  between  password
	      changes  is  changed.  A	value of zero for this field indicates
	      that the user may	change her password at any time. Else the user
	      will not be permitted to change the password until min days have

       -x max With this	option the maximum number of days during which a pass-
	      word is valid is changed.	When maxdays plus lastday is less than
	      the current day, the user	will be	required to change  his	 pass-
	      word before being	able to	use the	account.

       -w warn
	      With this	option the number of days of warning before a password
	      change is	required can be	changed. This option is	the number  of
	      days  prior  to the password expiring that a user	will be	warned
	      the password is about to expire.

       -i inact
	      This option is used to set the number of days of inactivity  af-
	      ter  a password has expired before the account is	locked.	A user
	      whose account is locked must contact the	system	 administrator
	      before  being able to use	the account again.  A value of -1 dis-
	      ables this feature.

   Account maintenance
       -l     A	system administrator can lock the  account  of	the  specified

       -u     A	 system	administrator can unlock the specified account,	if the
	      account is not passwordless afterwards (it will  not  unlock  an
	      account that has only  "!" as a password).

       -d     The  password  of	the given account can be deleted by the	system
	      administrator. If	the BioAPI interface is	used the  BioAPI  data
	      for that account is removed.

       -S     Report  password status on the named account. The	first part in-
	      dicates if the user account is  locked  (LK),  has  no  password
	      (NP),  or	 has  an  existing or locked password (PS). The	second
	      part gives the date of the last password change. The next	 parts
	      are the minimum age, maximum age,	warning	period,	and inactivity
	      period for the password.

       -a     Report the password status for all accounts. Can only be used in
	      conjunction with -S.

       -e     The user will be forced to change	the password at	next login.

       -P path
	      Search  passwd  and  shadow  file	in path. This option cannot be
	      used with	changing passwords.

	      This option is used to  indicate	that  passwd  should  use  the
	      BioAPI  for  managing the	authentication token of	an account. It
	      is only supported	with a small subset of other options. This op-
	      tion is not always available.

	      This  option is used to indicate that passwd should read the new
	      password from standard input, which can be a  pipe  (only	 by  a
	      system administrator).

   Name	service	switch options
       -D binddn
	      Use the Distinguished Name binddn	to bind	to the LDAP directory.

       passwd -	user account information
       shadow -	shadow user account information

       passwd(1), group(5), passwd(5), shadow(5), pam(5)

       Thorsten	Kukuk <>

pwdutils			 November 2005			     passwd(1)


Want to link to this manual page? Use this URL:

home | help