FreeBSD Manual Pages

home | help
PASSWD(1)		    General Commands Manual		     PASSWD(1)

NAME
       passwd, yppasswd	-- modify a user's password

SYNOPSIS
       passwd [-l] [user]
       yppasswd	[-l] [-y] [-d domain] [-h host]	[-o]

DESCRIPTION
       The passwd utility changes the user's local, Kerberos, or NIS password.
       If the user is not the super-user, passwd first prompts for the current
       password	and will not continue unless the correct password is entered.

       When  entering the new password,	the characters entered do not echo, in
       order to	avoid the password being seen  by  a  passer-by.   The	passwd
       utility	prompts	 for  the new password twice in	order to detect	typing
       errors.

       The total length	of the password	must be	less than _PASSWORD_LEN	 (cur-
       rently 128 characters).

       Once  the password has been verified, passwd communicates the new pass-
       word information	to the Kerberos	authenticating host.

       The following option is available:

       -l      Cause the password to be	updated	only  in  the  local  password
	       file,  and  not with the	Kerberos database.  When changing only
	       the local password, pwd_mkdb(8) is used to update the  password
	       databases.

       When  changing  local or	NIS password, the next password	change date is
       set according to	"passwordtime" capability in the user's	login class.

       To change another user's	Kerberos password, one must first run kinit(1)
       followed	by passwd.  The	super-user is not required to provide a	user's
       current password	if only	the local password is modified.

NIS INTERACTION
       The passwd utility has built-in support for NIS.	 If a user  exists  in
       the  NIS	password database but does not exist locally, passwd automati-
       cally switches into yppasswd mode.  If the specified user does not  ex-
       ist  in	either	the  local password database or	the NIS	password maps,
       passwd returns an error.

       When changing an	NIS password, unprivileged users are required to  pro-
       vide their old password for authentication (the rpc.yppasswdd(8)	daemon
       requires	 the original password before it will allow any	changes	to the
       NIS password maps).  This restriction applies even to  the  super-user,
       with  one  important exception: the password authentication is bypassed
       for the super-user on the NIS master server.  This means	that  the  su-
       per-user	on the NIS master server can make unrestricted changes to any-
       one's NIS password.  The	super-user on NIS client systems and NIS slave
       servers	still  needs  to  provide a password before the	update will be
       processed.

       The following additional	options	are supported for use with NIS:

       -y      Override	passwd's checking heuristics and forces	 it  into  NIS
	       mode.

       -l      When  NIS  is  enabled, the -l flag can be used to force	passwd
	       into "local only" mode.	This flag can be used  to  change  the
	       entry  for  a  local user when an NIS user exists with the same
	       login name.  For	example, you will sometimes find  entries  for
	       system  "placeholder"  users  such as bin or daemon in both the
	       NIS password maps and the local	user  database.	  By  default,
	       passwd will try to change the NIS password.  The	-l flag	can be
	       used to change the local	password instead.

       -d domain
	       Specify	what  domain to	use when changing an NIS password.  By
	       default,	passwd assumes that the	system default	domain	should
	       be  used.   This	 flag is primarily for use by the superuser on
	       the NIS master server: a	single NIS server can support multiple
	       domains.	 It is also possible that the domainname  on  the  NIS
	       master may not be set (it is not	necessary for an NIS server to
	       also  be	a client) in which case	the passwd command needs to be
	       told what domain	to operate on.

       -h host
	       Specify the name	of an NIS server.  This	option,	in conjunction
	       with the	-d option, can be used to change an NIS	password on  a
	       non-local  NIS  server.	When a domain is specified with	the -d
	       option and passwd is unable to determine	the name  of  the  NIS
	       master  server  (possibly  because  the local domainname	is not
	       set), the name of the NIS master	is assumed to be  "localhost".
	       This  can  be overridden	with the -h flag.  The specified host-
	       name need not be	the name of an NIS master: the name of the NIS
	       master for a given map can be determined	by  querying  any  NIS
	       server (master or slave)	in a domain, so	specifying the name of
	       a slave server will work	equally	well.

       -o      Do  not	automatically  override	 the  password	authentication
	       checks for the super-user on  the  NIS  master  server;	assume
	       "old"  mode instead.  This flag is of limited practical use but
	       is useful for testing.

FILES
       /etc/master.passwd  the user database
       /etc/passwd	   a Version 7 format password file
       /etc/passwd.XXXXXX  temporary copy of the password file
       /etc/login.conf	   login class capabilities database

SEE ALSO
       chpass(1), kinit(1), login(1), login.conf(5),  passwd(5),  kerberos(8),
       kpasswdd(8), pam_passwdqc(8), pw(8), pwd_mkdb(8), vipw(8)

       Robert Morris and Ken Thompson, UNIX password security.

NOTES
       The yppasswd command is really only a link to passwd.

HISTORY
       A passwd	command	appeared in Version 6 AT&T UNIX.

FreeBSD	13.2		       February	14, 2014		     PASSWD(1)
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=passwd&sektion=1&manpath=FreeBSD+14.0-RELEASE+and+Ports>
home | help
Header And Logo

Peripheral Links

Site Navigation

FreeBSD Manual Pages

Header And Logo

Peripheral Links

Search

Site Navigation

FreeBSD Manual Pages
