passwd(1)passwd(1)NAMEpasswd - change user password
SYNOPSISpasswd [-f|-g|-s|-k[-q]] [name]
passwd [-D binddn][-n min][-x max][-w warn][-i inact] account
passwd [-D binddn] {-l|-u|-d|-S[-a]|-e} name
passwd--bioapi [account]
passwd--stdin [account]
DESCRIPTIONpasswd changes passwords for user and group accounts. While an admin‐
istrator may change the password for any account or group, a normal
user is only allowed to change the password for their own account.
passwd also changes account information, such as the full name of the
user, their login shell, password expiry dates and intervals or disable
an account.
passwd is written to work through the PAM API. Essentially, it ini‐
tializes itself as a "passwd" service and utilizes configured "pass‐
word" modules to authenticate and then update a user's password.
A sample /etc/pam.d/passwd file might look like this:
#%PAM-1.0
auth required pam_unix2.so nullok
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok \
use_first_pass use_authtok
session required pam_unix2.so
Password Changes
If an old password is present, the user is first promted for it and the
password is compared agaisnt the stored one. This can be changed,
depending which PAM modules are used. An administrator is permitted to
bypass this step so that forgotten passwords may be changed.
After the user is authenticated, password aging information are checked
to see if the user is permitted to change their password at this time.
Else passwd refuses to change the password.
The user is then prompted for a replacement password. Care must be
taken to not include special control characters or characters, which
are not available on all keyboards.
If the password is accepted, passwd will prompt again and compare the
second entry against the first. Both entries are require to match in
order for the password to be changed.
OPTIONS-f Change the finger (gecos) information. This are the users full‐
name, office room number, office phone number and home phone
number. This information is stored in the /etc/passwd file and
typically printed by finger(1) and similiar programs.
-g With this option, the password for the named group will be
changed.
-s This option is used to change the user login shell. A normal
user may only change the login shell for their own account, the
super user may change the login shell for any account.
-k Keep non-expired authentication tokens. The password will only
be changed if it is expired.
-q Try to be quiet. This option can only be used with -k.
Password expiry information
-n min With this option the minimum number of days between password
changes is changed. A value of zero for this field indicates
that the user may change her password at any time. Else the user
will not be permitted to change the password until min days have
elapsed.
-x max With this option the maximum number of days during which a pass‐
word is valid is changed. When maxdays plus lastday is less than
the current day, the user will be required to change his pass‐
word before being able to use the account.
-w warn
With this option the number of days of warning before a password
change is required can be changed. This option is the number of
days prior to the password expiring that a user will be warned
the password is about to expire.
-i inact
This option is used to set the number of days of inactivity
after a password has expired before the account is locked. A
user whose account is locked must contact the system adminis‐
trator before being able to use the account again. A value of
-1 disables this feature.
Account maintenance
-l A system administrator can lock the account of the specified
user.
-u A system administrator can unlock the specified account, if the
account is not passwordless afterwards (it will not unlock an
account that has only "!" as a password).
-d The password of the given account can be deleted by the system
administrator. If the BioAPI interface is used the BioAPI data
for that account is removed.
-S Report password status on the named account. The first part
indicates if the user account is locked (LK), has no password
(NP), or has an existing or locked password (PS). The second
part gives the date of the last password change. The next parts
are the minimum age, maximum age, warning period, and inactivity
period for the password.
-a Report the password status for all accounts. Can only be used in
conjunction with -S.
-e The user will be forced to change the password at next login.
-P path
Search passwd and shadow file in path. This option cannot be
used with changing passwords.
--bioapi
This option is used to indicate that passwd should use the
BioAPI for managing the authentication token of an account. It
is only supported with a small subset of other options. This
option is not always available.
--stdin
This option is used to indicate that passwd should read the new
password from standard input, which can be a pipe (only by a
system administrator).
Name service switch options
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
FILESpasswd - user account information
shadow - shadow user account information
SEE ALSOpasswd(1), group(5), passwd(5), shadow(5), pam(5)AUTHOR
Thorsten Kukuk <kukuk@suse.de>
pwdutils November 2005 passwd(1)
