version 1, including all changes.
Rev: 1 | Author: perry

PASSWD
!!!PASSWD
NAME
SYNOPSIS
DESCRIPTION
CAVEATS
FILES
SEE ALSO
AUTHOR
----
!!NAME

passwd - change user password
!!SYNOPSIS

__passwd__ [[__-f__|__-s__] [[''name'']
__passwd__ [[__-g__] [[__-r__|__R__] ''group''
__passwd__ [[__-x__ ''max''] [[__-n__ ''min''] [[__-w__ ''warn''] [[__-i__ ''inact''] ''name''
__passwd__ {__-l__|__-u__|__-d__|__-S__|__-e__} ''name''
!!DESCRIPTION

__passwd__ changes passwords for user and group accounts.
A normal user may only change the password for their own
account; the super user may change the password for any
account. The administrator of a group may change the
password for the group. __passwd__ also changes account
information, such as the full name of the user, their login
shell, or password expiry dates and intervals.

__Password Changes__

The user is first prompted for their old password, if one is
present. This password is then encrypted and compared
against the stored password. The user has only one chance to
enter the correct password. The super user is permitted to
bypass this step so that forgotten passwords may be
changed.

After the password has been entered, password aging
information is checked to see if the user is permitted to
change their password at this time. If not, __passwd__
refuses to change the password and exits.

The user is then prompted for a replacement password. This
password is tested for complexity. As a general guideline,
passwords should consist of 6 to 8 characters including one
or more from each of the following sets:

Lower case alphabetics

Upper case alphabetics

Digits 0 thru 9

Punctuation marks

Care must be taken not to include the system default erase
or kill characters. __passwd__ will reject any password
which is not suitably complex.

If the password is accepted, __passwd__ will prompt again
and compare the second entry against the first. Both entries
are required to match in order for the password to be
changed.

__Group passwords__

When the __-g__ option is used, the password for the
named group is changed. The user must either be the super
user, or a group administrator for the named group. The
current group password is not prompted for. The __-r__
option is used with the __-g__ option to remove the
current password from the named group. This allows group
access to all members. The __-R__ option is used with the
__-g__ option to restrict the named group for all
users.

__Password expiry information__

The password aging information may be changed by the super
user with the __-x__, __-n__, __-w__, and __-i__
options. The __-x__ option is used to set the maximum
number of days a password remains valid. After ''max''
days, the password is required to be changed. The __-n__
option is used to set the minimum number of days before a
password may be changed. The user will not be permitted to
change the password until ''min'' days have elapsed. The
__-w__ option is used to set the number of days of
warning the user will receive before their password will
expire. The warning occurs ''warn'' days before the
expiration, telling the user how many days until the
password is set to expire. The __-i__ option is used to
disable an account after the password has been expired for a
number of days. After a user account has had an expired
password for ''inact'' days, the user may no longer sign
on to the account.

__Account maintenance__

User accounts may be locked and unlocked with the __-l__
and __-u__ flags. The __-l__ option disables an
account by changing the password to a value which matches no
possible encrypted value. The __-u__ option re-enables an
account by changing the password back to its previous
value.

If you wish to immediately expire an account's password, you
can use the __-e__ option. This in effect can force a
user to change their password at their next login. You can
also use the __-d__ option to delete a user's password
(make it empty). Use caution with this option since it can
make an account not require a password at all to log in,
leaving your system open to intruders.

The account status may be given with the __-S__ option.
The status information consists of 6 parts. The first part
indicates if the user account is locked (L), has no password
(NP), or has a usable password (P). The second part gives
the date of the last password change. The next four parts
are the minimum age, maximum age, warning period, and
inactivity period for the password.
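
An added example, not part of the original page or of the passwd source: it evaluates the aging rules set with __-x__, __-n__, __-w__ and __-i__ and the six status parts reported by __-S__ over constructed shadow(5)-format lines, so an audit can flag NP, expired and inactive accounts. The function names, the sample entries, the leading "!" or "*" lock marker and the exact day boundaries are assumptions.

```python
from datetime import date, timedelta
EPOCH = date(1970, 1, 1)

def _days(field):
    """shadow(5) aging fields: empty or -1 means 'not enforced'."""
    return None if field in ("", "-1") else int(field)

def audit(line, today):
    """Return (name, six-part status, aging state) for one shadow(5) line."""
    name, pw, *aging = line.strip().split(":")[:7]
    lastchg, mn, mx, warn, inact = map(_days, aging)
    # Part 1: NP = empty password (what -d leaves), P = usable,
    # L = leading "!" or "*" (assumed lock marker, matches no hash).
    flag = "NP" if pw == "" else "L" if pw[0] in "!*" else "P"
    changed = None if lastchg is None else EPOCH + timedelta(days=lastchg)
    status = (flag, changed, mn, mx, warn, inact)
    if lastchg is None:
        return name, status, "aging-off"
    if lastchg == 0:  # what -e sets: change required at next login
        return name, status, "must-change"
    age = (today - changed).days
    if mx is not None and age >= mx:
        if inact is not None and age >= mx + inact:
            return name, status, "inactive"  # -i: sign-on refused
        return name, status, "expired"  # -x: change required
    if mx is not None and warn is not None and age >= mx - warn:
        return name, status, f"warn:{mx - age}d"  # -w: days left
    if mn is not None and age < mn:
        return name, status, "too-young"  # -n: change refused for now
    return name, status, "ok"

# Constructed sample entries; the hash strings are placeholders.
SAMPLE = """\
alice:$6$constructed$hash:19700:1:90:7:14::
bob:!$6$constructed$hash:19700:0:99999:7:::
carol::19710:0:90:7:14::
dave:$6$constructed$hash:19600:1:90:7:14::
erin:$6$constructed$hash:0:1:90:7:14::
frank:$6$constructed$hash:19795:1:90:7:14::
"""
TODAY = EPOCH + timedelta(days=19795)  # constructed audit date

def report(text=SAMPLE, today=TODAY):
    """Map each account to (status flag, aging state)."""
    rows = (audit(line, today) for line in text.splitlines())
    return {name: (status[0], state) for name, status, state in rows}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, *result)
```

In the sample, carol is the entry to act on first: NP means the account needs no password at all, regardless of its aging state.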

__Hints for user passwords__

The security of a password depends upon the strength of the
encryption algorithm and the size of the key space. The
__UNIX__ System encryption method is based
on the NBS DES algorithm and is very secure. The size of the
key space depends upon the randomness of the password which
is selected.

The __-s__ option makes passwd call chsh to change the
user's shell. The __-f__ option makes passwd call chfn to
change the user's gecos information. These two options are
only meant for compatibility, since the other programs can be
called directly.

Compromises in password security normally result from
careless password selection or handling. For this reason,
you should select a password which does not appear in a
dictionary and which does not have to be written down. The
password should also not be a proper name, your license
number, birth date, or street address. Any of these may be
used as guesses to violate system security.

Your password must be easily remembered so that you will not
be forced to write it on a piece of paper. This can be
accomplished by appending two small words together and
separating each with a special character or digit. For
example, Pass%word.

Other methods of construction involve selecting an easily
remembered phrase from literature and selecting the first or
last letter from each. An example of this is

Ask not for whom the bell tolls.

which produces

An4wtbt.

You may be reasonably sure few crackers will have included
this in their dictionary. You should, however, select your
own methods for constructing passwords and not rely
exclusively on the methods given here.

__Notes about group passwords__

Group passwords are an inherent security problem since more
than one person is permitted to know the password. However,
groups are a useful tool for permitting co-operation between
different users.
!!CAVEATS

Not all options may be supported. Password complexity
checking may vary from site to site. The user is urged to
select as complex a password as they feel comfortable with.
Users may not be able to change their password on a system
if NIS is enabled and they are not logged into the NIS
server.
!!FILES

/etc/passwd - user account information
/etc/shadow - encrypted user passwords
!!SEE ALSO

group(5), passwd(5)
!!AUTHOR

Julianne Frances Haugh (jfh@austin.ibm.com)
----