1PASSWD(1) User utilities PASSWD(1)
2
6 passwd - update user's authentication tokens
7
10 passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w
11 warndays] [-i inactivedays] [-S] [--stdin] [username]
12
16 The passwd utility is used to update user's authentication token(s).
17 This task is achieved through calls to the Linux-PAM and Libuser API.
19 Essentially, it initializes itself as a "passwd" service with Linux-PAM
20 and utilizes configured password modules to authenticate and then
21 update a user's password.
22 A simple entry in the global Linux-PAM configuration file for this ser‐
25 vice would be:
26 #
28 # passwd service entry that does strength checking of
29 # a proposed password before updating it.
30 #
31 passwd password requisite pam_cracklib.so retry=3
32 passwd password required pam_unix.so use_authtok
33 #
34 Note, other module types are not required for this application to func‐
37 tion correctly.
38
41 -k, --keep
42 The option -k is used to indicate that the update should only be
43 for expired authentication tokens (passwords); the user wishes
44 to keep their non-expired tokens as before.
45 -l, --lock
48 This option is used to lock the password of specified account
49 and it is available to root only. The locking is performed by
50 rendering the encrypted password into an invalid string (by pre‐
51 fixing the encrypted string with an !). Note that the account is
52 not fully locked - the user can still log in by other means of
53 authentication such as the ssh public key authentication. Use
54 chage -E 0 user command instead for full account locking.
55 --stdin
58 This option is used to indicate that passwd should read the new
59 password from standard input, which can be a pipe.
60 -u, --unlock
63 This is the reverse of the -l option - it will unlock the
64 account password by removing the ! prefix. This option is avail‐
65 able to root only. By default passwd will refuse to create a
66 passwordless account (it will not unlock an account that has
67 only "!" as a password). The force option -f will override this
68 protection.
69 -d, --delete
72 This is a quick way to delete a password for an account. It will
73 set the named account passwordless. Available to root only.
74 Note that if the password was locked, this implicitly removes
76 the password lock as well.
77 -e, --expire
80 This is a quick way to expire a password for an account. The
81 user will be forced to change the password during the next login
82 attempt. Available to root only.
83 -f, --force
86 Force the specified operation.
87 -n, --minimum DAYS
90 This will set the minimum password lifetime, in days, if the
91 user's account supports password lifetimes. Available to root
92 only.
93 -x, --maximum DAYS
96 This will set the maximum password lifetime, in days, if the
97 user's account supports password lifetimes. Available to root
98 only.
99 -w, --warning DAYS
102 This will set the number of days in advance the user will begin
103 receiving warnings that her password will expire, if the user's
104 account supports password lifetimes. Available to root only.
105 -i, --inactive DAYS
108 This will set the number of days which will pass before an
109 expired password for this account will be taken to mean that the
110 account is inactive and should be disabled, if the user's
111 account supports password lifetimes. Available to root only.
112 -S, --status
115 This will output a short information about the status of the
116 password for a given account. The status information consists of
117 7 fields. The first field is the user's login name. The second
118 field indicates if the user account has a locked password (L),
119 has no password (NP), or has a usable password (P). The third
120 field gives the date of the last password change. The next four
121 fields are the minimum age, maximum age, warning period, and
122 inactivity period for the password. These ages are expressed in
123 days.
124 Notes: The date of the last password change is stored as a num‐
126 ber of days since epoch. Depending on the current time zone, the
127 passwd -S username may show the date of the last password change
128 that is different from the real date of the last password change
129 by ±1 day.
130 This option is available to root only.
132
135 Protect your password.
136 Don't write down your password - memorize it. In particular,
137 don't write it down and leave it anywhere, and don't place it in
138 an unencrypted file! Use unrelated passwords for systems con‐
139 trolled by different organizations. Don't give or share your
140 password, in particular to someone claiming to be from computer
141 support or a vendor. Don't let anyone watch you enter your
142 password. Don't enter your password to a computer you don't
143 trust or if things "look funny"; someone may be trying to hijack
144 your password. Use the password for a limited time and change
145 it periodically.
146 Choose a hard-to-guess password.
149 passwd through the calls to the pam_cracklib PAM module will try
150 to prevent you from choosing a really bad password, but it isn't
151 foolproof; create your password wisely. Don't use something
152 you'd find in a dictionary (in any language or jargon). Don't
153 use a name (including that of a spouse, parent, child, pet, fan‐
154 tasy character, famous person, and location) or any variation of
155 your personal or account name. Don't use accessible information
156 about you (such as your phone number, license plate, or social
157 security number) or your environment. Don't use a birthday or a
158 simple pattern (such as "qwerty", "abc", or "aaa"). Don't use
159 any of those backwards, followed by a digit, or preceded by a
160 digit. Instead, use a mixture of upper and lower case letters,
161 as well as digits or punctuation. When choosing a new password,
162 make sure it's unrelated to any previous password. Use long
163 passwords (say at least 8 characters long). You might use a
164 word pair with punctuation inserted, a passphrase (an under‐
165 standable sequence of words), or the first letter of each word
166 in a passphrase.
167 These principles are partially enforced by the system, but only partly
171 so. Vigilance on your part will make the system much more secure.
172
175 The passwd command exits with the following codes:
176 0
178 success
179 1
181 passwd/libuser operation failed
182 2
184 unknown user
185 252
187 unknown user name
188 253
190 bad arguments or passwordless account
191 254
193 invalid application of arguments
194 255
196 libuser operation failed
197 Error messages are written to the standard error stream.
199
202 Linux-PAM (Pluggable Authentication modules for Linux).
203
206 /etc/pam.d/passwd - the Linux-PAM configuration file
207
210 None known.
211
214 pam(8), pam.d(5), libuser.conf(5), and pam_chauthtok(3).
215 For more complete information on how to configure this application with
218 Linux-PAM, see the Linux-PAM System Administrators' Guide.
219
222 Cristian Gafton <gafton@redhat.com>
223GNU/Linux Mar 28 2018 PASSWD(1)