1PASSWD(1) User utilities PASSWD(1)
2
6 passwd - update user's authentication tokens
7
10 passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w
11 warndays] [-i inactivedays] [-S] [--stdin] [-?] [--usage] [username]
12
16 The passwd utility is used to update user's authentication token(s).
17 This task is achieved through calls to the Linux-PAM and Libuser API.
19 Essentially, it initializes itself as a "passwd" service with Linux-PAM
20 and utilizes configured password modules to authenticate and then
21 update a user's password.
22 A simple entry in the global Linux-PAM configuration file for this ser‐
25 vice would be:
26 #
28 # passwd service entry that does strength checking of
29 # a proposed password before updating it.
30 #
31 passwd password requisite pam_cracklib.so retry=3
32 passwd password required pam_unix.so use_authtok
33 #
34 Note, other module types are not required for this application to func‐
37 tion correctly.
38
41 -k, --keep-tokens
42 The option -k is used to indicate that the update should only be
43 for expired authentication tokens (passwords); the user wishes
44 to keep their non-expired tokens as before.
45 -l, --lock
48 This option is used to lock the password of specified account
49 and it is available to root only. The locking is performed by
50 rendering the encrypted password into an invalid string (by pre‐
51 fixing the encrypted string with an !). Note that the account is
52 not fully locked - the user can still log in by other means of
53 authentication such as the ssh public key authentication. Use
54 chage -E 0 user command instead for full account locking.
55 --stdin
58 This option is used to indicate that passwd should read the new
59 password from standard input, which can be a pipe.
60 -u, --unlock
63 This is the reverse of the -l option - it will unlock the
64 account password by removing the ! prefix. This option is avail‐
65 able to root only. By default passwd will refuse to create a
66 passwordless account (it will not unlock an account that has
67 only "!" as a password). The force option -f will override this
68 protection.
69 -d, --delete
72 This is a quick way to delete a password for an account. It will
73 set the named account passwordless. Available to root only.
74 Note that if the password was locked, this implicitly removes
76 the password lock as well.
77 -e, --expire
80 This is a quick way to expire a password for an account. The
81 user will be forced to change the password during the next login
82 attempt. Available to root only.
83 -f, --force
86 Force the specified operation.
87 -n, --minimum DAYS
90 This will set the minimum password lifetime, in days, if the
91 user's account supports password lifetimes. Available to root
92 only.
93 -x, --maximum DAYS
96 This will set the maximum password lifetime, in days, if the
97 user's account supports password lifetimes. Available to root
98 only.
99 -w, --warning DAYS
102 This will set the number of days in advance the user will begin
103 receiving warnings that her password will expire, if the user's
104 account supports password lifetimes. Available to root only.
105 -i, --inactive DAYS
108 This will set the number of days which will pass before an
109 expired password for this account will be taken to mean that the
110 account is inactive and should be disabled, if the user's
111 account supports password lifetimes. Available to root only.
112 -S, --status
115 This will output a short information about the status of the
116 password for a given account. The status information consists of
117 7 fields. The first field is the user's login name. The second
118 field indicates if the user account has a locked password (LK),
119 has no password (NP), or has a usable password (PS). The third
120 field gives the date of the last password change. The next four
121 fields are the minimum age, maximum age, warning period, and
122 inactivity period for the password. These ages are expressed in
123 days.
124 Notes: The date of the last password change is stored as a num‐
126 ber of days since epoch. Depending on the current time zone, the
127 passwd -S username may show the date of the last password change
128 that is different from the real date of the last password change
129 by ±1 day.
130 This option is available to root only.
132 -?, --help
135 Print a help message and exit.
136 --usage
139 Print a short usage message and exit.
140
143 Protect your password.
144 Don't write down your password - memorize it. In particular,
145 don't write it down and leave it anywhere, and don't place it in
146 an unencrypted file! Use unrelated passwords for systems con‐
147 trolled by different organizations. Don't give or share your
148 password, in particular to someone claiming to be from computer
149 support or a vendor. Don't let anyone watch you enter your
150 password. Don't enter your password to a computer you don't
151 trust or if things "look funny"; someone may be trying to hijack
152 your password. Use the password for a limited time and change
153 it periodically.
154 Choose a hard-to-guess password.
157 passwd through the calls to the pam_cracklib PAM module will try
158 to prevent you from choosing a really bad password, but it isn't
159 foolproof; create your password wisely. Don't use something
160 you'd find in a dictionary (in any language or jargon). Don't
161 use a name (including that of a spouse, parent, child, pet, fan‐
162 tasy character, famous person, and location) or any variation of
163 your personal or account name. Don't use accessible information
164 about you (such as your phone number, license plate, or social
165 security number) or your environment. Don't use a birthday or a
166 simple pattern (such as "qwerty", "abc", or "aaa"). Don't use
167 any of those backwards, followed by a digit, or preceded by a
168 digit. Instead, use a mixture of upper and lower case letters,
169 as well as digits or punctuation. When choosing a new password,
170 make sure it's unrelated to any previous password. Use long
171 passwords (say at least 8 characters long). You might use a
172 word pair with punctuation inserted, a passphrase (an under‐
173 standable sequence of words), or the first letter of each word
174 in a passphrase.
175 These principles are partially enforced by the system, but only partly
179 so. Vigilance on your part will make the system much more secure.
180
183 The passwd command exits with the following codes:
184 0
186 success
187 1
189 passwd/libuser operation failed
190 2
192 unknown user
193 252
195 unknown user name
196 253
198 bad arguments or passwordless account
199 254
201 invalid application of arguments
202 255
204 libuser operation failed
205 Error messages are written to the standard error stream.
207
210 Linux-PAM (Pluggable Authentication modules for Linux).
211
214 /etc/pam.d/passwd - the Linux-PAM configuration file
215
218 None known.
219
222 pam(8), pam.d(5), libuser.conf(5), and pam_chauthtok(3).
223 For more complete information on how to configure this application with
226 Linux-PAM, see the Linux-PAM System Administrators' Guide.
227
230 Cristian Gafton <gafton@redhat.com>
231GNU/Linux Mar 28 2018 PASSWD(1)