214 lines
6.6 KiB
Groff
214 lines
6.6 KiB
Groff
'\" t
|
|
.\" Title: chgpasswd
|
|
.\" Author: Thomas Kłoczko <kloczek@pld.org.pl>
|
|
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
|
|
.\" Date: 03/19/2025
|
|
.\" Manual: System Management Commands
|
|
.\" Source: shadow-utils 4.17.4
|
|
.\" Language: English
|
|
.\"
|
|
.TH "CHGPASSWD" "8" "03/19/2025" "shadow\-utils 4\&.17\&.4" "System Management Commands"
|
|
.\" -----------------------------------------------------------------
|
|
.\" * Define some portability stuff
|
|
.\" -----------------------------------------------------------------
|
|
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
.\" http://bugs.debian.org/507673
|
|
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
|
|
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
.ie \n(.g .ds Aq \(aq
|
|
.el .ds Aq '
|
|
.\" -----------------------------------------------------------------
|
|
.\" * set default formatting
|
|
.\" -----------------------------------------------------------------
|
|
.\" disable hyphenation
|
|
.nh
|
|
.\" disable justification (adjust text to left margin only)
|
|
.ad l
|
|
.\" -----------------------------------------------------------------
|
|
.\" * MAIN CONTENT STARTS HERE *
|
|
.\" -----------------------------------------------------------------
|
|
.SH "NAME"
|
|
chgpasswd \- update group passwords in batch mode
|
|
.SH "SYNOPSIS"
|
|
.HP \w'\fBchgpasswd\fR\ 'u
|
|
\fBchgpasswd\fR [\fIoptions\fR]
|
|
.SH "DESCRIPTION"
|
|
.PP
|
|
The
|
|
\fBchgpasswd\fR
|
|
command reads a list of group name and password pairs from standard input and uses this information to update a set of existing groups\&. Each line is of the format:
|
|
.PP
|
|
\fIgroup_name\fR:\fIpassword\fR
|
|
.PP
|
|
By default the supplied password must be in clear\-text, and is encrypted by
|
|
\fBchgpasswd\fR\&.
|
|
.PP
|
|
The default encryption algorithm can be defined for the system with the
|
|
\fBENCRYPT_METHOD\fR
|
|
variable of
|
|
/etc/login\&.defs, and can be overwritten with the
|
|
\fB\-e\fR,
|
|
\fB\-m\fR, or
|
|
\fB\-c\fR
|
|
options\&.
|
|
.PP
|
|
This command is intended to be used in a large system environment where many accounts are created at a single time\&.
|
|
.SH "OPTIONS"
|
|
.PP
|
|
The options which apply to the
|
|
\fBchgpasswd\fR
|
|
command are:
|
|
.PP
|
|
\fB\-c\fR, \fB\-\-crypt\-method\fR
|
|
.RS 4
|
|
Use the specified method to encrypt the passwords\&.
|
|
.sp
|
|
The available methods are
|
|
\fIDES\fR,
|
|
\fIMD5\fR, \fISHA256\fR, \fISHA512\fR
|
|
and
|
|
\fINONE\fR
|
|
if your libc supports these methods\&.
|
|
.RE
|
|
.PP
|
|
\fB\-e\fR, \fB\-\-encrypted\fR
|
|
.RS 4
|
|
Supplied passwords are in encrypted form\&.
|
|
.RE
|
|
.PP
|
|
\fB\-h\fR, \fB\-\-help\fR
|
|
.RS 4
|
|
Display help message and exit\&.
|
|
.RE
|
|
.PP
|
|
\fB\-m\fR, \fB\-\-md5\fR
|
|
.RS 4
|
|
Use MD5 encryption instead of DES when the supplied passwords are not encrypted\&.
|
|
.RE
|
|
.PP
|
|
\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR
|
|
.RS 4
|
|
Apply changes in the
|
|
\fICHROOT_DIR\fR
|
|
directory and use the configuration files from the
|
|
\fICHROOT_DIR\fR
|
|
directory\&. Only absolute paths are supported\&.
|
|
.RE
|
|
.PP
|
|
\fB\-s\fR, \fB\-\-sha\-rounds\fR
|
|
.RS 4
|
|
Use the specified number of rounds to encrypt the passwords\&.
|
|
.sp
|
|
You can only use this option with crypt method:
|
|
\fISHA256\fR \fISHA512\fR
|
|
.sp
|
|
By default, the number of rounds for SHA256 or SHA512 is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
|
|
/etc/login\&.defs\&.
|
|
.sp
|
|
A minimal value of 1000 and a maximal value of 999,999,999 will be enforced for SHA256 and SHA512\&. The default number of rounds is 5000\&.
|
|
.RE
|
|
.SH "CAVEATS"
|
|
.PP
|
|
Remember to set permissions or umask to prevent readability of unencrypted files by other users\&.
|
|
.PP
|
|
You should make sure the passwords and the encryption method respect the system\*(Aqs password policy\&.
|
|
.SH "CONFIGURATION"
|
|
.PP
|
|
The following configuration variables in
|
|
/etc/login\&.defs
|
|
change the behavior of this tool:
|
|
.PP
|
|
\fBENCRYPT_METHOD\fR (string)
|
|
.RS 4
|
|
This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&.
|
|
.sp
|
|
It can take one of these values:
|
|
\fIDES\fR
|
|
(default),
|
|
\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see
|
|
crypt(5)
|
|
for recommendations\&.
|
|
.sp
|
|
Note: this parameter overrides the
|
|
\fBMD5_CRYPT_ENAB\fR
|
|
variable\&.
|
|
.RE
|
|
.PP
|
|
\fBMAX_MEMBERS_PER_GROUP\fR (number)
|
|
.RS 4
|
|
Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in
|
|
/etc/group
|
|
(with the same name, same password, and same GID)\&.
|
|
.sp
|
|
The default value is 0, meaning that there are no limits in the number of members in a group\&.
|
|
.sp
|
|
This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&.
|
|
.sp
|
|
If you need to enforce such limit, you can use 25\&.
|
|
.sp
|
|
Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&.
|
|
.RE
|
|
.PP
|
|
\fBMD5_CRYPT_ENAB\fR (boolean)
|
|
.RS 4
|
|
Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to
|
|
\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to
|
|
\fIno\fR
|
|
if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is
|
|
\fIno\fR\&.
|
|
.sp
|
|
This variable is superseded by the
|
|
\fBENCRYPT_METHOD\fR
|
|
variable or by any command line option used to configure the encryption algorithm\&.
|
|
.sp
|
|
This variable is deprecated\&. You should use
|
|
\fBENCRYPT_METHOD\fR\&.
|
|
.RE
|
|
.PP
|
|
\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number)
|
|
.RS 4
|
|
When
|
|
\fBENCRYPT_METHOD\fR
|
|
is set to
|
|
\fISHA256\fR
|
|
or
|
|
\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&.
|
|
.sp
|
|
With a lot of rounds, it is more difficult to brute force the password\&. But note also that more CPU resources will be needed to authenticate users\&.
|
|
.sp
|
|
If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&.
|
|
.sp
|
|
The values must be inside the 1000\-999,999,999 range\&.
|
|
.sp
|
|
If only one of the
|
|
\fBSHA_CRYPT_MIN_ROUNDS\fR
|
|
or
|
|
\fBSHA_CRYPT_MAX_ROUNDS\fR
|
|
values is set, then this value will be used\&.
|
|
.sp
|
|
If
|
|
\fBSHA_CRYPT_MIN_ROUNDS\fR
|
|
>
|
|
\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&.
|
|
.RE
|
|
.SH "FILES"
|
|
.PP
|
|
/etc/group
|
|
.RS 4
|
|
Group account information\&.
|
|
.RE
|
|
.PP
|
|
/etc/gshadow
|
|
.RS 4
|
|
Secure group account information\&.
|
|
.RE
|
|
.PP
|
|
/etc/login\&.defs
|
|
.RS 4
|
|
Shadow password suite configuration\&.
|
|
.RE
|
|
.SH "SEE ALSO"
|
|
.PP
|
|
\fBgpasswd\fR(1),
|
|
\fBgroupadd\fR(8),
|
|
\fBlogin.defs\fR(5)\&.
|