220 lines
6.6 KiB
Groff
220 lines
6.6 KiB
Groff
'\" t
|
|
.\" Title: chpasswd
|
|
.\" Author: Julianne Frances Haugh
|
|
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
|
|
.\" Date: 03/19/2025
|
|
.\" Manual: System Management Commands
|
|
.\" Source: shadow-utils 4.17.4
|
|
.\" Language: English
|
|
.\"
|
|
.TH "CHPASSWD" "8" "03/19/2025" "shadow\-utils 4\&.17\&.4" "System Management Commands"
|
|
.\" -----------------------------------------------------------------
|
|
.\" * Define some portability stuff
|
|
.\" -----------------------------------------------------------------
|
|
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
.\" http://bugs.debian.org/507673
|
|
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
|
|
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
.ie \n(.g .ds Aq \(aq
|
|
.el .ds Aq '
|
|
.\" -----------------------------------------------------------------
|
|
.\" * set default formatting
|
|
.\" -----------------------------------------------------------------
|
|
.\" disable hyphenation
|
|
.nh
|
|
.\" disable justification (adjust text to left margin only)
|
|
.ad l
|
|
.\" -----------------------------------------------------------------
|
|
.\" * MAIN CONTENT STARTS HERE *
|
|
.\" -----------------------------------------------------------------
|
|
.SH "NAME"
|
|
chpasswd \- update passwords in batch mode
|
|
.SH "SYNOPSIS"
|
|
.HP \w'\fBchpasswd\fR\ 'u
|
|
\fBchpasswd\fR [\fIoptions\fR]
|
|
.SH "DESCRIPTION"
|
|
.PP
|
|
The
|
|
\fBchpasswd\fR
|
|
command reads a list of user name and password pairs from standard input and uses this information to update a group of existing users\&. Each line is of the format:
|
|
.PP
|
|
\fIuser_name\fR:\fIpassword\fR
|
|
.PP
|
|
By default the passwords must be supplied in clear\-text, and are encrypted by
|
|
\fBchpasswd\fR\&. Also the password age will be updated, if present\&.
|
|
.PP
|
|
The default encryption algorithm can be defined for the system with the
|
|
\fBENCRYPT_METHOD\fR
|
|
or
|
|
\fBMD5_CRYPT_ENAB\fR
|
|
variables of
|
|
/etc/login\&.defs, and can be overwritten with the
|
|
\fB\-e\fR,
|
|
\fB\-m\fR, or
|
|
\fB\-c\fR
|
|
options\&.
|
|
.PP
|
|
\fBchpasswd\fR
|
|
first updates all the passwords in memory, and then commits all the changes to disk if no errors occurred for any user\&.
|
|
.PP
|
|
This command is intended to be used in a large system environment where many accounts are created at a single time\&.
|
|
.SH "OPTIONS"
|
|
.PP
|
|
The options which apply to the
|
|
\fBchpasswd\fR
|
|
command are:
|
|
.PP
|
|
\fB\-c\fR, \fB\-\-crypt\-method\fR\ \&\fIMETHOD\fR
|
|
.RS 4
|
|
Use the specified method to encrypt the passwords\&.
|
|
.sp
|
|
The available methods are
|
|
\fIDES\fR,
|
|
\fIMD5\fR, \fISHA256\fR, \fISHA512\fR
|
|
and
|
|
\fINONE\fR
|
|
if your libc supports these methods\&.
|
|
.sp
|
|
By default (if none of the
|
|
\fB\-c\fR,
|
|
\fB\-m\fR, or
|
|
\fB\-e\fR
|
|
options are specified), the encryption method is defined by the
|
|
\fBENCRYPT_METHOD\fR
|
|
or
|
|
\fBMD5_CRYPT_ENAB\fR
|
|
variables of
|
|
/etc/login\&.defs\&.
|
|
.RE
|
|
.PP
|
|
\fB\-e\fR, \fB\-\-encrypted\fR
|
|
.RS 4
|
|
Supplied passwords are in encrypted form\&.
|
|
.RE
|
|
.PP
|
|
\fB\-h\fR, \fB\-\-help\fR
|
|
.RS 4
|
|
Display help message and exit\&.
|
|
.RE
|
|
.PP
|
|
\fB\-m\fR, \fB\-\-md5\fR
|
|
.RS 4
|
|
Use MD5 encryption instead of DES when the supplied passwords are not encrypted\&.
|
|
.RE
|
|
.PP
|
|
\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR
|
|
.RS 4
|
|
Apply changes in the
|
|
\fICHROOT_DIR\fR
|
|
directory and use the configuration files from the
|
|
\fICHROOT_DIR\fR
|
|
directory\&. Only absolute paths are supported\&.
|
|
.RE
|
|
.PP
|
|
\fB\-P\fR, \fB\-\-prefix\fR\ \&\fIPREFIX_DIR\fR
|
|
.RS 4
|
|
Apply changes to configuration files under the root filesystem found under the directory
|
|
\fIPREFIX_DIR\fR\&. This option does not chroot and is intended for preparing a cross\-compilation target\&. Some limitations: NIS and LDAP users/groups are not verified\&. PAM authentication is using the host files\&. No SELINUX support\&.
|
|
.RE
|
|
.PP
|
|
\fB\-s\fR, \fB\-\-sha\-rounds\fR\ \&\fIROUNDS\fR
|
|
.RS 4
|
|
Use the specified number of rounds to encrypt the passwords\&.
|
|
.sp
|
|
You can only use this option with crypt method:
|
|
\fISHA256\fR \fISHA512\fR
|
|
.sp
|
|
By default, the number of rounds for SHA256 or SHA512 is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
|
|
/etc/login\&.defs\&.
|
|
.sp
|
|
A minimal value of 1000 and a maximal value of 999,999,999 will be enforced for SHA256 and SHA512\&. The default number of rounds is 5000\&.
|
|
.RE
|
|
.SH "CAVEATS"
|
|
.PP
|
|
Remember to set permissions or umask to prevent readability of unencrypted files by other users\&.
|
|
.SH "CONFIGURATION"
|
|
.PP
|
|
The following configuration variables in
|
|
/etc/login\&.defs
|
|
change the behavior of this tool:
|
|
.PP
|
|
\fBENCRYPT_METHOD\fR (string)
|
|
.RS 4
|
|
This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&.
|
|
.sp
|
|
It can take one of these values:
|
|
\fIDES\fR
|
|
(default),
|
|
\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see
|
|
crypt(5)
|
|
for recommendations\&.
|
|
.sp
|
|
Note: this parameter overrides the
|
|
\fBMD5_CRYPT_ENAB\fR
|
|
variable\&.
|
|
.RE
|
|
.PP
|
|
\fBMD5_CRYPT_ENAB\fR (boolean)
|
|
.RS 4
|
|
Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to
|
|
\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to
|
|
\fIno\fR
|
|
if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is
|
|
\fIno\fR\&.
|
|
.sp
|
|
This variable is superseded by the
|
|
\fBENCRYPT_METHOD\fR
|
|
variable or by any command line option used to configure the encryption algorithm\&.
|
|
.sp
|
|
This variable is deprecated\&. You should use
|
|
\fBENCRYPT_METHOD\fR\&.
|
|
.RE
|
|
.PP
|
|
\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number)
|
|
.RS 4
|
|
When
|
|
\fBENCRYPT_METHOD\fR
|
|
is set to
|
|
\fISHA256\fR
|
|
or
|
|
\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&.
|
|
.sp
|
|
With a lot of rounds, it is more difficult to brute force the password\&. But note also that more CPU resources will be needed to authenticate users\&.
|
|
.sp
|
|
If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&.
|
|
.sp
|
|
The values must be inside the 1000\-999,999,999 range\&.
|
|
.sp
|
|
If only one of the
|
|
\fBSHA_CRYPT_MIN_ROUNDS\fR
|
|
or
|
|
\fBSHA_CRYPT_MAX_ROUNDS\fR
|
|
values is set, then this value will be used\&.
|
|
.sp
|
|
If
|
|
\fBSHA_CRYPT_MIN_ROUNDS\fR
|
|
>
|
|
\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&.
|
|
.RE
|
|
.SH "FILES"
|
|
.PP
|
|
/etc/passwd
|
|
.RS 4
|
|
User account information\&.
|
|
.RE
|
|
.PP
|
|
/etc/shadow
|
|
.RS 4
|
|
Secure user account information\&.
|
|
.RE
|
|
.PP
|
|
/etc/login\&.defs
|
|
.RS 4
|
|
Shadow password suite configuration\&.
|
|
.RE
|
|
.SH "SEE ALSO"
|
|
.PP
|
|
\fBpasswd\fR(1),
|
|
\fBnewusers\fR(8),
|
|
\fBlogin.defs\fR(5),
|
|
\fBuseradd\fR(8)\&.
|