Diffstat (limited to 'man/man8/chpasswd.8')
-rw-r--r-- | man/man8/chpasswd.8 | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/man/man8/chpasswd.8 b/man/man8/chpasswd.8 new file mode 100644 index 0000000..67b4156 --- /dev/null +++ b/man/man8/chpasswd.8 
@@ -0,0 +1,214 @@ +'\" t +.\" Title: chpasswd +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "CHPASSWD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +chpasswd \- update passwords in batch mode +.SH "SYNOPSIS" +.HP \w'\fBchpasswd\fR\ 'u +\fBchpasswd\fR [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +The +\fBchpasswd\fR +command reads a list of user name and password pairs from standard input and uses this information to update a group of existing users\&. Each line is of the format: +.PP +\fIuser_name\fR:\fIpassword\fR +.PP +By default the passwords must be supplied in clear\-text, and are encrypted by +\fBchpasswd\fR\&. Also the password age will be updated, if present\&. 
+.PP +The default encryption algorithm can be defined for the system with the +\fBENCRYPT_METHOD\fR +or +\fBMD5_CRYPT_ENAB\fR +variables of +/etc/login\&.defs, and can be overwritten with the +\fB\-e\fR, +\fB\-m\fR, or +\fB\-c\fR +options\&. +.PP +\fBchpasswd\fR +first updates all the passwords in memory, and then commits all the changes to disk if no errors occurred for any user\&. +.PP +This command is intended to be used in a large system environment where many accounts are created at a single time\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBchpasswd\fR +command are: +.PP +\fB\-c\fR, \fB\-\-crypt\-method\fR\ \&\fIMETHOD\fR +.RS 4 +Use the specified method to encrypt the passwords\&. +.sp +The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods\&. +.sp +By default (if none of the +\fB\-c\fR, +\fB\-m\fR, or +\fB\-e\fR +options are specified), the encryption method is defined by the +\fBENCRYPT_METHOD\fR +or +\fBMD5_CRYPT_ENAB\fR +variables of +/etc/login\&.defs\&. +.RE +.PP +\fB\-e\fR, \fB\-\-encrypted\fR +.RS 4 +Supplied passwords are in encrypted form\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-m\fR, \fB\-\-md5\fR +.RS 4 +Use MD5 encryption instead of DES when the supplied passwords are not encrypted\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-s\fR, \fB\-\-sha\-rounds\fR\ \&\fIROUNDS\fR +.RS 4 +Use the specified number of rounds to encrypt the passwords\&. +.sp +The value 0 means that the system will choose the default number of rounds for the crypt method (5000)\&. +.sp +A minimal value of 1000 and a maximal value of 999,999,999 will be enforced\&. +.sp +You can only use this option with the SHA256 or SHA512 crypt method\&. 
+.sp +By default, the number of rounds is defined by the +\fBSHA_CRYPT_MIN_ROUNDS\fR +and +\fBSHA_CRYPT_MAX_ROUNDS\fR +variables in +/etc/login\&.defs\&. +.RE +.SH "CAVEATS" +.PP +Remember to set permissions or umask to prevent readability of unencrypted files by other users\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBENCRYPT_METHOD\fR (string) +.RS 4 +This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&. +.sp +It can take one of these values: +\fIDES\fR +(default), +\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see +crypt(5) +for recommendations\&. +.sp +Note: this parameter overrides the +\fBMD5_CRYPT_ENAB\fR +variable\&. +.RE +.PP +\fBMD5_CRYPT_ENAB\fR (boolean) +.RS 4 +Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to +\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to +\fIno\fR +if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is +\fIno\fR\&. +.sp +This variable is superseded by the +\fBENCRYPT_METHOD\fR +variable or by any command line option used to configure the encryption algorithm\&. +.sp +This variable is deprecated\&. You should use +\fBENCRYPT_METHOD\fR\&. +.RE +.PP +\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number) +.RS 4 +When +\fBENCRYPT_METHOD\fR +is set to +\fISHA256\fR +or +\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&. +.sp +With a lot of rounds, it is more difficult to brute forcing the password\&. 
But note also that more CPU resources will be needed to authenticate users\&. +.sp +If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&. +.sp +The values must be inside the 1000\-999,999,999 range\&. +.sp +If only one of the +\fBSHA_CRYPT_MIN_ROUNDS\fR +or +\fBSHA_CRYPT_MAX_ROUNDS\fR +values is set, then this value will be used\&. +.sp +If +\fBSHA_CRYPT_MIN_ROUNDS\fR +> +\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "SEE ALSO" +.PP +\fBpasswd\fR(1), +\fBnewusers\fR(8), +\fBlogin.defs\fR(5), +\fBuseradd\fR(8)\&. |
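Review bot: In OPTIONS, the -c entry lists DES, MD5 and NONE, and the -m entry offers "MD5 encryption instead of DES", neither with any caution, while the ENCRYPT_METHOD entry under CONFIGURATION says "MD5 and DES should not be used for new hashes, see crypt(5)". A reader who only consults the option list never sees that advice, so repeat the crypt(5) pointer in the -c and -m entries, and add crypt(5) to SEE ALSO, which currently lists only passwd(1), newusers(8), login.defs(5) and useradd(8). NONE is named as a method but not described anywhere in the page; add a sentence saying what ends up in /etc/shadow when it is selected. The -s entry has the same gap: it gives the default of 5000 rounds without the CONFIGURATION remark that this is "orders of magnitude too low for modern hardware". Wording to fix in the same pass: "if your libc support these methods", "if no algorithm are specified", and "more difficult to brute forcing the password". The header marks the file as generated by DocBook XSL Stylesheets, so these changes belong in the DocBook source, with the man page regenerated from it.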