summaryrefslogtreecommitdiffstats
path: root/man/man8/chpasswd.8
diff options
context:
space:
mode:
Diffstat (limited to 'man/man8/chpasswd.8')
-rw-r--r--man/man8/chpasswd.8214
1 files changed, 214 insertions, 0 deletions
diff --git a/man/man8/chpasswd.8 b/man/man8/chpasswd.8
new file mode 100644
index 0000000..67b4156
--- /dev/null
+++ b/man/man8/chpasswd.8
@@ -0,0 +1,214 @@
+'\" t
+.\" Title: chpasswd
+.\" Author: Julianne Frances Haugh
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\" Date: 11/08/2022
+.\" Manual: System Management Commands
+.\" Source: shadow-utils 4.13
+.\" Language: English
+.\"
+.TH "CHPASSWD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+chpasswd \- update passwords in batch mode
+.SH "SYNOPSIS"
+.HP \w'\fBchpasswd\fR\ 'u
+\fBchpasswd\fR [\fIoptions\fR]
+.SH "DESCRIPTION"
+.PP
+The
+\fBchpasswd\fR
+command reads a list of user name and password pairs from standard input and uses this information to update a group of existing users\&. Each line is of the format:
+.PP
+\fIuser_name\fR:\fIpassword\fR
+.PP
+By default the passwords must be supplied in clear\-text, and are encrypted by
+\fBchpasswd\fR\&. Also the password age will be updated, if present\&.
+.PP
+The default encryption algorithm can be defined for the system with the
+\fBENCRYPT_METHOD\fR
+or
+\fBMD5_CRYPT_ENAB\fR
+variables of
+/etc/login\&.defs, and can be overwritten with the
+\fB\-e\fR,
+\fB\-m\fR, or
+\fB\-c\fR
+options\&.
+.PP
+\fBchpasswd\fR
+first updates all the passwords in memory, and then commits all the changes to disk if no errors occurred for any user\&.
+.PP
+This command is intended to be used in a large system environment where many accounts are created at a single time\&.
+.SH "OPTIONS"
+.PP
+The options which apply to the
+\fBchpasswd\fR
+command are:
+.PP
+\fB\-c\fR, \fB\-\-crypt\-method\fR\ \&\fIMETHOD\fR
+.RS 4
+Use the specified method to encrypt the passwords\&.
+.sp
+The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods\&.
+.sp
+By default (if none of the
+\fB\-c\fR,
+\fB\-m\fR, or
+\fB\-e\fR
+options are specified), the encryption method is defined by the
+\fBENCRYPT_METHOD\fR
+or
+\fBMD5_CRYPT_ENAB\fR
+variables of
+/etc/login\&.defs\&.
+.RE
+.PP
+\fB\-e\fR, \fB\-\-encrypted\fR
+.RS 4
+Supplied passwords are in encrypted form\&.
+.RE
+.PP
+\fB\-h\fR, \fB\-\-help\fR
+.RS 4
+Display help message and exit\&.
+.RE
+.PP
+\fB\-m\fR, \fB\-\-md5\fR
+.RS 4
+Use MD5 encryption instead of DES when the supplied passwords are not encrypted\&.
+.RE
+.PP
+\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR
+.RS 4
+Apply changes in the
+\fICHROOT_DIR\fR
+directory and use the configuration files from the
+\fICHROOT_DIR\fR
+directory\&. Only absolute paths are supported\&.
+.RE
+.PP
+\fB\-s\fR, \fB\-\-sha\-rounds\fR\ \&\fIROUNDS\fR
+.RS 4
+Use the specified number of rounds to encrypt the passwords\&.
+.sp
+The value 0 means that the system will choose the default number of rounds for the crypt method (5000)\&.
+.sp
+A minimal value of 1000 and a maximal value of 999,999,999 will be enforced\&.
+.sp
+You can only use this option with the SHA256 or SHA512 crypt method\&.
+.sp
+By default, the number of rounds is defined by the
+\fBSHA_CRYPT_MIN_ROUNDS\fR
+and
+\fBSHA_CRYPT_MAX_ROUNDS\fR
+variables in
+/etc/login\&.defs\&.
+.RE
+.SH "CAVEATS"
+.PP
+Remember to set permissions or umask to prevent readability of unencrypted files by other users\&.
+.SH "CONFIGURATION"
+.PP
+The following configuration variables in
+/etc/login\&.defs
+change the behavior of this tool:
+.PP
+\fBENCRYPT_METHOD\fR (string)
+.RS 4
+This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&.
+.sp
+It can take one of these values:
+\fIDES\fR
+(default),
+\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see
+crypt(5)
+for recommendations\&.
+.sp
+Note: this parameter overrides the
+\fBMD5_CRYPT_ENAB\fR
+variable\&.
+.RE
+.PP
+\fBMD5_CRYPT_ENAB\fR (boolean)
+.RS 4
+Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to
+\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to
+\fIno\fR
+if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is
+\fIno\fR\&.
+.sp
+This variable is superseded by the
+\fBENCRYPT_METHOD\fR
+variable or by any command line option used to configure the encryption algorithm\&.
+.sp
+This variable is deprecated\&. You should use
+\fBENCRYPT_METHOD\fR\&.
+.RE
+.PP
+\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number)
+.RS 4
+When
+\fBENCRYPT_METHOD\fR
+is set to
+\fISHA256\fR
+or
+\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&.
+.sp
+With a lot of rounds, it is more difficult to brute forcing the password\&. But note also that more CPU resources will be needed to authenticate users\&.
+.sp
+If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&.
+.sp
+The values must be inside the 1000\-999,999,999 range\&.
+.sp
+If only one of the
+\fBSHA_CRYPT_MIN_ROUNDS\fR
+or
+\fBSHA_CRYPT_MAX_ROUNDS\fR
+values is set, then this value will be used\&.
+.sp
+If
+\fBSHA_CRYPT_MIN_ROUNDS\fR
+>
+\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&.
+.RE
+.SH "FILES"
+.PP
+/etc/passwd
+.RS 4
+User account information\&.
+.RE
+.PP
+/etc/shadow
+.RS 4
+Secure user account information\&.
+.RE
+.PP
+/etc/login\&.defs
+.RS 4
+Shadow password suite configuration\&.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpasswd\fR(1),
+\fBnewusers\fR(8),
+\fBlogin.defs\fR(5),
+\fBuseradd\fR(8)\&.