diff options
Diffstat (limited to 'man/man8/chgpasswd.8')
| -rw-r--r-- | man/man8/chgpasswd.8 | 210 |
1 files changed, 210 insertions, 0 deletions
diff --git a/man/man8/chgpasswd.8 b/man/man8/chgpasswd.8 new file mode 100644 index 0000000..67c1325 --- /dev/null +++ b/man/man8/chgpasswd.8 @@ -0,0 +1,210 @@ +'\" t +.\" Title: chgpasswd +.\" Author: Thomas Kłoczko <kloczek@pld.org.pl> +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "CHGPASSWD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +chgpasswd \- update group passwords in batch mode +.SH "SYNOPSIS" +.HP \w'\fBchgpasswd\fR\ 'u +\fBchgpasswd\fR [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +The +\fBchgpasswd\fR +command reads a list of group name and password pairs from standard input and uses this information to update a set of existing groups\&. Each line is of the format: +.PP +\fIgroup_name\fR:\fIpassword\fR +.PP +By default the supplied password must be in clear\-text, and is encrypted by +\fBchgpasswd\fR\&. +.PP +The default encryption algorithm can be defined for the system with the +\fBENCRYPT_METHOD\fR +variable of +/etc/login\&.defs, and can be overwritten with the +\fB\-e\fR, +\fB\-m\fR, or +\fB\-c\fR +options\&. +.PP +This command is intended to be used in a large system environment where many accounts are created at a single time\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBchgpasswd\fR +command are: +.PP +\fB\-c\fR, \fB\-\-crypt\-method\fR +.RS 4 +Use the specified method to encrypt the passwords\&. +.sp +The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods\&. +.RE +.PP +\fB\-e\fR, \fB\-\-encrypted\fR +.RS 4 +Supplied passwords are in encrypted form\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-m\fR, \fB\-\-md5\fR +.RS 4 +Use MD5 encryption instead of DES when the supplied passwords are not encrypted\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-s\fR, \fB\-\-sha\-rounds\fR +.RS 4 +Use the specified number of rounds to encrypt the passwords\&. +.sp +The value 0 means that the system will choose the default number of rounds for the crypt method (5000)\&. +.sp +A minimal value of 1000 and a maximal value of 999,999,999 will be enforced\&. +.sp +You can only use this option with the SHA256 or SHA512 crypt method\&. +.sp +By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in +/etc/login\&.defs\&. +.RE +.SH "CAVEATS" +.PP +Remember to set permissions or umask to prevent readability of unencrypted files by other users\&. +.PP +You should make sure the passwords and the encryption method respect the system\*(Aqs password policy\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBENCRYPT_METHOD\fR (string) +.RS 4 +This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&. +.sp +It can take one of these values: +\fIDES\fR +(default), +\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see +crypt(5) +for recommendations\&. +.sp +Note: this parameter overrides the +\fBMD5_CRYPT_ENAB\fR +variable\&. +.RE +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +\fBMD5_CRYPT_ENAB\fR (boolean) +.RS 4 +Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to +\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to +\fIno\fR +if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is +\fIno\fR\&. +.sp +This variable is superseded by the +\fBENCRYPT_METHOD\fR +variable or by any command line option used to configure the encryption algorithm\&. +.sp +This variable is deprecated\&. You should use +\fBENCRYPT_METHOD\fR\&. +.RE +.PP +\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number) +.RS 4 +When +\fBENCRYPT_METHOD\fR +is set to +\fISHA256\fR +or +\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&. +.sp +With a lot of rounds, it is more difficult to brute forcing the password\&. But note also that more CPU resources will be needed to authenticate users\&. +.sp +If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&. +.sp +The values must be inside the 1000\-999,999,999 range\&. +.sp +If only one of the +\fBSHA_CRYPT_MIN_ROUNDS\fR +or +\fBSHA_CRYPT_MAX_ROUNDS\fR +values is set, then this value will be used\&. +.sp +If +\fBSHA_CRYPT_MIN_ROUNDS\fR +> +\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "SEE ALSO" +.PP +\fBgpasswd\fR(1), +\fBgroupadd\fR(8), +\fBlogin.defs\fR(5)\&. |