1 .\" Copyright (c) 1988, 1990, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. Neither the name of the University nor the names of its contributors
13 .\" may be used to endorse or promote products derived from this software
14 .\" without specific prior written permission.
16 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" @(#)chpass.1 8.2 (Berkeley) 12/30/93
40 .Nd add or change user database information
44 .Op Fl e Ar expiretime
52 .Op Fl e Ar expiretime
61 allows editing of the user database information associated
64 or, by default, the current user.
73 utilities behave identically to
75 (There is only one program.)
77 The information is formatted and supplied to an editor for changes.
79 Only the information that the user is allowed to change is displayed.
81 The options are as follows:
82 .Bl -tag -width "-e expiretime"
84 The super-user is allowed to directly supply a user database
85 entry, in the format specified by
88 This argument must be a colon
90 separated list of all the
91 user database fields, although they may be empty.
92 .It Fl e Ar expiretime
93 Change the account expire time.
94 This option is used to set the expire time
95 from a script as if it was done in the interactive editor.
97 The super-user is allowed to directly supply an encrypted password field,
102 Attempt to change the user's shell to
106 Possible display items are as follows:
108 .Bl -tag -width "Other Information:" -compact -offset indent
112 user's encrypted password
118 user's general classification
122 account expiration time
126 user's office location (1)
128 user's office phone (1)
130 user's home phone (1)
131 .It Other Information:
132 any locally defined parameters for user (1)
134 user's home directory
139 In the actual master.passwd file, these fields are comma-delimited
140 fields embedded in the FullName field.
145 field is the user name used to access the computer account.
149 field contains the encrypted form of the user's password.
153 field is the number associated with the
156 Both of these fields should be unique across the system (and often
157 across a group of systems) as they control file access.
159 While it is possible to have multiple entries with identical login names
160 and/or identical user id's, it is usually a mistake to do so.
162 that manipulate these files will often return only one of the multiple
163 entries, and that one by random selection.
167 field is the group that the user will be placed in at login.
170 supports multiple groups (see
172 this field currently has little special meaning.
173 This field may be filled in with either a number or a group name (see
178 field references class descriptions in
180 and is typically used to initialize the user's system resource limits
185 field is the date by which the password must be changed.
189 field is the date on which the account expires.
195 fields should be entered in the form
199 is the month name (the first three characters are sufficient),
201 is the day of the month, and
205 Five fields are available for storing the user's
206 .Ar full name , office location ,
211 .Ar other information
212 which is a single comma delimited string to represent any additional
213 gecos fields (typically used for site specific user information).
216 will display the office location and office phone together under the
224 path name where the user
225 will be placed at login.
229 field is the command interpreter the user prefers.
232 field is empty, the Bourne shell,
235 When altering a login shell, and not the super-user, the user
236 may not change from a non-standard shell or to a non-standard
238 Non-standard is defined as a shell not found in
241 Once the information has been verified,
245 to update the user database.
249 editor will be used unless the environment variable
253 When the editor terminates, the information is re-read and used to
254 update the user database itself.
255 Only the user, or the super-user, may edit the information associated
260 for an explanation of the impact of setting the
262 environment variable.
266 utility can also be used in conjunction with NIS, however some restrictions
270 can only make changes to the NIS passwd maps through
271 .Xr rpc.yppasswdd 8 ,
272 which normally only permits changes to a user's password, shell and GECOS
274 Except when invoked by the super-user on the NIS master server,
280 server to change other user information or
281 add new records to the NIS passwd maps.
284 requires password authentication before it will make any
286 The only user allowed to submit changes without supplying
287 a password is the super-user on the NIS master server; all other users,
288 including those with root privileges on NIS clients (and NIS slave
289 servers) must enter a password.
290 (The super-user on the NIS master is allowed to bypass these restrictions
291 largely for convenience: a user with root access
292 to the NIS master server already has the privileges required to make
293 updates to the NIS maps, but editing the map source files by hand can
296 Note: these exceptions only apply when the NIS master server is a
300 Consequently, except where noted, the following restrictions apply when
303 .Bl -enum -offset indent
305 .Em "Only the shell and GECOS information may be changed" .
307 fields are restricted, even when
309 is invoked by the super-user.
311 changing other fields could be added, this would lead to
312 compatibility problems with other NIS-capable systems.
313 Even though the super-user may supply data for other fields
314 while editing an entry, the extra information (other than the
315 password \(em see below) will be silently discarded.
317 Exception: the super-user on the NIS master server is permitted to
320 .Em "Password authentication is required" .
323 utility will prompt for the user's NIS password before effecting
325 If the password is invalid, all changes will be
328 Exception: the super-user on the NIS master server is allowed to
329 submit changes without supplying a password.
331 choose to turn off this feature using the
333 flag, described below.)
335 .Em "Adding new records to the local password database is discouraged" .
338 utility will allow the administrator to add new records to the
339 local password database while NIS is enabled, but this can lead to
340 some confusion since the new records are appended to the end of
341 the master password file, usually after the special NIS '+' entries.
342 The administrator should use
344 to modify the local password
345 file when NIS is running.
347 The super-user on the NIS master server is permitted to add new records
348 to the NIS password maps, provided the
350 server has been started with the
352 flag to permitted additions (it refuses them by default).
355 utility tries to update the local password database by default; to update the
356 NIS maps instead, invoke chpass with the
360 .Em "Password changes are not permitted".
365 to change their NIS passwords.
366 The super-user is allowed to specify
367 a new password (even though the
370 up in the editor template, the super-user may add it back by hand),
371 but even the super-user must supply the user's original password
374 will refuse to update the NIS maps.
376 Exception: the super-user on the NIS master server is permitted to
377 change a user's NIS password with
381 There are also a few extra option flags that are available when
383 is compiled with NIS support:
384 .Bl -tag -width "-d domain"
386 Specify a particular NIS domain.
389 utility uses the system domain name by default, as set by the
394 option can be used to override a default, or to specify a domain
395 when the system domain name is not set.
397 Specify the name or address of an NIS server to query.
400 will communicate with the NIS master host specified in the
405 On hosts that have not been configured as NIS clients, there is
406 no way for the program to determine this information unless the user
407 provides the hostname of a server.
408 Note that the specified hostname need
409 not be that of the NIS master server; the name of any server, master or
410 slave, in a given NIS domain will do.
414 option, the hostname defaults to
418 option can be used in conjunction with the
420 option, in which case the user-specified hostname will override
425 to modify the local copy of a user's password
426 information in the event that a user exists in both
427 the local and NIS databases.
429 Force the use of RPC-based updates when communicating with
432 When invoked by the super-user on the NIS master server,
434 allows unrestricted changes to the NIS passwd maps using dedicated,
435 non-RPC-based mechanism (in this case, a
440 flag can be used to force
442 to use the standard update mechanism instead.
443 This option is provided
444 mainly for testing purposes.
448 This flag is largely redundant since
450 operates on NIS entries by default if NIS is enabled.
453 .Bl -tag -width /etc/master.passwd -compact
454 .It Pa /etc/master.passwd
457 a Version 7 format password file
458 .It Pa /etc/pw.XXXXXX
461 the list of approved shells
464 Change the shell of the current user to
465 .Ql /usr/local/bin/zsh :
466 .Bd -literal -offset indent
467 chsh -s /usr/local/bin/zsh
482 .%T "UNIX Password security"
490 User information should (and eventually will) be stored elsewhere.