'\" t .\" Title: passwd .\" Author: Julianne Frances Haugh .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 2025-06-27 .\" Manual: User Commands .\" Source: shadow-utils 4.18.0 .\" Language: Chinese Simplified .\" .TH "PASSWD" "1" "2025-06-27" "shadow\-utils 4\&.18\&.0" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "名称" passwd \- 更改用户密码 .SH "大纲" .HP \w'\fBpasswd\fR\ 'u \fBpasswd\fR [\fIoptions\fR] [\fILOGIN\fR] .SH "描述" .PP The \fBpasswd\fR command changes passwords for user accounts\&. A regular user can only change the password for their own account, while the superuser can change the password for any account\&. The \fBpasswd\fR also changes the account or associated password validity period\&. .SS "密码更改" .PP If the account has a non\-empty password, the user is first prompted to enter their current password\&. The entered password is encrypted and compared to the stored value\&. The user has only one attempt to enter the correct password\&. The superuser can bypass this step to allow changing forgotten passwords\&. .PP After the password has been entered, password aging information is checked to determine if the user is permitted to change the password at this time\&. If not, \fBpasswd\fR refuses to change the password and exits\&. .PP The user is then prompted twice for a replacement password\&. The second entry is compared against the first and both are required to match for the password to be changed\&. .PP Then, the password is tested for complexity\&. \fBpasswd\fR rejects passwords that do not meet the complexity requirements\&. Do not include the system default erase or kill characters\&. .SS "关于用户密码的提示" .PP The security of a password depends on the strength of the encryption algorithm and the size of the key space\&. The legacy \fIUNIX\fR System encryption method is based on the NBS DES algorithm\&. More recent methods are now recommended (see \fBENCRYPT_METHOD\fR)\&. The size of the key space depends on the randomness of the selected password\&. .PP Compromises in password security normally result from careless password selection or handling\&. For this reason, you should not select a password which appears in a dictionary or one that must be written down\&. The password should also not be a proper name, your license number, birth date, or street address\&. Any of these may be used as guesses to violate system security\&. .PP As a general guideline, passwords should be long and random\&. It\*(Aqs fine to use simple character sets, such as passwords consisting only of lowercase letters, if that helps memorizing longer passwords\&. For a password consisting only of lowercase English letters randomly chosen, and a length of 32, there are 26^32 (approximately 2^150) different possible combinations\&. Being an exponential equation, it\*(Aqs apparent that the exponent (the length) is more important than the base (the size of the character set)\&. .PP You can find advice on how to choose a strong password on https://en\&.wikipedia\&.org/wiki/Password_strength .SH "选项" .PP The options which apply to the \fBpasswd\fR command are: .PP \fB\-a\fR, \fB\-\-all\fR .RS 4 This option can be used only with \fB\-S\fR and causes show status for all users\&. .RE .PP \fB\-d\fR, \fB\-\-delete\fR .RS 4 Deletes a user\*(Aqs password, making it empty\&. This command sets the account to be passwordless\&. .RE .PP \fB\-e\fR, \fB\-\-expire\fR .RS 4 让一个账户的密码立即过期。这可以强制一个用户下次登录时更改密码。 .RE .PP \fB\-h\fR, \fB\-\-help\fR .RS 4 显示帮助信息并退出。 .RE .PP \fB\-i\fR, \fB\-\-inactive\fR\ \&\fIINACTIVE\fR .RS 4 This option is used to disable an account after the password has been expired for a number of days\&. After a user account has had an expired password for \fIINACTIVE\fR days, the user may no longer sign on to the account\&. .RE .PP \fB\-k\fR, \fB\-\-keep\-tokens\fR .RS 4 表示密码更改只应该因为认证口令(密码)过期更改。用户希望保持他们尚未过期的口令。 .RE .PP \fB\-l\fR, \fB\-\-lock\fR .RS 4 锁定指定账户的密码。此选项通过将密码更改为一个不可能与加密值匹配的值来禁用(它在密码开头添加一个\(lq!\(rq)。 .sp Note that this does not disable the account\&. The user may still be able to login using another authentication token (e\&.g\&. an SSH key)\&. To disable the account, administrators should use \fBusermod \-\-expiredate 1\fR (this sets the account\*(Aqs expire date to 1970\-01\-02)\&. .sp 被锁定了密码的用户不允许更改密码。 .RE .PP \fB\-n\fR, \fB\-\-mindays\fR\ \&\fIMIN_DAYS\fR .RS 4 Set the minimum number of days between password changes to \fIMIN_DAYS\fR\&. A value of zero for this field indicates that the user may change their password at any time\&. .RE .PP \fB\-q\fR, \fB\-\-quiet\fR .RS 4 安静模式。 .RE .PP \fB\-r\fR, \fB\-\-repository\fR\ \&\fIREPOSITORY\fR .RS 4 change password in \fIREPOSITORY\fR repository .RE .PP \fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR .RS 4 Apply changes in the \fICHROOT_DIR\fR directory and use the configuration files from the \fICHROOT_DIR\fR directory\&. Only absolute paths are supported\&. .RE .PP \fB\-P\fR, \fB\-\-prefix\fR\ \&\fIPREFIX_DIR\fR .RS 4 Apply changes to configuration files under the root filesystem found under the directory \fIPREFIX_DIR\fR\&. This option does not chroot and is intended for preparing a cross\-compilation target\&. Some limitations: NIS and LDAP users/groups are not verified\&. No PAM support\&. No SELINUX support\&. .RE .PP \fB\-S\fR, \fB\-\-status\fR .RS 4 显示账户状态信息。状态信息包含 7 个字段。首个字段是用户的登录名,第二个字段表示用户账户是否已经锁定密码(L)、没有密码 (NP)或者密码可用(P),第三个字段给出最后一次更改密码的日期。接下来的四个字段分别是密码的最小年龄、最大年龄、警告期和禁用期。这些年龄以天为单位计算。 .RE .PP \fB\-u\fR, \fB\-\-unlock\fR .RS 4 Unlock the password of the named account\&. This option re\-enables a password by changing the password back to its previous value (to the value before using the \fB\-l\fR option)\&. .RE .PP \fB\-w\fR, \fB\-\-warndays\fR\ \&\fIWARN_DAYS\fR .RS 4 Set the number of days of warning before a password change is required\&. The \fIWARN_DAYS\fR option is the number of days prior to password expiration during which the user is warned that their password is about to expire\&. .RE .PP \fB\-x\fR, \fB\-\-maxdays\fR\ \&\fIMAX_DAYS\fR .RS 4 Set the maximum number of days a password remains valid\&. After \fIMAX_DAYS\fR, the password is required to be changed\&. .sp Passing the number \fI\-1\fR as \fIMAX_DAYS\fR will remove checking a password\*(Aqs validity\&. .RE .PP \fB\-s\fR, \fB\-\-stdin\fR .RS 4 This option is used to indicate that passwd should read the new password from standard input, which can be a pipe\&. .RE .SH "CAVEATS" .PP 密码复杂性检查在每台机器间不同。用户应该选择适合的尽量复杂的密码。 .PP 在启动了 NIS 的系统上,如果没有登录 NIS 服务器,用户或许不能更改自己的密码。 .PP \fBpasswd\fR uses PAM to authenticate users and to change their passwords\&. .SH "文件" .PP /etc/passwd .RS 4 用户账户信息。 .RE .PP /etc/shadow .RS 4 安全用户账户信息。 .RE .PP /etc/pam\&.d/passwd .RS 4 PAM configuration for \fBpasswd\fR\&. .RE .SH "退出值" .PP The \fBpasswd\fR command exits with the following values: .PP \fI0\fR .RS 4 success .RE .PP \fI1\fR .RS 4 permission denied .RE .PP \fI2\fR .RS 4 invalid combination of options .RE .PP \fI3\fR .RS 4 unexpected failure, nothing done .RE .PP \fI4\fR .RS 4 unexpected failure, passwd file missing .RE .PP \fI5\fR .RS 4 passwd file busy, try again .RE .PP \fI6\fR .RS 4 invalid argument to option .RE .PP \fI10\fR .RS 4 an error was returned by pam(3) .RE .SH "参见" .PP \fBchpasswd\fR(8), \fBmakepasswd\fR(1), \fBpasswd\fR(5), \fBshadow\fR(5), \fBusermod\fR(8)\&. .PP The following web page comically (yet correctly) compares the strength of two different methods for choosing a password: "https://xkcd\&.com/936/"