passwd (changes the password for a user account)

Posted by 瑞兹 on 2020-11-03 09:39

On Unix-like operating systems, the passwd command changes the password for a user account.

Contents

1 passwd operating environment

2 passwd description

3 passwd syntax

4 passwd examples

passwd operating environment

Linux

passwd description

This document covers the Linux version of passwd.

The passwd command changes passwords for user accounts. A normal user can only change the password for their own account, but the superuser can change the password for any account. passwd can also change or reset the account's validity period — how much time can pass before the password expires and must be changed.

Before a normal user can change their own password, they must first enter their current password for verification. (The superuser can bypass this step when changing another user's password.)

After the current password has been verified, passwd checks to see if the user is allowed to change their password at this time. If not, passwd refuses to continue, and exits.

Otherwise, the user is then prompted twice for a replacement password. Both entries must match for passwd to continue.

Next, the password is tested for complexity. As a general guideline, passwords should consist of at least 6 characters, including one or more of each of the following:

  • lower case letters 
  • digits 0 through 9 
  • punctuation marks

passwd syntax

passwd [OPTION] [USER]

Options

The following options will change the way passwd operates:

-a, --all  When used with -S (see below), this option will show the password status for all users. This option will not work if used without -S.

-d, --delete  Delete a user's password (make it empty). This option is a quick way to disable logins for an account, without disabling the account itself.

-e, --expire  Immediately expire an account's password. This forces a user to change their password the next time they log in.

-h, --help  Display information about how to use the passwd command.

-i, --inactive INACTIVE  This option is used to disable an account after the password has been expired for a number of days. After a user account has had an expired password for integer INACTIVE days, the user may no longer sign on to the account.

-k, --keep-tokens  Keep password tokens. Indicates that this user's password should only be changed if it has expired.

-l, --lock  Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value. It does this by adding a character at the beginning of the encrypted password.

Note that this does not disable the account. The user may still be able to log in using another authentication method (an SSH key, for example). To disable the account, the superuser can use the usermod command with the option --expiredate 1. This option will set the account's expiration date to a date in the past — namely Jan 2, 1970.

Users with a locked password are not allowed to change their password.

-n, --mindays MIN_DAYS  Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the user may change his/her password at any time.

-q, --quiet  Quiet mode; passwd will operate without displaying any output.

-R, --root CHROOT_DIR  For advanced users: this option will apply changes in the chroot directory CHROOT_DIR and use the configuration files from the CHROOT_DIR directory.

-S, --status  Display account status information. The status information consists of 7 fields:

  • The user's login name
  • password usability: L if the account has a locked password, NP if the account has no password, or P if the account has a usable password
  • date of the last password change
  • minimum password age
  • maximum password age
  • password warning period
  • password inactivity period

In fields 4 through 7, password ages are expressed in days.

Specifying -a in addition to -S displays password status for all users.

-u, --unlock  Unlock the password of the named account. This option re-enables a password by changing the password back to its value before the -l option was used to lock it.

-w, --warndays WARN_DAYS  Set the number of days of warning before a password change is required. WARN_DAYS is the number of days prior to the password expiring that a user will be warned that their password is about to expire.

-x, --maxdays MAX_DAYS  Set the maximum number of days a password remains valid. After MAX_DAYS, the password must be changed.

Notes

Password complexity will vary depending on the system. Consult your operating system documentation for default complexity rules and how to change them.

On systems that use NIS (Network Information Services), users may not be able to change their password if they are not logged into the NIS server.

Files used by passwd

/etc/passwd User account information.
/etc/shadow Secure user account information.
/etc/pam.d/passwd PAM configuration for passwd.

passwd examples

Change your password

passwd

Running passwd with no options will change the password of the account running the command. You will first be prompted to enter the account's current password:

(current) UNIX password:

If it is correct, you will then be asked to enter a new password:

Enter new UNIX password:

...and to enter the same password again, to verify it:

Retype new UNIX password:

If the passwords match, the password will be changed.

Change another user's password

sudo passwd jeff

If you have superuser privileges, you can change another user's password. Here, we prefix the command with sudo to run it as the superuser. This command will change the password for user jeff. You will not be prompted for jeff's current password.

Change your password without knowing your current password

If you need to change your password because you forgot it, you will need to log in to the root account. To do this, you will need to know the password for user root.

Let's say your username is sally, and you can't remember your password. However, you have administrator access to the system: you can log in as root, using the password for that account. Log in as root, and then from the command line, run:

passwd sally

But what if you forgot the password for root as well? In this case, you will need to log in to the machine in single-user mode, also known as Runlevel 1. This cannot be done over the network, so you will need physical access to the machine to boot into this runlevel.

Reboot the machine. When it is booting up, you should be presented with a bootloader menu. On many systems, such as Debian or Ubuntu, the boot menu will include an option for "Recovery Mode" or "Single User Mode". Select this boot option.

This option will boot you into a text-only mode, and log you in as root.

If / is mounted read-only, remount it read-write:

mount -o remount,rw /

Now change sally's password:

passwd sally

Or root's:

passwd

When you're done, reboot your system:

shutdown -r now

Start the system normally, and you should be able to log in as sally with the new password.

Additional examples

sudo passwd -S ted

Check the status of the password for the user named ted. Output will resemble the following:

ted P 05/13/2014 2 365 7 28

Here, we see the user's name (ted), followed by a P, indicating that his password is currently valid and usable. The password will expire on May 5, 2014. Ted cannot change his password more often than every 2 days, and must change the password every 365 days. He will be warned 7 days before a required password change, and if he allows his password to expire, his account will be disabled 28 days later.

sudo passwd -S -a

Similar to the above command, but checks the password status for all user accounts, system-wide.
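
As an added example (not part of the original page), the function below reads `passwd -S -a` style output and lists accounts that have no password, a locked password, or a maximum password age beyond a limit. The function names, the sample lines and the 365-day MAX_AGE_LIMIT default are assumptions made for this example.

```shell
#!/bin/sh
# Audit `passwd -S -a` style output, using the 7 fields described above:
#   1 login, 2 status (L/NP/P), 3 last change, 4 min age, 5 max age,
#   6 warning period, 7 inactivity period.
# MAX_AGE_LIMIT is an assumed site policy value, not something passwd defines.
MAX_AGE_LIMIT=${MAX_AGE_LIMIT:-365}

# Reads status lines on stdin, prints one finding per flagged account.
audit_passwd_status() {
    awk -v limit="$MAX_AGE_LIMIT" '
        # Anything that is not exactly 7 fields is not in the format above.
        NF != 7    { printf "%s: malformed line (%d fields)\n", $1, NF; next }
        # NP: the password field is empty.
        $2 == "NP" { printf "%s: no password set\n", $1; next }
        # L: the password is locked, but the account itself is not disabled.
        $2 == "L"  { printf "%s: password locked; other login methods (e.g. SSH keys) still apply\n", $1; next }
        $2 != "P"  { printf "%s: unrecognised status %s\n", $1, $2; next }
        # P: usable password; a negative or very large maximum age means it
        # is never forced to change within the policy window.
        $5 < 0 || $5 > limit {
            printf "%s: usable password, maximum age %s days is outside the %d-day limit\n", $1, $5, limit
        }
    '
}

# Constructed sample input in the format shown above (not real accounts).
sample_status() {
cat <<'EOF'
ted P 05/13/2014 2 365 7 28
jane L 03/02/2014 0 99999 7 -1
svc NP 01/10/2014 0 99999 7 -1
alan P 04/21/2014 0 99999 7 -1
EOF
}

# Stand-alone run over the constructed sample.
sample_status | audit_passwd_status
```

On a live system, the same function can be fed directly: `sudo passwd -S -a | audit_passwd_status`.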

sudo passwd -l jane

Lock the password for user jane. She will be unable to log in until a system administrator unlocks it.

sudo passwd -u jane

Unlock jane's password. It will automatically be reset to whatever it was before it was locked, and she will be able to log in again.

sudo passwd -e alan

Expire alan's password. The next time he logs in, he will be required to set a new password.
