PASSWD(1) CYGWIN PASSWD(1)NAME
- Change USER's password or password attributes.
SYNOPSISpasswd [OPTION] [USER]
OPTIONS
User operations:
-l, --lock
lock USER's account.
-u, --unlock
unlock USER's account.
-c, --cannot-change
USER can't change password.
-C, --can-change
USER can change password.
-e, --never-expires
USER's password never expires.
-E, --expires
USER's password expires according to system's password aging
rule.
-p, --pwd-not-required
no password required for USER.
-P, --pwd-required
password is required for USER.
-R, --reg-store-pwd
enter password to store it in the registry for later usage by
services to be able to switch to this user context with network
credentials.
System operations:
-i, --inactive NUM
set NUM of days before inactive accounts are disabled (inactive
accounts are those with expired passwords).
-n, --minage DAYS
set system minimum password age to DAYS days.
-x, --maxage DAYS
set system maximum password age to DAYS days.
-L, --length LEN
set system minimum password length to LEN.
Other options:
-d, --logonserver SERVER connect to SERVER (e.g. domain controller).
Default server is the local system, unless changing the current
user, in which case the default is the content of $LOGONSERVER.
-S, --status
display password status for USER (locked, expired, etc.) plus
global system password settings.
-h, --help
output usage information and exit.
-v, --version
output version information and exit.
If no option is given, change USER's password. If no user name is
given, operate on current user. System operations must not be mixed
with user operations. Don't specify a USER when triggering a system
operation.
Don't specify a user or any other option together with the -R option.
Non-Admin users can only store their password if cygserver is running.
Note that storing even obfuscated passwords in the registry is not
overly secure. Use this feature only if the machine is adequately
locked down. Don't use this feature if you don't need network access
within a remote session. You can delete your stored password by using
`passwd -R' and specifying an empty password.
DESCRIPTIONpasswd changes passwords for user accounts. A normal user may only
change the password for their own account, but administrators may
change passwords on any account. passwd also changes account informa‐
tion, such as password expiry dates and intervals.
For password changes, the user is first prompted for their old pass‐
word, if one is present. This password is then encrypted and compared
against the stored password. The user has only one chance to enter the
correct password. The administrators are permitted to bypass this step
so that forgotten passwords may be changed.
The user is then prompted for a replacement password. passwd will
prompt twice for this replacement and compare the second entry against
the first. Both entries are required to match in order for the pass‐
word to be changed.
After the password has been entered, password aging information is
checked to see if the user is permitted to change their password at
this time. If not, passwd refuses to change the password and exits.
To get current password status information, use the -S option. Admin‐
istrators can use passwd to perform several account maintenance func‐
tions (users may perform some of these functions on their own
accounts). Accounts may be locked with the -l flag and unlocked with
the -u flag. Similarly, -c disables a user's ability to change pass‐
words, and -C allows a user to change passwords. For password expiry,
the -e option disables expiration, while the -E option causes the
password to expire according to the system's normal aging rules. Use
-p to disable the password requirement for a user, or -P to require a
password.
Administrators can also use passwd to change system-wide password
expiry and length requirements with the -i, -n, -x, and -L options.
The -i option is used to disable an account after the password has
been expired for a number of days. After a user account has had an
expired password for NUM days, the user may no longer sign on to the
account. The -n option is used to set the minimum number of days
before a password may be changed. The user will not be permitted to
change the password until MINDAYS days have elapsed. The -x option is
used to set the maximum number of days a password remains valid. After
MAXDAYS days, the password is required to be changed. Allowed values
for the above options are 0 to 999. The -L option sets the minimum
length of allowed passwords for users who don't belong to the adminis‐
trators group to LEN characters. Allowed values for the minimum pass‐
word length are 0 to 14. In any of the above cases, a value of 0 means
`no restrictions'.
All operations affecting the current user are by default run against
the logon server of the current user (taken from the environment vari‐
able of other users should be changed, the default server is the local
system. To change a user account on a remote machine, use the -d
option to specify the machine to run the command against. Note that
the current user must be a valid member of the administrators group on
the remote machine to perform such actions.
Users can use the passwd-R to enter a password which then gets stored
in a special area of the registry on the local system, which is also
used by Windows to store passwords of accounts running Windows ser‐
vices. When a privileged Cygwin application calls the
set{e}uid(user_id) system call, Cygwin checks if a password for that
user has been stored in this registry area. If so, it uses this pass‐
word to switch to this user account using that password. This allows
you to logon through, for instance, ssh with public key authentication
and get a full qualified user token with all credentials for network
access. However, the method has some drawbacks security-wise. This is
explained in more detail in ntsec /xref.
Please note that storing passwords in that registry area is a privi‐
leged operation which only administrative accounts are allowed to do.
If normal, non-admin users should be allowed to enter their passwords
using passwd-R, it's required to run cygserver as a service under the
LocalSystem account before running passwd-R. This only affects stor‐
ing passwords. Using passwords in privileged processes does not
require cygserver to run.
Limitations: Users may not be able to change their password on some
systems.
COPYRIGHT
Cygwin is Copyright (C) 1995-2010 Red Hat, Inc.
Cygwin is Free software; for complete licensing information, refer to:
http://cygwin.com/licensing.html
SEE ALSO
The full documentation to the Cygwin API is maintained on the web at:
http://cygwin.com/cygwin-api/cygwin-api.html
The website is updated more frequently than the man pages and should be
considered the authoritative source of information.
April 2010 PASSWD(1)
