name
passwd - update user's authentication tokens(更新用户的身份验证令牌)
synopsis(概要,大纲)
passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]
The passwd utility is used to update user's authentication token(s)(passwd实用程序用于更新用户的身份验证令牌。)
This task is achieved through calls to the Linux-PAM and Libuser API(该任务是通过调用Linux-PAM和Libuser API来实现的). Essentially, it initializes itself as a "passwd" service with Linux-PAM and utilizes configured password modules to authenticate and then update a user's password(本质上,它将自己初始化为一个“passwd”服务Linux-PAM和利用配置的密码模块进行身份验证,然后更新用户的密码)
A simple entry in the global Linux-PAM configuration file for this service would be:
(在全局Linux-PAM配置文件中,该服务的一个简单条目如下:)
#
# passwd service entry that does strength checking of
# a proposed password before updating it.
#(Passwd服务条目,在更新之前对建议的密码进行强度检查)
passwd password requisite pam_cracklib.so retry=3
passwd password required pam_unix.so use_authtok
#
Note, other module types are not required for this application to function correctly.
(注意,这个应用程序不需要其他模块类型才能正常运行)
OPTIONS 选项
-k, --keep
The option -k is used to indicate that the update should only be for expired authentication tokens (passwords); the user wishes
to keep their non-expired tokens as before. 选项-k表示只更新过期的身份验证令牌(密码);用户期望像以前一样保存未过期的令牌
-l, --lock
This option is used to lock the password of specified account and it is available to root only.(该选项用于锁定指定帐户的密码,只对root有效) The locking is performed by
rendering the encrypted password into an invalid string (by prefixing the encrypted string with an !).(锁由
将加密的密码显示为无效的字符串(在加密字符串前加上!)。) Note that the account is
not fully locked - the user can still log in by other means of authentication such as the ssh public key authentication. Use
chage -E 0 user command instead for full account locking 。注意,帐户是未完全锁定—用户仍然可以通过其他认证方式登录,例如SSH公钥认证。使用
chage -E 0用户命令代替完整的帐户锁定
锁定账户后,当从另一个普通用户切换到被锁定的用户时,显示认证失败。
--stdin
This option is used to indicate that passwd should read the new password from standard input, which can be a pipe(这个选项表示passwd应该从标准输入读取新密码,标准输入可以是一个管道)
-u, --unlock
This is the reverse of the -l option - it will unlock the account password by removing the ! prefix. This option is available
to root only. (这与-l选项相反——它将通过删除!前缀。此选项可用
只root。)By default passwd will refuse to create a passwordless account (it will not unlock an account that has only "!"
as a password). The force option -f will override this protection(默认情况下,passwd将拒绝创建无密码帐户(它不会解锁只有"!"的帐户)。
作为密码)。强制选项-f会覆盖这个保护)
-d, --delete
This is a quick way to delete a password for an account. It will set the named account passwordless. Available to root only.(这是一种删除账户密码的快速方法。它会将指定的帐户设置为无密码。仅限root用户使用。)
-e, --expire
This is a quick way to expire a password for an account. The user will be forced to change the password during the next login
attempt. Available to root only。这是一种让账户密码过期的快速方法。用户下次登录时将被迫更改密码尝试。仅限root用户使用
当该普通用户下次登录时,会显示密码已经过期,必须强制修改密码。
-f, --force
Force the specified operation(强制执行指定的操作)
-n, --minimum DAYS
This will set the minimum password lifetime, in days, if the user's account supports password lifetimes. Available to root only.如果用户的帐户支持密码生命周期,这将设置最小密码生命周期,以天为单位。只有root可用。
-x, --maximum DAYS
This will set the maximum password lifetime, in days, if the user's account supports password lifetimes. Available to root
only.(如果用户的帐户支持密码生命周期,这将设置最大密码生命周期,以天为单位。root可用只有)
-w, --warning DAYS
This will set the number of days in advance the user will begin receiving warnings that her password will expire, if the user's
account supports password lifetimes. Available to root only(这将设置用户提前几天开始收到密码将过期的警告,如果用户的密码是
帐号支持密码有效期。仅限root用户使用)
-i, --inactive DAYS
This will set the number of days which will pass before an expired password for this account will be taken to mean that the
account is inactive and should be disabled, if the user's account supports password lifetimes. Available to root only(这将设置该帐户密码过期前的天数,这意味着
帐户是不活跃的,如果用户的帐户支持密码生命周期,应该禁用。仅限root用户使用)
-S, --status
This will output a short information about the status of the password for a given account. The status information consists of 7
fields. The first field is the user's login name. The second field indicates if the user account has a locked password (LK),
has no password (NP), or has a usable password (PS). The third field gives the date of the last password change. The next four
fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages are expressed in
days(这将输出有关给定帐户密码状态的简短信息。状态信息为7
字段。第一个字段是用户的登录名。第二个字段表示用户帐户是否有锁定密码(LK),
无密码(NP)或有可用密码(PS)。第三个字段给出了最后一次修改密码的日期。接下来的四个
字段是密码的最小年龄、最大年龄、警告期和不活动期。这些年龄用
天)
Notes: The date of the last password change is stored as a number of days since epoch. Depending on the current time zone, the
passwd -S username may show the date of the last password change that is different from the real date of the last password
change by ±1 day(注意:最后一次更改密码的日期存储为自纪元以来的天数。根据当前时区,
passwd -S username显示的最近一次修改密码的日期可能与实际日期不同
改变±1天)
This option is available to root only(这个选项只对root有效)
Remember the following two principles 记住以下两个原则
Protect your password 保护你的密码
Don't write down your password - memorize it. In particular, don't write it down and leave it anywhere, and don't place it in
an unencrypted file! Use unrelated passwords for systems controlled by different organizations. Don't give or share your
password, in particular to someone claiming to be from computer support or a vendor. Don't let anyone watch you enter your
password. Don't enter your password to a computer you don't trust or if things "look funny"; someone may be trying to hijack
your password. Use the password for a limited time and change it periodically(不要写下你的密码——记住它。特别是,不要把它写下来,放在任何地方,也不要把它放在任何地方
一个未加密的文件!对由不同组织控制的系统使用不相关的密码。不要给予或分享你的
密码,特别是给自称来自计算机支持或供应商的人的密码。别让任何人看到你进入你的
密码。不要在你不信任的电脑上输入密码,或者如果电脑“看起来很滑稽”;可能有人想抢劫
你的密码。密码在限定时间内使用,并定期修改)
Choose a hard-to-guess password 选择一个难以猜测的密码
passwd through the calls to the pam_cracklib PAM module will try to prevent you from choosing a really bad password, but it
isn't foolproof; create your password wisely. Don't use something you'd find in a dictionary (in any language or jargon).
Don't use a name (including that of a spouse, parent, child, pet, fantasy character, famous person, and location) or any varia‐
tion of your personal or account name. Don't use accessible information about you (such as your phone number, license plate,
or social security number) or your environment. Don't use a birthday or a simple pattern (such as "qwerty", "abc", or "aaa").
Don't use any of those backwards, followed by a digit, or preceded by a digit. Instead, use a mixture of upper and lower case
letters, as well as digits or punctuation. When choosing a new password, make sure it's unrelated to any previous password.
Use long passwords (say at least 8 characters long). You might use a word pair with punctuation inserted, a passphrase (an
understandable sequence of words), or the first letter of each word in a passphrase
通过对pam_cracklib PAM模块的调用,passwd命令会试图阻止你选择一个非常糟糕的密码,但它
不是万无一失;明智地创建你的密码。不要使用你在字典里找到的东西(任何语言或行话)。
不要使用名字(包括配偶、父母、孩子、宠物、幻想中的角色、名人和地点)或任何变化
您的个人或帐户名称。不要使用你的可访问信息(如你的电话号码、车牌、
或社会安全号码)或你的环境。不要使用生日或简单的模式(如“qwerty”、“abc”或“aaa”)。
不要把这些词倒着用,后面跟一个数字或者前面跟一个数字。相反,使用大小写混合
字母、数字或标点符号。选择新密码时,请确保新密码与之前的密码无关。
使用长密码(至少8个字符)。您可以使用插入标点符号的单词对,密码短语(an
可理解的单词序列),或密码短语中每个单词的第一个字母
These principles are partially enforced by the system, but only partly so. Vigilance on your part will make the system much more
secure
这些原则被系统部分地执行,但只是部分地执行。你的警惕将使系统更加完善安全
