chpasswd
Change passwords in batch for users
TLDR
Change the password for a specific user
Change the passwords for multiple users (The input text must not contain any spaces.)
Change the password for a specific user, and specify it in encrypted form
Change the password for a specific user, and use a specific encryption for the stored password
SYNOPSIS
chpasswd [OPTIONS]
(Input is typically provided via standard input, e.g., 'username:password' lines.)
PARAMETERS
-e, --encrypted
Tells chpasswd that the passwords provided in the input are already encrypted. This means the input format should be 'username:encrypted_password' where the encrypted password is a valid crypt(3) hash string.
-c, --crypt-method METHOD
Specifies the crypt method to use for hashing passwords. Valid methods typically include SHA512, SHA256, BCRYPT, MD5, etc., depending on the system's crypt library support. This option overrides the default system hashing method.
-m, --md5
Uses MD5 as the encryption method for passwords. This option is generally considered deprecated in favor of --crypt-method MD5, and MD5 is a weaker hashing algorithm than modern standards like SHA512 or BCRYPT.
-R, --root CHROOT_DIR
Applies the password changes in a specified chroot environment. This is useful for managing accounts on a system image or a recovery partition without actually booting into it.
DESCRIPTION
chpasswd is a utility designed to update multiple user passwords from a list. It reads username:password pairs, one per line, from standard input or a specified file. This command is particularly useful for system administrators who need to manage a large number of user accounts, automate user provisioning, or migrate user data. Unlike the passwd command which interactively prompts for a single password, chpasswd operates in a non-interactive batch mode, making it ideal for use within scripts or automated processes. It handles the secure hashing of passwords internally, using the system's default hashing algorithm unless otherwise specified. Due to its nature of modifying sensitive system files, chpasswd requires superuser (root) privileges to execute.
CAVEATS
- Security: The input stream or file containing username:password pairs often contains cleartext passwords (unless -e is used). Ensure these inputs are highly secured and promptly deleted after use.
- Permissions: This command requires superuser (root) privileges to modify the /etc/shadow file.
- Input Format: It strictly expects 'username:password' or 'username:encrypted_password' (with -e) pairs, one per line. Any deviation can lead to errors.
- Error Handling: chpasswd typically stops processing on the first error encountered, which might mean only a subset of passwords are updated if an error occurs early in the input.
- Hashing Algorithm: By default, it uses the system's configured password hashing algorithm (often defined in /etc/login.defs or /etc/default/useradd). Consider specifying a strong method with -c if the system default is weak.
INPUT DATA FORMAT
The standard input for chpasswd must consist of lines in the format 'username:password'. Each line represents a single user and their new password. If the -e (encrypted) option is used, the format becomes 'username:encrypted_password', where the 'encrypted_password' is an already hashed password string compatible with crypt(3). Leading or trailing whitespace on a line can cause errors.
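A pre-flight check for the input format and caveats described above, as an added example that is not part of the original page or of shadow-utils. The function names are hypothetical, and rejecting anything other than a "$id$..." hash in -e mode is an assumption of this example.

```sh
#!/bin/sh
# Added example, not part of shadow-utils. Function names are hypothetical.

# check_chpasswd_input [plain|encrypted] < input
# One diagnostic per bad line on stderr; returns 0 only if every line is usable.
# Assumption: in "encrypted" mode only modular "$id$..." hashes are accepted.
check_chpasswd_input() {
    awk -v mode="${1:-plain}" '
        function bad(msg) { printf "line %d: %s\n", NR, msg | "cat >&2"; errors++ }
        {
            sep = index($0, ":")            # the first ":" ends the user name
            user = substr($0, 1, sep - 1)
            pass = substr($0, sep + 1)
            if ($0 ~ /^[ \t\r]/ || $0 ~ /[ \t\r]$/)
                bad("leading or trailing whitespace")
            else if (sep == 0)
                bad("missing \":\" separator")
            else if (user == "" || user ~ /[ \t]/)
                bad("empty user name or whitespace in it")
            else if (pass == "")
                bad("empty password field")
            else if (mode == "encrypted" && pass !~ /^\$[0-9a-z]+\$/)
                bad("not a $id$ crypt(3) string")
            else if (seen[user]++)
                bad("duplicate entry for " user)
        }
        END { exit (errors > 0) }
    '
}

# apply_passwords FILE [chpasswd options...]   (must run as root)
# Validates the whole file first, then feeds it to chpasswd on stdin so no
# password appears in a process argument list.
apply_passwords() {
    file=$1; shift
    mode=plain
    for opt in "$@"; do
        case $opt in -e|--encrypted) mode=encrypted ;; esac
    done
    check_chpasswd_input "$mode" < "$file" ||
        { echo "refusing to run chpasswd on $file" >&2; return 1; }
    chpasswd "$@" < "$file"
}

# Constructed sample input: line 2 starts with a space and is rejected.
printf 'alice:Constructed-pw1\n bob:Constructed-pw2\n' |
    check_chpasswd_input plain || echo "input rejected" >&2
```

Create the input file under umask 077 and remove it once apply_passwords returns, since it holds cleartext passwords unless -e is used.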
PASSWORD HASHING MECHANISM
When plain-text passwords are provided (without -e), chpasswd uses the crypt(3) library function to hash them before storing them in /etc/shadow. The specific hashing algorithm used defaults to the system's configured method, typically found in /etc/login.defs (e.g., ENCRYPT_METHOD) or /etc/default/useradd. This can be explicitly overridden using the --crypt-method option to ensure strong, modern hashing algorithms are employed.
HISTORY
chpasswd is a part of the shadow-utils package, which provides a suite of tools for managing user and group accounts on Linux systems. Its development was driven by the need for efficient, automated password management in environments with large numbers of users, such as enterprise systems, educational institutions, or cloud deployments. It addresses the limitation of interactive password change tools by enabling non-interactive, batch processing, which is crucial for scripting and system provisioning tasks that became common with the rise of automated infrastructure management.