openssl/doc/man1/openssl-passwd.pod

=pod

=head1 NAME

openssl-passwd - compute password hashes

=head1 SYNOPSIS

B<openssl passwd>
[B<-help>]
[B<-crypt>]
[B<-1>]
[B<-apr1>]
[B<-aixmd5>]
[B<-5>]
[B<-6>]
[B<-salt> I<string>]
[B<-in> I<file>]
[B<-stdin>]
[B<-noverify>]
[B<-quiet>]
[B<-table>]
[B<-rand> I<files>]
[B<-writerand> I<file>]
{I<password>}

=for comment ifdef crypt

=head1 DESCRIPTION

The B<passwd> command computes the hash of a password typed at
run-time or the hash of each password in a list.  The password list is
taken from the named file for option B<-in>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
The Unix standard algorithm B<-crypt> and the MD5-based BSD password
algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are
available.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-crypt>

Use the B<crypt> algorithm (default).

=item B<-1>

Use the MD5 based BSD password algorithm B<1>.

=item B<-apr1>

Use the B<apr1> algorithm (Apache variant of the BSD algorithm).

=item B<-aixmd5>

Use the B<AIX MD5> algorithm (AIX variant of the BSD algorithm).

=item B<-5>

=item B<-6>

Use the B<SHA256> / B<SHA512> based algorithms defined by Ulrich Drepper.
See L<https://www.akkadia.org/drepper/SHA-crypt.txt>.

=item B<-salt> I<string>

Use the specified salt.
When reading a password from the terminal, this implies B<-noverify>.

=item B<-in> I<file>

Read passwords from I<file>.

=item B<-stdin>

Read passwords from B<stdin>.

=item B<-noverify>

Don't verify when reading a password from the terminal.

=item B<-quiet>

Don't output warnings when passwords given at the command line are truncated.

=item B<-table>

In the output list, prepend the cleartext password and a TAB character
to each password hash.

=item B<-rand> I<files>

The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.

=item B<-writerand> I<file>

Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.

=back

=head1 EXAMPLES

  % openssl passwd -crypt -salt xx password
  xxj31ZMTZzkVA

  % openssl passwd -1 -salt xxxxxxxx password
  $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.

  % openssl passwd -apr1 -salt xxxxxxxx password
  $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0

  % openssl passwd -aixmd5 -salt xxxxxxxx password
  xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/

=head1 COPYRIGHT

Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
'passwd' tool. 2000-02-11 05:50:52 +08:00			`=pod`

			`=head1 NAME`

Deprecate unprefixed manual entries for openssl commands Initially, the manual page entry for the 'openssl cmd' command used to be available at 'cmd(1)'. Later, the aliases 'openssl-cmd(1)' was introduced, which made it easier to group the openssl commands using the 'apropos(1)' command or the shell's tab completion. In order to reduce cluttering of the global manual page namespace, the manual page entries without the 'openssl-' prefix have been deprecated in OpenSSL 3.0 and will be removed in OpenSSL 4.0. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9666) 2019-08-22 07:04:41 +08:00			`openssl-passwd - compute password hashes`
'passwd' tool. 2000-02-11 05:50:52 +08:00
			`=head1 SYNOPSIS`

			`B<openssl passwd>`
GH628: Add -help to all apps docs. Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> 2016-02-06 00:58:45 +08:00			`[B<-help>]`
'passwd' tool. 2000-02-11 05:50:52 +08:00			`[B<-crypt>]`
Update 'openssl passwd' documentation on selection of algorithms. 2000-07-31 20:27:44 +08:00			`[B<-1>]`
Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00			`[B<-apr1>]`
'openssl passwd' command can now compute AIX MD5-based passwords hashes. The difference between the AIX MD5 password algorithm and the standard MD5 password algorithm is that in AIX there is no magic string while in the standard MD5 password algorithm the magic string is "$1$" Documentation of '-aixmd5' option of 'openssl passwd' command is added. 1 test is added in test/recipes/20-test-passwd.t Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2251) 2017-01-20 13:37:43 +08:00			`[B<-aixmd5>]`
Document the new SHA256 and SHA512 password generation options Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-09-14 10:07:04 +08:00			`[B<-5>]`
			`[B<-6>]`
Change the example to show apr1 with an 8-character salt. 2000-02-18 19:51:58 +08:00			`[B<-salt> I<string>]`
			`[B<-in> I<file>]`
Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00			`[B<-stdin>]`
Improve usability of 'openssl passwd' by including password verification where it makes sense. 2000-11-17 17:03:02 +08:00			`[B<-noverify>]`
'passwd' tool. 2000-02-11 05:50:52 +08:00			`[B<-quiet>]`
			`[B<-table>]`
Command docs: remove ellipses for '-rand' Ellipses were used to express that the '-rand' value can specify multiple files, like this: B<-rand> I<file...> Because there are conventions around ellipses, this becomes confusing, because '-rand file...' is normally intepreted to mean that '-rand file1 file2 file3' would be processed as three randomness files, which makes no sense. Rather than making things complicated with more elaborate syntax, we change it to: B<-rand> I<files> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10065) 2019-10-01 16:00:14 +08:00			`[B<-rand> I<files>]`
Consistent formatting of flags with args For documentation of all commands with "-flag arg" format them consistently: "B<-flag> I<arg>", except when arg is literal (for example "B<-inform> B<PEM>\|B<DER>") Update find-doc-nits to complain if badly formatted strings are found. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10022) 2019-09-26 03:20:11 +08:00			`[B<-writerand> I<file>]`
Change the example to show apr1 with an 8-character salt. 2000-02-18 19:51:58 +08:00			`{I<password>}`
'passwd' tool. 2000-02-11 05:50:52 +08:00
Add '=for comment ifdef' to pod pages Make find-doc-nits understand that =for comment ifdef ssl3 ... in a POD page means that the "-ssl3" flag might be ifdef'd out in the local environment, and not to complain about it. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9974) 2019-09-23 07:49:25 +08:00			`=for comment ifdef crypt`

'passwd' tool. 2000-02-11 05:50:52 +08:00			`=head1 DESCRIPTION`

Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00			`The B<passwd> command computes the hash of a password typed at`
			`run-time or the hash of each password in a list. The password list is`
Consistent formatting of flags with args For documentation of all commands with "-flag arg" format them consistently: "B<-flag> I<arg>", except when arg is literal (for example "B<-inform> B<PEM>\|B<DER>") Update find-doc-nits to complain if badly formatted strings are found. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10022) 2019-09-26 03:20:11 +08:00			`taken from the named file for option B<-in>, from stdin for`
Improve usability of 'openssl passwd' by including password verification where it makes sense. 2000-11-17 17:03:02 +08:00			`option B<-stdin>, or from the command line, or from the terminal otherwise.`
Command docs: replacables are in italics, options always start with a dash Quite a lot of replacables were still bold, and some options were mentioned without a beginning dash. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10065) 2019-10-02 00:16:29 +08:00			`The Unix standard algorithm B<-crypt> and the MD5-based BSD password`
			`algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are`
			`available.`
'passwd' tool. 2000-02-11 05:50:52 +08:00
			`=head1 OPTIONS`

			`=over 4`

GH628: Add -help to all apps docs. Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> 2016-02-06 00:58:45 +08:00			`=item B<-help>`

			`Print out a usage message.`

'passwd' tool. 2000-02-11 05:50:52 +08:00			`=item B<-crypt>`

			`Use the B<crypt> algorithm (default).`

Update 'openssl passwd' documentation on selection of algorithms. 2000-07-31 20:27:44 +08:00			`=item B<-1>`

			`Use the MD5 based BSD password algorithm B<1>.`

Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00			`=item B<-apr1>`

Update 'openssl passwd' documentation on selection of algorithms. 2000-07-31 20:27:44 +08:00			`Use the B<apr1> algorithm (Apache variant of the BSD algorithm).`
Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00
'openssl passwd' command can now compute AIX MD5-based passwords hashes. The difference between the AIX MD5 password algorithm and the standard MD5 password algorithm is that in AIX there is no magic string while in the standard MD5 password algorithm the magic string is "$1$" Documentation of '-aixmd5' option of 'openssl passwd' command is added. 1 test is added in test/recipes/20-test-passwd.t Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2251) 2017-01-20 13:37:43 +08:00			`=item B<-aixmd5>`

			`Use the B<AIX MD5> algorithm (AIX variant of the BSD algorithm).`

Document the new SHA256 and SHA512 password generation options Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-09-14 10:07:04 +08:00			`=item B<-5>`

			`=item B<-6>`

			`Use the B<SHA256> / B<SHA512> based algorithms defined by Ulrich Drepper.`
			`See L<https://www.akkadia.org/drepper/SHA-crypt.txt>.`

Change the example to show apr1 with an 8-character salt. 2000-02-18 19:51:58 +08:00			`=item B<-salt> I<string>`
'passwd' tool. 2000-02-11 05:50:52 +08:00
			`Use the specified salt.`
Improve usability of 'openssl passwd' by including password verification where it makes sense. 2000-11-17 17:03:02 +08:00			`When reading a password from the terminal, this implies B<-noverify>.`
'passwd' tool. 2000-02-11 05:50:52 +08:00
Change the example to show apr1 with an 8-character salt. 2000-02-18 19:51:58 +08:00			`=item B<-in> I<file>`
Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00
Change the example to show apr1 with an 8-character salt. 2000-02-18 19:51:58 +08:00			`Read passwords from I<file>.`
Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00
			`=item B<-stdin>`

			`Read passwords from B<stdin>.`

Improve usability of 'openssl passwd' by including password verification where it makes sense. 2000-11-17 17:03:02 +08:00			`=item B<-noverify>`

			`Don't verify when reading a password from the terminal.`

'passwd' tool. 2000-02-11 05:50:52 +08:00			`=item B<-quiet>`

Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00			`Don't output warnings when passwords given at the command line are truncated.`
'passwd' tool. 2000-02-11 05:50:52 +08:00
			`=item B<-table>`

			`In the output list, prepend the cleartext password and a TAB character`
			`to each password hash.`

Command docs: remove ellipses for '-rand' Ellipses were used to express that the '-rand' value can specify multiple files, like this: B<-rand> I<file...> Because there are conventions around ellipses, this becomes confusing, because '-rand file...' is normally intepreted to mean that '-rand file1 file2 file3' would be processed as three randomness files, which makes no sense. Rather than making things complicated with more elaborate syntax, we change it to: B<-rand> I<files> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10065) 2019-10-01 16:00:14 +08:00			`=item B<-rand> I<files>`
Standardize apps use of -rand, etc. Standardized the -rand flag and added a new one: -rand file... Always reads the specified files -writerand file Always writes to the file on exit For apps that use a config file, the RANDFILE config parameter reads the file at startup (to seed the RNG) and write to it on exit if the -writerand flag isn't used. Ensured that every app that took -rand also took -writerand, and made sure all of that agreed with all the documentation. Fix error reporting in write_file and -rand Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3862) 2017-07-05 22:58:48 +08:00
Command docs: remove ellipses for '-rand' Ellipses were used to express that the '-rand' value can specify multiple files, like this: B<-rand> I<file...> Because there are conventions around ellipses, this becomes confusing, because '-rand file...' is normally intepreted to mean that '-rand file1 file2 file3' would be processed as three randomness files, which makes no sense. Rather than making things complicated with more elaborate syntax, we change it to: B<-rand> I<files> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10065) 2019-10-01 16:00:14 +08:00			`The files containing random data used to seed the random number generator.`
Standardize apps use of -rand, etc. Standardized the -rand flag and added a new one: -rand file... Always reads the specified files -writerand file Always writes to the file on exit For apps that use a config file, the RANDFILE config parameter reads the file at startup (to seed the RNG) and write to it on exit if the -writerand flag isn't used. Ensured that every app that took -rand also took -writerand, and made sure all of that agreed with all the documentation. Fix error reporting in write_file and -rand Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3862) 2017-07-05 22:58:48 +08:00			`Multiple files can be specified separated by an OS-dependent character.`
			`The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for`
			`all others.`

Consistent formatting of flags with args For documentation of all commands with "-flag arg" format them consistently: "B<-flag> I<arg>", except when arg is literal (for example "B<-inform> B<PEM>\|B<DER>") Update find-doc-nits to complain if badly formatted strings are found. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10022) 2019-09-26 03:20:11 +08:00			`=item B<-writerand> I<file>`
Standardize apps use of -rand, etc. Standardized the -rand flag and added a new one: -rand file... Always reads the specified files -writerand file Always writes to the file on exit For apps that use a config file, the RANDFILE config parameter reads the file at startup (to seed the RNG) and write to it on exit if the -writerand flag isn't used. Ensured that every app that took -rand also took -writerand, and made sure all of that agreed with all the documentation. Fix error reporting in write_file and -rand Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/3862) 2017-07-05 22:58:48 +08:00
			`Writes random data to the specified I<file> upon exit.`
			`This can be used with a subsequent B<-rand> flag.`

'passwd' tool. 2000-02-11 05:50:52 +08:00			`=back`

Change the example to show apr1 with an 8-character salt. 2000-02-18 19:51:58 +08:00			`=head1 EXAMPLES`
'passwd' tool. 2000-02-11 05:50:52 +08:00
Fix some issues found by Denian's lintian tool Also fix some L<> labels and =item entries found while doing this. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6630) 2018-07-04 00:45:14 +08:00			`% openssl passwd -crypt -salt xx password`
			`xxj31ZMTZzkVA`
Implement MD5-based "apr1" password hash. 2000-02-12 00:25:44 +08:00
Fix some issues found by Denian's lintian tool Also fix some L<> labels and =item entries found while doing this. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6630) 2018-07-04 00:45:14 +08:00			`% openssl passwd -1 -salt xxxxxxxx password`
			`$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.`
Update 'openssl passwd' documentation on selection of algorithms. 2000-07-31 20:27:44 +08:00
Fix some issues found by Denian's lintian tool Also fix some L<> labels and =item entries found while doing this. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6630) 2018-07-04 00:45:14 +08:00			`% openssl passwd -apr1 -salt xxxxxxxx password`
			`$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0`
'passwd' tool. 2000-02-11 05:50:52 +08:00
Fix some issues found by Denian's lintian tool Also fix some L<> labels and =item entries found while doing this. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6630) 2018-07-04 00:45:14 +08:00			`% openssl passwd -aixmd5 -salt xxxxxxxx password`
			`xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/`
'openssl passwd' command can now compute AIX MD5-based passwords hashes. The difference between the AIX MD5 password algorithm and the standard MD5 password algorithm is that in AIX there is no magic string while in the standard MD5 password algorithm the magic string is "$1$" Documentation of '-aixmd5' option of 'openssl passwd' command is added. 1 test is added in test/recipes/20-test-passwd.t Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2251) 2017-01-20 13:37:43 +08:00
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00			`=head1 COPYRIGHT`

Deprecate unprefixed manual entries for openssl commands Initially, the manual page entry for the 'openssl cmd' command used to be available at 'cmd(1)'. Later, the aliases 'openssl-cmd(1)' was introduced, which made it easier to group the openssl commands using the 'apropos(1)' command or the shell's tab completion. In order to reduce cluttering of the global manual page namespace, the manual page entries without the 'openssl-' prefix have been deprecated in OpenSSL 3.0 and will be removed in OpenSSL 4.0. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9666) 2019-08-22 07:04:41 +08:00			`Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.`
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00
Following the license change, modify the boilerplates in doc/man1/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7828) 2018-12-06 21:04:11 +08:00			`Licensed under the Apache License 2.0 (the "License"). You may not use`
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00			`this file except in compliance with the License. You can obtain a copy`
			`in the file LICENSE in the source distribution or at`
			`L<https://www.openssl.org/source/license.html>.`

			`=cut`