BSD 4.4 Lite Usr.bin Sources

7 files changed, 803 insertions, 0 deletions

diff --git a/usr.bin/passwd/Makefile b/usr.bin/passwd/Makefile
new file mode 100644
index 0000000..8681573
--- /dev/null
+++ b/usr.bin/passwd/Makefile
@@ -0,0 +1,15 @@
+#	@(#)Makefile	8.3 (Berkeley) 4/2/94
+
+PROG=	passwd
+SRCS=	des_rw.c krb_passwd.c local_passwd.c passwd.c pw_copy.c pw_util.c
+DPADD=	${LIBKRB} ${LIBDES}
+.PATH:  ${.CURDIR}/../../usr.bin/chpass ${.CURDIR}/../../usr.sbin/vipw \
+	${.CURDIR}/../rlogin
+CFLAGS+=-DKERBEROS -DCRYPT -I${.CURDIR} -I${.CURDIR}/../../usr.sbin/vipw \
+	-I${.CURDIR}/../../usr.bin/chpass
+LDADD=	-lkrb -ldes
+BINOWN=	root
+BINMODE=4555
+INSTALLFLAGS=-fschg
+
+.include <bsd.prog.mk>
diff --git a/usr.bin/passwd/extern.h b/usr.bin/passwd/extern.h
new file mode 100644
index 0000000..67d6dee
--- /dev/null
+++ b/usr.bin/passwd/extern.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.1 (Berkeley) 4/2/94
+ */
+
+int	krb_passwd __P((void));
+int	local_passwd __P((char *));
diff --git a/usr.bin/passwd/kpasswd_proto.h b/usr.bin/passwd/kpasswd_proto.h
new file mode 100644
index 0000000..465d4c7
--- /dev/null
+++ b/usr.bin/passwd/kpasswd_proto.h
@@ -0,0 +1,54 @@
+/*-
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)kpasswd_proto.h	8.1 (Berkeley) 6/6/93
+ */
+
+/*
+ * kpasswd_proto
+ *
+ * definitions for the kpasswd "protocol"
+ * (We hope this to be temporary until a real admin protocol is worked out.)
+ */
+
+struct kpasswd_data {
+	des_cblock random_key;
+	char secure_msg[_PASSWORD_LEN];
+};
+
+struct update_data {
+	char pw[_PASSWORD_LEN];
+	char secure_msg[_PASSWORD_LEN];
+};
+#define	SERVICE		"kpasswd"
+#define	SECURE_STRING \
+	"Kerberos password update program -- 12/9/88 UC Berkeley"
diff --git a/usr.bin/passwd/krb_passwd.c b/usr.bin/passwd/krb_passwd.c
new file mode 100644
index 0000000..d4a0f15
--- /dev/null
+++ b/usr.bin/passwd/krb_passwd.c
@@ -0,0 +1,319 @@
+/*-
+ * Copyright (c) 1990, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#)krb_passwd.c	8.3 (Berkeley) 4/2/94";
+#endif /* not lint */
+
+#ifdef KERBEROS
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <netinet/in.h>
+#include <kerberosIV/des.h>
+#include <kerberosIV/krb.h>
+
+#include <err.h>
+#include <errno.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "kpasswd_proto.h"
+
+#include "extern.h"
+
+#define	PROTO	"tcp"
+
+static void	send_update __P((int, char *, char *));
+static void	recv_ack __P((int));
+static void	cleanup __P((void));
+static void	finish __P((void));
+
+static struct timeval timeout = { CLIENT_KRB_TIMEOUT, 0 };
+static struct kpasswd_data proto_data;
+static des_cblock okey;
+static Key_schedule osched;
+static KTEXT_ST ticket;
+static Key_schedule random_schedule;
+static long authopts;
+static char realm[REALM_SZ], krbhst[MAX_HSTNM];
+static int sock;
+
+int
+krb_passwd()
+{
+	struct servent *se;
+	struct hostent *host;
+	struct sockaddr_in sin;
+	CREDENTIALS cred;
+	fd_set readfds;
+	int rval;
+	char pass[_PASSWORD_LEN], password[_PASSWORD_LEN];
+	static void finish();
+
+	static struct rlimit rl = { 0, 0 };
+
+	(void)signal(SIGHUP, SIG_IGN);
+	(void)signal(SIGINT, SIG_IGN);
+	(void)signal(SIGTSTP, SIG_IGN);
+
+	if (setrlimit(RLIMIT_CORE, &rl) < 0) {
+		warn("setrlimit");
+		return (1);
+	}
+
+	if ((se = getservbyname(SERVICE, PROTO)) == NULL) {
+		warnx("couldn't find entry for service %s/%s",
+		    SERVICE, PROTO);
+		return (1);
+	}
+
+	if ((rval = krb_get_lrealm(realm,1)) != KSUCCESS) {
+		warnx("couldn't get local Kerberos realm: %s",
+		    krb_err_txt[rval]);
+		return (1);
+	}
+
+	if ((rval = krb_get_krbhst(krbhst, realm, 1)) != KSUCCESS) {
+		warnx("couldn't get Kerberos host: %s",
+		    krb_err_txt[rval]);
+		return (1);
+	}
+
+	if ((host = gethostbyname(krbhst)) == NULL) {
+		warnx("couldn't get host entry for krb host %s",
+		    krbhst);
+		return (1);
+	}
+
+	sin.sin_family = host->h_addrtype;
+	memmove((char *) &sin.sin_addr, host->h_addr, host->h_length);
+	sin.sin_port = se->s_port;
+
+	if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
+		warn("socket");
+		return (1);
+	}
+
+	if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
+		warn("connect");
+		(void)close(sock);
+		return (1);
+	}
+
+	rval = krb_sendauth(
+		authopts,		/* NOT mutual */
+		sock,
+		&ticket,		/* (filled in) */
+		SERVICE,
+		krbhst,			/* instance (krbhst) */
+		realm,			/* dest realm */
+		(u_long) getpid(),	/* checksum */
+		NULL,			/* msg data */
+		NULL,			/* credentials */ 
+		NULL,			/* schedule */
+		NULL,			/* local addr */
+		NULL,			/* foreign addr */
+		"KPWDV0.1"
+	);
+
+	if (rval != KSUCCESS) {
+		warnx("Kerberos sendauth error: %s", krb_err_txt[rval]);
+		return (1);
+	}
+
+	krb_get_cred("krbtgt", realm, realm, &cred);
+
+	(void)printf("Changing Kerberos password for %s.%s@%s.\n",
+	    cred.pname, cred.pinst, realm);
+
+	if (des_read_pw_string(pass,
+	    sizeof(pass)-1, "Old Kerberos password:", 0)) {
+		warnx("error reading old Kerberos password");
+		return (1);
+	}
+
+	(void)des_string_to_key(pass, okey);
+	(void)des_key_sched(okey, osched);
+	(void)des_set_key(okey, osched);
+
+	/* wait on the verification string */
+
+	FD_ZERO(&readfds);
+	FD_SET(sock, &readfds);
+
+	rval =
+	    select(sock + 1, &readfds, (fd_set *) 0, (fd_set *) 0, &timeout);
+
+	if ((rval < 1) || !FD_ISSET(sock, &readfds)) {
+		if(rval == 0) {
+			warnx("timed out (aborted)");
+			cleanup();
+			return (1);
+		}
+		warnx("select failed (aborted)");
+		cleanup();
+		return (1);
+	}
+
+	/* read verification string */
+
+	if (des_read(sock, &proto_data, sizeof(proto_data)) !=
+	    sizeof(proto_data)) {
+		warnx("couldn't read verification string (aborted)");
+		cleanup();
+		return (1);
+	}
+
+	(void)signal(SIGHUP, finish);
+	(void)signal(SIGINT, finish);
+
+	if (strcmp(SECURE_STRING, proto_data.secure_msg) != 0) {
+		cleanup();
+		/* don't complain loud if user just hit return */
+		if (pass == NULL || (!*pass))
+			return (0);
+		(void)fprintf(stderr, "Sorry\n");
+		return (1);
+	}
+
+	(void)des_key_sched(proto_data.random_key, random_schedule);
+	(void)des_set_key(proto_data.random_key, random_schedule);
+	(void)memset(pass, 0, sizeof(pass));
+
+	if (des_read_pw_string(pass,
+	    sizeof(pass)-1, "New Kerberos password:", 0)) {
+		warnx("error reading new Kerberos password (aborted)");
+		cleanup();
+		return (1);
+	}
+
+	if (des_read_pw_string(password,
+	    sizeof(password)-1, "Retype new Kerberos password:", 0)) {
+		warnx("error reading new Kerberos password (aborted)");
+		cleanup();
+		return (1);
+	}
+
+	if (strcmp(password, pass) != 0) {
+		warnx("password mismatch (aborted)");
+		cleanup();
+		return (1);
+	}
+
+	if (strlen(pass) == 0)
+		(void)printf("using NULL password\n");
+
+	send_update(sock, password, SECURE_STRING);
+
+	/* wait for ACK */
+
+	FD_ZERO(&readfds);
+	FD_SET(sock, &readfds);
+
+	rval =
+	    select(sock + 1, &readfds, (fd_set *) 0, (fd_set *) 0, &timeout);
+	if ((rval < 1) || !FD_ISSET(sock, &readfds)) {
+		if(rval == 0) {
+			warnx("timed out reading ACK (aborted)");
+			cleanup();
+			exit(1);
+		}
+		warnx("select failed (aborted)");
+		cleanup();
+		exit(1);
+	}
+	recv_ack(sock);
+	cleanup();
+	return (0);
+}
+
+static void
+send_update(dest, pwd, str)
+	int dest;
+	char *pwd, *str;
+{
+	static struct update_data ud;
+
+	(void)strncpy(ud.secure_msg, str, _PASSWORD_LEN);
+	(void)strncpy(ud.pw, pwd, sizeof(ud.pw));
+	if (des_write(dest, &ud, sizeof(ud)) != sizeof(ud)) {
+		warnx("couldn't write pw update (abort)");
+		memset((char *)&ud, 0, sizeof(ud));
+		cleanup();
+		exit(1);
+	}
+}
+
+static void
+recv_ack(remote)
+	int remote;
+{
+	int cc;
+	char buf[BUFSIZ];
+
+	cc = des_read(remote, buf, sizeof(buf));
+	if (cc <= 0) {
+		warnx("error reading acknowledgement (aborted)");
+		cleanup();
+		exit(1);
+	}
+	(void)printf("%s", buf);
+}
+
+static void
+cleanup()
+{
+
+	(void)memset((char *)&proto_data, 0, sizeof(proto_data));
+	(void)memset((char *)okey, 0, sizeof(okey));
+	(void)memset((char *)osched, 0, sizeof(osched));
+	(void)memset((char *)random_schedule, 0, sizeof(random_schedule));
+}
+
+static void
+finish()
+{
+
+	(void)close(sock);
+	exit(1);
+}
+
+#endif /* KERBEROS */
diff --git a/usr.bin/passwd/local_passwd.c b/usr.bin/passwd/local_passwd.c
new file mode 100644
index 0000000..804c48e
--- /dev/null
+++ b/usr.bin/passwd/local_passwd.c
@@ -0,0 +1,153 @@
+/*-
+ * Copyright (c) 1990, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#)local_passwd.c	8.3 (Berkeley) 4/2/94";
+#endif /* not lint */
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <err.h>
+#include <errno.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <pw_copy.h>
+#include <pw_util.h>
+
+#include "extern.h"
+
+static uid_t uid;
+
+char   *tempname;
+
+static unsigned char itoa64[] =		/* 0 ... 63 => ascii - 64 */
+	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+void
+to64(s, v, n)
+	char *s;
+	long v;
+	int n;
+{
+	while (--n >= 0) {
+		*s++ = itoa64[v&0x3f];
+		v >>= 6;
+	}
+}
+
+char *
+getnewpasswd(pw)
+	struct passwd *pw;
+{
+	int tries;
+	char *p, *t;
+	char buf[_PASSWORD_LEN+1], salt[9];
+
+	(void)printf("Changing local password for %s.\n", pw->pw_name);
+
+	if (uid && pw->pw_passwd[0] &&
+	    strcmp(crypt(getpass("Old password:"), pw->pw_passwd),
+	    pw->pw_passwd)) {
+		errno = EACCES;
+		pw_error(NULL, 1, 1);
+	}
+
+	for (buf[0] = '\0', tries = 0;;) {
+		p = getpass("New password:");
+		if (!*p) {
+			(void)printf("Password unchanged.\n");
+			pw_error(NULL, 0, 0);
+		}
+		if (strlen(p) <= 5 && (uid != 0 || ++tries < 2)) {
+			(void)printf("Please enter a longer password.\n");
+			continue;
+		}
+		for (t = p; *t && islower(*t); ++t);
+		if (!*t && (uid != 0 || ++tries < 2)) {
+			(void)printf("Please don't use an all-lower case password.\nUnusual capitalization, control characters or digits are suggested.\n");
+			continue;
+		}
+		(void)strcpy(buf, p);
+		if (!strcmp(buf, getpass("Retype new password:")))
+			break;
+		(void)printf("Mismatch; try again, EOF to quit.\n");
+	}
+	/* grab a random printable character that isn't a colon */
+	(void)srandom((int)time((time_t *)NULL));
+#ifdef NEWSALT
+	salt[0] = _PASSWORD_EFMT1;
+	to64(&salt[1], (long)(29 * 25), 4);
+	to64(&salt[5], random(), 4);
+#else
+	to64(&salt[0], random(), 2);
+#endif
+	return (crypt(buf, salt));
+}
+
+int
+local_passwd(uname)
+	char *uname;
+{
+	struct passwd *pw;
+	int pfd, tfd;
+
+	if (!(pw = getpwnam(uname)))
+		errx(1, "unknown user %s", uname);
+
+	uid = getuid();
+	if (uid && uid != pw->pw_uid)
+		errx(1, "%s", strerror(EACCES));
+
+	pw_init();
+	pfd = pw_lock();
+	tfd = pw_tmp();
+
+	/*
+	 * Get the new password.  Reset passwd change time to zero; when
+	 * classes are implemented, go and get the "offset" value for this
+	 * class and reset the timer.
+	 */
+	pw->pw_passwd = getnewpasswd(pw);
+	pw->pw_change = 0;
+	pw_copy(pfd, tfd, pw);
+
+	if (!pw_mkdb())
+		pw_error((char *)NULL, 0, 1);
+	return (0);
+}
diff --git a/usr.bin/passwd/passwd.1 b/usr.bin/passwd/passwd.1
new file mode 100644
index 0000000..4b07f93
--- /dev/null
+++ b/usr.bin/passwd/passwd.1
@@ -0,0 +1,107 @@
+.\" Copyright (c) 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)passwd.1	8.1 (Berkeley) 6/6/93
+.\"
+.Dd June 6, 1993
+.Dt PASSWD 1
+.Os BSD 4
+.Sh NAME
+.Nm passwd
+.Nd modify a user's password
+.Sh SYNOPSIS
+.Nm passwd
+.Op Fl l
+.Op Ar user
+.Sh DESCRIPTION
+.Nm Passwd
+changes the user's Kerberos password.  First, the user is prompted for their
+current password.
+If the current password is correctly typed, a new password is
+requested.
+The new password must be entered twice to avoid typing errors.
+.Pp
+The new password should be at least six characters long and not
+purely alphabetic.
+Its total length must be less than
+.Dv _PASSWORD_LEN
+(currently 128 characters).
+Numbers, upper case letters and meta characters
+are encouraged.
+.Pp
+Once the password has been verified,
+.Nm passwd
+communicates the new password information to
+the Kerberos authenticating host.
+.Bl -tag -width flag
+.It Fl l
+This option causes the password to be updated only in the local
+password file, and not with the Kerberos database.
+When changing only the local password,
+.Xr pwd_mkdb  8
+is used to update the password databases.
+.El
+.Pp
+To change another user's Kerberos password, one must first
+run
+.Xr kinit 1
+followed by
+.Xr passwd 1 .
+The super-user is not required to provide a user's current password
+if only the local password is modified.
+.Sh FILES
+.Bl -tag -width /etc/master.passwd -compact
+.It Pa /etc/master.passwd
+The user database
+.It Pa /etc/passwd 
+A Version 7 format password file
+.It Pa /etc/passwd.XXXXXX
+Temporary copy of the password file
+.El
+.Sh SEE ALSO
+.Xr chpass 1 ,
+.Xr kerberos 1 ,
+.Xr kinit 1 ,
+.Xr login 1 ,
+.Xr passwd 5 ,
+.Xr kpasswdd 8 ,
+.Xr pwd_mkdb 8 ,
+.Xr vipw 8
+.Rs
+.%A Robert Morris
+.%A Ken Thompson
+.%T "UNIX password security"
+.Re
+.Sh HISTORY
+A
+.Nm passwd
+command appeared in
+.At v6 .
diff --git a/usr.bin/passwd/passwd.c b/usr.bin/passwd/passwd.c
new file mode 100644
index 0000000..8615ab5
--- /dev/null
+++ b/usr.bin/passwd/passwd.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 1988, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static char copyright[] =
+"@(#) Copyright (c) 1988, 1993, 1994\n\
+	The Regents of the University of California.  All rights reserved.\n";
+#endif /* not lint */
+
+#ifndef lint
+static char sccsid[] = "@(#)passwd.c	8.3 (Berkeley) 4/2/94";
+#endif /* not lint */
+
+#include <err.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "extern.h"
+
+void	usage __P((void));
+
+#ifdef KERBEROS
+int use_kerberos = 1;
+#endif
+
+int
+main(argc, argv)
+	int argc;
+	char **argv;
+{
+	int ch;
+	char *uname;
+
+	while ((ch = getopt(argc, argv, "l")) != EOF)
+		switch (ch) {
+#ifdef KERBEROS
+		case 'l':		/* change local password file */
+			use_kerberos = 0;
+			break;
+#endif
+		default:
+		case '?':
+			usage();
+		}
+
+	argc -= optind;
+	argv += optind;
+
+	if ((uname = getlogin()) == NULL)
+		err(1, "getlogin");
+
+	switch(argc) {
+	case 0:
+		break;
+	case 1:
+#ifdef	KERBEROS
+		if (use_kerberos && strcmp(argv[0], uname))
+			errx(1,"%s\n\t%s\n%s\n",
+		"to change another user's Kerberos password, do",
+		"\"kinit user; passwd; kdestroy\";",
+		"to change a user's local passwd, use \"passwd -l user\"");
+#endif
+		uname = argv[0];
+		break;
+	default:
+		usage();
+	}
+
+#ifdef	KERBEROS
+	if (use_kerberos)
+		exit(krb_passwd());
+#endif
+	exit(local_passwd(uname));
+}
+
+void
+usage()
+{
+
+#ifdef	KERBEROS
+	(void)fprintf(stderr, "usage: passwd [-l] user\n");
+#else
+	(void)fprintf(stderr, "usage: passwd user\n");
+#endif
+	exit(1);
+}