PASSWD(5) FreeBSD File Formats Manual PASSWD(5)


passwd, master.passwdformat of the password file


The passwd files are the local source of password information. They can be used in conjunction with the Hesiod domains ‘ passwd’ and ‘ uid’, and the NIS maps ‘ passwd.byname’, ‘ passwd.byuid’, ‘ master.passwd.byname’, and ‘ master.passwd.byuid’, as controlled by nsswitch.conf(5).

For consistency, none of these files should ever be modified manually.

The master.passwd file is readable only by root, and consists of newline separated records, one per user, containing ten colon (‘ :’) separated fields. These fields are as follows:

User's login name.
User's encrypted password.
User's id.
User's login group id.
User's login class.
Password change time.
Account expiration time.
General information about the user.
User's home directory.
User's login shell.

The passwd file is generated from the master.passwd file by pwd_mkdb(8), has the class, change, and expire fields removed, and the password field replaced by a ‘ *’ character.

The name field is the login used to access the computer account, and the uid field is the number associated with it. They should both be unique across the system (and often across a group of systems) since they control file access.

While it is possible to have multiple entries with identical login names and/or identical user id's, it is usually a mistake to do so. Routines that manipulate these files will often return only one of the multiple entries, and that one by random selection.

The login name must not begin with a hyphen (‘ -’), and cannot contain 8-bit characters, tabs or spaces, or any of these symbols: ‘ ,:+&#%^()!@~*?<>=|\/"’. The dollar symbol (‘ $’) is allowed only as the last character for use with Samba. No field may contain a colon (‘ :’) as this has been used historically to separate the fields in the user database.

Case is significant. Login names ‘ Lrrr’ and ‘ lrrr’ represent different users. Be aware of this when interoperating with systems that do not have case-sensitive login names.

In the master.passwd file, the password field is the encrypted form of the password, see crypt(3). If the password field is empty, no password will be required to gain access to the machine. This is almost invariably a mistake, so authentication components such as PAM can forcibly disallow remote access to passwordless accounts. Because this file contains the encrypted user passwords, it should not be readable by anyone without appropriate privileges.

A password of ‘ *’ indicates that password authentication is disabled for that account (logins through other forms of authentication, e.g., using ssh(1) keys, will still work). The field only contains encrypted passwords, and ‘ *’ can never be the result of encrypting a password.

An encrypted password prefixed by ‘ *LOCKED*’ means that the account is temporarily locked out and no one can log into it using any authentication. For a convenient command-line interface to account locking, see pw(8).

The group field is the group that the user will be placed in upon login. Since this system supports multiple groups (see groups(1)) this field currently has little special meaning.

The class field is a key for a user's login class. Login classes are defined in login.conf(5), which is a termcap(5) style database of user attributes, accounting, resource, and environment settings.

The change field is the number of seconds from the epoch, UTC, until the password for the account must be changed. This field may be left empty to turn off the password aging feature; a value of zero is equivalent to leaving the field empty.

The expire field is the number of seconds from the epoch, UTC, until the account expires. This field may be left empty to turn off the account aging feature; a value of zero is equivalent to leaving the field empty.

The gecos field normally contains comma (‘ ,’) separated subfields as follows:

user's full name
user's office number
user's work phone number
user's home phone number

The full name may contain an ampersand (‘ &’) which will be replaced by the capitalized login name when the gecos field is displayed or used by various programs such as finger(1), sendmail(8), etc.

The office and phone number subfields are used by the finger(1) program, and possibly other applications.

The user's home directory, home_dir, is the full UNIX path name where the user will be placed on login.

The shell field is the command interpreter the user prefers. If there is nothing in the shell field, the Bourne shell ( /bin/sh) is assumed. The conventional way to disable logging into an account once and for all, as it is done for system accounts, is to set its shell to /sbin/nologin (see nologin(8)).


If ‘ dns’ is specified for the ‘ passwd’ database in nsswitch.conf(5), then passwd lookups occur from the ‘ passwd’ Hesiod domain.


If ‘ nis’ is specified for the ‘ passwd’ database in nsswitch.conf(5), then passwd lookups occur from the ‘ passwd.byname’, ‘ passwd.byuid’, ‘ master.passwd.byname’, and ‘ master.passwd.byuid’ NIS maps.


If ‘ compat’ is specified for the ‘ passwd’ database, and either ‘ dns’ or ‘ nis’ is specified for the ‘ passwd_compat’ database in nsswitch.conf(5), then the passwd file also supports standard ‘ +/ -’ exclusions and inclusions, based on user names and netgroups.

Lines beginning with a ‘ -’ (minus sign) are entries marked as being excluded from any following inclusions, which are marked with a ‘ +’ (plus sign).

If the second character of the line is a ‘ @’ (at sign), the operation involves the user fields of all entries in the netgroup specified by the remaining characters of the name field. Otherwise, the remainder of the name field is assumed to be a specific user name.

The ‘ +’ token may also be alone in the name field, which causes all users from either the Hesiod domain passwd (with ‘ passwd_compat: dns’) or ‘ passwd.byname’ and ‘ passwd.byuid’ NIS maps (with ‘ passwd_compat: nis’) to be included.

If the entry contains non-empty uid or gid fields, the specified numbers will override the information retrieved from the Hesiod domain or the NIS maps. Likewise, if the gecos, dir or shell entries contain text, it will override the information included via Hesiod or NIS. On some systems, the passwd field may also be overridden.


ASCII password file, with passwords removed
db(3)-format password database, with passwords removed
ASCII password file, with passwords intact
db(3)-format password database, with passwords intact


The password file format has changed since 4.3BSD. The following awk script can be used to convert your old-style password file into a new style password file. The additional fields class, change and expire are added, but are turned off by default (setting these fields to zero is equivalent to leaving them blank). Class is currently not implemented, but change and expire are; to set them, use the current day in seconds from the epoch + whatever number of seconds of offset you want.

BEGIN { FS = ":"} 
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }


A passwd file format appeared in Version 6 AT&T UNIX.

The NIS passwd file format first appeared in SunOS.

The Hesiod support first appeared in FreeBSD 4.1. It was imported from the NetBSD Project, where it first appeared in NetBSD 1.4.


User information should (and eventually will) be stored elsewhere.

Placing ‘ compat’ exclusions in the file after any inclusions will have unexpected results.

May 29, 2014 FreeBSD