The secret is associated with a remote user name that need not be the same as the name of the invoking user on the local system. That remote user name is specified by a certificate signed by signer, and obtained from keyfile. Keyfile identifies a file containing a certificate (default: default). If keyfile is not an absolute pathname, the file used will be /usr/user/keyring/keyfile. User by default is the invoking user's name (read from /dev/user), but the -u option can name another.
Passwd connects to the signer, authenticating using the certificate in keyfile, and checks that the user in the certificate is registered there with an existing secret. Passwd then prompts for the (remote) user's old secret, to double-check identity, then prompts for a new one, which must be confirmed.
Secrets must be at least eight characters long. Try to make them hard to guess.
PASSWD(1 ) | Rev: Tue Mar 31 02:42:38 GMT 2015 |