initial-html-documentation-20010606

[openafs.git] / doc / html / AdminReference / auarf194.htm

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Administration Reference</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3672/auarf000.scr converted by idb2h R4.2 (359) ID      -->
<!-- Workbench Version (AIX) on 3 Oct 2000 at 16:18:30                -->
<META HTTP-EQUIV="updated" CONTENT="Tue, 03 Oct 2000 16:18:29">
<META HTTP-EQUIV="review" CONTENT="Wed, 03 Oct 2001 16:18:29">
<META HTTP-EQUIV="expires" CONTENT="Thu, 03 Oct 2002 16:18:29">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved    --> 
<BODY bgcolor="ffffff"> 
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Administration Reference</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf193.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auarf195.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<P>
<H2><A NAME="HDRKAS_SETPASSWORD" HREF="auarf002.htm#ToC_208">kas setpassword</A></H2>
<A NAME="IDX5147"></A>
<A NAME="IDX5148"></A>
<A NAME="IDX5149"></A>
<A NAME="IDX5150"></A>
<A NAME="IDX5151"></A>
<A NAME="IDX5152"></A>
<A NAME="IDX5153"></A>
<A NAME="IDX5154"></A>
<P><STRONG>Purpose</STRONG>
<P>Changes the key field in an Authentication Database entry
<P><STRONG>Synopsis</STRONG>
<PRE><B>kas setpassword -name</B> &lt;<VAR>name&nbsp;of&nbsp;user</VAR>>  [<B>-new_password</B> &lt;<VAR>new&nbsp;password</VAR>>] 
                [<B>-kvno</B> &lt;<VAR>key&nbsp;version&nbsp;number</VAR>>] 
                [<B>-admin_username</B> &lt;<VAR>admin&nbsp;principal&nbsp;to&nbsp;use&nbsp;for&nbsp;authentication</VAR>>] 
                [<B>-password_for_admin</B> &lt;<VAR>admin&nbsp;password</VAR>>]  [<B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>>] 
                [<B>-servers</B> &lt;<VAR>explicit&nbsp;list&nbsp;of&nbsp;authentication&nbsp;servers</VAR>><SUP>+</SUP>]
                [<B>-noauth</B>]  [<B>-help</B>]
   
<B>kas setpasswd -na</B> &lt;<VAR>name&nbsp;of&nbsp;user</VAR>>  [<B>-ne</B> &lt;<VAR>new&nbsp;password</VAR>>]  
              [<B>-k</B> &lt;<VAR>key&nbsp;version&nbsp;number</VAR>>]
              [<B>-a</B> &lt;<VAR>admin&nbsp;principal&nbsp;to&nbsp;use&nbsp;for&nbsp;authentication</VAR>>]  
              [<B>-p</B> &lt;<VAR>admin&nbsp;password</VAR>>]  [-c &lt;<VAR>cell&nbsp;name</VAR>>]  
              [<B>-s</B> &lt;<VAR>explicit&nbsp;list&nbsp;of&nbsp;authentication&nbsp;servers</VAR>><SUP>+</SUP>]  [<B>-no</B>]  [<B>-h</B>]
   
<B>kas setp -na</B> &lt;<VAR>name&nbsp;of&nbsp;user</VAR>>  [<B>-ne</B> &lt;<VAR>new&nbsp;password</VAR>>]  [<B>-k</B> &lt;<VAR>key&nbsp;version&nbsp;number</VAR>>]
         [<B>-a</B> &lt;<VAR>admin&nbsp;principal&nbsp;to&nbsp;use&nbsp;for&nbsp;authentication</VAR>>]  
         [<B>-p</B> &lt;<VAR>admin&nbsp;password</VAR>>]  [-c &lt;<VAR>cell&nbsp;name</VAR>>]  
         [<B>-s</B> &lt;<VAR>explicit&nbsp;list&nbsp;of&nbsp;authentication&nbsp;servers</VAR>><SUP>+</SUP>]  [<B>-no</B>]  [<B>-h</B>]
   
<B>kas sp -na</B> &lt;<VAR>name&nbsp;of&nbsp;user</VAR>>  [<B>-ne</B> &lt;<VAR>new&nbsp;password</VAR>>]  [<B>-k</B> &lt;<VAR>key&nbsp;version&nbsp;number</VAR>>]
       [<B>-a</B> &lt;<VAR>admin&nbsp;principal&nbsp;to&nbsp;use&nbsp;for&nbsp;authentication </VAR>>]  
       [<B>-p</B> &lt;<VAR>admin&nbsp;password</VAR>>]  [<B>-c</B> &lt;<VAR>cell&nbsp;name</VAR>>]  
       [<B>-s</B> &lt;<VAR>explicit&nbsp;list&nbsp;of&nbsp;authentication&nbsp;servers</VAR>><SUP>+</SUP>]  [<B>-no</B>]  [<B>-h</B>]
</PRE>
<P><STRONG>Description</STRONG>
<P>The <B>kas setpassword</B> command accepts a character string of
unlimited length, scrambles it into a form suitable for use as an encryption
key, places it in the key field of the Authentication Database entry named by
the <B>-name</B> argument, and assigns it the key version number specified
by the <B>-kvno</B> argument.
<P>To avoid making the password string visible at the shell prompt, omit the
<B>-new_password</B> argument. Prompts then appear at the shell
which do not echo the password visibly.
<P>When changing the <B>afs</B> server key, also issue <B>bos
addkey</B> command to add the key (with the same key version number) to the
<B>/usr/afs/etc/KeyFile</B> file. See the <I>IBM AFS
Administration Guide</I> for instructions.
<P>The command interpreter checks the password string subject to the following
conditions:
<UL>
<P><LI>If there is a program called <B>kpwvalid</B> in the same directory as
the <B>kas</B> binary, the command interpreter invokes it to process the
password. For details, see the <B>kpwvalid</B> reference
page.
<P><LI>If the <B>-reuse</B> argument to the <B>kas setfields</B> command
has been used to prohibit reuse of previous passwords, the command interpreter
verifies that the password is not too similar too any of the user's
previous 20 passwords. It generates the following error message at the
shell: 
<PRE>   Password was not changed because it seems like a reused password
   
</PRE>
<P>To prevent a user from subverting this restriction by changing the password
twenty times in quick succession (manually or by running a script), use the
<B>-minhours</B> argument on the <B>kaserver</B> initialization
command. The following error message appears if a user attempts to
change a password before the minimum time has passed: 
<PRE>   Password was not changed because you changed it too 
   recently; see your systems administrator
   
</PRE>
</UL>
<P><STRONG>Options</STRONG>
<DL>
<P><DT><B>-name
</B><DD>Names the entry in which to record the new key.
<P><DT><B>-new_password
</B><DD>Specifies the character string the user types when authenticating to
AFS. Omit this argument and type the string at the resulting prompts so
that the password does not echo visibly. Note that some non-AFS
programs cannot handle passwords longer than eight characters.
<P><DT><B>-kvno
</B><DD>Specifies the key version number associated with the new key.
Provide an integer in the range from <B>0</B> through
<B>255</B>. If omitted, the default is 0 (zero), which is probably
not desirable for server keys.
<P><DT><B>-admin_username
</B><DD>Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. For more details,
see the introductory <B>kas</B> reference page.
<P><DT><B>-password_for_admin
</B><DD>Specifies the password of the command's issuer. If it is
omitted (as recommended), the <B>kas</B> command interpreter prompts for
it and does not echo it visibly. For more details, see the introductory
<B>kas</B> reference page.
<P><DT><B>-cell
</B><DD>Names the cell in which to run the command. For more details, see
the introductory <B>kas</B> reference page.
<P><DT><B>-servers
</B><DD>Names each machine running an Authentication Server with which to
establish a connection. For more details, see the introductory
<B>kas</B> reference page.
<P><DT><B>-noauth
</B><DD>Assigns the unprivileged identity <B>anonymous</B> to the
issuer. For more details, see the introductory <B>kas</B> reference
page.
<P><DT><B>-help
</B><DD>Prints the online help for this command. All other valid options
are ignored.
</DL>
<P><STRONG>Examples</STRONG>
<P>In the following example, an administrator using the <B>admin</B>
account changes the password for <B>pat</B> (presumably because
<B>pat</B> forgot the former password or got locked out of his account in
some other way).
<PRE>   % <B>kas setpassword pat</B>
   Password for admin:
   new_password:
   Verifying, please re-enter new_password:
   
</PRE>
<P><STRONG>Privilege Required</STRONG>
<P>Individual users can change their own passwords. To change another
user's password or the password (server encryption key) for server
entries such as <B>afs</B>, the issuer must have the <TT>ADMIN</TT> flag
set in his or her Authentication Database entry.
<P><STRONG>Related Information</STRONG>
<P><A HREF="auarf095.htm#HDRBOS_ADDKEY">bos addkey</A>
<P><A HREF="auarf181.htm#HDRKAS_INTRO">kas</A>
<P><A HREF="auarf198.htm#HDRKASERVER">kaserver</A>
<P><A HREF="auarf203.htm#HDRKPWVALID">kpwvalid</A>
<P>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf193.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auarf195.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<!-- Begin Footer Records  ========================================== -->
<P><HR><B> 
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A>  All Rights Reserved 
</B> 
<!-- End Footer Records  ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>