3 kpasswd - Changes the issuer's password in the Authentication Database
7 B<kpasswd> [B<-x>] [B<-principal> <I<user name>>]
8 [B<-password> <I<user's password>>]
9 [B<-newpassword> <I<user's new password>>] [B<-cell> <I<cell name>>]
10 [B<-servers> <I<explicit list of servers>>+] [B<-pipe>] [B<-help>]
12 B<kpasswd> [B<-x>] [B<-pr> <I<user name>>] [B<-pa> <I<user's password>>]
13 [B<-n> <I<user's new password>>] [B<-c> <I<cell name>>]
14 [B<-s> <I<explicit list of servers>>+] [B<-pi>] [B<-h>]
18 The B<kpasswd> command changes the password recorded in an Authentication
19 Database entry. By default, the command interpreter changes the password
20 for the AFS user name that matches the issuer's local identity (UNIX
21 UID). To specify an alternate user, include the B<-principal>
22 argument. The user named by the B<-principal> argument does not have to
23 appear in the local password file (the F</etc/passwd> file or equivalent).
25 By default, the command interpreter sends the password change request to
26 the Authentication Server running on one of the database server machines
27 listed for the local cell in the F</usr/afs/etc/CellServDB> file on the
28 local disk; it chooses the machine at random. It consults the
29 F</usr/vice/etc/ThisCell> file on the local disk to learn the local cell
30 name. To specify an alternate cell, include the B<-cell> argument.
32 Unlike the UNIX B<passwd> command, the B<kpasswd> command does not
33 restrict passwords to eight characters or less; it accepts passwords of
34 virtually any length. All AFS commands that require passwords (including
35 the B<klog>, B<kpasswd>, and AFS-modified login utilities, and the
36 commands in the B<kas> suite) accept passwords longer than eight
37 characters, but some other applications and operating system utilities do
38 not. Selecting an AFS password of eight characters or less enables the
39 user to maintain matching AFS and UNIX passwords.
41 The command interpreter makes the following checks:
47 If the program B<kpwvalid> exists in the same directory as the B<kpasswd>
48 command, the command interpreter pass the new password to it for
49 verification. For details, see L<kpwvalid(8)>.
53 If the B<-reuse> argument to the kas setfields command has been used to
54 prohibit reuse of previous passwords, the command interpreter verifies
55 that the password is not too similar too any of the user's previous 20
56 passwords. It generates the following error message at the shell:
58 Password was not changed because it seems like a reused password
60 To prevent a user from subverting this restriction by changing the
61 password twenty times in quick succession (manually or by running a
62 script), use the B<-minhours> argument on the B<kaserver> initialization
63 command. The following error message appears if a user attempts to change
64 a password before the minimum time has passed:
66 Password was not changed because you changed it too
67 recently; see your systems administrator
77 Appears only for backwards compatibility.
79 =item B<-principal> <I<user name>>
81 Names the Authentication Database entry for which to change the
82 password. If this argument is omitted, the database entry with the same
83 name as the issuer's local identity (UNIX UID) is changed.
85 =item B<-password> <I<user's password>>
87 Specifies the current password. Omit this argument to have the command
88 interpreter prompt for the password, which does not echo visibly:
90 Old password: current_password
92 =item B<-newpassword> <I<user's new password>>
94 Specifies the new password, which the B<kpasswd> command interpreter
95 converts into an encryption key (string of octal numbers) before sending
96 it to the Authentication Server for storage in the user's Authentication
99 Omit this argument to have the command interpreter prompt for the
100 password, which does not echo visibly:
102 New password (RETURN to abort): <new_password>
103 Retype new password: <new_password>
105 =item B<-cell> <I<cell name>>
107 Specifies the cell in which to change the password, by directing the
108 command to that cell's Authentication Servers. The issuer can abbreviate
109 the cell name to the shortest form that distinguishes it from the other
110 cells listed in the local F</usr/vice/etc/CellServDB> file.
112 By default, the command is executed in the local cell, as defined
118 First, by the value of the environment variable AFSCELL.
122 Second, in the F</usr/vice/etc/ThisCell> file on the client machine on
123 which the command is issued.
127 =item B<-servers> <I<explicit list of servers>>
129 Establishes a connection with the Authentication Server running on each
130 specified machine, rather than with all of the database server machines
131 listed for the relevant cell in the local copy of the
132 F</usr/vice/etc/CellServDB> file. The B<kpasswd> command interpreter then
133 sends the password-changing request to one machine chosen at random from
138 Suppresses all output to the standard output stream or standard error
139 stream. The B<kpasswd> command interpreter expects to receive all
140 necessary arguments, each on a separate line, from the standard input
141 stream. Do not use this argument, which is provided for use by application
142 programs rather than human users.
146 Prints the online help for this command. All other valid options are
153 The following example shows user pat changing her password in the ABC
157 Changing password for 'pat' in cell 'abc.com'.
159 New password (RETURN to abort):
160 Verifying, please re-enter new_password:
162 =head1 PRIVILEGE REQUIRED
169 L<kas_setpassword(8)>,
175 IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
177 This documentation is covered by the IBM Public License Version 1.0. It was
178 converted from HTML to POD by software written by Chas Williams and Russ
179 Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
git://git.openafs.org / openafs.git / blob