3 kpasswd - Changes the issuer's password in the Authentication Database
10 B<kpasswd> [B<-x>] S<<< [B<-principal> <I<user name>>] >>>
11 S<<< [B<-password> <I<user's password>>] >>>
12 S<<< [B<-newpassword> <I<user's new password>>] >>> S<<< [B<-cell> <I<cell name>>] >>>
13 S<<< [B<-servers> <I<explicit list of servers>>+] >>> [B<-pipe>] [B<-help>]
15 B<kpasswd> [B<-x>] S<<< [B<-pr> <I<user name>>] >>> S<<< [B<-pa> <I<user's password>>] >>>
16 S<<< [B<-n> <I<user's new password>>] >>> S<<< [B<-c> <I<cell name>>] >>>
17 S<<< [B<-s> <I<explicit list of servers>>+] >>> [B<-pi>] [B<-h>]
24 The B<kpasswd> command changes the password recorded in an Authentication
25 Database entry. By default, the command interpreter changes the password
26 for the AFS user name that matches the issuer's local identity (UNIX
27 UID). To specify an alternate user, include the B<-principal>
28 argument. The user named by the B<-principal> argument does not have to
29 appear in the local password file (the F</etc/passwd> file or equivalent).
31 By default, the command interpreter sends the password change request to
32 the Authentication Server running on one of the database server machines
33 listed for the local cell in the F</usr/afs/etc/CellServDB> file on the
34 local disk; it chooses the machine at random. It consults the
35 F</usr/vice/etc/ThisCell> file on the local disk to learn the local cell
36 name. To specify an alternate cell, include the B<-cell> argument.
38 Unlike the UNIX B<passwd> command, the B<kpasswd> command does not
39 restrict passwords to eight characters or less; it accepts passwords of
40 virtually any length. All AFS commands that require passwords (including
41 the B<klog>, B<kpasswd>, and AFS-modified login utilities, and the
42 commands in the B<kas> suite) accept passwords longer than eight
43 characters, but some other applications and operating system utilities do
44 not. Selecting an AFS password of eight characters or less enables the
45 user to maintain matching AFS and UNIX passwords.
47 The command interpreter makes the following checks:
53 If the program B<kpwvalid> exists in the same directory as the B<kpasswd>
54 command, the command interpreter pass the new password to it for
55 verification. For details, see L<kpwvalid(8)>.
59 If the B<-reuse> argument to the kas setfields command has been used to
60 prohibit reuse of previous passwords, the command interpreter verifies
61 that the password is not too similar too any of the user's previous 20
62 passwords. It generates the following error message at the shell:
64 Password was not changed because it seems like a reused password
66 To prevent a user from subverting this restriction by changing the
67 password twenty times in quick succession (manually or by running a
68 script), use the B<-minhours> argument on the B<kaserver> initialization
69 command. The following error message appears if a user attempts to change
70 a password before the minimum time has passed:
72 Password was not changed because you changed it too
73 recently; see your systems administrator
83 Appears only for backwards compatibility.
85 =item B<-principal> <I<user name>>
87 Names the Authentication Database entry for which to change the
88 password. If this argument is omitted, the database entry with the same
89 name as the issuer's local identity (UNIX UID) is changed.
91 =item B<-password> <I<user's password>>
93 Specifies the current password. Omit this argument to have the command
94 interpreter prompt for the password, which does not echo visibly:
96 Old password: current_password
98 =item B<-newpassword> <I<user's new password>>
100 Specifies the new password, which the B<kpasswd> command interpreter
101 converts into an encryption key (string of octal numbers) before sending
102 it to the Authentication Server for storage in the user's Authentication
105 Omit this argument to have the command interpreter prompt for the
106 password, which does not echo visibly:
108 New password (RETURN to abort): <new_password>
109 Retype new password: <new_password>
111 =item B<-cell> <I<cell name>>
113 Specifies the cell in which to change the password, by directing the
114 command to that cell's Authentication Servers. The issuer can abbreviate
115 the cell name to the shortest form that distinguishes it from the other
116 cells listed in the local F</usr/vice/etc/CellServDB> file.
118 By default, the command is executed in the local cell, as defined
124 First, by the value of the environment variable AFSCELL.
128 Second, in the F</usr/vice/etc/ThisCell> file on the client machine on
129 which the command is issued.
133 =item B<-servers> <I<explicit list of servers>>
135 Establishes a connection with the Authentication Server running on each
136 specified machine, rather than with all of the database server machines
137 listed for the relevant cell in the local copy of the
138 F</usr/vice/etc/CellServDB> file. The B<kpasswd> command interpreter then
139 sends the password-changing request to one machine chosen at random from
144 Suppresses all output to the standard output stream or standard error
145 stream. The B<kpasswd> command interpreter expects to receive all
146 necessary arguments, each on a separate line, from the standard input
147 stream. Do not use this argument, which is provided for use by application
148 programs rather than human users.
152 Prints the online help for this command. All other valid options are
159 The following example shows user pat changing her password in the ABC
163 Changing password for 'pat' in cell 'abc.com'.
165 New password (RETURN to abort):
166 Verifying, please re-enter new_password:
168 =head1 PRIVILEGE REQUIRED
175 L<kas_setpassword(8)>,
181 IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
183 This documentation is covered by the IBM Public License Version 1.0. It was
184 converted from HTML to POD by software written by Chas Williams and Russ
185 Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.