<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<TITLE>Administration Reference</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3672/auarf000.scr converted by idb2h R4.2 (359) ID      -->
<!-- Workbench Version (AIX) on 3 Oct 2000 at 16:18:30                -->
<META HTTP-EQUIV="updated" CONTENT="Tue, 03 Oct 2000 16:18:29">
<META HTTP-EQUIV="review" CONTENT="Wed, 03 Oct 2001 16:18:29">
<META HTTP-EQUIV="expires" CONTENT="Thu, 03 Oct 2002 16:18:29">
<!-- (C) IBM Corporation 2000. All Rights Reserved    -->
<BODY bgcolor="ffffff">
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Administration Reference</H1>
<H2><A NAME="HDRKPASSWD" HREF="auarf002.htm#ToC_216">kpasswd</A></H2>
<A NAME="IDX5187"></A>
<A NAME="IDX5188"></A>
<A NAME="IDX5189"></A>
<A NAME="IDX5190"></A>
<A NAME="IDX5191"></A>
<A NAME="IDX5192"></A>
<A NAME="IDX5193"></A>
<P><STRONG>Purpose</STRONG>
<P>Changes the issuer's password in the Authentication Database
<P><STRONG>Synopsis</STRONG>
<PRE><B>kpasswd</B> [<B>-x</B>] [<B>-principal</B> &lt;<VAR>user name</VAR>&gt;] [<B>-password</B> &lt;<VAR>user's password</VAR>&gt;]
        [<B>-newpassword</B> &lt;<VAR>user's new password</VAR>&gt;] [<B>-cell</B> &lt;<VAR>cell name</VAR>&gt;]
        [<B>-servers</B> &lt;<VAR>explicit list of servers</VAR>&gt;<SUP>+</SUP>] [<B>-pipe</B>] [<B>-help</B>]

<B>kpasswd</B> [<B>-x</B>] [<B>-pr</B> &lt;<VAR>user name</VAR>&gt;] [<B>-pa</B> &lt;<VAR>user's password</VAR>&gt;]
        [<B>-n</B> &lt;<VAR>user's new password</VAR>&gt;] [<B>-c</B> &lt;<VAR>cell name</VAR>&gt;]
        [<B>-s</B> &lt;<VAR>explicit list of servers</VAR>&gt;<SUP>+</SUP>] [<B>-pi</B>] [<B>-h</B>]
</PRE>
<P><STRONG>Description</STRONG>
<P>The <B>kpasswd</B> command changes the password recorded in an
Authentication Database entry. By default, the command interpreter
changes the password for the AFS user name that matches the issuer's
local identity (UNIX UID). To specify an alternate user, include the
<B>-principal</B> argument. The user named by the
<B>-principal</B> argument does not have to appear in the local password
file (the <B>/etc/passwd</B> file or equivalent).
<P>By default, the command interpreter sends the password change request to
the Authentication Server running on one of the database server machines
listed for the local cell in the <B>/usr/afs/etc/CellServDB</B> file on
the local disk; it chooses the machine at random. It consults the
<B>/usr/vice/etc/ThisCell</B> file on the local disk to learn the local
cell name. To specify an alternate cell, include the <B>-cell</B>
<P>Unlike the UNIX <B>passwd</B> command, the <B>kpasswd</B> command
does not restrict passwords to eight characters or less; it accepts
passwords of virtually any length. All AFS commands that require
passwords (including the <B>klog</B>, <B>kpasswd</B>, and AFS-modified
login utilities, and the commands in the <B>kas</B> suite) accept
passwords longer than eight characters, but some other applications and
operating system utilities do not. Selecting an AFS password of eight
characters or less enables the user to maintain matching AFS and UNIX
<P>The command interpreter makes the following checks:
<UL>
<P><LI>If the program <B>kpwvalid</B> exists in the same directory as the
<B>kpasswd</B> command, the command interpreter passes the new password to
it for verification. For details, see the <B>kpwvalid</B> reference
<P><LI>If the <B>-reuse</B> argument to the <B>kas setfields</B> command
has been used to prohibit reuse of previous passwords, the command interpreter
verifies that the password is not too similar to any of the user's
previous 20 passwords. It generates the following error message at the
<PRE>   Password was not changed because it seems like a reused password
</PRE>
<P>To prevent a user from subverting this restriction by changing the password
twenty times in quick succession (manually or by running a script), use the
<B>-minhours</B> argument on the <B>kaserver</B> initialization
command. The following error message appears if a user attempts to
change a password before the minimum time has passed:
<PRE>   Password was not changed because you changed it too
   recently; see your systems administrator
</PRE>
</UL>
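<P>The interaction between the reuse check and the <B>-minhours</B> setting described above can be modeled in a few lines. This is an added example, not part of the original reference and not AFS code: the <B>Entry</B> class and <B>cycle_back</B> function are hypothetical, an exact digest match stands in for the "too similar" test, and the history is assumed to hold the 20 most recent passwords including the current one.

```python
import hashlib
from collections import deque

HISTORY = 20  # the page's "previous 20 passwords"
REUSED = "Password was not changed because it seems like a reused password"
TOO_SOON = ("Password was not changed because you changed it too recently; "
            "see your systems administrator")


class Entry:
    """Toy Authentication Database entry (a model, not AFS code)."""

    def __init__(self, password, reuse_prohibited=True, minhours=0):
        self.reuse_prohibited = reuse_prohibited  # models kas setfields -reuse
        self.minhours = minhours                  # models kaserver -minhours
        # Assumption: the history holds digests of the 20 most recent
        # passwords, the current one included.
        self.history = deque([self._digest(password)], maxlen=HISTORY)
        self.last_change = 0.0                    # hours since creation

    @staticmethod
    def _digest(password):
        # Assumption: exact digest match stands in for "too similar".
        return hashlib.sha256(password.encode()).hexdigest()

    def change(self, new_password, now):
        """Return None on success, else the error message quoted on the page."""
        if now - self.last_change < self.minhours:
            return TOO_SOON
        digest = self._digest(new_password)
        if self.reuse_prohibited and digest in self.history:
            return REUSED
        self.history.append(digest)
        self.last_change = now
        return None


def cycle_back(minhours, reuse_prohibited=True):
    """Burn throwaway passwords until 'original' is accepted again.

    Returns (throwaway_changes, elapsed_hours).
    """
    entry = Entry("original", reuse_prohibited, minhours)
    now, burned = 0.0, 0
    while True:
        now += minhours  # wait out the minimum interval before each change
        if entry.change("original", now) is None:
            return burned, now
        entry.change(f"throwaway-{burned}", now)
        burned += 1
```

<P>In this model, twenty throwaway changes bring the original password back in zero elapsed hours when no minimum is set, while a 24-hour minimum stretches the same cycle to 504 hours.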
<P><STRONG>Options</STRONG>
<DL>
<P><DT><B>-x
</B><DD>Appears only for backwards compatibility.
<P><DT><B>-principal
</B><DD>Names the Authentication Database entry for which to change the
password. If this argument is omitted, the database entry with the same
name as the issuer's local identity (UNIX UID) is changed.
<P><DT><B>-password
</B><DD>Specifies the current password. Omit this argument to have the
command interpreter prompt for the password, which does not echo
<PRE>   Old password: <VAR>current_password</VAR>
</PRE>
<P><DT><B>-newpassword
</B><DD>Specifies the new password, which the <B>kpasswd</B> command
interpreter converts into an encryption key (string of octal numbers) before
sending it to the Authentication Server for storage in the user's
Authentication Database entry.
<P>Omit this argument to have the command interpreter prompt for the password,
which does not echo visibly:
<PRE>   New password (RETURN to abort): <VAR>new_password</VAR>
   Retype new password: <VAR>new_password</VAR>
</PRE>
<P><DT><B>-cell
</B><DD>Specifies the cell in which to change the password, by directing the
command to that cell's Authentication Servers. The issuer can
abbreviate the cell name to the shortest form that distinguishes it from the
other cells listed in the local <B>/usr/vice/etc/CellServDB</B>
<P>By default, the command is executed in the local cell, as defined
<UL>
<P><LI>First, by the value of the environment variable AFSCELL
<P><LI>Second, in the <B>/usr/vice/etc/ThisCell</B> file on the client
machine on which the command is issued
</UL>
<P><DT><B>-servers
</B><DD>Establishes a connection with the Authentication Server running on each
specified machine, rather than with all of the database server machines listed
for the relevant cell in the local copy of the
<B>/usr/vice/etc/CellServDB</B> file. The <B>kpasswd</B>
command interpreter then sends the password-changing request to one machine
chosen at random from the set.
<P><DT><B>-pipe
</B><DD>Suppresses all output to the standard output stream or standard error
stream. The <B>kpasswd</B> command interpreter expects to receive
all necessary arguments, each on a separate line, from the standard input
stream. Do not use this argument, which is provided for use by
application programs rather than human users.
<P><DT><B>-help
</B><DD>Prints the online help for this command. All other valid options
</DL>
<P><STRONG>Examples</STRONG>
<P>The following example shows user <B>pat</B> changing her password in
the ABC Corporation cell.
<PRE>   % <B>kpasswd</B>
   Changing password for 'pat' in cell 'abc.com'.
   New password (RETURN to abort):
   Verifying, please re-enter new_password:
</PRE>
<P><STRONG>Privilege Required</STRONG>
<P><STRONG>Related Information</STRONG>
<P><A HREF="auarf193.htm#HDRKAS_SETFIELDS">kas setfields</A>
<P><A HREF="auarf194.htm#HDRKAS_SETPASSWORD">kas setpassword</A>
<P><A HREF="auarf200.htm#HDRKLOG">klog</A>
<P><A HREF="auarf203.htm#HDRKPWVALID">kpwvalid</A>
<!-- Begin Footer Records  ========================================== -->
<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
<!-- End Footer Records  ============================================ -->
<A NAME="Bot_Of_Page"></A>