kpasswd - Changes the issuer's password in the Authentication Database

kpasswd [B<-x>] [B<-principal> I<user name>] [B<-password> I<user's password>]
[B<-newpassword> I<user's new password>] [B<-cell> I<cell name>]
[B<-servers> I<explicit list of servers> [I<explicit list of servers> ...]] [B<-pipe>] [B<-help>]

kpasswd [B<-x>] [B<-pr> I<user name>] [B<-pa> I<user's password>]
[B<-n> I<user's new password>] [B<-c> I<cell name>]
[B<-s> I<explicit list of servers> [I<explicit list of servers> ...]] [B<-pi>] [B<-h>]

The C<kpasswd> command changes the password recorded in an Authentication
Database entry. By default, the command interpreter changes the
password for the AFS user name that matches the issuer's local
identity (UNIX UID). To specify an alternate user, include the
B<-principal> argument. The user named by the B<-principal> argument does
not have to appear in the local password file (the B</etc/passwd> file or

By default, the command interpreter sends the password change request
to the Authentication Server running on one of the database server
machines listed for the local cell in the B</usr/afs/etc/CellServDB> file
on the local disk; it chooses the machine at random. It consults the
B</usr/vice/etc/ThisCell> file on the local disk to learn the local cell
name. To specify an alternate cell, include the B<-cell> argument.

Unlike the UNIX C<passwd> command, the C<kpasswd> command does not restrict
passwords to eight characters or less; it accepts passwords of
virtually any length. All AFS commands that require passwords
(including the C<klog>, C<kpasswd>, and AFS-modified login utilities, and
the commands in the C<kas> suite) accept passwords longer than eight
characters, but some other applications and operating system utilities
do not. Selecting an AFS password of eight characters or less enables
the user to maintain matching AFS and UNIX passwords.

The command interpreter makes the following checks:

If the program B<kpwvalid> exists in the same directory as the
C<kpasswd> command, the command interpreter passes the new password to
it for verification. For details, see the L<kpwvalid(1)> reference page.

If the B<-reuse> argument to the C<kas setfields> command has been used
to prohibit reuse of previous passwords, the command interpreter
verifies that the password is not too similar to any of the
user's previous 20 passwords. It generates the following error

   Password was not changed because it seems like a reused password

To prevent a user from subverting this restriction by changing the
password twenty times in quick succession (manually or by running
a script), use the B<-minhours> argument on the B<kaserver>
initialization command. The following error message appears if a
user attempts to change a password before the minimum time has

   Password was not changed because you changed it too
   recently; see your systems administrator

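A password-quality filter of the kind the B<kpwvalid> check above hands the new password to, as an added example that is not part of this page or of the AFS distribution. It assumes the interface given on the kpwvalid reference page (current password on the first line of standard input, candidates on the following lines, one result code per candidate on standard output, 0 meaning acceptable); the function names, rule numbers and C<MIN_LEN> are hypothetical site policy.

```sh
#!/bin/sh
# kpwvalid-style password quality filter (added example; policy is illustrative).
# Assumed interface, per the kpwvalid reference page: stdin carries one
# password per line, the first being the current password; for every later
# line write "0" (acceptable) or a non-zero number (rejected) to stdout.
# Diagnostics go to stderr only, and passwords are never echoed.

LC_ALL=C; export LC_ALL   # make [a-z] / [A-Z] ranges byte-exact
MIN_LEN=12                # assumed site policy, not an AFS default

# check_candidate CURRENT CANDIDATE -> prints 0 or a non-zero rule number
check_candidate() {
    cur=$1
    new=$2
    # Rule 1: shorter than the site minimum
    [ "${#new}" -ge "$MIN_LEN" ] || { echo 1; return; }
    # Rule 2: identical to the current password
    [ "$new" != "$cur" ] || { echo 2; return; }
    # Rule 3: fewer than three character classes
    classes=0
    case $new in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $new in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $new in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $new in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ] || { echo 3; return; }
    echo 0
}

# Read the current password, then answer for each candidate line.
kpwvalid_filter() {
    IFS= read -r current || return 1
    while IFS= read -r candidate; do
        code=$(check_candidate "$current" "$candidate")
        [ "$code" -eq 0 ] || echo "kpwvalid: rejected (rule $code)" >&2
        echo "$code"
    done
}

# Act as the filter only when installed under the name kpwvalid.
case ${0##*/} in
    kpwvalid) kpwvalid_filter ;;
esac
```

Because C<kpasswd> runs whatever B<kpwvalid> it finds beside it and feeds it cleartext passwords, the directory holding both should be writable by administrators only.
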
Appears only for backwards compatibility.

=item B<-principal> I<user name>

Names the Authentication Database entry for which to change the
password. If this argument is omitted, the database entry with
the same name as the issuer's local identity (UNIX UID) is

=item B<-password> I<user's password>

Specifies the current password. Omit this argument to have the
command interpreter prompt for the password, which does not

Old password: I<current_password>

=item B<-newpassword> I<user's new password>

Specifies the new password, which the C<kpasswd> command
interpreter converts into an encryption key (string of octal
numbers) before sending it to the Authentication Server for
storage in the user's Authentication Database entry.

Omit this argument to have the command interpreter prompt for
the password, which does not echo visibly:

   New password (RETURN to abort): new_password
   Retype new password: new_password

=item B<-cell> I<cell name>

Specifies the cell in which to change the password, by
directing the command to that cell's Authentication Servers.
The issuer can abbreviate the cell name to the shortest form
that distinguishes it from the other cells listed in the local
B</usr/vice/etc/CellServDB> file.

By default, the command is executed in the local cell, as

First, by the value of the environment variable AFSCELL

Second, in the B</usr/vice/etc/ThisCell> file on the client
machine on which the command is issued

=item B<-servers> I<explicit list of servers> ...

Establishes a connection with the Authentication Server running
on each specified machine, rather than with all of the database
server machines listed for the relevant cell in the local copy
of the B</usr/vice/etc/CellServDB> file. The C<kpasswd> command
interpreter then sends the password-changing request to one
machine chosen at random from the set.

Suppresses all output to the standard output stream or standard
error stream. The C<kpasswd> command interpreter expects to
receive all necessary arguments, each on a separate line, from
the standard input stream. Do not use this argument, which is
provided for use by application programs rather than human

Prints the online help for this command. All other valid

The following example shows user B<pat> changing her password in the ABC

   Changing password for 'pat' in cell 'abc.com'.
   New password (RETURN to abort):
   Verifying, please re-enter new_password:

=head1 PRIVILEGE REQUIRED

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

Converted from html to pod by Alf Wachsmann <alfw@slac.stanford.edu>, 2003,
and Elizabeth Cassell <e_a_c@mailsnare.net>, 2004,
Stanford Linear Accelerator Center, a department of Stanford University.

L<kas_setpassword(1)>,