kpasswd - Changes the issuer's password in the Authentication Database

B<kpasswd> [B<-x>] S<<< [B<-principal> <I<user name>>] >>>
    S<<< [B<-password> <I<user's password>>] >>>
    S<<< [B<-newpassword> <I<user's new password>>] >>> S<<< [B<-cell> <I<cell name>>] >>>
    S<<< [B<-servers> <I<explicit list of servers>>+] >>> [B<-pipe>] [B<-help>]

B<kpasswd> [B<-x>] S<<< [B<-pr> <I<user name>>] >>> S<<< [B<-pa> <I<user's password>>] >>>
    S<<< [B<-n> <I<user's new password>>] >>> S<<< [B<-c> <I<cell name>>] >>>
    S<<< [B<-s> <I<explicit list of servers>>+] >>> [B<-pi>] [B<-h>]

The B<kpasswd> command changes the password recorded in an Authentication
Database entry on the obsolete Authentication Server. By default, the
command interpreter changes the password for the AFS user name that
matches the issuer's local identity (UNIX UID). To specify an alternate
user, include the B<-principal> argument. The user named by the
B<-principal> argument does not have to appear in the local password file
(the F</etc/passwd> file or equivalent).

By default, the command interpreter sends the password change request to
the Authentication Server running on one of the database server machines
listed for the local cell in the F</usr/afs/etc/CellServDB> file on the
local disk; it chooses the machine at random. It consults the
F</usr/vice/etc/ThisCell> file on the local disk to learn the local cell
name. To specify an alternate cell, include the B<-cell> argument.

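The lookup described above, as an added example that is not part of the original page or of OpenAFS: a POSIX shell version that resolves the cell name (AFSCELL first, then F<ThisCell>, the order given under B<-cell>) and lists that cell's F<CellServDB> entries, which is a quick way to audit which machines a password-change request can reach. The function names and sample files are constructed; the F<CellServDB> layout (a C<< >cell >> header line followed by C<address #hostname> lines) is an assumption the code states in its comments.

```shell
#!/bin/sh
# Added example, not OpenAFS code. Function names and sample data are constructed.
# File locations default to the client paths named on this page.
THISCELL_FILE=${THISCELL_FILE:-/usr/vice/etc/ThisCell}
CELLSERVDB_FILE=${CELLSERVDB_FILE:-/usr/vice/etc/CellServDB}

# Cell name: explicit argument (like -cell), else AFSCELL, else ThisCell.
# Exact names only; the abbreviation matching that -cell allows is not modelled.
afs_resolve_cell() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -n "${AFSCELL:-}" ]; then
        printf '%s\n' "$AFSCELL"
    elif [ -r "$THISCELL_FILE" ]; then
        head -n 1 "$THISCELL_FILE" | tr -d ' \t\r'
    else
        echo "cannot determine cell name" >&2
        return 1
    fi
}

# Database servers listed for one cell. CellServDB layout: a ">cell #comment"
# header line, then one "address #hostname" line per database server machine.
afs_db_servers() {
    awk -v cell="$1" '
        /^>/ { in_cell = (substr($1, 2) == cell); next }
        in_cell && NF { sub(/#/, "", $2); print $1, $2 }
    ' "$CELLSERVDB_FILE"
}

# Constructed sample files so the example runs without an AFS client installed.
demo_dir=$(mktemp -d)
printf 'example.com\n' > "$demo_dir/ThisCell"
cat > "$demo_dir/CellServDB" <<'EOF'
>example.com            #Constructed sample cell
192.0.2.10              #afsdb1.example.com
192.0.2.11              #afsdb2.example.com
>example.org            #Second constructed cell
198.51.100.5            #db1.example.org
EOF
THISCELL_FILE=$demo_dir/ThisCell
CELLSERVDB_FILE=$demo_dir/CellServDB

# Candidate servers for the default cell; kpasswd picks one of these at random.
cell=$(afs_resolve_cell) && afs_db_servers "$cell"
```

To check a real machine, remove the sample-file section and set CELLSERVDB_FILE to the copy of F<CellServDB> you want to inspect.
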
Unlike the UNIX B<passwd> command, the B<kpasswd> command does not
restrict passwords to eight characters or less; it accepts passwords of
virtually any length. All AFS commands that require passwords (including
the B<klog>, B<kpasswd>, and AFS-modified login utilities, and the
commands in the B<kas> suite) accept passwords longer than eight
characters, but some other applications and operating system utilities do
not. Selecting an AFS password of eight characters or less enables the
user to maintain matching AFS and UNIX passwords.

The command interpreter makes the following checks:

If the program B<kpwvalid> exists in the same directory as the B<kpasswd>
command, the command interpreter passes the new password to it for
verification. For details, see L<kpwvalid(8)>.

If the B<-reuse> argument to the kas setfields command has been used to
prohibit reuse of previous passwords, the command interpreter verifies
that the password is not too similar to any of the user's previous 20
passwords. It generates the following error message at the shell:

   Password was not changed because it seems like a reused password

To prevent a user from subverting this restriction by changing the
password twenty times in quick succession (manually or by running a
script), use the B<-minhours> argument on the B<kaserver> initialization
command. The following error message appears if a user attempts to change
a password before the minimum time has passed:

   Password was not changed because you changed it too
   recently; see your systems administrator

The B<kpasswd> command is only used by the obsolete Authentication Server.
It is provided for sites that have not yet migrated to a Kerberos version
5 KDC. The Authentication Server and supporting commands, including
B<kpwvalid>, will be removed in a future version of OpenAFS.

Appears only for backwards compatibility.

=item B<-principal> <I<user name>>

Names the Authentication Database entry for which to change the
password. If this argument is omitted, the database entry with the same
name as the issuer's local identity (UNIX UID) is changed.

=item B<-password> <I<user's password>>

Specifies the current password. Omit this argument to have the command
interpreter prompt for the password, which does not echo visibly:

   Old password: current_password

=item B<-newpassword> <I<user's new password>>

Specifies the new password, which the B<kpasswd> command interpreter
converts into an encryption key (string of octal numbers) before sending
it to the Authentication Server for storage in the user's Authentication

Omit this argument to have the command interpreter prompt for the
password, which does not echo visibly:

   New password (RETURN to abort): <new_password>
   Retype new password: <new_password>

=item B<-cell> <I<cell name>>

Specifies the cell in which to change the password, by directing the
command to that cell's Authentication Servers. The issuer can abbreviate
the cell name to the shortest form that distinguishes it from the other
cells listed in the local F</usr/vice/etc/CellServDB> file.

By default, the command is executed in the local cell, as defined

First, by the value of the environment variable AFSCELL.

Second, in the F</usr/vice/etc/ThisCell> file on the client machine on
which the command is issued.

=item B<-servers> <I<explicit list of servers>>

Establishes a connection with the Authentication Server running on each
specified machine, rather than with all of the database server machines
listed for the relevant cell in the local copy of the
F</usr/vice/etc/CellServDB> file. The B<kpasswd> command interpreter then
sends the password-changing request to one machine chosen at random from

Suppresses all output to the standard output stream or standard error
stream. The B<kpasswd> command interpreter expects to receive all
necessary arguments, each on a separate line, from the standard input
stream. Do not use this argument, which is provided for use by application
programs rather than human users.

Prints the online help for this command. All other valid options are

The following example shows user pat changing her password in the Example

   Changing password for 'pat' in cell 'example.com'.
   New password (RETURN to abort):
   Verifying, please re-enter new_password:

=head1 PRIVILEGE REQUIRED

L<kas_setpassword(8)>,

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.