Provided by: openafs-kpasswd_1.4.12+dfsg-3_i386 bug

NAME

       kas_setpassword - Changes the key field in an Authentication Database
       entry

SYNOPSIS

       kas setpassword -name <name of user>
           [-new_password <new password>] [-kvno <key version number>]
           [-admin_username <admin principal to use for authentication>]
           [-password_for_admin <admin password>] [-cell <cell name>]
           [-servers <explicit list of authentication servers>+]
           [-noauth] [-help]

       kas setpasswd -na <name of user> [-ne <new password>]
           [-k <key version number>]
           [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-s <explicit list of authentication servers>+] [-no] [-h]

       kas setp -na <name of user> [-ne <new password>]
           [-k <key version number>]
           [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-s <explicit list of authentication servers>+] [-no] [-h]

       kas sp -na <name of user> [-ne <new password>]
           [-k <key version number>]
           [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-s <explicit list of authentication servers>+] [-no] [-h]

DESCRIPTION

       The kas setpassword command accepts a character string of unlimited
       length, scrambles it into a form suitable for use as an encryption key,
       places it in the key field of the Authentication Database entry named
       by the -name argument, and assigns it the key version number specified
       by the -kvno argument.

       To avoid making the password string visible at the shell prompt, omit
       the -new_password argument. Prompts then appear at the shell which do
       not echo the password visibly.

       When changing the afs server key, also issue bos addkey command to add
       the key (with the same key version number) to the
       /etc/openafs/server/KeyFile file. See the IBM AFS Administration Guide
       for instructions.

       The command interpreter checks the password string subject to the
       following conditions:

       ·   If there is a program called kpwvalid in the same directory as the
           kas binary, the command interpreter invokes it to process the
           password. For details, see kpwvalid(8).

       ·   If the -reuse argument to the kas setfields command has been used
           to prohibit reuse of previous passwords, the command interpreter
           verifies that the password is not too similar too any of the user’s
           previous 20 passwords. It generates the following error message at
           the shell:

              Password was not changed because it seems like a reused password

           To prevent a user from subverting this restriction by changing the
           password twenty times in quick succession (manually or by running a
           script), use the -minhours argument on the kaserver initialization
           command. The following error message appears if a user attempts to
           change a password before the minimum time has passed:

              Password was not changed because you changed it too
              recently; see your systems administrator

OPTIONS

       -name <name of user>
           Names the entry in which to record the new key.

       -new_password <new password>
           Specifies the character string the user types when authenticating
           to AFS. Omit this argument and type the string at the resulting
           prompts so that the password does not echo visibly. Note that some
           non-AFS programs cannot handle passwords longer than eight
           characters.

       -kvno <key version number>
           Specifies the key version number associated with the new key.
           Provide an integer in the range from 0 through 255. If omitted, the
           default is 0 (zero), which is probably not desirable for server
           keys.

       -admin_username <admin principal>
           Specifies the user identity under which to authenticate with the
           Authentication Server for execution of the command. For more
           details, see kas(8).

       -password_for_admin <admin password>
           Specifies the password of the command’s issuer. If it is omitted
           (as recommended), the kas command interpreter prompts for it and
           does not echo it visibly. For more details, see kas(8).

       -cell <cell name>
           Names the cell in which to run the command. For more details, see
           kas(8).

       -servers <authentication servers>+
           Names each machine running an Authentication Server with which to
           establish a connection. For more details, see kas(8).

       -noauth
           Assigns the unprivileged identity "anonymous" to the issuer. For
           more details, see kas(8).

       -help
           Prints the online help for this command. All other valid options
           are ignored.

EXAMPLES

       In the following example, an administrator using the "admin" account
       changes the password for "pat" (presumably because "pat" forgot the
       former password or got locked out of his account in some other way).

          % kas setpassword pat
          Password for admin:
          new_password:
          Verifying, please re-enter new_password:

PRIVILEGE REQUIRED

       Individual users can change their own passwords. To change another
       user’s password or the password (server encryption key) for server
       entries such as "afs", the issuer must have the "ADMIN" flag set in his
       or her Authentication Database entry.

SEE ALSO

       bos_addkey(8), kas(8), kaserver(8), kpwvalid(8)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.
       It was converted from HTML to POD by software written by Chas Williams
       and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.