Provided by: openafs-kpasswd_1.6.1-1_i386 bug

NAME

       kpasswd - Changes the issuer's password in the Authentication Database

SYNOPSIS

       kpasswd [-x] [-principal <user name>]
           [-password <user's password>]
           [-newpassword <user's new password>] [-cell <cell name>]
           [-servers <explicit list of servers>+] [-pipe] [-help]

       kpasswd [-x] [-pr <user name>] [-pa <user's password>]
           [-n <user's new password>] [-c <cell name>]
           [-s <explicit list of servers>+] [-pi] [-h]

DESCRIPTION

       The kpasswd command changes the password recorded in an Authentication
       Database entry on the obsolete Authentication Server. By default, the
       command interpreter changes the password for the AFS user name that
       matches the issuer's local identity (UNIX UID). To specify an alternate
       user, include the -principal argument. The user named by the -principal
       argument does not have to appear in the local password file (the
       /etc/passwd file or equivalent).

       By default, the command interpreter sends the password change request
       to the Authentication Server running on one of the database server
       machines listed for the local cell in the
       /etc/openafs/server/CellServDB file on the local disk; it chooses the
       machine at random. It consults the /etc/openafs/ThisCell file on the
       local disk to learn the local cell name. To specify an alternate cell,
       include the -cell argument.

       Unlike the UNIX passwd command, the kpasswd command does not restrict
       passwords to eight characters or less; it accepts passwords of
       virtually any length. All AFS commands that require passwords
       (including the klog, kpasswd, and AFS-modified login utilities, and the
       commands in the kas suite) accept passwords longer than eight
       characters, but some other applications and operating system utilities
       do not. Selecting an AFS password of eight characters or less enables
       the user to maintain matching AFS and UNIX passwords.

       The command interpreter makes the following checks:

       o   If the program kpwvalid exists in the same directory as the kpasswd
           command, the command interpreter pass the new password to it for
           verification. For details, see kpwvalid(8).

       o   If the -reuse argument to the kas setfields command has been used
           to prohibit reuse of previous passwords, the command interpreter
           verifies that the password is not too similar too any of the user's
           previous 20 passwords. It generates the following error message at
           the shell:

              Password was not changed because it seems like a reused password

           To prevent a user from subverting this restriction by changing the
           password twenty times in quick succession (manually or by running a
           script), use the -minhours argument on the kaserver initialization
           command. The following error message appears if a user attempts to
           change a password before the minimum time has passed:

              Password was not changed because you changed it too
              recently; see your systems administrator

CAUTIONS

       The kpasswd command is only used by the obsolete Authentication Server
       It is provided for sites that have not yet migrated to a Kerberos
       version 5 KDC. The Authentication Server and supporting commands,
       including kpwvalid, will be removed in a future version of OpenAFS.

OPTIONS

       -x  Appears only for backwards compatibility.

       -principal <user name>
           Names the Authentication Database entry for which to change the
           password. If this argument is omitted, the database entry with the
           same name as the issuer's local identity (UNIX UID) is changed.

       -password <user's password>
           Specifies the current password. Omit this argument to have the
           command interpreter prompt for the password, which does not echo
           visibly:

              Old password: current_password

       -newpassword <user's new password>
           Specifies the new password, which the kpasswd command interpreter
           converts into an encryption key (string of octal numbers) before
           sending it to the Authentication Server for storage in the user's
           Authentication Database entry.

           Omit this argument to have the command interpreter prompt for the
           password, which does not echo visibly:

              New password (RETURN to abort): <new_password>
              Retype new password: <new_password>

       -cell <cell name>
           Specifies the cell in which to change the password, by directing
           the command to that cell's Authentication Servers. The issuer can
           abbreviate the cell name to the shortest form that distinguishes it
           from the other cells listed in the local /etc/openafs/CellServDB
           file.

           By default, the command is executed in the local cell, as defined

           o   First, by the value of the environment variable AFSCELL.

           o   Second, in the /etc/openafs/ThisCell file on the client machine
               on which the command is issued.

       -servers <explicit list of servers>
           Establishes a connection with the Authentication Server running on
           each specified machine, rather than with all of the database server
           machines listed for the relevant cell in the local copy of the
           /etc/openafs/CellServDB file. The kpasswd command interpreter then
           sends the password-changing request to one machine chosen at random
           from the set.

       -pipe
           Suppresses all output to the standard output stream or standard
           error stream. The kpasswd command interpreter expects to receive
           all necessary arguments, each on a separate line, from the standard
           input stream. Do not use this argument, which is provided for use
           by application programs rather than human users.

       -help
           Prints the online help for this command. All other valid options
           are ignored.

EXAMPLES

       The following example shows user pat changing her password in the ABC
       Corporation cell.

          % kpasswd
          Changing password for 'pat' in cell 'abc.com'.
          Old password:
          New password (RETURN to abort):
          Verifying, please re-enter new_password:

PRIVILEGE REQUIRED

       None

SEE ALSO

       kas_setfields(8), kas_setpassword(8), klog(1), kpwvalid(8)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.
       It was converted from HTML to POD by software written by Chas Williams
       and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.