Provided by: openafs-kpasswd_1.6.7-1ubuntu1.1_amd64 bug


       kpasswd - Changes the issuer's password in the Authentication Database


       kpasswd [-x] [-principal <user name>]
           [-password <user's password>]
           [-newpassword <user's new password>] [-cell <cell name>]
           [-servers <explicit list of servers>+] [-pipe] [-help]

       kpasswd [-x] [-pr <user name>] [-pa <user's password>]
           [-n <user's new password>] [-c <cell name>]
           [-s <explicit list of servers>+] [-pi] [-h]


       The kpasswd command changes the password recorded in an Authentication Database entry on
       the obsolete Authentication Server. By default, the command interpreter changes the
       password for the AFS user name that matches the issuer's local identity (UNIX UID). To
       specify an alternate user, include the -principal argument. The user named by the
       -principal argument does not have to appear in the local password file (the /etc/passwd
       file or equivalent).

       By default, the command interpreter sends the password change request to the
       Authentication Server running on one of the database server machines listed for the local
       cell in the /etc/openafs/server/CellServDB file on the local disk; it chooses the machine
       at random. It consults the /etc/openafs/ThisCell file on the local disk to learn the local
       cell name. To specify an alternate cell, include the -cell argument.

       Unlike the UNIX passwd command, the kpasswd command does not restrict passwords to eight
       characters or less; it accepts passwords of virtually any length. All AFS commands that
       require passwords (including the klog, kpasswd, and AFS-modified login utilities, and the
       commands in the kas suite) accept passwords longer than eight characters, but some other
       applications and operating system utilities do not. Selecting an AFS password of eight
       characters or less enables the user to maintain matching AFS and UNIX passwords.

       The command interpreter makes the following checks:

       •   If the program kpwvalid exists in the same directory as the kpasswd command, the
           command interpreter pass the new password to it for verification. For details, see

       •   If the -reuse argument to the kas setfields command has been used to prohibit reuse of
           previous passwords, the command interpreter verifies that the password is not too
           similar too any of the user's previous 20 passwords. It generates the following error
           message at the shell:

              Password was not changed because it seems like a reused password

           To prevent a user from subverting this restriction by changing the password twenty
           times in quick succession (manually or by running a script), use the -minhours
           argument on the kaserver initialization command. The following error message appears
           if a user attempts to change a password before the minimum time has passed:

              Password was not changed because you changed it too
              recently; see your systems administrator


       The kpasswd command is only used by the obsolete Authentication Server It is provided for
       sites that have not yet migrated to a Kerberos version 5 KDC. The Authentication Server
       and supporting commands, including kpwvalid, will be removed in a future version of


       -x  Appears only for backwards compatibility.

       -principal <user name>
           Names the Authentication Database entry for which to change the password. If this
           argument is omitted, the database entry with the same name as the issuer's local
           identity (UNIX UID) is changed.

       -password <user's password>
           Specifies the current password. Omit this argument to have the command interpreter
           prompt for the password, which does not echo visibly:

              Old password: current_password

       -newpassword <user's new password>
           Specifies the new password, which the kpasswd command interpreter converts into an
           encryption key (string of octal numbers) before sending it to the Authentication
           Server for storage in the user's Authentication Database entry.

           Omit this argument to have the command interpreter prompt for the password, which does
           not echo visibly:

              New password (RETURN to abort): <new_password>
              Retype new password: <new_password>

       -cell <cell name>
           Specifies the cell in which to change the password, by directing the command to that
           cell's Authentication Servers. The issuer can abbreviate the cell name to the shortest
           form that distinguishes it from the other cells listed in the local
           /etc/openafs/CellServDB file.

           By default, the command is executed in the local cell, as defined

           •   First, by the value of the environment variable AFSCELL.

           •   Second, in the /etc/openafs/ThisCell file on the client machine on which the
               command is issued.

       -servers <explicit list of servers>
           Establishes a connection with the Authentication Server running on each specified
           machine, rather than with all of the database server machines listed for the relevant
           cell in the local copy of the /etc/openafs/CellServDB file. The kpasswd command
           interpreter then sends the password-changing request to one machine chosen at random
           from the set.

           Suppresses all output to the standard output stream or standard error stream. The
           kpasswd command interpreter expects to receive all necessary arguments, each on a
           separate line, from the standard input stream. Do not use this argument, which is
           provided for use by application programs rather than human users.

           Prints the online help for this command. All other valid options are ignored.


       The following example shows user pat changing her password in the ABC Corporation cell.

          % kpasswd
          Changing password for 'pat' in cell ''.
          Old password:
          New password (RETURN to abort):
          Verifying, please re-enter new_password:




       kas_setfields(8), kas_setpassword(8), klog(1), kpwvalid(8)


       IBM Corporation 2000. <> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted
       from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by
       Alf Wachsmann and Elizabeth Cassell.