NAME

       kas_setpassword - Changes the key field in an Authentication Database entry

SYNOPSIS

       kas setpassword -name <name of user>
           [-new_password <new password>] [-kvno <key version number>]
           [-admin_username <admin principal to use for authentication>]
           [-password_for_admin <admin password>] [-cell <cell name>]
           [-servers <explicit list of authentication servers>+]
           [-noauth] [-help]

       kas setpasswd -na <name of user> [-ne <new password>]
           [-k <key version number>]
           [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-s <explicit list of authentication servers>+] [-no] [-h]

       kas setp -na <name of user> [-ne <new password>]
           [-k <key version number>]
           [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-s <explicit list of authentication servers>+] [-no] [-h]

       kas sp -na <name of user> [-ne <new password>]
           [-k <key version number>]
           [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-s <explicit list of authentication servers>+] [-no] [-h]

DESCRIPTION

       The kas setpassword command accepts a character string of unlimited length, scrambles it into a form
       suitable for use as an encryption key, places it in the key field of the Authentication Database entry
       named by the -name argument, and assigns it the key version number specified by the -kvno argument.

       To avoid making the password string visible at the shell prompt, omit the -new_password argument. Prompts
       then appear at the shell which do not echo the password visibly.

       When changing the afs server key, also issue bos addkey command to add the key (with the same key version
       number) to the /etc/openafs/server/KeyFile file. See the OpenAFS Administration Guide for instructions.

       The command interpreter checks the password string subject to the following conditions:

       •   If  there  is  a  program  called  kpwvalid  in  the  same  directory  as the kas binary, the command
           interpreter invokes it to process the password. For details, see kpwvalid(8).

       •   If the -reuse argument to the kas setfields command has been  used  to  prohibit  reuse  of  previous
           passwords,  the  command  interpreter  verifies  that  the password is not too similar too any of the
           user's previous 20 passwords. It generates the following error message at the shell:

              Password was not changed because it seems like a reused password

           To prevent a user from subverting this restriction by changing the password  twenty  times  in  quick
           succession  (manually  or  by  running  a  script),  use  the  -minhours  argument  on  the  kaserver
           initialization command. The following error message appears if a user attempts to change  a  password
           before the minimum time has passed:

              Password was not changed because you changed it too
              recently; see your systems administrator

OPTIONS

       -name <name of user>
           Names the entry in which to record the new key.

       -new_password <new password>
           Specifies the character string the user types when authenticating to AFS. Omit this argument and type
           the  string  at the resulting prompts so that the password does not echo visibly. Note that some non-
           AFS programs cannot handle passwords longer than eight characters.

       -kvno <key version number>
           Specifies the key version number associated with the new key.  Provide an integer in the range from 0
           through 255. If omitted, the default is 0 (zero), which is probably not desirable for server keys.

       -admin_username <admin principal>
           Specifies the user identity under which to authenticate with the Authentication Server for  execution
           of the command. For more details, see kas(8).

       -password_for_admin <admin password>
           Specifies  the  password  of the command's issuer. If it is omitted (as recommended), the kas command
           interpreter prompts for it and does not echo it visibly. For more details, see kas(8).

       -cell <cell name>
           Names the cell in which to run the command. For more details, see kas(8).

       -servers <authentication servers>+
           Names each machine running an Authentication Server with which to establish a  connection.  For  more
           details, see kas(8).

       -noauth
           Assigns the unprivileged identity "anonymous" to the issuer. For more details, see kas(8).

       -help
           Prints the online help for this command. All other valid options are ignored.

EXAMPLES

       In  the  following  example,  an  administrator  using the "admin" account changes the password for "pat"
       (presumably because "pat" forgot the former password or got locked out of his account in some other way).

          % kas setpassword pat
          Password for admin:
          new_password:
          Verifying, please re-enter new_password:

PRIVILEGE REQUIRED

       Individual users can change their own passwords. To  change  another  user's  password  or  the  password
       (server  encryption  key)  for server entries such as "afs", the issuer must have the "ADMIN" flag set in
       his or her Authentication Database entry.

SEE ALSO

       bos_addkey(8), kas(8), kaserver(8), kpwvalid(8)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML  to  POD
       by  software  written  by  Chas  Williams  and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.

OpenAFS                                            2021-04-01                                 KAS_SETPASSWORD(8)