openafs/doc/html/AdminReference/auarf202.htm

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Administration Reference</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3672/auarf000.scr converted by idb2h R4.2 (359) ID      -->
<!-- Workbench Version (AIX) on 3 Oct 2000 at 16:18:30                -->
<META HTTP-EQUIV="updated" CONTENT="Tue, 03 Oct 2000 16:18:29">
<META HTTP-EQUIV="review" CONTENT="Wed, 03 Oct 2001 16:18:29">
<META HTTP-EQUIV="expires" CONTENT="Thu, 03 Oct 2002 16:18:29">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved    --> 
<BODY bgcolor="ffffff"> 
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Administration Reference</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf201.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auarf203.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<P>
<H2><A NAME="HDRKPASSWD" HREF="auarf002.htm#ToC_216">kpasswd</A></H2>
<A NAME="IDX5187"></A>
<A NAME="IDX5188"></A>
<A NAME="IDX5189"></A>
<A NAME="IDX5190"></A>
<A NAME="IDX5191"></A>
<A NAME="IDX5192"></A>
<A NAME="IDX5193"></A>
<P><STRONG>Purpose</STRONG>
<P>Changes the issuer's password in the Authentication Database
<P><STRONG>Synopsis</STRONG>
<PRE><B>kpasswd</B> [<B>-x</B>]  [<B>-principal</B> &lt;<VAR>user&nbsp;name</VAR>>]  [<B>-password</B> &lt;<VAR>user's&nbsp;password</VAR>>]
        [<B>-newpassword</B> &lt;<VAR>user's&nbsp;new&nbsp;password</VAR>>]  [<B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>>]
        [<B>-servers</B> &lt;<VAR>explicit&nbsp;list&nbsp;of&nbsp;servers</VAR>><SUP>+</SUP>]  [<B>-pipe</B>]  [<B>-help</B>]
   
<B>kpasswd</B> [<B>-x</B>]  [<B>-pr</B> &lt;<VAR>user&nbsp;name</VAR>>]  [<B>-pa</B> &lt;<VAR>user's&nbsp;password</VAR>>]  
        [<B>-n</B> &lt;<VAR>user's&nbsp;new&nbsp;password</VAR>>]  [<B>-c</B> &lt;<VAR>cell&nbsp;name</VAR>>]  
        [<B>-s</B> &lt;<VAR>explicit&nbsp;list&nbsp;of&nbsp;servers</VAR>><SUP>+</SUP>]  [<B>-pi</B>]  [<B>-h</B>] 
</PRE>
<P><STRONG>Description</STRONG>
<P>The <B>kpasswd</B> command changes the password recorded in an
Authentication Database entry. By default, the command interpreter
changes the password for the AFS user name that matches the issuer's
local identity (UNIX UID). To specify an alternate user, include the
<B>-principal</B> argument. The user named by the
<B>-principal</B> argument does not have to appear in the local password
file (the <B>/etc/passwd</B> file or equivalent).
<P>By default, the command interpreter sends the password change request to
the Authentication Server running on one of the database server machines
listed for the local cell in the <B>/usr/afs/etc/CellServDB</B> file on
the local disk; it chooses the machine at random. It consults the
<B>/usr/vice/etc/ThisCell</B> file on the local disk to learn the local
cell name. To specify an alternate cell, include the <B>-cell</B>
argument.
<P>Unlike the UNIX <B>passwd</B> command, the <B>kpasswd</B> command
does not restrict passwords to eight characters or less; it accepts
passwords of virtually any length. All AFS commands that require
passwords (including the <B>klog</B>, <B>kpasswd</B>, and AFS-modified
login utilities, and the commands in the <B>kas</B> suite) accept
passwords longer than eight characters, but some other applications and
operating system utilities do not. Selecting an AFS password of eight
characters or less enables the user to maintain matching AFS and UNIX
passwords.
<P>The command interpreter makes the following checks:
<UL>
<P><LI>If the program <B>kpwvalid</B> exists in the same directory as the
<B>kpasswd</B> command, the command interpreter pass the new password to
it for verification. For details, see the <B>kpwvalid</B> reference
page.
<P><LI>If the <B>-reuse</B> argument to the <B>kas setfields</B> command
has been used to prohibit reuse of previous passwords, the command interpreter
verifies that the password is not too similar too any of the user's
previous 20 passwords. It generates the following error message at the
shell: 
<PRE>   Password was not changed because it seems like a reused password
   
</PRE>
<P>To prevent a user from subverting this restriction by changing the password
twenty times in quick succession (manually or by running a script), use the
<B>-minhours</B> argument on the <B>kaserver</B> initialization
command. The following error message appears if a user attempts to
change a password before the minimum time has passed:
<PRE>   Password was not changed because you changed it too 
   recently; see your systems administrator
</PRE>
</UL>
<P><STRONG>Options</STRONG>
<DL>
<P><DT><B>-x
</B><DD>Appears only for backwards compatibility.
<P><DT><B>-principal
</B><DD>Names the Authentication Database entry for which to change the
password. If this argument is omitted, the database entry with the same
name as the issuer's local identity (UNIX UID) is changed.
<P><DT><B>-password
</B><DD>Specifies the current password. Omit this argument to have the
command interpreter prompt for the password, which does not echo
visibly:
<PRE>   Old password: <VAR>current_password</VAR>
   
</PRE>
<P><DT><B>-newpassword
</B><DD>Specifies the new password, which the <B>kpasswd</B> command
interpreter converts into an encryption key (string of octal numbers) before
sending it to the Authentication Server for storage in the user's
Authentication Database entry.
<P>Omit this argument to have the command interpreter prompt for the password,
which does not echo visibly:
<PRE>   New password (RETURN to abort): <VAR>new_password</VAR> 
   Retype new password: <VAR>new_password</VAR>
   
</PRE>
<P><DT><B>-cell
</B><DD>Specifies the cell in which to change the password, by directing the
command to that cell's Authentication Servers. The issuer can
abbreviate the cell name to the shortest form that distinguishes it from the
other cells listed in the local <B>/usr/vice/etc/CellServDB</B>
file.
<P>By default, the command is executed in the local cell, as defined 
<UL>
<P><LI>First, by the value of the environment variable AFSCELL
<P><LI>Second, in the <B>/usr/vice/etc/ThisCell</B> file on the client
machine on which the command is issued
</UL>
<P><DT><B>-servers
</B><DD>Establishes a connection with the Authentication Server running on each
specified machine, rather than with all of the database server machines listed
for the relevant cell in the local copy of the
<B>/usr/vice/etc/CellServDB</B> file. The <B>kpasswd</B>
command interpreter then sends the password-changing request to one machine
chosen at random from the set.
<P><DT><B>-pipe
</B><DD>Suppresses all output to the standard output stream or standard error
stream. The <B>kpasswd</B> command interpreter expects to receive
all necessary arguments, each on a separate line, from the standard input
stream. Do not use this argument, which is provided for use by
application programs rather than human users.
<P><DT><B>-help
</B><DD>Prints the online help for this command. All other valid options
are ignored.
</DL>
<P><STRONG>Examples</STRONG>
<P>The following example shows user <B>pat</B> changing her password in
the ABC Corporation cell.
<PRE>   % <B>kpasswd</B>
   Changing password for 'pat' in cell 'abc.com'.
   Old password:
   New password (RETURN to abort):
   Verifying, please re-enter new_password:
   
</PRE>
<P><STRONG>Privilege Required</STRONG>
<P>None
<P><STRONG>Related Information</STRONG>
<P><A HREF="auarf193.htm#HDRKAS_SETFIELDS">kas setfields</A>
<P><A HREF="auarf194.htm#HDRKAS_SETPASSWORD">kas setpassword</A>
<P><A HREF="auarf200.htm#HDRKLOG">klog</A>
<P><A HREF="auarf203.htm#HDRKPWVALID">kpwvalid</A>
<P>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf201.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auarf203.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<!-- Begin Footer Records  ========================================== -->
<P><HR><B> 
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A>  All Rights Reserved 
</B> 
<!-- End Footer Records  ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>
initial-html-documentation-20010606 pull in all documentation from IBM 2001-06-06 20:09:07 +01:00			`<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">`
			`<HTML><HEAD>`
			`<TITLE>Administration Reference</TITLE>`
			`<!-- Begin Header Records ========================================== -->`
			`<!-- /tmp/idwt3672/auarf000.scr converted by idb2h R4.2 (359) ID -->`
			`<!-- Workbench Version (AIX) on 3 Oct 2000 at 16:18:30 -->`
			`<META HTTP-EQUIV="updated" CONTENT="Tue, 03 Oct 2000 16:18:29">`
			`<META HTTP-EQUIV="review" CONTENT="Wed, 03 Oct 2001 16:18:29">`
			`<META HTTP-EQUIV="expires" CONTENT="Thu, 03 Oct 2002 16:18:29">`
			`</HEAD><BODY>`
			`<!-- (C) IBM Corporation 2000. All Rights Reserved -->`
			`<BODY bgcolor="ffffff">`
			`<!-- End Header Records ============================================ -->`
			`<A NAME="Top_Of_Page"></A>`
			`<H1>Administration Reference</H1>`
			<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf201.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auarf203.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
			`<P>`
			`<H2><A NAME="HDRKPASSWD" HREF="auarf002.htm#ToC_216">kpasswd</A></H2>`
			`<A NAME="IDX5187"></A>`
			`<A NAME="IDX5188"></A>`
			`<A NAME="IDX5189"></A>`
			`<A NAME="IDX5190"></A>`
			`<A NAME="IDX5191"></A>`
			`<A NAME="IDX5192"></A>`
			`<A NAME="IDX5193"></A>`
			`<P><STRONG>Purpose</STRONG>`
			`<P>Changes the issuer's password in the Authentication Database`
			`<P><STRONG>Synopsis</STRONG>`
			`<PRE><B>kpasswd</B> [<B>-x</B>] [<B>-principal</B> <<VAR>user name</VAR>>] [<B>-password</B> <<VAR>user's password</VAR>>]`
			`[<B>-newpassword</B> <<VAR>user's new password</VAR>>] [<B>-cell</B> <<VAR>cell name</VAR>>]`
			`[<B>-servers</B> <<VAR>explicit list of servers</VAR>><SUP>+</SUP>] [<B>-pipe</B>] [<B>-help</B>]`

			`<B>kpasswd</B> [<B>-x</B>] [<B>-pr</B> <<VAR>user name</VAR>>] [<B>-pa</B> <<VAR>user's password</VAR>>]`
			`[<B>-n</B> <<VAR>user's new password</VAR>>] [<B>-c</B> <<VAR>cell name</VAR>>]`
			`[<B>-s</B> <<VAR>explicit list of servers</VAR>><SUP>+</SUP>] [<B>-pi</B>] [<B>-h</B>]`
			`</PRE>`
			`<P><STRONG>Description</STRONG>`
			`<P>The <B>kpasswd</B> command changes the password recorded in an`
			`Authentication Database entry. By default, the command interpreter`
			`changes the password for the AFS user name that matches the issuer's`
			`local identity (UNIX UID). To specify an alternate user, include the`
			`<B>-principal</B> argument. The user named by the`
			`<B>-principal</B> argument does not have to appear in the local password`
			`file (the <B>/etc/passwd</B> file or equivalent).`
			`<P>By default, the command interpreter sends the password change request to`
			`the Authentication Server running on one of the database server machines`
			`listed for the local cell in the <B>/usr/afs/etc/CellServDB</B> file on`
			`the local disk; it chooses the machine at random. It consults the`
			`<B>/usr/vice/etc/ThisCell</B> file on the local disk to learn the local`
			`cell name. To specify an alternate cell, include the <B>-cell</B>`
			`argument.`
			`<P>Unlike the UNIX <B>passwd</B> command, the <B>kpasswd</B> command`
			`does not restrict passwords to eight characters or less; it accepts`
			`passwords of virtually any length. All AFS commands that require`
			`passwords (including the <B>klog</B>, <B>kpasswd</B>, and AFS-modified`
			`login utilities, and the commands in the <B>kas</B> suite) accept`
			`passwords longer than eight characters, but some other applications and`
			`operating system utilities do not. Selecting an AFS password of eight`
			`characters or less enables the user to maintain matching AFS and UNIX`
			`passwords.`
			`<P>The command interpreter makes the following checks:`
			`<UL>`
			`<P><LI>If the program <B>kpwvalid</B> exists in the same directory as the`
			`<B>kpasswd</B> command, the command interpreter pass the new password to`
			`it for verification. For details, see the <B>kpwvalid</B> reference`
			`page.`
			`<P><LI>If the <B>-reuse</B> argument to the <B>kas setfields</B> command`
			`has been used to prohibit reuse of previous passwords, the command interpreter`
			`verifies that the password is not too similar too any of the user's`
			`previous 20 passwords. It generates the following error message at the`
			`shell:`
			`<PRE> Password was not changed because it seems like a reused password`

			`</PRE>`
			`<P>To prevent a user from subverting this restriction by changing the password`
			`twenty times in quick succession (manually or by running a script), use the`
			`<B>-minhours</B> argument on the <B>kaserver</B> initialization`
			`command. The following error message appears if a user attempts to`
			`change a password before the minimum time has passed:`
			`<PRE> Password was not changed because you changed it too`
			`recently; see your systems administrator`
			`</PRE>`
			`</UL>`
			`<P><STRONG>Options</STRONG>`
			`<DL>`
			`<P><DT><B>-x`
			`</B><DD>Appears only for backwards compatibility.`
			`<P><DT><B>-principal`
			`</B><DD>Names the Authentication Database entry for which to change the`
			`password. If this argument is omitted, the database entry with the same`
			`name as the issuer's local identity (UNIX UID) is changed.`
			`<P><DT><B>-password`
			`</B><DD>Specifies the current password. Omit this argument to have the`
			`command interpreter prompt for the password, which does not echo`
			`visibly:`
			`<PRE> Old password: <VAR>current_password</VAR>`

			`</PRE>`
			`<P><DT><B>-newpassword`
			`</B><DD>Specifies the new password, which the <B>kpasswd</B> command`
			`interpreter converts into an encryption key (string of octal numbers) before`
			`sending it to the Authentication Server for storage in the user's`
			`Authentication Database entry.`
			`<P>Omit this argument to have the command interpreter prompt for the password,`
			`which does not echo visibly:`
			`<PRE> New password (RETURN to abort): <VAR>new_password</VAR>`
			`Retype new password: <VAR>new_password</VAR>`

			`</PRE>`
			`<P><DT><B>-cell`
			`</B><DD>Specifies the cell in which to change the password, by directing the`
			`command to that cell's Authentication Servers. The issuer can`
			`abbreviate the cell name to the shortest form that distinguishes it from the`
			`other cells listed in the local <B>/usr/vice/etc/CellServDB</B>`
			`file.`
			`<P>By default, the command is executed in the local cell, as defined`
			`<UL>`
			`<P><LI>First, by the value of the environment variable AFSCELL`
			`<P><LI>Second, in the <B>/usr/vice/etc/ThisCell</B> file on the client`
			`machine on which the command is issued`
			`</UL>`
			`<P><DT><B>-servers`
			`</B><DD>Establishes a connection with the Authentication Server running on each`
			`specified machine, rather than with all of the database server machines listed`
			`for the relevant cell in the local copy of the`
			`<B>/usr/vice/etc/CellServDB</B> file. The <B>kpasswd</B>`
			`command interpreter then sends the password-changing request to one machine`
			`chosen at random from the set.`
			`<P><DT><B>-pipe`
			`</B><DD>Suppresses all output to the standard output stream or standard error`
			`stream. The <B>kpasswd</B> command interpreter expects to receive`
			`all necessary arguments, each on a separate line, from the standard input`
			`stream. Do not use this argument, which is provided for use by`
			`application programs rather than human users.`
			`<P><DT><B>-help`
			`</B><DD>Prints the online help for this command. All other valid options`
			`are ignored.`
			`</DL>`
			`<P><STRONG>Examples</STRONG>`
			`<P>The following example shows user <B>pat</B> changing her password in`
			`the ABC Corporation cell.`
			`<PRE> % <B>kpasswd</B>`
			`Changing password for 'pat' in cell 'abc.com'.`
			`Old password:`
			`New password (RETURN to abort):`
			`Verifying, please re-enter new_password:`

			`</PRE>`
			`<P><STRONG>Privilege Required</STRONG>`
			`<P>None`
			`<P><STRONG>Related Information</STRONG>`
			`<P><A HREF="auarf193.htm#HDRKAS_SETFIELDS">kas setfields</A>`
			`<P><A HREF="auarf194.htm#HDRKAS_SETPASSWORD">kas setpassword</A>`
			`<P><A HREF="auarf200.htm#HDRKLOG">klog</A>`
			`<P><A HREF="auarf203.htm#HDRKPWVALID">kpwvalid</A>`
			`<P>`
			<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf201.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auarf203.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
			`<!-- Begin Footer Records ========================================== -->`
			`<P><HR><B>`
			`<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved`
			`</B>`
			`<!-- End Footer Records ============================================ -->`
			`<A NAME="Bot_Of_Page"></A>`
			`</BODY></HTML>`