jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-19 07:20:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f2cba414c1
openafs/doc/man-pages/pod8/kas_setpassword.pod
Russ Allbery 5f70221b2c Remove references to IBM AFS 
Change references to the documentation sets that we still ship to
reference the OpenAFS manuals instead of the IBM AFS manuals.  Remove
references to the IBM AFS/DFS Migration documentation, since that
doesn't appear to be available anywhere any more, replacing them where
relevant to more generic references to the DFS documentation.  Add
links to docs.openafs.org for mentions of the manuals in SEE ALSO, and
standardize on one link format.  Replace a few references to the IBM
AFS Release Notes with the actual information in those notes, or drop
the reference if it doesn't seem particularly useful.

Change-Id: Ie9666842f1315891c6a9c37c0424200f4b78bff7
Reviewed-on: http://gerrit.openafs.org/2031
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
2010-05-26 12:05:45 -07:00

173 lines
5.9 KiB
Plaintext
Raw Blame History

=head1 NAME
kas_setpassword - Changes the key field in an Authentication Database entry
=head1 SYNOPSIS
=for html
<div class="synopsis">
B<kas setpassword> S<<< B<-name> <I<name of user>> >>>
S<<< [B<-new_password> <I<new password>>] >>> S<<< [B<-kvno> <I<key version number>>] >>>
S<<< [B<-admin_username> <I<admin principal to use for authentication>>] >>>
S<<< [B<-password_for_admin> <I<admin password>>] >>> S<<< [B<-cell> <I<cell name>>] >>>
S<<< [B<-servers> <I<explicit list of authentication servers>>+] >>>
[B<-noauth>] [B<-help>]
B<kas setpasswd> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>>
S<<< [B<-k> <I<key version number>>] >>>
S<<< [B<-a> <I<admin principal to use for authentication>>] >>>
S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>>
S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>]
B<kas setp> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>>
S<<< [B<-k> <I<key version number>>] >>>
S<<< [B<-a> <I<admin principal to use for authentication>>] >>>
S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>>
S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>]
B<kas sp> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>>
S<<< [B<-k> <I<key version number>>] >>>
S<<< [B<-a> <I<admin principal to use for authentication>>] >>>
S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>>
S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>]
=for html
</div>
=head1 DESCRIPTION
The B<kas setpassword> command accepts a character string of unlimited
length, scrambles it into a form suitable for use as an encryption key,
places it in the key field of the Authentication Database entry named by
the B<-name> argument, and assigns it the key version number specified by
the B<-kvno> argument.
To avoid making the password string visible at the shell prompt, omit the
B<-new_password> argument. Prompts then appear at the shell which do not
echo the password visibly.
When changing the B<afs> server key, also issue B<bos addkey> command to
add the key (with the same key version number) to the
F</usr/afs/etc/KeyFile> file. See the I<OpenAFS Administration Guide> for
instructions.
The command interpreter checks the password string subject to the
following conditions:
=over 4
=item *
If there is a program called kpwvalid in the same directory as the B<kas>
binary, the command interpreter invokes it to process the password. For
details, see L<kpwvalid(8)>.
=item *
If the B<-reuse> argument to the B<kas setfields> command has been used to
prohibit reuse of previous passwords, the command interpreter verifies
that the password is not too similar too any of the user's previous 20
passwords. It generates the following error message at the shell:
Password was not changed because it seems like a reused password
To prevent a user from subverting this restriction by changing the
password twenty times in quick succession (manually or by running a
script), use the B<-minhours> argument on the B<kaserver> initialization
command. The following error message appears if a user attempts to change
a password before the minimum time has passed:
Password was not changed because you changed it too
recently; see your systems administrator
=back
=head1 OPTIONS
=over 4
=item B<-name> <I<name of user>>
Names the entry in which to record the new key.
=item B<-new_password> <I<new password>>
Specifies the character string the user types when authenticating to
AFS. Omit this argument and type the string at the resulting prompts so
that the password does not echo visibly. Note that some non-AFS programs
cannot handle passwords longer than eight characters.
=item B<-kvno> <I<key version number>>
Specifies the key version number associated with the new key. Provide an
integer in the range from C<0> through C<255>. If omitted, the default is
C<0> (zero), which is probably not desirable for server keys.
=item B<-admin_username> <I<admin principal>>
Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. For more details, see
L<kas(8)>.
=item B<-password_for_admin> <I<admin password>>
Specifies the password of the command's issuer. If it is omitted (as
recommended), the B<kas> command interpreter prompts for it and does not
echo it visibly. For more details, see L<kas(8)>.
=item B<-cell> <I<cell name>>
Names the cell in which to run the command. For more details, see
L<kas(8)>.
=item B<-servers> <I<authentication servers>>+
Names each machine running an Authentication Server with which to
establish a connection. For more details, see L<kas(8)>.
=item B<-noauth>
Assigns the unprivileged identity C<anonymous> to the issuer. For more
details, see L<kas(8)>.
=item B<-help>
Prints the online help for this command. All other valid options are
ignored.
=back
=head1 EXAMPLES
In the following example, an administrator using the C<admin> account
changes the password for C<pat> (presumably because C<pat> forgot the
former password or got locked out of his account in some other way).
% kas setpassword pat
Password for admin:
new_password:
Verifying, please re-enter new_password:
=head1 PRIVILEGE REQUIRED
Individual users can change their own passwords. To change another user's
password or the password (server encryption key) for server entries such
as C<afs>, the issuer must have the C<ADMIN> flag set in his or her
Authentication Database entry.
=head1 SEE ALSO
L<bos_addkey(8)>,
L<kas(8)>,
L<kaserver(8)>,
L<kpwvalid(8)>
=head1 COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
Reference in New Issue View Git Blame Copy Permalink