kpasswd(1) User Commands kpasswd(1)
NAME
kpasswd - change a user's Kerberos password
SYNOPSIS
/usr/bin/kpasswd [principal]
DESCRIPTION
The kpasswd command is used to change a Kerberos principal's password. kpasswd prompts for the current Kerberos password, which is used to
obtain a changepw ticket from the KDC for the user's Kerberos realm. If kpasswd successfully obtains the changepw ticket, the user is
prompted twice for the new password, and the password is changed.
If the principal is governed by a policy that specifies the length and/or number of character classes required in the new password, the new
password must conform to the policy. (The five character classes are lower case, upper case, numbers, punctuation, and all other characters.)
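The policy check described above, sketched as an added example (not code from kpasswd or the KDC). The function names, the ASCII-based class boundaries and the policy values used in any call are assumptions of this example.

```python
import string

def char_class(ch):
    """Map one character to one of the five classes named in the man page.

    Assumption: classes are ASCII-based, so spaces, control characters and
    non-ASCII characters all fall into "other".
    """
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "number"
    if ch in string.punctuation:
        return "punctuation"
    return "other"

def check_policy(password, min_length, min_classes):
    """Return a list of policy violations; an empty list means it conforms."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} < {min_length}")
    classes = {char_class(c) for c in password}
    if len(classes) < min_classes:
        problems.append(f"{len(classes)} character classes < {min_classes}")
    return problems
```

A passphrase made only of lower-case words and spaces counts as two classes here, because the space falls into the fifth ("all other characters") class.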
OPERANDS
The following operand is supported:
principal
Change the password for the Kerberos principal principal. Otherwise, the principal is derived from the identity of the user invoking
the kpasswd command.
FILES
/tmp/ovsec_adm.xxxxxx
Temporary credentials cache for the lifetime of the password changing operation. (xxxxxx is a random string.)
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWkrbu |
+-----------------------------+-----------------------------+
|CSI |Enabled |
+-----------------------------+-----------------------------+
SEE ALSO
SEAM(5)
BUGS
If kpasswd is suspended, the changepw tickets may not be destroyed.
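A check for credentials caches left behind in this way, as an added example (not part of the Solaris tooling). It looks for the file name form given under FILES; the function name and the ten-minute age threshold are assumptions of this example.

```python
import fnmatch
import os
import stat
import time

# File name form from the FILES section: ovsec_adm. plus six random characters.
PATTERN = "ovsec_adm.??????"

def stale_changepw_caches(directory="/tmp", max_age_seconds=600, now=None):
    """List leftover password-change caches as (path, owner uid, age in seconds).

    A cache that exists during a password change is expected, so only files
    older than max_age_seconds (an assumed threshold) are reported.
    """
    now = time.time() if now is None else now
    found = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not fnmatch.fnmatchcase(entry.name, PATTERN):
                continue
            st = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, directories and other non-files
            age = now - st.st_mtime
            if age > max_age_seconds:
                found.append((entry.path, st.st_uid, int(age)))
    return sorted(found)

if __name__ == "__main__":
    for path, uid, age in stale_changepw_caches():
        print(f"{path} uid={uid} age={age}s")
```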
SunOS 5.10 30 Jul 2001 kpasswd(1)
KPASSWD(1) AFS Command Reference KPASSWD(1)
NAME
kpasswd - Changes the issuer's password in the Authentication Database
SYNOPSIS
kpasswd [-x] [-principal <user name>]
[-password <user's password>]
[-newpassword <user's new password>] [-cell <cell name>]
[-servers <explicit list of servers>+] [-pipe] [-help]
kpasswd [-x] [-pr <user name>] [-pa <user's password>]
[-n <user's new password>] [-c <cell name>]
[-s <explicit list of servers>+] [-pi] [-h]
DESCRIPTION
The kpasswd command changes the password recorded in an Authentication Database entry on the obsolete Authentication Server. By default,
the command interpreter changes the password for the AFS user name that matches the issuer's local identity (UNIX UID). To specify an
alternate user, include the -principal argument. The user named by the -principal argument does not have to appear in the local password
file (the /etc/passwd file or equivalent).
By default, the command interpreter sends the password change request to the Authentication Server running on one of the database server
machines listed for the local cell in the /etc/openafs/server/CellServDB file on the local disk; it chooses the machine at random. It
consults the /etc/openafs/ThisCell file on the local disk to learn the local cell name. To specify an alternate cell, include the -cell
argument.
Unlike the UNIX passwd command, the kpasswd command does not restrict passwords to eight characters or less; it accepts passwords of
virtually any length. All AFS commands that require passwords (including the klog, kpasswd, and AFS-modified login utilities, and the
commands in the kas suite) accept passwords longer than eight characters, but some other applications and operating system utilities do
not. Selecting an AFS password of eight characters or less enables the user to maintain matching AFS and UNIX passwords.
The command interpreter makes the following checks:
o If the program kpwvalid exists in the same directory as the kpasswd command, the command interpreter passes the new password to it for
verification. For details, see kpwvalid(8).
o If the -reuse argument to the kas setfields command has been used to prohibit reuse of previous passwords, the command interpreter
verifies that the password is not too similar to any of the user's previous 20 passwords. It generates the following error message at
the shell:
Password was not changed because it seems like a reused password
To prevent a user from subverting this restriction by changing the password twenty times in quick succession (manually or by running a
script), use the -minhours argument on the kaserver initialization command. The following error message appears if a user attempts to
change a password before the minimum time has passed:
Password was not changed because you changed it too
recently; see your systems administrator
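A small model of how the reuse check and the minimum-time check interact, as an added example (not OpenAFS code). It simplifies "too similar" to an exact match and assumes the current password counts among the 20 remembered ones; the class and function names are hypothetical.

```python
import hashlib
import hmac
from collections import deque

HISTORY = 20  # number of previous passwords compared, per the text above

class PasswordEntry:
    """Toy database entry: remembered password digests plus last-change time."""

    def __init__(self, password, now_hours, min_hours=0):
        self.min_hours = min_hours
        # Assumption: the current password is the newest of the 20 remembered.
        self.recent = deque([self._digest(password)], maxlen=HISTORY)
        self.changed_at = now_hours

    @staticmethod
    def _digest(password):
        # Stand-in for the stored key; exact-match comparison only.
        return hashlib.sha256(password.encode()).digest()

    def change(self, new_password, now_hours):
        if now_hours - self.changed_at < self.min_hours:
            return "too recently"
        digest = self._digest(new_password)
        if any(hmac.compare_digest(digest, old) for old in self.recent):
            return "reused"
        self.recent.append(digest)  # oldest digest drops off at 20 entries
        self.changed_at = now_hours
        return "changed"

def try_cycle(min_hours, step_hours):
    """Make HISTORY changes step_hours apart, then try the first password again.

    Returns (result of the final attempt, changes accepted, hours elapsed).
    """
    entry = PasswordEntry("first-password", now_hours=0, min_hours=min_hours)
    clock, accepted = 0, 0
    for i in range(HISTORY):
        clock += step_hours
        if entry.change(f"throwaway-{i}", clock) == "changed":
            accepted += 1
    clock += step_hours
    return entry.change("first-password", clock), accepted, clock
```

With no minimum time the first password is accepted again after twenty throwaway changes; with a 24-hour minimum the same sequence is refused outright, and spacing the changes 24 hours apart stretches the cycle to 504 hours.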
CAUTIONS
The kpasswd command is only used by the obsolete Authentication Server. It is provided for sites that have not yet migrated to a Kerberos
version 5 KDC. The Authentication Server and supporting commands, including kpwvalid, will be removed in a future version of OpenAFS.
OPTIONS
-x
Appears only for backwards compatibility.
-principal <user name>
Names the Authentication Database entry for which to change the password. If this argument is omitted, the database entry with the same
name as the issuer's local identity (UNIX UID) is changed.
-password <user's password>
Specifies the current password. Omit this argument to have the command interpreter prompt for the password, which does not echo
visibly:
Old password: current_password
-newpassword <user's new password>
Specifies the new password, which the kpasswd command interpreter converts into an encryption key (string of octal numbers) before
sending it to the Authentication Server for storage in the user's Authentication Database entry.
Omit this argument to have the command interpreter prompt for the password, which does not echo visibly:
New password (RETURN to abort): <new_password>
Retype new password: <new_password>
-cell <cell name>
Specifies the cell in which to change the password, by directing the command to that cell's Authentication Servers. The issuer can
abbreviate the cell name to the shortest form that distinguishes it from the other cells listed in the local /etc/openafs/CellServDB
file.
By default, the command is executed in the local cell, as defined:
o First, by the value of the environment variable AFSCELL.
o Second, in the /etc/openafs/ThisCell file on the client machine on which the command is issued.
-servers <explicit list of servers>
Establishes a connection with the Authentication Server running on each specified machine, rather than with all of the database server
machines listed for the relevant cell in the local copy of the /etc/openafs/CellServDB file. The kpasswd command interpreter then sends
the password-changing request to one machine chosen at random from the set.
-pipe
Suppresses all output to the standard output stream or standard error stream. The kpasswd command interpreter expects to receive all
necessary arguments, each on a separate line, from the standard input stream. Do not use this argument, which is provided for use by
application programs rather than human users.
-help
Prints the online help for this command. All other valid options are ignored.
EXAMPLES
The following example shows user pat changing her password in the ABC Corporation cell.
% kpasswd
Changing password for 'pat' in cell 'abc.com'.
Old password:
New password (RETURN to abort):
Verifying, please re-enter new_password:
PRIVILEGE REQUIRED
None
SEE ALSO
kas_setfields(8), kas_setpassword(8), klog(1), kpwvalid(8)
COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas
Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
OpenAFS 2012-03-26 KPASSWD(1)