Commit | Line | Data |
---|---|---|
805e021f CE |
1 | =head1 NAME |
2 | ||
3 | kas_setpassword - Changes the key field in an Authentication Database entry | |
4 | ||
5 | =head1 SYNOPSIS | |
6 | ||
7 | =for html | |
8 | <div class="synopsis"> | |
9 | ||
10 | B<kas setpassword> S<<< B<-name> <I<name of user>> >>> | |
11 | S<<< [B<-new_password> <I<new password>>] >>> S<<< [B<-kvno> <I<key version number>>] >>> | |
12 | S<<< [B<-admin_username> <I<admin principal to use for authentication>>] >>> | |
13 | S<<< [B<-password_for_admin> <I<admin password>>] >>> S<<< [B<-cell> <I<cell name>>] >>> | |
14 | S<<< [B<-servers> <I<explicit list of authentication servers>>+] >>> | |
15 | [B<-noauth>] [B<-help>] | |
16 | ||
17 | B<kas setpasswd> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>> | |
18 | S<<< [B<-k> <I<key version number>>] >>> | |
19 | S<<< [B<-a> <I<admin principal to use for authentication>>] >>> | |
20 | S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>> | |
21 | S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>] | |
22 | ||
23 | B<kas setp> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>> | |
24 | S<<< [B<-k> <I<key version number>>] >>> | |
25 | S<<< [B<-a> <I<admin principal to use for authentication>>] >>> | |
26 | S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>> | |
27 | S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>] | |
28 | ||
29 | B<kas sp> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>> | |
30 | S<<< [B<-k> <I<key version number>>] >>> | |
31 | S<<< [B<-a> <I<admin principal to use for authentication>>] >>> | |
32 | S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>> | |
33 | S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>] | |
34 | ||
35 | =for html | |
36 | </div> | |
37 | ||
38 | =head1 DESCRIPTION | |
39 | ||
40 | The B<kas setpassword> command accepts a character string of unlimited | |
41 | length, scrambles it into a form suitable for use as an encryption key, | |
42 | places it in the key field of the Authentication Database entry named by | |
43 | the B<-name> argument, and assigns it the key version number specified by | |
44 | the B<-kvno> argument. | |
45 | ||
46 | To avoid making the password string visible at the shell prompt, omit the | |
47 | B<-new_password> argument. Prompts then appear at the shell which do not | |
48 | echo the password visibly. | |
49 | ||
50 | When changing the B<afs> server key, also issue the B<bos addkey> command to | |
51 | add the key (with the same key version number) to the | |
52 | F</usr/afs/etc/KeyFile> file. See the I<OpenAFS Administration Guide> for | |
53 | instructions. | |
54 | ||
55 | The command interpreter checks the password string subject to the | |
56 | following conditions: | |
57 | ||
58 | =over 4 | |
59 | ||
60 | =item * | |
61 | ||
62 | If there is a program called B<kpwvalid> in the same directory as the B<kas> | |
63 | binary, the command interpreter invokes it to process the password. For | |
64 | details, see L<kpwvalid(8)>. | |
65 | ||
66 | =item * | |
67 | ||
68 | If the B<-reuse> argument to the B<kas setfields> command has been used to | |
69 | prohibit reuse of previous passwords, the command interpreter verifies | |
70 | that the password is not too similar to any of the user's previous 20 | |
71 | passwords. If it is, it generates the following error message at the shell: | |
72 | ||
73 | Password was not changed because it seems like a reused password | |
74 | ||
75 | To prevent a user from subverting this restriction by changing the | |
76 | password twenty times in quick succession (manually or by running a | |
77 | script), use the B<-minhours> argument on the B<kaserver> initialization | |
78 | command. The following error message appears if a user attempts to change | |
79 | a password before the minimum time has passed: | |
80 | ||
81 | Password was not changed because you changed it too | |
82 | recently; see your systems administrator | |
83 | ||
84 | =back | |
85 | ||
86 | =head1 OPTIONS | |
87 | ||
88 | =over 4 | |
89 | ||
90 | =item B<-name> <I<name of user>> | |
91 | ||
92 | Names the entry in which to record the new key. | |
93 | ||
94 | =item B<-new_password> <I<new password>> | |
95 | ||
96 | Specifies the character string the user types when authenticating to | |
97 | AFS. Omit this argument and type the string at the resulting prompts so | |
98 | that the password does not echo visibly. Note that some non-AFS programs | |
99 | cannot handle passwords longer than eight characters. | |
100 | ||
101 | =item B<-kvno> <I<key version number>> | |
102 | ||
103 | Specifies the key version number associated with the new key. Provide an | |
104 | integer in the range from C<0> through C<255>. If omitted, the default is | |
105 | C<0> (zero), which is probably not desirable for server keys. | |
106 | ||
107 | =item B<-admin_username> <I<admin principal>> | |
108 | ||
109 | Specifies the user identity under which to authenticate with the | |
110 | Authentication Server for execution of the command. For more details, see | |
111 | L<kas(8)>. | |
112 | ||
113 | =item B<-password_for_admin> <I<admin password>> | |
114 | ||
115 | Specifies the password of the command's issuer. If it is omitted (as | |
116 | recommended), the B<kas> command interpreter prompts for it and does not | |
117 | echo it visibly. For more details, see L<kas(8)>. | |
118 | ||
119 | =item B<-cell> <I<cell name>> | |
120 | ||
121 | Names the cell in which to run the command. For more details, see | |
122 | L<kas(8)>. | |
123 | ||
124 | =item B<-servers> <I<authentication servers>>+ | |
125 | ||
126 | Names each machine running an Authentication Server with which to | |
127 | establish a connection. For more details, see L<kas(8)>. | |
128 | ||
129 | =item B<-noauth> | |
130 | ||
131 | Assigns the unprivileged identity C<anonymous> to the issuer. For more | |
132 | details, see L<kas(8)>. | |
133 | ||
134 | =item B<-help> | |
135 | ||
136 | Prints the online help for this command. All other valid options are | |
137 | ignored. | |
138 | ||
139 | =back | |
140 | ||
141 | =head1 EXAMPLES | |
142 | ||
143 | In the following example, an administrator using the C<admin> account | |
144 | changes the password for C<pat> (presumably because C<pat> forgot the | |
145 | former password or got locked out of his account in some other way). | |
146 | ||
147 | % kas setpassword pat | |
148 | Password for admin: | |
149 | new_password: | |
150 | Verifying, please re-enter new_password: | |
151 | ||
152 | =head1 PRIVILEGE REQUIRED | |
153 | ||
154 | Individual users can change their own passwords. To change another user's | |
155 | password or the password (server encryption key) for server entries such | |
156 | as C<afs>, the issuer must have the C<ADMIN> flag set in his or her | |
157 | Authentication Database entry. | |
158 | ||
159 | =head1 SEE ALSO | |
160 | ||
161 | L<bos_addkey(8)>, | |
162 | L<kas(8)>, | |
163 | L<kaserver(8)>, | |
164 | L<kpwvalid(8)> | |
165 | ||
166 | =head1 COPYRIGHT | |
167 | ||
168 | IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved. | |
169 | ||
170 | This documentation is covered by the IBM Public License Version 1.0. It was | |
171 | converted from HTML to POD by software written by Chas Williams and Russ | |
172 | Allbery, based on work by Alf Wachsmann and Elizabeth Cassell. |
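
The page advises omitting B<-new_password> and B<-password_for_admin> so the strings are never typed at the shell, and warns that the default key version number of C<0> is probably not desirable for server keys. The following check over recorded command lines is an added example, not part of the OpenAFS documentation or code. It assumes that any prefix between an option's shortest abbreviation and its full name is accepted and that bare arguments fill B<-name>, B<-new_password> and B<-kvno> in synopsis order; the sample lines are constructed.

```python
import shlex

COMMANDS = {"setpassword", "setpasswd", "setp", "sp"}  # names from the SYNOPSIS
# (shortest abbreviation, full option, takes a value), also from the SYNOPSIS
OPTIONS = [("-na", "-name", True), ("-ne", "-new_password", True),
           ("-k", "-kvno", True), ("-a", "-admin_username", True),
           ("-p", "-password_for_admin", True), ("-c", "-cell", True),
           ("-s", "-servers", True), ("-no", "-noauth", False),
           ("-h", "-help", False)]
POSITIONAL = ["-name", "-new_password", "-kvno"]  # assumption: synopsis order

def match_option(token):
    """Map a flag token to (full option, takes_value), or None.
    Assumption: any prefix from the shortest abbreviation up is accepted."""
    for short, full, takes_value in OPTIONS:
        if token.startswith(short) and full.startswith(token):
            return full, takes_value
    return None

def audit(line):
    """Return findings for one recorded 'kas setpassword' command line."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0].rsplit("/", 1)[-1] != "kas" or tok[1] not in COMMANDS:
        return []
    args, free, i = {}, [], 2
    while i < len(tok):
        opt = match_option(tok[i])
        i += 1
        if opt is None:                  # bare argument, resolved below
            free.append(tok[i - 1])
            continue
        args[opt[0]] = []
        while opt[1] and i < len(tok) and match_option(tok[i]) is None:
            args[opt[0]].append(tok[i])
            i += 1
            if opt[0] != "-servers":     # only -servers accepts a list
                break
    for name, value in zip([p for p in POSITIONAL if p not in args], free):
        args[name] = [value]
    findings = [f"{o} given on the command line"
                for o in ("-new_password", "-password_for_admin") if args.get(o)]
    kvno = (args.get("-kvno") or [None])[0]
    if kvno is None and args.get("-name") == ["afs"]:
        findings.append("afs key set with default kvno 0")
    elif kvno is not None and not (kvno.isdigit() and int(kvno) <= 255):
        findings.append(f"kvno {kvno!r} outside 0-255")
    return findings

if __name__ == "__main__":  # constructed sample lines, not real shell history
    for cmd in ("kas setpassword pat", "kas sp -na afs -ne s3cret -p adminpw"):
        print(cmd, "->", audit(cmd))
```

A finding for either password option means the string may also sit in shell history or a process listing, so the key it produced should be treated as exposed and changed again at the prompts.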