Import Upstream version 1.8.5
=head1 NAME

kas_setpassword - Changes the key field in an Authentication Database entry

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<kas setpassword> S<<< B<-name> <I<name of user>> >>>
S<<< [B<-new_password> <I<new password>>] >>> S<<< [B<-kvno> <I<key version number>>] >>>
S<<< [B<-admin_username> <I<admin principal to use for authentication>>] >>>
S<<< [B<-password_for_admin> <I<admin password>>] >>> S<<< [B<-cell> <I<cell name>>] >>>
S<<< [B<-servers> <I<explicit list of authentication servers>>+] >>>
[B<-noauth>] [B<-help>]

B<kas setpasswd> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>>
S<<< [B<-k> <I<key version number>>] >>>
S<<< [B<-a> <I<admin principal to use for authentication>>] >>>
S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>>
S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>]

B<kas setp> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>>
S<<< [B<-k> <I<key version number>>] >>>
S<<< [B<-a> <I<admin principal to use for authentication>>] >>>
S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>>
S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>]

B<kas sp> S<<< B<-na> <I<name of user>> >>> S<<< [B<-ne> <I<new password>>] >>>
S<<< [B<-k> <I<key version number>>] >>>
S<<< [B<-a> <I<admin principal to use for authentication>>] >>>
S<<< [B<-p> <I<admin password>>] >>> S<<< [B<-c> <I<cell name>>] >>>
S<<< [B<-s> <I<explicit list of authentication servers>>+] >>> [B<-no>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<kas setpassword> command accepts a character string of unlimited
length, scrambles it into a form suitable for use as an encryption key,
places it in the key field of the Authentication Database entry named by
the B<-name> argument, and assigns it the key version number specified by
the B<-kvno> argument.

To avoid making the password string visible at the shell prompt, omit the
B<-new_password> argument. Prompts then appear at the shell which do not
echo the password visibly.

When changing the B<afs> server key, also issue the B<bos addkey> command to
add the key (with the same key version number) to the
F</usr/afs/etc/KeyFile> file. See the I<OpenAFS Administration Guide> for
instructions.

The command interpreter checks the password string subject to the
following conditions:

=over 4

=item *

If there is a program called kpwvalid in the same directory as the B<kas>
binary, the command interpreter invokes it to process the password. For
details, see L<kpwvalid(8)>.

=item *

If the B<-reuse> argument to the B<kas setfields> command has been used to
prohibit reuse of previous passwords, the command interpreter verifies
that the password is not too similar to any of the user's previous 20
passwords. It generates the following error message at the shell:

   Password was not changed because it seems like a reused password

To prevent a user from subverting this restriction by changing the
password twenty times in quick succession (manually or by running a
script), use the B<-minhours> argument on the B<kaserver> initialization
command. The following error message appears if a user attempts to change
a password before the minimum time has passed:

   Password was not changed because you changed it too
   recently; see your systems administrator

=back

=head1 OPTIONS

=over 4

=item B<-name> <I<name of user>>

Names the entry in which to record the new key.

=item B<-new_password> <I<new password>>

Specifies the character string the user types when authenticating to
AFS. Omit this argument and type the string at the resulting prompts so
that the password does not echo visibly. Note that some non-AFS programs
cannot handle passwords longer than eight characters.

=item B<-kvno> <I<key version number>>

Specifies the key version number associated with the new key. Provide an
integer in the range from C<0> through C<255>. If omitted, the default is
C<0> (zero), which is probably not desirable for server keys.

=item B<-admin_username> <I<admin principal>>

Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. For more details, see
L<kas(8)>.

=item B<-password_for_admin> <I<admin password>>

Specifies the password of the command's issuer. If it is omitted (as
recommended), the B<kas> command interpreter prompts for it and does not
echo it visibly. For more details, see L<kas(8)>.

=item B<-cell> <I<cell name>>

Names the cell in which to run the command. For more details, see
L<kas(8)>.

=item B<-servers> <I<authentication servers>>+

Names each machine running an Authentication Server with which to
establish a connection. For more details, see L<kas(8)>.

=item B<-noauth>

Assigns the unprivileged identity C<anonymous> to the issuer. For more
details, see L<kas(8)>.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 EXAMPLES

In the following example, an administrator using the C<admin> account
changes the password for C<pat> (presumably because C<pat> forgot the
former password or got locked out of his account in some other way).

   % kas setpassword pat
   Password for admin:
   new_password:
   Verifying, please re-enter new_password:

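The following audit sketch looks for the exposure that the DESCRIPTION and OPTIONS sections warn about: a password given as an argument instead of typed at the prompt. It is an added example, not part of the OpenAFS documentation or code. It assumes that any prefix at least as long as the SYNOPSIS abbreviation selects a flag and that a second bare word before the first flag is taken as the new password; the history lines and passwords are constructed.

```python
import shlex

# Constructed shell-history sample; every password below is a placeholder.
SAMPLE_HISTORY = [
    "kas setpassword pat",
    "kas setpassword -name pat -new_password CONSTRUCTED-pw-1",
    "kas sp -na pat -ne CONSTRUCTED-pw-2 -a admin -p CONSTRUCTED-admin-pw",
    "kas setp pat CONSTRUCTED-pw-3 -kvno 1",
    "kas examine pat",
]

SUBCOMMANDS = {"setpassword", "setpasswd", "setp", "sp"}  # spellings from the SYNOPSIS
# Full flag name -> shortest abbreviation shown in the SYNOPSIS.
FLAGS = {"name": "na", "new_password": "ne", "kvno": "k", "admin_username": "a",
         "password_for_admin": "p", "cell": "c", "servers": "s", "noauth": "no", "help": "h"}
SECRET_FLAGS = {"new_password", "password_for_admin"}

def match_flag(token):
    """Map '-ne', '-new_pass', ... to the full flag name; None if not a known flag."""
    word = token[1:] if token.startswith("-") else ""
    for full, shortest in FLAGS.items():
        if word and full.startswith(word) and word.startswith(shortest):
            return full
    return None

def exposed_secrets(command_line):
    """Return the secret arguments a kas setpassword command line carries in argv."""
    argv = shlex.split(command_line)
    for i, tok in enumerate(argv[:-1]):
        if tok.rsplit("/", 1)[-1] == "kas" and argv[i + 1] in SUBCOMMANDS:
            break
    else:
        return []  # not a kas setpassword invocation
    found, current, leading, seen_flag = [], None, 0, False
    for tok in argv[i + 2:]:
        flag = match_flag(tok)
        if flag:
            current, seen_flag = flag, True
        elif not seen_flag:
            leading += 1  # assumed positional order: name first, new password second
            if leading == 2:
                found.append("new_password")
        elif current in SECRET_FLAGS:
            found.append(current)  # a value follows a password-carrying flag
            current = None
    return found

def audit(lines):
    # Keep only the lines that expose a secret, mapped to what they expose.
    return {line: hits for line in lines if (hits := exposed_secrets(line))}
```

Running C<audit(SAMPLE_HISTORY)> reports three of the five constructed lines; the prompt-based form from the example above and the unrelated C<kas examine> line are not reported.
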
=head1 PRIVILEGE REQUIRED

Individual users can change their own passwords. To change another user's
password or the password (server encryption key) for server entries such
as C<afs>, the issuer must have the C<ADMIN> flag set in his or her
Authentication Database entry.

=head1 SEE ALSO

L<bos_addkey(8)>,
L<kas(8)>,
L<kaserver(8)>,
L<kpwvalid(8)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.