.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.if !\nF .nr F 0
.if \nF>0 \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    if !\nF==2 \{\
.        nr % 0
.        nr F 2
.    \}
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "KPASSWD 1"
.TH KPASSWD 1 "2017-12-15" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
kpasswd \- Changes the issuer's password in the Authentication Database
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBkpasswd\fR [\fB\-x\fR] [\fB\-principal\fR\ <\fIuser\ name\fR>]
    [\fB\-password\fR\ <\fIuser's\ password\fR>]
    [\fB\-newpassword\fR\ <\fIuser's\ new\ password\fR>] [\fB\-cell\fR\ <\fIcell\ name\fR>]
    [\fB\-servers\fR\ <\fIexplicit\ list\ of\ servers\fR>+] [\fB\-pipe\fR] [\fB\-help\fR]
.PP
\&\fBkpasswd\fR [\fB\-x\fR] [\fB\-pr\fR\ <\fIuser\ name\fR>] [\fB\-pa\fR\ <\fIuser's\ password\fR>]
    [\fB\-n\fR\ <\fIuser's\ new\ password\fR>] [\fB\-c\fR\ <\fIcell\ name\fR>]
    [\fB\-s\fR\ <\fIexplicit\ list\ of\ servers\fR>+] [\fB\-pi\fR] [\fB\-h\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBkpasswd\fR command changes the password recorded in an Authentication
Database entry on the obsolete Authentication Server. By default, the
command interpreter changes the password for the \s-1AFS\s0 user name that
matches the issuer's local identity (\s-1UNIX UID\s0). To specify an alternate
user, include the \fB\-principal\fR argument. The user named by the
\&\fB\-principal\fR argument does not have to appear in the local password file
(the \fI/etc/passwd\fR file or equivalent).
.PP
By default, the command interpreter sends the password change request to
the Authentication Server running on one of the database server machines
listed for the local cell in the \fI/etc/openafs/server/CellServDB\fR file on the
local disk; it chooses the machine at random. It consults the
\&\fI/etc/openafs/ThisCell\fR file on the local disk to learn the local cell
name. To specify an alternate cell, include the \fB\-cell\fR argument.
.PP
Unlike the \s-1UNIX\s0 \fBpasswd\fR command, the \fBkpasswd\fR command does not
restrict passwords to eight characters or less; it accepts passwords of
virtually any length. All \s-1AFS\s0 commands that require passwords (including
the \fBklog\fR, \fBkpasswd\fR, and AFS-modified login utilities, and the
commands in the \fBkas\fR suite) accept passwords longer than eight
characters, but some other applications and operating system utilities do
not. Selecting an \s-1AFS\s0 password of eight characters or less enables the
user to maintain matching \s-1AFS\s0 and \s-1UNIX\s0 passwords.
.PP
The command interpreter makes the following checks:
.IP "\(bu" 4
If the program \fBkpwvalid\fR exists in the same directory as the \fBkpasswd\fR
command, the command interpreter pass the new password to it for
verification. For details, see \fIkpwvalid\fR\|(8).
.IP "\(bu" 4
If the \fB\-reuse\fR argument to the kas setfields command has been used to
prohibit reuse of previous passwords, the command interpreter verifies
that the password is not too similar too any of the user's previous 20
passwords. It generates the following error message at the shell:
.Sp
.Vb 1
\&   Password was not changed because it seems like a reused password
.Ve
.Sp
To prevent a user from subverting this restriction by changing the
password twenty times in quick succession (manually or by running a
script), use the \fB\-minhours\fR argument on the \fBkaserver\fR initialization
command. The following error message appears if a user attempts to change
a password before the minimum time has passed:
.Sp
.Vb 2
\&   Password was not changed because you changed it too
\&   recently; see your systems administrator
.Ve
.SH "CAUTIONS"
.IX Header "CAUTIONS"
The \fBkpasswd\fR command is only used by the obsolete Authentication Server
It is provided for sites that have not yet migrated to a Kerberos version
5 \s-1KDC.\s0 The Authentication Server and supporting commands, including
\&\fBkpwvalid\fR, will be removed in a future version of OpenAFS.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-x\fR" 4
.IX Item "-x"
Appears only for backwards compatibility.
.IP "\fB\-principal\fR <\fIuser name\fR>" 4
.IX Item "-principal <user name>"
Names the Authentication Database entry for which to change the
password. If this argument is omitted, the database entry with the same
name as the issuer's local identity (\s-1UNIX UID\s0) is changed.
.IP "\fB\-password\fR <\fIuser's password\fR>" 4
.IX Item "-password <user's password>"
Specifies the current password. Omit this argument to have the command
interpreter prompt for the password, which does not echo visibly:
.Sp
.Vb 1
\&   Old password: current_password
.Ve
.IP "\fB\-newpassword\fR <\fIuser's new password\fR>" 4
.IX Item "-newpassword <user's new password>"
Specifies the new password, which the \fBkpasswd\fR command interpreter
converts into an encryption key (string of octal numbers) before sending
it to the Authentication Server for storage in the user's Authentication
Database entry.
.Sp
Omit this argument to have the command interpreter prompt for the
password, which does not echo visibly:
.Sp
.Vb 2
\&   New password (RETURN to abort): <new_password>
\&   Retype new password: <new_password>
.Ve
.IP "\fB\-cell\fR <\fIcell name\fR>" 4
.IX Item "-cell <cell name>"
Specifies the cell in which to change the password, by directing the
command to that cell's Authentication Servers. The issuer can abbreviate
the cell name to the shortest form that distinguishes it from the other
cells listed in the local \fI/etc/openafs/CellServDB\fR file.
.Sp
By default, the command is executed in the local cell, as defined
.RS 4
.IP "\(bu" 4
First, by the value of the environment variable \s-1AFSCELL.\s0
.IP "\(bu" 4
Second, in the \fI/etc/openafs/ThisCell\fR file on the client machine on
which the command is issued.
.RE
.RS 4
.RE
.IP "\fB\-servers\fR <\fIexplicit list of servers\fR>" 4
.IX Item "-servers <explicit list of servers>"
Establishes a connection with the Authentication Server running on each
specified machine, rather than with all of the database server machines
listed for the relevant cell in the local copy of the
\&\fI/etc/openafs/CellServDB\fR file. The \fBkpasswd\fR command interpreter then
sends the password-changing request to one machine chosen at random from
the set.
.IP "\fB\-pipe\fR" 4
.IX Item "-pipe"
Suppresses all output to the standard output stream or standard error
stream. The \fBkpasswd\fR command interpreter expects to receive all
necessary arguments, each on a separate line, from the standard input
stream. Do not use this argument, which is provided for use by application
programs rather than human users.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Prints the online help for this command. All other valid options are
ignored.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The following example shows user pat changing her password in the \s-1ABC\s0
Corporation cell.
.PP
.Vb 5
\&   % kpasswd
\&   Changing password for \*(Aqpat\*(Aq in cell \*(Aqabc.com\*(Aq.
\&   Old password:
\&   New password (RETURN to abort):
\&   Verifying, please re\-enter new_password:
.Ve
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
None
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIkas_setfields\fR\|(8),
\&\fIkas_setpassword\fR\|(8),
\&\fIklog\fR\|(1),
\&\fIkpwvalid\fR\|(8)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
\&\s-1IBM\s0 Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
.PP
This documentation is covered by the \s-1IBM\s0 Public License Version 1.0.  It was
converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.