You can change your Kerberos password in two ways:
With the usual UNIX passwd command. With SEAM installed, the Solaris passwd command also automatically prompts for a new Kerberos password.
The advantage of using passwd instead of kpasswd is that you can set both passwords (UNIX and Kerberos) at the same time. However, generally you do not have to change both passwords with passwd; often you can change only your UNIX password and leave the Kerberos password untouched, or vice-versa.
The behavior of passwd depends on how the PAM module is configured. You may be required to change both passwords in some configurations. For some sites the UNIX password must be changed, while others require the Kerberos password to change.
With the kpasswd command. kpasswd is very similar to passwd. One difference is that kpasswd changes only Kerberos passwords -- you must use passwd if you want to change your UNIX password.
Another difference is that kpasswd can change a password for a Kerberos principal that is not a valid UNIX user. For example, david/admin is a Kerberos principal, but not an actual UNIX user, so you must use kpasswd instead of passwd.
Using kpasswd requires the use of the SEAM 1.0 administration system which is included in the SEAS 3.0 release. In addition, privacy support must be loaded to protect the requests to change the password.
After you change your password, it takes some time for the change to propagate through a system (especially over a large network). Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password first. If the new password doesn't work, try again using the old one.
Kerberos V5 allows system administrators to set criteria about allowable passwords for each user. Such criteria is defined by the policy set for each user (or by a default policy)-- see XREF for more on policies. For example, suppose that jennifer's policy (call it jenpol) mandates that passwords be at least eight letters long and include a mix of at least two kinds of characters. kpasswd will therefore reject an attempt to use sloth as a password:
% kpasswd kpasswd: Changing password for jennifer@ENG.ACME.COM. Old password: <jennifer enters her existing password> kpasswd: jennifer@ENG.ACME.COM's password is controlled by the policy jenpol which requires a minimum of 8 characters from at least 2 classes (the five classes are lowercase, uppercase, numbers, punctuation, and all other characters). New password: <jennifer enters 'sloth'> New password (again): <jennifer re-enters 'sloth'> kpasswd: New password is too short. Please choose a password which is at least 4 characters long. |
Here jennifer uses slothrop49 as a password. slothrop49 meets the criteria, because it is over eight letters long and contains two different kinds of characters (numbers and lowercase letters):
% kpasswd kpasswd: Changing password for jennifer@ENG.ACME.COM. Old password: <jennifer enters her existing password> kpasswd: jennifer@ENG.ACME.COM's password is controlled by the policy jenpol which requires a minimum of 8 characters from at least 2 classes (the five classes are lowercase, uppercase, numbers, punctuation, and all other characters). New password: <jennifer enters 'slothrop49'> New password (again): <jennifer re-enters 'slothrop49'> Kerberos password changed. |
The following example shows david changing both his UNIX and Kerberos passwords with passwd.
% passwd passwd: Changing password for david Enter login (NIS+) password: <enter the current UNIX password> New password: <enter the new UNIX password> Re-enter password: <confirm the new UNIX password> Old KRB5 password: <enter the current Kerberos password> New KRB5 password: <enter the new Kerberos password> Re-enter new KRB5 password: <confirm the new Kerberos password> |
In the above example passwd asks for both the UNIX and Kerberos password; however, if try_first_pass is set in the PAM module, the Kerberos password is automatically set to be the same as the UNIX password. (That is the default configuration.) In that case, david must use kpasswd to set his Kerberos password to something else, as shown next.
This example shows him changing only his Kerberos password with kpasswd:
% kpasswd kpasswd: Changing password for david@ENG.ACME.COM. Old password: <enter the current Kerberos password> New password: <enter the new Kerberos password> New password (again): <confirm the new Kerberos password> Kerberos password changed. |
In this example, david changes the password for the Kerberos principal david/admin (which is not a valid UNIX user). To do this he must use kpasswd.
% kpasswd david/admin kpasswd: Changing password for david/admin. Old password: <enter the current Kerberos password> New password: <enter the new Kerberos password> New password (again): <confirm the new Kerberos password> Kerberos password changed. |