The kpwvalid command checks the quality of a new password passed to it from the kpasswd or kas setpassword command for the obsolete Authentication Server. It is optional. If it exists, it must reside in the same AFS directory as the binaries for the kpasswd and kas command suites (create a symbolic link from the client machine's local disk to this directory). The directory's ACL must extend the a (administer) and w (write) permissions to the system:administrators group only. These requirements prevent unauthorized users from substituting a spurious kpwvalid binary.

The AFS distribution includes an example kpwvalid program that checks that the password is at least eight characters long; the code for it appears in EXAMPLES below.

The script or program must accept a sequence of password strings, one per line, on the standard input stream. The first is the current password and is ignored. Each subsequent string is a candidate password to be checked. The program must write the following to the standard output stream for each one:

Further, it must write any error messages only to the standard error stream, not to the standard output stream.


The kpwvalid command is only used by the obsolete Authentication Server. It is provided for sites that have not yet migrated to a Kerberos version 5 KDC. The Authentication Server and supporting commands, including kpwvalid, will be removed in a future version of OpenAFS.


The following example program, included in the AFS distribution, verifies that the requested password includes eight or more characters.

   #include <stdio.h>
   #include <string.h>
   /* prints 0 if the password is long enough, otherwise non-zero */
   int main(void)
   {
      char oldpassword[512];
      char password[512];

      if (fgets(oldpassword, 512, stdin))
         while (fgets(password, 512, stdin)) {
            if (strlen(password) > 8) { /* password includes a newline */
               fputs("0\n", stdout);
               fflush(stdout);
            } else {
               fputs("Passwords must contain at least 8 characters.\n",
                     stderr);
               fputs("1\n", stdout);
               fflush(stdout);
            }
         }
      return 0;
   }
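The following variant is an added example, not part of the AFS distribution. It keeps the same stdin/stdout contract but handles two edge cases of line-based reading: a line longer than the buffer is rejected once instead of being re-read as several candidates, and a final line without a newline is measured correctly. The function names, the reject codes 1 and 2, and the "too long" message are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define MAXLINE 512 /* buffer size used by the distributed example */
#define MINLEN 8    /* minimum length used by the distributed example */

/* Classify one line as fgets() returned it: 0 = acceptable, 1 = too short,
 * 2 = did not fit in the buffer. The specific non-zero codes are assumed. */
int check_candidate(const char *line)
{
    size_t len = strlen(line);
    int complete = len > 0 && line[len - 1] == '\n';
    if (!complete && len == MAXLINE - 1)
        return 2;
    if (complete)
        len--; /* the newline is not part of the password */
    return len >= MINLEN ? 0 : 1;
}

static void skip_rest(FILE *in) /* discard the unread tail of a long line */
{
    int c;
    while ((c = getc(in)) != EOF && c != '\n')
        ;
}

/* Writes one verdict per candidate to out and diagnostics to err only.
 * Returns the number of rejected candidates. */
int kpwvalid_run(FILE *in, FILE *out, FILE *err)
{
    char line[MAXLINE];
    int verdict, rejected = 0;
    if (!fgets(line, sizeof line, in))
        return 0; /* no current password, nothing to check */
    if (check_candidate(line) == 2)
        skip_rest(in); /* current password is ignored, tail included */
    while (fgets(line, sizeof line, in)) {
        verdict = check_candidate(line);
        if (verdict == 2)
            skip_rest(in); /* else the tail is read as another candidate */
        if (verdict != 0) {
            fputs(verdict == 1 ? "Passwords must contain at least 8 characters.\n"
                               : "Password is too long.\n", err);
            rejected++;
        }
        fprintf(out, "%d\n", verdict);
        fflush(out);
    }
    return rejected;
}

int main(void) { return kpwvalid_run(stdin, stdout, stderr), 0; }
```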


