NAME

passwd, netkey – change or verify user password

SYNOPSIS

passwd [ username[@domain] ]
netkey
auth/cram [ –dn6 ] [ –u user ] [ –s server ] auth/plain [ –dn6 ] [ –u user ] [ –s server ]

DESCRIPTION

Passwd changes the invoker's Plan 9 password and/or APOP secret. The Plan 9 password is used to login to a terminal while the APOP secret is used for a number of external services: POP3, IMAP, and VPN access. The optional argument specifies the user name and authentication domain to use if different than the one associated with the machine passwd is run on.
The program first prompts for the old Plan 9 password in the specified domain to establish identity. It then prompts for changes to the password and the secret. New passwords and secrets must be typed twice, to forestall mistakes. New passwords must be sufficiently hard to guess. They may be of any length greater than seven characters.
Netkey prompts for a password to encrypt network challenges. It is a substitute for a SecureNet box.
Auth/cram and auth/plan generates a “cram” or “plain” response using factotum(4) and a key specified as follows (example for cram)
proto=cram role=client server=%q
proto=cram role=client server=%q user=%q
The –6 flag base–64 encodes the result. The –d flag turns on debugging. The output is suitable for interacting with cram authentication by hand.
These commands may be run only on a terminal, to avoid transmitting clear text passwords over the network.

SOURCE

/sys/src/cmd/auth/passwd.c
/sys/src/cmd/auth/netkey.c

SEE ALSO

readnvram in authsrv(2), encrypt(2), cons(3), auth(8), securenet(8)
Robert Morris and Ken Thompson, ``UNIX Password Security,'' AT&T Bell Laboratories Technical Journal Vol 63 (1984), pp. 1649–1672

BUGS

Now that cpu connections are always encrypted, the only good reason to require that these commands be run only on terminals is concern that the CPU server might be subverted.