keypasswd Command

Purpose

keypasswd manages the passwords which are used to access a user's private keystore.

Syntax

keypasswd [-S servicename] [-p privatekeystore | -k username]

Description

The keypasswd command allows a user to change the password of a private keystore. The user is prompted for the old and the new password of the keystore.

The -S option specifies which end-entity services and libraries to use while changing the password. Available services are defined in the /usr/lib/security/pki/ca.cfg file. When invoked without -S, keypasswd uses the local service. Specifying a servicename that does not have an entry in the /usr/lib/security/pki/ca.cfg file results in an error.

The -p option specifies the private keystore whose password is going to be changed. The -k option specifies the user's default private keystore. Specifying both the -k and -p options results in an error.

Flags

Item                 Description
-S servicename       Specifies which service module to use.
-p privatekeystore   Specifies the private keystore whose password is going to be changed.
-k username          Specifies that the keystore to be used is that of username.

Security

This is a privileged (set-UID root) command.

To change the password of a keystore one must know the password of the keystore.

Root and invokers belonging to group security are allowed to change the password of any keystore as long as they know the password of the keystore. A non-privileged user is allowed to change only the keystore file that they own.

Audit

This command records the following event information:

KEY_Password <username>
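
As an added example (not part of the original documentation), the following shell function scans printed audit records for KEY_Password events in which the invoking login differs from the user named in the event, which is how a change made by root or a member of group security to another user's keystore would appear. The record layout (an event/login/status/time/command line followed by an indented tail line holding the username), the status values and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag KEY_Password audit events where the invoking login
# differs from the user named in the event tail.
# ASSUMPTION: input is printed audit text with a record line
#   "event login status time... command" followed by an indented tail
#   line carrying the username. Adjust field numbers to your real output.

flag_cross_user_changes() {
    awk '
        # Record line for the event this command writes.
        $1 == "KEY_Password" {
            login = $2; status = $3; pending = 1
            next
        }
        # First indented, non-empty line after the record is the tail.
        pending && /^[ \t]+[^ \t]/ {
            target = $1
            if (target != login)
                printf "invoker=%s target=%s status=%s\n", login, target, status
            pending = 0
            next
        }
        # Any other record line ends the search for a tail.
        /^[^ \t]/ { pending = 0 }
    '
}

# Constructed sample records (not real audit data; names are hypothetical).
SAMPLE_AUDIT='event           login    status      time                     command
--------------- -------- ----------- ------------------------ ---------
KEY_Password    bob      OK          Thu Mar 14 10:12:01 2024 keypasswd
        bob
KEY_Password    root     OK          Thu Mar 14 10:15:42 2024 keypasswd
        alice
PASSWORD_Change carol    OK          Thu Mar 14 10:16:03 2024 passwd
        carol
KEY_Password    secadm   FAIL        Thu Mar 14 10:20:09 2024 keypasswd
        bob
'

# Report only the changes made on behalf of a different user.
printf '%s' "$SAMPLE_AUDIT" | flag_cross_user_changes
```

Changes a user makes to their own keystore produce no output, so every line reported is one to reconcile against an approved administrative action.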

Examples

  1. To change the password of the default private keystore that is owned by Bob, enter:
    $ keypasswd
    where the invoker is Bob.
  2. To change the password of any other private keystore, enter:
    $ keypasswd -p bob.keystore

Files

/usr/lib/security/ca.cfg

/usr/lib/security/policy.cfg