-rw-r--r--sys/man/1/passwd13
-rw-r--r--sys/src/cmd/auth/passwd.c33
2 files changed, 26 insertions, 20 deletions
diff --git a/sys/man/1/passwd b/sys/man/1/passwd
index 70d60532f..28343c054 100644
--- a/sys/man/1/passwd
+++ b/sys/man/1/passwd
@@ -4,6 +4,9 @@ passwd, netkey \- change or verify user password
.SH SYNOPSIS
.B passwd
[
+.IR -1
+]
+[
.IR username [@ domain ]
]
.PP
@@ -28,6 +31,16 @@ New passwords and secrets must be typed twice, to forestall mistakes.
New passwords must be sufficiently hard to guess.
They may be of any length greater than seven characters.
.PP
+By default, passwd requires the auth server to support
+.IR dp9ik (6).
+The
+.I -1
+flag forces
+.B passwd
+to authenticate using
+.IR p9sk1 (6).
+
+.PP
.I Netkey
prompts for a password to encrypt network challenges.
It is a substitute for a SecureNet box. It may only be run on a terminal.
diff --git a/sys/src/cmd/auth/passwd.c b/sys/src/cmd/auth/passwd.c
index db551d67c..eb14ddca8 100644
--- a/sys/src/cmd/auth/passwd.c
+++ b/sys/src/cmd/auth/passwd.c
@@ -7,7 +7,7 @@
void
main(int argc, char **argv)
{
- int fd, n, try;
+ int fd, n, dp9ik;
Ticketreq tr;
Ticket t;
Passwordreq pr;
@@ -15,7 +15,14 @@ main(int argc, char **argv)
char buf[512];
char *s, *user;
+ dp9ik = 1;
ARGBEGIN{
+ case '1':
+ dp9ik = 0;
+ break;
+ default:
+ fprint(2, "%s [-1]\n", argv0);
+ exits("usage");
}ARGEND
argv0 = "passwd";
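Review bot: The usage line in the new `default:` case is incomplete: it has no `usage:` prefix and leaves out the optional user operand that the man page synopsis in this same commit documents. `fprint(2, "usage: %s [-1] [user[@domain]]\n", argv0);` would match the synopsis. A one-line comment on `case '1':`, for example `/* -1: skip AuthPAK and authenticate with p9sk1 */`, would make it clear that the flag is an explicit opt-out of the default protocol. main's body starts and ends outside this hunk.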
@@ -48,31 +55,17 @@ main(int argc, char **argv)
memset(&pr, 0, sizeof(pr));
getpass(&key, pr.old, 0, 0);
- /*
- * negotiate PAK key. we need to retry in case the AS does
- * not support the AuthPAK request or when the user has
- * not yet setup a new key and the AS made one up.
- */
- try = 0;
- authpak_hash(&key, tr.uid);
- if(_asgetpakkey(fd, &tr, &key) < 0){
-Retry:
- try++;
- close(fd);
- fd = authdial(nil, s);
- if(fd < 0)
- error("authdial: %r");
+ if(dp9ik){
+ authpak_hash(&key, tr.uid);
+ if(_asgetpakkey(fd, &tr, &key) < 0)
+ error("%r");
}
- /* send ticket request to AS */
if(_asrequest(fd, &tr) < 0)
error("%r");
if(_asgetresp(fd, &t, nil, &key) < 0)
error("%r");
- if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0){
- if(try == 0)
- goto Retry;
+ if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0)
error("bad password");
- }
/* loop trying new passwords */
for(;;){
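Review bot: The new `if(dp9ik)` block drops the old comment without a replacement, so nothing records that an `_asgetpakkey` failure is now deliberately fatal rather than followed by a p9sk1 ticket request. A comment above the block such as `/* dp9ik: negotiate PAK key; never fall back to p9sk1 on failure, that would be a silent downgrade */` would keep a later change from reintroducing the retry. The removed comment also says the AS makes up a key for a user who has not set one up; if that still holds, that case now ends in `error("bad password")`, which misreports the cause. Consider `error(dp9ik ? "bad password or no dp9ik key" : "bad password");` so the user can tell the two apart. main begins and ends outside this hunk.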