Changing AFS Passwords

After setting an initial password during account creation, you normally do not need to change user passwords, since they can use the kpasswd command themselves by following the instructions in the OpenAFS User Guide. In the rare event that a user forgets the password or otherwise cannot log in, you can use the kas setpassword command to set a new password.

If entries in the local password file (/etc/passwd or equivalent) have actual scrambled passwords in their password field, remember to change the password there also. For further discussion, see Specifying Passwords in the Local Password File.

To change an AFS password

  1. Issue the kas setpassword command to change the password. To avoid having the new password echo visibly on the screen, omit the -new_password argument; instead enter the password at the prompts that appear when you omit the argument, as shown.

    The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.

       % kas setpassword <name of user>  \
                         -admin <admin principal to use for authentication> 
       Administrator's (admin_user) password: <admin_password>
       new_password: <new_password>
       Verifying, please re-enter new_password: <new_password>



    Is an acceptable alias for setpassword (setp is the shortest acceptable abbreviation).

    name of user

    Names the Authentication Database entry for which to set the password.


    Names an administrative account that has the ADMIN flag on its Authentication Database entry, such as admin. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.


    Specifies the user's new password. It is subject to the restrictions imposed by the kpwvalid program, if you use it.