kas_setpassword - Changes the key field in an Authentication Database entry


kas setpassword -name <name of user> [-new_password <new password>] [-kvno <key version number>] [-admin_username <admin principal to use for authentication>] [-password_for_admin <admin password>] [-cell <cell name>] [-servers <explicit list of authentication servers>+] [-noauth] [-help]

kas setpasswd -na <name of user> [-ne <new password>] [-k <key version number>] [-a <admin principal to use for authentication>] [-p <admin password>] [-c <cell name>] [-s <explicit list of authentication servers>+] [-no] [-h]

kas setp -na <name of user> [-ne <new password>] [-k <key version number>] [-a <admin principal to use for authentication>] [-p <admin password>] [-c <cell name>] [-s <explicit list of authentication servers>+] [-no] [-h]

kas sp -na <name of user> [-ne <new password>] [-k <key version number>] [-a <admin principal to use for authentication>] [-p <admin password>] [-c <cell name>] [-s <explicit list of authentication servers>+] [-no] [-h]


The kas setpassword command accepts a character string of unlimited length, scrambles it into a form suitable for use as an encryption key, places it in the key field of the Authentication Database entry named by the -name argument, and assigns it the key version number specified by the -kvno argument.

To avoid making the password string visible at the shell prompt, omit the -new_password argument. Prompts then appear at the shell which do not echo the password visibly.

When changing the afs server key, also issue bos addkey command to add the key (with the same key version number) to the /usr/afs/etc/KeyFile file. See the OpenAFS Administration Guide for instructions.

The command interpreter checks the password string subject to the following conditions:


-name <name of user>

Names the entry in which to record the new key.

-new_password <new password>

Specifies the character string the user types when authenticating to AFS. Omit this argument and type the string at the resulting prompts so that the password does not echo visibly. Note that some non-AFS programs cannot handle passwords longer than eight characters.

-kvno <key version number>

Specifies the key version number associated with the new key. Provide an integer in the range from 0 through 255. If omitted, the default is 0 (zero), which is probably not desirable for server keys.

-admin_username <admin principal>

Specifies the user identity under which to authenticate with the Authentication Server for execution of the command. For more details, see kas(8).

-password_for_admin <admin password>

Specifies the password of the command's issuer. If it is omitted (as recommended), the kas command interpreter prompts for it and does not echo it visibly. For more details, see kas(8).

-cell <cell name>

Names the cell in which to run the command. For more details, see kas(8).

-servers <authentication servers>+

Names each machine running an Authentication Server with which to establish a connection. For more details, see kas(8).


Assigns the unprivileged identity anonymous to the issuer. For more details, see kas(8).


Prints the online help for this command. All other valid options are ignored.


In the following example, an administrator using the admin account changes the password for pat (presumably because pat forgot the former password or got locked out of his account in some other way).

   % kas setpassword pat
   Password for admin:
   Verifying, please re-enter new_password:


Individual users can change their own passwords. To change another user's password or the password (server encryption key) for server entries such as afs, the issuer must have the ADMIN flag set in his or her Authentication Database entry.


bos_addkey(8), kas(8), kaserver(8), kpwvalid(8)


IBM Corporation 2000. <> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.