Changing Passwords
To change a principal's password use the kadmin change_password
command, which requires the "modify" administrative privilege (unless
the principal is changing his/her own password). The syntax is:
change_password [options] principal
The change_password option has the alias cpw.
change_password takes the following options:
- -randkey
- Sets the key of the principal to a random value.
- -pw password
- Sets the password to the string password. MIT does not
recommend using this option.
- -e "enc:salt..."
- Uses the specified list of enctype-salttype pairs for setting the key
of the principal. The quotes are necessary if there are multiple
enctype-salttype pairs. This will not function against kadmin daemons
earlier than krb5-1.2. See Supported Encryption Types and
Salts for possible values.
- -keepold
- Keeps the previous kvno's keys around. There is no easy way to delete
the old keys, and this flag is usually not necessary except perhaps for
TGS keys. Don't use this flag unless you know what you're doing.
For example:
kadmin: cpw david
Enter password for principal david@ATHENA.MIT.EDU: <= Type the new password.
Re-enter password for principal david@ATHENA.MIT.EDU: <= Type it again.
Password for david@ATHENA.MIT.EDU changed.
kadmin:
Note that change_password will not let you change the password to
one that is in the principal's password history.
