Ah yes - so the steps to reset for security purposes was made more difficult. Letting users reset the password was a security risk since anyone could walk into a server lab and console access.
So step 1 will generate the new key, step 2 will scp that key so that you don't have to type it all, step 3 is activating the key. Emailing the hash to TAC is the only way to get the translation since it's encrypted with gpg keys.
Then once you activate -> login w/ the ampadmin user, go to Security -> Reset OS pw to change the pw to something easier (but still secure).