.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.de IX
..
.IX Title "KAS 8"
.TH KAS 8 "2017-12-15" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
kas \- Introduction to the kas command suite
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The commands in the \fBkas\fR command suite are the administrative interface
to the Authentication Server, an obsolete \s-1AFS\s0 server process that
maintains the Authentication Database and provides the authentication
tickets that client applications must present to \s-1AFS\s0 servers in order
to obtain access to \s-1AFS\s0 data and other services. It is used only for
cells still running the Authentication Server until they can migrate to a
Kerberos version 5 \s-1KDC.\s0
.PP
There are several categories of commands in the \fBkas\fR command suite:
.IP "\(bu" 4
Commands to create, modify, examine and delete entries in the
Authentication Database, including passwords:
\&\fBkas create\fR,
\&\fBkas delete\fR,
\&\fBkas examine\fR,
\&\fBkas list\fR,
\&\fBkas setfields\fR,
\&\fBkas setkey\fR,
\&\fBkas setpassword\fR,
and \fBkas unlock\fR.
.IP "\(bu" 4
Commands to create, delete, and examine tokens and server tickets:
\&\fBkas forgetticket\fR,
\&\fBkas listtickets\fR,
\&\fBkas noauthentication\fR,
and \fBkas stringtokey\fR.
.IP "\(bu" 4
A command to enter interactive mode:
\&\fBkas interactive\fR.
.IP "\(bu" 4
A command to trace Authentication Server operations:
\&\fBkas statistics\fR.
.IP "\(bu" 4
Commands to obtain help:
\&\fBkas apropos\fR and \fBkas help\fR.
.IP "\(bu" 4
A command to display the OpenAFS command suite version:
\fBkas version\fR.
.PP
Because of the sensitivity of information in the Authentication Database,
the Authentication Server authenticates issuers of \fBkas\fR commands
directly, rather than accepting the standard token generated by the Ticket
Granting Service. Any \fBkas\fR command that requires administrative
privilege prompts the issuer for a password. The resulting ticket is valid
for six hours unless the maximum ticket lifetime for the issuer or the
Authentication Server's Ticket Granting Service is shorter.
.PP
To avoid having to provide a password repeatedly when issuing a sequence
of \fBkas\fR commands, enter \fIinteractive mode\fR by issuing the
\&\fBkas interactive\fR command, typing \fBkas\fR without any operation code,
or typing \fBkas\fR followed by a user and cell name, separated by an
at-sign (\f(CW\*(C`@\*(C'\fR; an example is
\&\f(CW\*(C`kas smith.admin@abc.com\*(C'\fR). After prompting once for a
password, the Authentication Server accepts the resulting token for every
command issued during the interactive session. See \fIkas_interactive\fR\|(8)
for a discussion of when to use each method for entering interactive mode
and of the effects of entering a session.
.PP
The Authentication Server maintains two databases on the local disk of the
machine where it runs:
.IP "\(bu" 4
The Authentication Database (\fI/var/lib/openafs/db/kaserver.DB0\fR) stores
the information used to provide \s-1AFS\s0 authentication services to users
and servers, including the password scrambled as an encryption key. The
reference page for the \fBkas examine\fR command describes the information
in a database entry.
.IP "\(bu" 4
An auxiliary file (\fI/var/lib/openafs/local/kaauxdb\fR by default) that
tracks how often the user has provided an incorrect password to the local
Authentication Server. The reference page for the \fBkas setfields\fR
command describes how the Authentication Server uses this file to enforce
the limit on consecutive authentication failures. To designate an
alternate directory for the file, use the \fBkaserver\fR command's
\&\fB\-localfiles\fR argument.
.SH "CAUTIONS"
.IX Header "CAUTIONS"
The \fBkas\fR command suite is provided only for administration of the
obsolete Authentication Server for cells that have not yet migrated to a
Kerberos version 5 \s-1KDC.\s0 New deployments should not use the
Authentication Server, and it and the \fBkas\fR command suite will be
removed in a future version of OpenAFS.
.SH "OPTIONS"
.IX Header "OPTIONS"
The following arguments and flags are available on many commands in the
\&\fBkas\fR suite. (Some of them are unavailable on commands entered in
interactive mode, because the information they specify is established when
entering interactive mode and cannot be changed except by leaving
interactive mode.) The reference page for each command also lists them,
but they are described here in greater detail.
.IP "\fB\-admin_username\fR <\fIuser name\fR>" 4
.IX Item "-admin_username "
Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. If this argument is
omitted, the \fBkas\fR command interpreter requests authentication for the
identity under which the issuer is logged onto the local machine. Do not
combine this argument with the \fB\-noauth\fR flag.
.IP "\fB\-cell\fR <\fIcell name\fR>" 4
.IX Item "-cell "
Names the cell in which to run the command. It is acceptable to abbreviate
the cell name to the shortest form that distinguishes it from the other
entries in the \fI/etc/openafs/CellServDB\fR file on the local machine. If
the \fB\-cell\fR argument is omitted, the command interpreter determines the
name of the local cell by reading the following in order:
.RS 4
.IP "\(bu" 4
The value of the \s-1AFSCELL\s0 environment variable.
.IP "\(bu" 4
The local \fI/etc/openafs/ThisCell\fR file.
.RE
.RS 4
.Sp
The \fB\-cell\fR argument is not available on commands issued in interactive
mode. The cell defined when the \fBkas\fR command interpreter enters
interactive mode applies to all commands issued during the interactive
session.
.RE
.IP "\fB\-help\fR" 4
.IX Item "-help"
Prints a command's online help message on the standard output stream. Do
not combine this flag with any of the command's other options; when it is
provided, the command interpreter ignores all other options, and only
prints the help message.
.IP "\fB\-noauth\fR" 4
.IX Item "-noauth"
Establishes an unauthenticated connection to the Authentication Server, in
which the Authentication Server treats the issuer as the unprivileged user
\&\f(CW\*(C`anonymous\*(C'\fR. It is useful only when authorization checking is
disabled on the server machine (during the installation of a server machine
or when the \fBbos setauth\fR command has been used during other unusual
circumstances). In normal circumstances, the Authentication Server allows
only privileged users to issue most \fBkas\fR commands, and refuses to
perform such an action even if the \fB\-noauth\fR flag is provided. Do not
combine this flag with the \fB\-admin_username\fR and
\&\fB\-password_for_admin\fR arguments.
.IP "\fB\-password_for_admin\fR <\fIpassword\fR>" 4
.IX Item "-password_for_admin "
Specifies the password of the command's issuer. It is best to omit this
argument, which echoes the password visibly in the command shell, and
instead enter the password at the prompt. Do not combine this argument
with the \fB\-noauth\fR flag.
.IP "\fB\-servers\fR <\fImachine name\fR>+" 4
.IX Item "-servers +"
Establishes a connection with the Authentication Server running on each
specified database server machine, instead of on each machine listed in
the local \fI/etc/openafs/CellServDB\fR file. In either case, the \fBkas\fR
command interpreter then chooses one of the machines at random to contact
for execution of each subsequent command. The issuer can abbreviate the
machine name to the shortest form that allows the local name service to
identify it uniquely.
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
To issue most \fBkas\fR commands, the issuer must have the
\&\f(CW\*(C`ADMIN\*(C'\fR flag set in his or her Authentication Database entry
(use the \fBkas setfields\fR command to turn the flag on).
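.PP
The advice under \fB\-password_for_admin\fR can be checked after the fact. The following is an added example, not part of the OpenAFS documentation or code: a shell function that scans command lines (for instance a shell history file) for \fBkas\fR invocations that carry the password as an argument and prints them with the value redacted. The sample lines are constructed, and matching abbreviated spellings of the flag is an assumption about the command parser.

```shell
#!/bin/sh
# Added example (not OpenAFS code): flag kas invocations that pass the
# administrator password on the command line, printing them redacted.

# Constructed sample shell-history lines; users and passwords are made up.
sample_history() {
cat <<'EOF'
kas examine smith -admin_username admin
kas setpassword smith -admin_username admin -password_for_admin Hunter2x
kas list -admin_username admin -cell abc.com
/usr/sbin/kas create jones -p S3cretPw -cell abc.com
kas examine smith -noauth
EOF
}

# Reads command lines on stdin and writes "<line number>: <command>" for
# every kas command that uses -password_for_admin. Tokens that are a
# prefix of the flag (such as -p) also match; treating abbreviations as
# accepted is an assumption. The argument after the flag is replaced so
# the report never repeats the secret.
audit_kas_history() {
  awk '
    {
      cmd = $1
      sub(/^.*\//, "", cmd)            # drop any directory part
      if (cmd != "kas") next
      hit = 0
      for (i = 2; i <= NF; i++) {
        if (length($i) >= 2 && index("-password_for_admin", $i) == 1) {
          hit = 1
          if (i < NF) $(i + 1) = "<redacted>"
        }
      }
      if (hit) printf "%d: %s\n", NR, $0
    }'
}

# Stand-alone run over the constructed sample.
sample_history | audit_kas_history
```

To audit real data, pipe a history file into the function, for example `audit_kas_history < "$HISTFILE"`; commands wrapped in another program (such as sudo) are outside what this sketch matches.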
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fICellServDB\fR\|(5),
\&\fIkaserver.DB0\fR\|(5),
\&\fIkaserverauxdb\fR\|(5),
\&\fIkas_apropos\fR\|(8),
\&\fIkas_create\fR\|(8),
\&\fIkas_delete\fR\|(8),
\&\fIkas_examine\fR\|(8),
\&\fIkas_forgetticket\fR\|(8),
\&\fIkas_help\fR\|(8),
\&\fIkas_interactive\fR\|(8),
\&\fIkas_list\fR\|(8),
\&\fIkas_listtickets\fR\|(8),
\&\fIkas_noauthentication\fR\|(8),
\&\fIkas_quit\fR\|(8),
\&\fIkas_setfields\fR\|(8),
\&\fIkas_setpassword\fR\|(8),
\&\fIkas_statistics\fR\|(8),
\&\fIkas_stringtokey\fR\|(8),
\&\fIkas_unlock\fR\|(8),
\&\fIkaserver\fR\|(8)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
\&\s-1IBM\s0 Corporation 2000. All Rights Reserved.
.PP
This documentation is covered by the \s-1IBM\s0 Public License Version 1.0.
It was converted from \s-1HTML\s0 to \s-1POD\s0 by software written by
Chas Williams and Russ Allbery, based on work by Alf Wachsmann and
Elizabeth Cassell.