.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .if !\nF .nr F 0 .if \nF>0 \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} .\} .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "KAS_EXAMINE 8" .TH KAS_EXAMINE 8 "2017-12-15" "OpenAFS" "AFS Command Reference" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" kas_examine \- Displays information from an Authentication Database entry .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBkas examine\fR \fB\-name\fR\ <\fIname\ of\ user\fR> [\fB\-showkey\fR] [\fB\-admin_username\fR\ <\fIadmin\ principal\ to\ use\ for\ authentication\fR>] [\fB\-password_for_admin\fR\ <\fIadmin\ password\fR>] [\fB\-cell\fR\ <\fIcell\ name\fR>] [\fB\-servers\fR\ <\fIexplicit\ list\ of\ authentication\ servers\fR>+] [\fB\-noauth\fR] [\fB\-help\fR] .PP \&\fBkas e\fR \fB\-na\fR\ <\fIname\ of\ user\fR> [\fB\-sh\fR] [\fB\-a\fR\ <\fIadmin\ principal\ to\ use\ for\ authentication\fR>] [\fB\-p\fR\ <\fIadmin\ password\fR>] [\fB\-c\fR\ <\fIcell\ name\fR>] [\fB\-se\fR\ <\fIexplicit\ list\ of\ authentication\ servers\fR>+] [\fB\-no\fR] [\fB\-h\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBkas examine\fR command formats and displays information from the Authentication Database entry of the user named by the \fB\-name\fR argument. .PP To alter the settings displayed with this command, issue the \fBkas setfields\fR command. .SH "CAUTIONS" .IX Header "CAUTIONS" Displaying actual keys on the standard output stream by including the \&\fB\-showkey\fR flag constitutes a security exposure. For most purposes, it is sufficient to display a checksum. .SH "OPTIONS" .IX Header "OPTIONS" .IP "\fB\-name\fR <\fIname of user\fR>" 4 .IX Item "-name " Names the Authentication Database entry from which to display information. .IP "\fB\-showkey\fR" 4 .IX Item "-showkey" Displays the octal digits that constitute the key. The issuer must have the \f(CW\*(C`ADMIN\*(C'\fR flag on his or her Authentication Database entry. .IP "\fB\-admin_username\fR <\fIadmin principal\fR>" 4 .IX Item "-admin_username " Specifies the user identity under which to authenticate with the Authentication Server for execution of the command. For more details, see \&\fIkas\fR\|(8). .IP "\fB\-password_for_admin\fR <\fIadmin password\fR>" 4 .IX Item "-password_for_admin " Specifies the password of the command's issuer. If it is omitted (as recommended), the \fBkas\fR command interpreter prompts for it and does not echo it visibly. For more details, see \fIkas\fR\|(8). .IP "\fB\-cell\fR <\fIcell name\fR>" 4 .IX Item "-cell " Names the cell in which to run the command. For more details, see \&\fIkas\fR\|(8). .IP "\fB\-servers\fR <\fIauthentication servers\fR>+" 4 .IX Item "-servers +" Names each machine running an Authentication Server with which to establish a connection. For more details, see \fIkas\fR\|(8). .IP "\fB\-noauth\fR" 4 .IX Item "-noauth" Assigns the unprivileged identity \f(CW\*(C`anonymous\*(C'\fR to the issuer. For more details, see \fIkas\fR\|(8). .IP "\fB\-help\fR" 4 .IX Item "-help" Prints the online help for this command. All other valid options are ignored. .SH "OUTPUT" .IX Header "OUTPUT" The output includes: .IP "\(bu" 4 The entry name, following the string \f(CW\*(C`User data for\*(C'\fR. .IP "\(bu" 4 One or more status flags in parentheses; they appear only if an administrator has used the \fBkas setfields\fR command to change them from their default values. A plus sign (\f(CW\*(C`+\*(C'\fR) separates the flags if there is more than one. The nondefault values that can appear, and their meanings, are as follows: .RS 4 .IP "\s-1ADMIN\s0" 4 .IX Item "ADMIN" Enables the user to issue privileged \fBkas\fR commands (default is \&\f(CW\*(C`NOADMIN\*(C'\fR). .IP "\s-1NOTGS\s0" 4 .IX Item "NOTGS" Prevents the user from obtaining tickets from the Authentication Server's Ticket Granting Service (default is \f(CW\*(C`TGS\*(C'\fR). .IP "\s-1NOSEAL\s0" 4 .IX Item "NOSEAL" Prevents the Ticket Granting Service from using the entry's key field as an encryption key (default is \f(CW\*(C`SEAL\*(C'\fR). .IP "\s-1NOCPW\s0" 4 .IX Item "NOCPW" Prevents the user from changing his or her password (default is \f(CW\*(C`CPW\*(C'\fR). .RE .RS 4 .RE .IP "\(bu" 4 The key version number, in parentheses, following the word \f(CW\*(C`key\*(C'\fR, then one of the following. .RS 4 .IP "\(bu" 4 A checksum equivalent of the key, following the string \f(CW\*(C`cksum is\*(C'\fR, if the \&\fB\-showkey\fR flag is not included. The checksum is a decimal number derived by encrypting a constant with the key. In the case of the \f(CW\*(C`afs\*(C'\fR entry, this number must match the checksum with the corresponding key version number in the output of the \fBbos listkeys\fR command; if not, follow the instructions in the \fIOpenAFS Administration Guide\fR for creating a new server encryption key. .IP "\(bu" 4 The actual key, following a colon, if the \fB\-showkey\fR flag is included. The key consists of eight octal numbers, each represented as a backslash followed by three decimal digits. .RE .RS 4 .RE .IP "\(bu" 4 The date the user last changed his or her own password, following the string \f(CW\*(C`last cpw\*(C'\fR (which stands for \*(L"last change of password\*(R"). .IP "\(bu" 4 The string \f(CW\*(C`password will never expire\*(C'\fR indicates that the associated password never expires; the string \f(CW\*(C`password will expire\*(C'\fR is followed by the password's expiration date. After the indicated date, the user cannot authenticate, but has 30 days after it in which to use the \fBkpasswd\fR or \&\fBkas setpassword\fR command to set a new password. After 30 days, only an administrator (one whose account is marked with the \f(CW\*(C`ADMIN\*(C'\fR flag) can change the password by using the \fBkas setpassword\fR command. To set the password expiration date, use the \fBkas setfields\fR command's \fB\-pwexpires\fR argument. .IP "\(bu" 4 The number of times the user can fail to provide the correct password before the account locks, followed by the string \f(CW\*(C`consecutive unsuccessful authentications are permitted\*(C'\fR, or the string \f(CW\*(C`An unlimited number of unsuccessful authentications is permitted\*(C'\fR to indicate that there is no limit. To set the limit, use the \fBkas setfields\fR command's \&\fB\-attempts\fR argument. To unlock a locked account, use the \fBkas unlock\fR command. The \fBkas setfields\fR reference page discusses how the implementation of the lockout feature interacts with this setting. .IP "\(bu" 4 The number of minutes for which the Authentication Server refuses the user's login attempts after the limit on consecutive unsuccessful authentication attempts is exceeded, following the string \f(CW\*(C`The lock time for this user is\*(C'\fR. Use the \fBkas\fR command's \fB\-locktime\fR argument to set the lockout time. This line appears only if a limit on the number of unsuccessful authentication attempts has been set with the \fBkas setfields\fR command's \fB\-attempts\fR argument. .IP "\(bu" 4 An indication of whether the Authentication Server is currently refusing the user's login attempts. The string \f(CW\*(C`User is not locked\*(C'\fR indicates that authentication can succeed, whereas the string \f(CW\*(C`User is locked until\*(C'\fR \&\fItime\fR indicates that the user cannot authenticate until the indicated time. Use the \fBkas unlock\fR command to enable a user to attempt authentication. This line appears only if a limit on the number of unsuccessful authentication attempts has been set with the \fBkas setfields\fR command's \fB\-attempts\fR argument. .IP "\(bu" 4 The date on which the Authentication Server entry expires, or the string \&\f(CW\*(C`entry never expires\*(C'\fR to indicate that the entry does not expire. A user becomes unable to authenticate when his or her entry expires. Use the \&\fBkas setfields\fR command's \fB\-expiration\fR argument to set the expiration date. .IP "\(bu" 4 The maximum possible lifetime of the tokens that the Authentication Server grants the user. This value interacts with several others to determine the actual lifetime of the token, as described in \fIklog\fR\|(1). Use the \fBkas setfields\fR command's \fB\-lifetime\fR argument to set this value. .IP "\(bu" 4 The date on which the entry was last modified, following the string \f(CW\*(C`last mod on\*(C'\fR and the user name of the administrator who modified it. The date on which a user changed his or her own password is recorded on the second line of output as \f(CW\*(C`last cpw\*(C'\fR instead. .IP "\(bu" 4 An indication of whether the user can reuse one of his or her last twenty passwords when issuing the \fBkpasswd\fR, \fBkas setpassword\fR, or \fBkas setkey\fR commands. Use the \fBkas setfields\fR command's \fB\-reuse\fR argument to set this restriction. .SH "EXAMPLES" .IX Header "EXAMPLES" The following example command shows the user smith displaying her own Authentication Database entry. Note the \f(CW\*(C`ADMIN\*(C'\fR flag, which shows that \&\f(CW\*(C`smith\*(C'\fR is privileged. .PP .Vb 11 \& % kas examine smith \& Password for smith: \& User data for smith (ADMIN) \& key (0) cksum is 3414844392, last cpw: Thu Mar 25 16:05:44 1999 \& password will expire: Fri Apr 30 20:44:36 1999 \& 5 consecutive unsuccessful authentications are permitted. \& The lock time for this user is 25.5 minutes. \& User is not locked. \& entry never expires. Max ticket lifetime 100.00 hours. \& last mod on Tue Jan 5 08:22:29 1999 by admin \& permit password reuse .Ve .PP In the following example, the user \f(CW\*(C`pat\*(C'\fR examines his Authentication Database entry to determine when the account lockout currently in effect will end. .PP .Vb 11 \& % kas examine pat \& Password for pat: \& User data for pat \& key (0) cksum is 73829292912, last cpw: Wed Apr 7 11:23:01 1999 \& password will expire: Fri Jun 11 11:23:01 1999 \& 5 consecutive unsuccessful authentications are permitted. \& The lock time for this user is 25.5 minutes. \& User is locked until Tue Sep 21 12:25:07 1999 \& entry expires on never. Max ticket lifetime 100.00 hours. \& last mod on Thu Feb 4 08:22:29 1999 by admin \& permit password reuse .Ve .PP In the following example, an administrator logged in as \f(CW\*(C`admin\*(C'\fR uses the \&\fB\-showkey\fR flag to display the octal digits that constitute the key in the \f(CW\*(C`afs\*(C'\fR entry. .PP .Vb 7 \& % kas examine \-name afs \-showkey \& Password for admin: I \& User data for afs \& key (12): \e357\e253\e304\e352\e234\e236\e253\e352, last cpw: no date \& entry never expires. Max ticket lifetime 100.00 hours. \& last mod on Thu Mar 25 14:53:29 1999 by admin \& permit password reuse .Ve .SH "PRIVILEGE REQUIRED" .IX Header "PRIVILEGE REQUIRED" A user can examine his or her own entry. To examine others' entries or to include the \fB\-showkey\fR flag, the issuer must have the \f(CW\*(C`ADMIN\*(C'\fR flag set in his or her Authentication Database entry. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIbos_addkey\fR\|(8), \&\fIbos_listkeys\fR\|(8), \&\fIbos_setauth\fR\|(8), \&\fIkas\fR\|(8), \&\fIkas_setfields\fR\|(8), \&\fIkas_setpassword\fR\|(8), \&\fIkas_unlock\fR\|(8), \&\fIklog\fR\|(1), \&\fIkpasswd\fR\|(1) .SH "COPYRIGHT" .IX Header "COPYRIGHT" \&\s-1IBM\s0 Corporation 2000. All Rights Reserved. .PP This documentation is covered by the \s-1IBM\s0 Public License Version 1.0. It was converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.