.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.if !\nF .nr F 0
.if \nF>0 \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    if !\nF==2 \{\
.        nr % 0
.        nr F 2
.    \}
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "KLOG 1"
.TH KLOG 1 "2017-12-15" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
klog, klog.krb \- Authenticates with the Authentication Server
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBklog\fR [\fB\-x\fR] [\fB\-principal\fR\ <\fIuser\ name\fR>]
    [\-password <\fIuser's password\fR>] [\fB\-cell\fR\ <\fIcell\ name\fR>]
    [\fB\-servers\fR\ <\fIexplicit\ list\ of\ servers\fR>+]
    [\fB\-pipe\fR] [\fB\-silent\fR]
    [\fB\-lifetime\fR\ <\fIticket\ lifetime\ in\ hh[:mm[:ss]]\fR>]
    [\fB\-setpag\fR] [\fB\-tmp\fR] [\fB\-help\fR]
.PP
\&\fBklog\fR [\fB\-x\fR] [\fB\-pr\fR\ <\fIuser\ name\fR>] [\fB\-pa\fR\ <\fIuser's\ password\fR>]
    [\fB\-c\fR\ <\fIcell\ name\fR>]  [\fB\-s\fR\ <\fIexplicit\ list\ of\ servers\fR>+]
    [\fB\-pi\fR] [\fB\-si\fR] [\fB\-l\fR\ <\fIticket\ lifetime\ in\ hh[:mm[:ss]]\fR>]
    [\fB\-se\fR] [\fB\-t\fR] [\fB\-h\fR]
.PP
\&\fBklog.krb\fR [\fB\-x\fR] [\fB\-principal\fR\ <\fIuser\ name\fR>]
    [\-password <\fIuser's password\fR>] [\fB\-cell\fR\ <\fIcell\ name\fR>]
    [\fB\-servers\fR\ <\fIexplicit\ list\ of\ servers\fR>+]
    [\fB\-pipe\fR] [\fB\-silent\fR]
    [\fB\-lifetime\fR\ <\fIticket\ lifetime\ in\ hh[:mm[:ss]]\fR>]
    [\fB\-setpag\fR] [\fB\-tmp\fR] [\fB\-help\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBklog\fR and \fBklog.krb\fR commands are obsolete and should not be used.
Instead, use \fBkinit\fR followed by \fBaklog\fR or \fBklog.krb5\fR. See \fIaklog\fR\|(1) and
\&\fIklog.krb5\fR\|(1) for more information.
.PP
The \fBklog\fR command obtains an \s-1AFS\s0 token from the obsolete Authentication
Server or a Kerberos \s-1KDC\s0 that speaks the same protocol, such as \fBfakeka\fR
or a Heimdal Kerberos \s-1KDC.\s0 The Cache Manager on the local machine stores
the token in a credential structure in kernel memory and uses it when
obtaining authenticated access to the \s-1AFS\s0 filespace. This command does not
affect the issuer's identity (\s-1UNIX UID\s0) in the local file system.
.PP
The \fBklog.krb\fR command obtains an \s-1AFS\s0 token from the obsolete Authentication
Server or a Kerberos v4 \s-1KDC\s0 and also places the issuer's Kerberos v4 tickets
in the file named by the \s-1KRBTKFILE\s0 environment variable. The Kerberos v4 ticket
may used by Kerberos v4 aware programs.  The \fBpagsh.krb\fR command defines the
\&\s-1KRBTKFILE\s0 environment variable as \fI/tmp/tktp\fIX\fI\fR where \fIX\fR is the number of
the user's \s-1PAG.\s0
.PP
By default, the command interpreter obtains a token for the \s-1AFS\s0 user name
that matches the issuer's identity in the local file system. To specify an
alternate user, include the \fB\-principal\fR argument.  The user named by the
\&\fB\-principal\fR argument does not have to appear in the local password file
(the \fI/etc/passwd\fR file or equivalent).
.PP
By default, the command interpreter obtains a token for the local cell, as
defined by the \s-1AFSCELL\s0 environment variable set in the command shell or by
the \fI/etc/openafs/ThisCell\fR file on the local machine. To specify an
alternate cell, include the \fB\-cell\fR argument. The command interpreter
contacts an Authentication Server chosen at random from the cell's entry
in the local \fI/etc/openafs/server/CellServDB\fR file, unless the \fB\-servers\fR
argument is used to name one or more database server machines.
.PP
A user can have tokens in multiple cells simultaneously, but only one
token per cell per connection to the client machine. If the user's
credential structure already contains a token for the requested cell, the
token resulting from this command replaces it.
.PP
The lifetime of the token resulting from this command is the smallest of
the following.
.IP "\(bu" 4
The lifetime specified by the issuer with the \fB\-lifetime\fR argument. If
the issuer does not include this argument, the value defaults to 720 hours
(30 days).
.IP "\(bu" 4
The maximum ticket lifetime recorded for the afs entry in the
Authentication Database. The default is 100 hours.
.IP "\(bu" 4
The maximum ticket lifetime recorded in the specified user's
Authentication Database entry. The default is 25 hours for user entries
created by an Authentication Server running \s-1AFS 3.1\s0 or later.
.IP "\(bu" 4
The maximum ticket lifetime recorded in the krbtgt.\fI\s-1CELLNAME\s0\fR entry in
the Authentication Database; this entry corresponds to the ticket-granting
ticket used internally in generating the token. The default is 720 hours
(30 days).
.PP
The output from the kas examine command displays an Authentication
Database entry's maximum ticket lifetime as \f(CW\*(C`Max ticket
lifetime\*(C'\fR. Administrators can display any entry, and users can display
their own entries.
.PP
If none of the defaults have been changed, the token lifetime is 25 hours
for user accounts created by an Authentication Server running \s-1AFS 3.1\s0 or
higher. The maximum lifetime for any token is 720 hours (30 days), and the
minimum is 5 minutes.
.PP
Between the minimum and maximum values, the Authentication Server uses a
defined set of values, according to the following rules. Requested
lifetimes between 5 minutes and 10 hours 40 minutes are granted at 5
minute intervals, rounding up. For example, if the issuer requests a
lifetime of 12 minutes, the token's actual lifetime is 15 minutes.
.PP
For token lifetimes greater than 10 hours 40 minutes, consult the
following table, which presents all the possible times in units of
\&\fIhours\fR\fB:\fR\fIminutes\fR\fB:\fR\fIseconds\fR.  The number in parentheses is an
approximation of the corresponding time in days and hours (as indicated by
the \f(CW\*(C`d\*(C'\fR and \f(CW\*(C`h\*(C'\fR letters). For example, \f(CW\*(C`282:22:17\*(C'\fR means 282 hours, 22
minutes, and 17 seconds, which translates to approximately 11 days and 18
hours (\f(CW\*(C`11d 18h\*(C'\fR). The Authentication Server rounds up a requested
lifetime to the next highest possible lifetime.
.PP
.Vb 10
\&   11:24:15 (0d 11h)    46:26:01 (1d 22h)  189:03:38 (7d 21h)
\&   12:11:34 (0d 12h)    49:38:40 (2d 01h)  202:08:00 (8d 10h)
\&   13:02:09 (0d 13h)    53:04:37 (2d 05h)  216:06:35 (9d 00h)
\&   13:56:14 (0d 13h)    56:44:49 (2d 08h)  231:03:09 (9d 15h)
\&   14:54:03 (0d 14h)    60:40:15 (2d 12h)  247:01:43 (10d 07h)
\&   15:55:52 (0d 15h)    64:51:57 (2d 16h)  264:06:34 (11d 00h)
\&   17:01:58 (0d 17h)    69:21:04 (2d 21h)  282:22:17 (11d 18h)
\&   18:12:38 (0d 18h)    74:08:46 (3d 02h)  301:53:45 (12d 13h)
\&   19:28:11 (0d 19h)    79:16:23 (3d 07h)  322:46:13 (13d 10h)
\&   20:48:57 (0d 20h)    84:45:16 (3d 12h)  345:05:18 (14d 09h)
\&   22:15:19 (0d 22h)    90:36:53 (3d 18h)  368:56:58 (15d 08h)
\&   23:47:38 (0d 23h)    96:52:49 (4d 00h)  394:27:37 (16d 10h)
\&   25:26:21 (1d 01h)   103:34:45 (4d 07h)  421:44:07 (17d 13h)
\&   27:11:54 (1d 03h)   110:44:28 (4d 14h)  450:53:46 (18d 18h)
\&   29:04:44 (1d 05h)   118:23:54 (4d 22h)  482:04:24 (20d 02h)
\&   31:05:22 (1d 07h)   126:35:05 (5d 06h)  515:24:22 (21d 11h)
\&   33:14:21 (1d 09h)   135:20:15 (5d 15h)  551:02:38 (22d 23h)
\&   35:32:15 (1d 11h)   144:41:44 (6d 00h)  589:08:45 (24d 13h)
\&   37:59:41 (1d 13h)   154:42:01 (6d 10h)  629:52:56 (26d 05h)
\&   40:37:19 (1d 16h)   165:23:50 (6d 21h)  673:26:07 (28d 01h)
\&   43:25:50 (1d 19h)   176:50:01 (7d 08h)
.Ve
.SH "CAUTIONS"
.IX Header "CAUTIONS"
\&\fBklog\fR speaks a protocol specific to the obsolete Authentication Server
and is provided primarily to support cells that have not yet migrated to a
Kerberos version 5 \s-1KDC.\s0 It is still useful at cells not running the
Authentication Server if the associated Kerberos realm supports
Authentication Server queries (such as a Heimdal \s-1KDC\s0 or \fBfakeka\fR), but
using \fBklog.krb5\fR or \fBkinit\fR plus \fBaklog\fR instead of this command is
recommended.
.PP
By default, this command does not create a new process authentication
group (\s-1PAG\s0); see the description of the \fBpagsh\fR command to learn about
PAGs. If a cell does not use an AFS-modified login utility, users must
include \fB\-setpag\fR option to this command, or issue the \fBpagsh\fR command
before this one, to have their tokens stored in a credential structure
that is identified by \s-1PAG\s0 rather than by local \s-1UID.\s0
.PP
When a credential structure is identified by local \s-1UID,\s0 the potential
security exposure is that the local superuser \f(CW\*(C`root\*(C'\fR can use the \s-1UNIX\s0
\&\fBsu\fR command to assume any other identity and automatically inherit the
tokens associated with that \s-1UID.\s0 Identifying the credential structure by
\&\s-1PAG\s0 eliminates this exposure.
.PP
If the \fB\-password\fR argument is used, the specified password cannot begin
with a hyphen, because it is interpreted as another option name.  Use of
the \fB\-password\fR argument is not recommended in any case.
.PP
By default, it is possible to issue this command on a properly configured
\&\s-1NFS\s0 client machine that is accessing \s-1AFS\s0 via the \s-1NFS/AFS\s0 Translator,
assuming that the \s-1NFS\s0 client machine is a supported system type. However,
if the translator machine's administrator has enabled \s-1UID\s0 checking by
including the \fB\-uidcheck on\fR argument to the \fBfs exportafs\fR command, the
command fails with an error message similar to the following:
.PP
.Vb 2
\&   Warning: Remote pioctl to <translator_machine> has failed (err=8). . .
\&   Unable to authenticate to AFS because a pioctl failed.
.Ve
.PP
Enabling \s-1UID\s0 checking means that the credential structure in which tokens
are stored on the translator machine must be identified by a \s-1UID\s0 that
matches the local \s-1UID\s0 of the process that is placing the tokens in the
credential structure. After the \fBklog\fR command interpreter obtains the
token on the \s-1NFS\s0 client, it passes it to the remote executor daemon on the
translator machine, which makes the system call that stores the token in a
credential structure on the translator machine. The remote executor
generally runs as the local superuser \f(CW\*(C`root\*(C'\fR, so in most cases its local
\&\s-1UID\s0 (normally zero) does not match the local \s-1UID\s0 of the user who issued
the \fBklog\fR command on the \s-1NFS\s0 client machine.
.PP
Issuing the \fBklog\fR command on an \s-1NFS\s0 client machine creates a security
exposure: the command interpreter passes the token across the network to
the remote executor daemon in clear text mode.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-x\fR" 4
.IX Item "-x"
Appears only for backwards compatibility. Its former function is now the
default behavior of this command.
.IP "\fB\-principal\fR <\fIuser name\fR>" 4
.IX Item "-principal <user name>"
Specifies the user name to authenticate. If this argument is omitted, the
Authentication Server attempts to authenticate the user logged into the
local system.
.IP "\fB\-password\fR <\fIuser's password\fR>" 4
.IX Item "-password <user's password>"
Specifies the issuer's password (or that of the alternate user identified
by the \fB\-principal\fR argument). Omit this argument to have the command
interpreter prompt for the password, in which case it does not echo
visibly in the command shell.
.IP "\fB\-cell\fR <\fIcell name\fR>" 4
.IX Item "-cell <cell name>"
Specifies the cell for which to obtain a token. The command is directed to
that cell's Authentication Servers. During a single login session on a
given machine, a user can be authenticated in multiple cells
simultaneously, but can have only one token at a time for each of them
(that is, can only authenticate under one identity per cell per session on
a machine). It is acceptable to abbreviate the cell name to the shortest
form that distinguishes it from the other cells listed in the
\&\fI/etc/openafs/CellServDB\fR file on the client machine on which the
command is issued.
.Sp
If this argument is omitted, the command is executed in the local cell, as
defined
.RS 4
.IP "\(bu" 4
First, by the value of the environment variable \s-1AFSCELL.\s0
.IP "\(bu" 4
Second, in the \fI/etc/openafs/ThisCell\fR file on the client machine on
which the command is issued.
.RE
.RS 4
.RE
.IP "\fB\-servers\fR <\fIexplicit list of servers\fR>+" 4
.IX Item "-servers <explicit list of servers>+"
Establishes a connection with the Authentication Server running on each
specified database server machine. The command interpreter then chooses
one of these at random to execute the command. It is best to provide
fully-qualified hostnames, but abbreviated forms are possibly acceptable
depending on the state of the cell's name server at the time the command
is issued. This option is useful for testing specific servers if problems
are encountered.
.Sp
If this argument is omitted, the command interpreter establishes a
connection with each machine listed for the indicated cell in the local
copy of the \fI/etc/openafs/CellServDB\fR file, and then chooses one of them
at random for command execution.
.IP "\fB\-pipe\fR" 4
.IX Item "-pipe"
Suppresses all output to the standard output stream, including prompts and
error messages. The \fBklog\fR command interpreter expects to receive the
password from the standard input stream. Do not use this argument; it is
designed for use by application programs rather than human users.
.IP "\fB\-silent\fR" 4
.IX Item "-silent"
Suppresses some of the trace messages that the klog command produces on
the standard output stream by default. It still reports on major problems
encountered.
.IP "\fB\-lifetime\fR <\fIticket lifetime\fR" 4
.IX Item "-lifetime <ticket lifetime"
Requests a specific lifetime for the token. Provide a number of hours and
optionally minutes and seconds in the format \fIhh\fR[\fB:\fR\fImm\fR[\fB:\fR\fIss\fR]].
The value is used in calculating the token lifetime as described in
\&\*(L"\s-1DESCRIPTION\*(R"\s0.
.IP "\fB\-setpag\fR" 4
.IX Item "-setpag"
Creates a process authentication group (\s-1PAG\s0) prior to requesting
authentication. The token is associated with the newly created \s-1PAG.\s0
.IP "\fB\-tmp\fR" 4
.IX Item "-tmp"
Creates a Kerberos-style ticket file in the \fI/tmp\fR directory of the local
machine. The file is called \fItkt.\fI\s-1AFS_UID\s0\fI\fR where \fI\s-1AFS_UID\s0\fR is the \s-1AFS
UID\s0 of the issuer.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Prints the online help for this command. All other valid options are
ignored.
.SH "OUTPUT"
.IX Header "OUTPUT"
The following message indicates that the limit on consecutive
authentication failures has been exceeded. An administrator can use the
\&\fBkas unlock\fR command to unlock the account, or the issuer can wait until
the lockout time for the account has passed. (The time is set with the
\&\fB\-locktime\fR argument to the \fBkas setfields\fR command and displayed in the
output from the \fBkas examine\fR command).
.PP
.Vb 1
\&   Unable to authenticate to AFS because ID is locked \- see your system admin
.Ve
.PP
If the \fB\-tmp\fR flag is included, the following message confirms that a
Kerberos-style ticket file was created:
.PP
.Vb 1
\&   Wrote ticket file to /tmp
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Most often, this command is issued without arguments. The appropriate
password is for the person currently logged into the local system. The
ticket's lifetime is calculated as described in \*(L"\s-1DESCRIPTION\*(R"\s0 (if no
defaults have been changed, it is 25 hours for a user whose Authentication
Database entry was created in \s-1AFS 3.1\s0 or later).
.PP
.Vb 2
\&   % klog
\&   Password:
.Ve
.PP
The following example authenticates the user as admin in the \s-1ABC\s0
Corporation's test cell:
.PP
.Vb 2
\&   % klog \-principal admin \-cell test.abc.com
\&   Password:
.Ve
.PP
In the following, the issuer requests a ticket lifetime of 104 hours 30
minutes (4 days 8 hours 30 minutes). Presuming that this lifetime is
allowed by the maximum ticket lifetimes and other factors described in
\&\*(L"\s-1DESCRIPTION\*(R"\s0, the token's lifetime is 110:44:28, which is the next
largest possible value.
.PP
.Vb 2
\&   % klog \-lifetime 104:30
\&   Password:
.Ve
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
None
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIfs_exportafs\fR\|(1),
\&\fIkas_examine\fR\|(8),
\&\fIkas_setfields\fR\|(8),
\&\fIkas_unlock\fR\|(8),
\&\fIkaserver\fR\|(8),
\&\fIpagsh\fR\|(1),
\&\fItokens\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
\&\s-1IBM\s0 Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
.PP
This documentation is covered by the \s-1IBM\s0 Public License Version 1.0.  It was
converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.