Man Linux: Main Page and Category List


       kas - Introduction to the kas command suite


       The commands in the kas command suite are the administrative interface
       to the Authentication Server, which runs on each database server
       machine in a cell, maintains the Authentication Database, and provides
       the authentication tickets that client applications must present to AFS
       servers in order to obtain access to AFS data and other services.

       There are several categories of commands in the kas command suite:

       ·   Commands to create, modify, examine and delete entries in the
           Authentication Database, including passwords: kas create, kas
           delete, kas examine, kas list, kas setfields, kas setkey, kas
           setpassword, and kas unlock.

       ·   Commands to create, delete, and examine tokens and server tickets:
           kas forgetticket, kas listtickets, kas noauthentication, and kas

       ·   A command to enter interactive mode: kas interactive.

       ·   A command to trace Authentication Server operations: kas

       ·   Commands to obtain help: kas apropos and kas help.

       Because of the sensitivity of information in the Authentication
       Database, the Authentication Server authenticates issuers of kas
       commands directly, rather than accepting the standard token generated
       by the Ticket Granting Service. Any kas command that requires
       administrative privilege prompts the issuer for a password. The
       resulting ticket is valid for six hours unless the maximum ticket
       lifetime for the issuer or the Authentication Server’s Ticket Granting
       Service is shorter.

       To avoid having to provide a password repeatedly when issuing a
       sequence of kas commands, enter interactive mode by issuing the kas
       interactive command, typing kas without any operation code, or typing
       kas followed by a user and cell name, separated by an at-sign ("@"; an
       example is "kas"). After prompting once for a
       password, the Authentication Server accepts the resulting token for
       every command issued during the interactive session. See
       kas_interactive(8) for a discussion of when to use each method for
       entering interactive mode and of the effects of entering a session.

       The Authentication Server maintains two databases on the local disk of
       the machine where it runs:

       ·   The Authentication Database (/var/lib/openafs/db/kaserver.DB0)
           stores the information used to provide AFS authentication services
           to users and servers, including the password scrambled as an
           encryption key. The reference page for the kas examine command
           describes the information in a database entry.

       ·   An auxiliary file (/var/lib/openafs/local/kaauxdb by default) that
           tracks how often the user has provided an incorrect password to the
           local Authentication Server. The reference page for the kas
           setfields command describes how the Authentication Server uses this
           file to enforce the limit on consecutive authentication failures.
           To designate an alternate directory for the file, use the kaserver
           command’s -localfiles argument.


       The following arguments and flags are available on many commands in the
       kas suite. (Some of them are unavailable on commands entered in
       interactive mode, because the information they specify is established
       when entering interactive mode and cannot be changed except by leaving
       interactive mode.) The reference page for each command also lists them,
       but they are described here in greater detail.

       -admin_username <user name>
           Specifies the user identity under which to authenticate with the
           Authentication Server for execution of the command. If this
           argument is omitted, the kas command interpreter requests
           authentication for the identity under which the issuer is logged
           onto the local machine.  Do not combine this argument with the
           -noauth flag.

       -cell <cell name>
           Names the cell in which to run the command. It is acceptable to
           abbreviate the cell name to the shortest form that distinguishes it
           from the other entries in the /etc/openafs/CellServDB file on the
           local machine. If the -cell argument is omitted, the command
           interpreter determines the name of the local cell by reading the
           following in order:

           ·   The value of the AFSCELL environment variable.

           ·   The local /etc/openafs/ThisCell file.

           The -cell argument is not available on commands issued in
           interactive mode. The cell defined when the kas command interpreter
           enters interactive mode applies to all commands issued during the
           interactive session.

           Prints a command’s online help message on the standard output
           stream. Do not combine this flag with any of the command’s other
           options; when it is provided, the command interpreter ignores all
           other options, and only prints the help message.

           Establishes an unauthenticated connection to the Authentication
           Server, in which the Authentication Server treats the issuer as the
           unprivileged user "anonymous". It is useful only when authorization
           checking is disabled on the server machine (during the installation
           of a server machine or when the bos setauth command has been used
           during other unusual circumstances). In normal circumstances, the
           Authentication Server allows only privileged users to issue most
           kas commands, and refuses to perform such an action even if the
           -noauth flag is provided. Do not combine this flag with the
           -admin_username and -password_for_admin arguments.

       -password_for_admin <password>
           Specifies the password of the command’s issuer. It is best to omit
           this argument, which echoes the password visibly in the command
           shell, instead enter the password at the prompt. Do not combine
           this argument with the -noauth flag.

       -servers <machine name>+
           Establishes a connection with the Authentication Server running on
           each specified database server machine, instead of on each machine
           listed in the local /etc/openafs/CellServDB file. In either case,
           the kas command interpreter then chooses one of the machines at
           random to contact for execution of each subsequent command. The
           issuer can abbreviate the machine name to the shortest form that
           allows the local name service to identify it uniquely.


       To issue most kas commands, the issuer must have the "ADMIN" flag set
       in his or her Authentication Database entry (use the kas setfields
       command to turn the flag on).


       CellServDB(5), kaserver.DB0(5), kaserverauxdb(5), kas_apropos(8),
       kas_create(8), kas_delete(8), kas_examine(8), kas_forgetticket(8),
       kas_help(8), kas_interactive(8), kas_list(8), kas_listtickets(8),
       kas_noauthentication(8), kas_quit(8), kas_setfields(8),
       kas_setpassword(8), kas_statistics(8), kas_stringtokey(8),
       kas_unlock(8), kaserver(8)


       IBM Corporation 2000. <> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.
       It was converted from HTML to POD by software written by Chas Williams
       and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.