An assortment of commands and tools related to AFS authentication sorted by authentication system.
## [[KaServer]] -- AFS version of Kerberos V4 The klog command (and kpasswd too) try several [[StringToKey]] functions. - klog -- authentication with [[KaServer]] by getting AFS service tickets and sending them to the (kernel) [[CacheManager]]. Can save the TGT in a file compatible with kinit (V4) as a non-default option. - tokens -- displays AFS service tickets (tokens) held by the [[CacheManager]]. - kpasswd -- change password in [[KaServer]]. - kas -- administrative interface to [[KaServer]] - inetd -- passes authentication information to network servers. See [inetd ](http://www.cs.rose-hulman.edu/docs/afs-doc/html/AdminRef/auarf179.htm#HDRINETD). [Avoid](http://lists.openafs.org/pipermail/openafs-devel/2002-January/002351.html). - r\* commands -- passes authentication information between trusting hosts (over a secure network). See [Remote Services](http://www.cs.rose-hulman.edu/docs/afs-doc/html/AdminGd/auagd007.htm#HDRWQ78). [Avoid](http://lists.openafs.org/pipermail/openafs-devel/2002-January/002351.html) and [thread](http://lists.openafs.org/pipermail/openafs-devel/2002-January/002372.html). These are not built by default in [[OpenAFS]] unless --enable-insecure is specified. ## [[KerberosIV]] -- MIT reference for V4 - kinit -- authenticates using standard UDP port 750. Also works with [[KaServer]] but doesn't get AFS service tickets (tokens). - ktadd -- adds a new key/principal to [[KeyDistributionCenter]] (KDC) (or changes the key if it already exists?) ## [[KerberosV]] -- MIT reference for V5 There are more types of [[StringToKey]] functions in V5. Charles Clancy posted a Perl [script](http://lists.openafs.org/pipermail/openafs-info/2002-January/003060.html) that provides a kas interface to kadmin, so that existing scripts (and users) that use kas can easily work in a K5 environment. Derek Atkins provides this handy mapping from [[KerberosVMIT]] to [[KaServer]]:
[[KerberosVMIT]] [[KaServer]]
kinit + aklog/afslog klog
kadmin kas
kpasswd kpasswd
- kinit -- authenticates using standard UDP port 88. Works with DCE, [[HeimdalKTH]] and [[ActiveDirectory]] (maybe?). - kpasswd -- change KDC password. - klist -- displays contents of ticket cache. - ktadmin - ktadd -- add a principal
ktadd -k /etc/krb5/keytab -e des-cbc-crc:v4 .EDU - ktremove -- removes a principal from the KDC - kprop ## [[KerberosDCE]] -- DCE version of V5 - kinit -- authenticates to DCE Security Server and also obtains authorization informaion (groups) from the DCE Privilege Server. - chpass -- change password - dcecp -- admin suite ## [[HeimdalKTH]] -- International version of Kerberos V5 Here's some [mail](http://lists-openafs.central.org/pipermail/openafs-info/2001-April/000591.html) from Derrick Brashear for using [[HeimdalKTH]] for AFS authentication. An updated version of this document can be found [here](http://lost-contact.mit.edu/afs/net/project/afs32/andrew.cmu.edu/usr/shadow/ka2heim.txt): The kas wrapper mentioned above maybe useful for Heimdal environments too. - afslog - ktutil -- for example to create a [[KeyFile]] for AFS servers you can use this sequence
`ktutil -k keytab.afs get afs@MY.REALM`
`ktutil copy FILE:keytab.afs AFSKEYFILE:/usr/vice/etc/KeyFile`
It can also convert from `srvtab` format. - hprop -- initializes a database from [[KaServer]] (?) - ipropd -- propagates KDC databases between master and slave servers? ## [[ActiveDirectory]] -- Microsoft version of Kerberos V5 ## Other commands - aklog -- converts V5 TGT to AFS service tickets and gives them to the [[CacheManager]]. Is this part of the standard MIT K5 distribution? - ka-forwarder -- allows klog to work in V5 environments, not needed if you are willing to use kinit/aklog. This is a [[HeimdalKTH]] tool? - asetkey -- converts a V5 keytab file containing the AFS service ticket key and stores it into a [[KeyFile]] which AFS servers understand. - fakeka - r\* commands -- where to get safe kerberized versions? - pts -- suite of commands for accessing the [[PtServer]] to manage AFS groups in all authentication environments. - uss -- user creation tool. It is [documented](http://www.openafs.org/pages/doc/AdminReference/auarf242.htm#HDRUSS_INTRO) in the admin guide. It has some support for alternate authentication systems, but probably works best in [[KaServer]] environments. ---- See [[SettingUpAuthentication]] -- Ted Anderson - 23 Jan 2002 -- Ted Anderson - 06 Feb 2002 -- Ted Anderson - 07 Mar 2002