3 klog - Authenticates with the Authentication Server
7 klog [B<-x>] [B<-principal> I<user name>] [B<-password> I<user's password>]
8 [B<-cell> I<cell name>] [B<-servers> I<explicit list of servers> ...]
9 [B<-pipe>] [B<-silent>] [B<-lifetime> I<ticket lifetime in hh[:mm[:ss]]>]
10 [B<-setpag>] [B<-tmp>] [B<-help>]
12 klog [B<-x>] [B<-pr> I<user name>] [B<-pa> I<user's password>] [B<-c> I<cell name>]
13 [B<-s> I<explicit list of servers> ...] [B<-pi>] [B<-si>]
14 [B<-l> I<ticket lifetime in hh[:mm[:ss]]>] [B<-se>] [B<-t>] [B<-h>]
18 The C<klog> command obtains an AFS token from the Authentication Server.
19 The Cache Manager on the local machine stores the token in a
20 credential structure in kernel memory and uses it when obtaining
21 authenticated access to the AFS filespace. This command does not
22 affect the issuer's identity (UNIX UID) in the local file system.
24 By default, the command interpreter obtains a token for the AFS user
25 name that matches the issuer's identity in the local file system. To
26 specify an alternate user, include the B<-principal> argument. The user
27 named by the B<-principal> argument does not have to appear in the local
28 password file (the B</etc/passwd> file or equivalent).
30 By default, the command interpreter obtains a token for the local
31 cell, as defined by the AFSCELL environment variable set in the
32 command shell or by the B</usr/vice/etc/ThisCell> file on the local
33 machine. To specify an alternate cell, include the B<-cell> argument. The
34 command interpreter contacts an Authentication Server chosen at random
35 from the cell's entry in the local B</usr/afs/etc/CellServDB> file,
36 unless the B<-servers> argument is used to name one or more database
39 A user can have tokens in multiple cells simultaneously, but only one
40 token per cell per connection to the client machine. If the user's
41 credential structure already contains a token for the requested cell,
42 the token resulting from this command replaces it.
44 Sites that employ standard Kerberos authentication instead of the AFS
45 Authentication Server must use the Kerberos version of this command,
46 B<klog.krb>, on all client machines. It automatically places the issuer's
47 Kerberos tickets in the file named by the KRBTKFILE environment
48 variable, which the B<pagsh.krb> command defines automatically as
49 B</tmp/tktp>I<X> where I<X> is the number of the user's PAG.
51 The lifetime of the token resulting from this command is the smallest
58 The lifetime specified by the issuer with the B<-lifetime> argument.
59 If the issuer does not include this argument, the value defaults
60 to 720 hours (30 days).
64 The maximum ticket lifetime recorded for the B<afs> entry in the
65 Authentication Database. The default is 100 hours.
69 The maximum ticket lifetime recorded in the specified user's
70 Authentication Database entry. The default is 25 hours for user
71 entries created by an Authentication Server running AFS B<3.1> or
76 The maximum ticket lifetime recorded in the B<krbtgt.>I<CELLNAME> entry
77 in the Authentication Database; this entry corresponds to the
78 ticket-granting ticket used internally in generating the token.
79 The default is 720 hours (30 days).
83 The output from the C<kas examine> command displays an Authentication
84 Database entry's maximum ticket lifetime as C<Max ticket lifetime>.
85 Administrators can display any entry, and users can display their own
88 If none of the defaults have been changed, the token lifetime is 25
89 hours for user accounts created by an Authentication Server running
90 AFS B<3.1> or higher. The maximum lifetime for any token is 720 hours (30
91 days), and the minimum is 5 minutes.
93 Between the minimum and maximum values, the Authentication Server uses
94 a defined set of values, according to the following rules. Requested
95 lifetimes between 5 minutes and 10 hours 40 minutes are granted at 5
96 minute intervals, rounding up. For example, if the issuer requests a
97 lifetime of 12 minutes, the token's actual lifetime is 15 minutes.
99 For token lifetimes greater than 10 hours 40 minutes, consult the
100 following table, which presents all the possible times in units of
101 I<hours>:I<minutes>:I<seconds>. The number in parentheses is an approximation
102 of the corresponding time in days and hours (as indicated by the C<d> and
103 C<h> letters). For example, C<282:22:17> means 282 hours, 22 minutes, and 17
104 seconds, which translates to approximately 11 days and 18 hours (C<11d
105 18h>). The Authentication Server rounds up a requested lifetime to the
106 next highest possible lifetime.
108 11:24:15 (0d 11h) 46:26:01 (1d 22h) 189:03:38 (7d 21h)
109 12:11:34 (0d 12h) 49:38:40 (2d 01h) 202:08:00 (8d 10h)
110 13:02:09 (0d 13h) 53:04:37 (2d 05h) 216:06:35 (9d 00h)
111 13:56:14 (0d 13h) 56:44:49 (2d 08h) 231:03:09 (9d 15h)
112 14:54:03 (0d 14h) 60:40:15 (2d 12h) 247:01:43 (10d 07h)
113 15:55:52 (0d 15h) 64:51:57 (2d 16h) 264:06:34 (11d 00h)
114 17:01:58 (0d 17h) 69:21:04 (2d 21h) 282:22:17 (11d 18h)
115 18:12:38 (0d 18h) 74:08:46 (3d 02h) 301:53:45 (12d 13h)
116 19:28:11 (0d 19h) 79:16:23 (3d 07h) 322:46:13 (13d 10h)
117 20:48:57 (0d 20h) 84:45:16 (3d 12h) 345:05:18 (14d 09h)
118 22:15:19 (0d 22h) 90:36:53 (3d 18h) 368:56:58 (15d 08h)
119 23:47:38 (0d 23h) 96:52:49 (4d 00h) 394:27:37 (16d 10h)
120 25:26:21 (1d 01h) 103:34:45 (4d 07h) 421:44:07 (17d 13h)
121 27:11:54 (1d 03h) 110:44:28 (4d 14h) 450:53:46 (18d 18h)
122 29:04:44 (1d 05h) 118:23:54 (4d 22h) 482:04:24 (20d 02h)
123 31:05:22 (1d 07h) 126:35:05 (5d 06h) 515:24:22 (21d 11h)
124 33:14:21 (1d 09h) 135:20:15 (5d 15h) 551:02:38 (22d 23h)
125 35:32:15 (1d 11h) 144:41:44 (6d 00h) 589:08:45 (24d 13h)
126 37:59:41 (1d 13h) 154:42:01 (6d 10h) 629:52:56 (26d 05h)
127 40:37:19 (1d 16h) 165:23:50 (6d 21h) 673:26:07 (28d 01h)
128 43:25:50 (1d 19h) 176:50:01 (7d 08h)
136 Appears only for backwards compatibility. Its former function
137 is now the default behavior of this command.
139 =item B<-principal> I<user name>
141 Specifies the user name to authenticate. If this argument is
142 omitted, the Authentication Server attempts to authenticate the
143 user logged into the local file system.
145 =item B<-password> I<user's password>
147 Specifies the issuer's password (or that of the alternate user
148 identified by the B<-principal> argument). Omit this argument to
149 have the command interpreter prompt for the password, in which
150 case it does not echo visibly in the command shell.
152 =item B<-cell> I<cell name>
154 Specifies the cell for which to obtain a token. The command is
155 directed to that cell's Authentication Servers. During a single
156 login session on a given machine, a user can be authenticated
157 in multiple cells simultaneously, but can have only one token
158 at a time for each of them (that is, can only authenticate
159 under one identity per cell per session on a machine). It is
160 acceptable to abbreviate the cell name to the shortest form
161 that distinguishes it from the other cells listed in the
162 B</usr/vice/etc/CellServDB> file on the client machine on which
163 the command is issued.
165 If this argument is omitted, the command is executed in the
166 local cell, as defined
172 First, by the value of the environment variable AFSCELL
176 Second, in the B</usr/vice/etc/ThisCell> file on the client
177 machine on which the command is issued
181 =item B<-servers> I<explicit list of servers> ...
183 Establishes a connection with the Authentication Server running
184 on each specified database server machine. The command
185 interpreter then chooses one of these at random to execute the
186 command. It is best to provide fully-qualified hostnames, but
187 abbreviated forms are possibly acceptable depending on the
188 state of the cell's name server at the time the command is
189 issued. This option is useful for testing specific servers if
190 problems are encountered.
192 If this argument is omitted, the command interpreter
193 establishes a connection with each machine listed for the
194 indicated cell in the local copy of the
195 B</usr/vice/etc/CellServDB> file, and then chooses one of them at
196 random for command execution.
200 Suppresses all output to the standard output stream, including
201 prompts and error messages. The C<klog> command interpreter
202 expects to receive the password from the standard input stream.
203 Do not use this argument; it is designed for use by application
204 programs rather than human users.
208 Suppresses some of the trace messages that the C<klog> command
209 produces on the standard output stream by default. It still
210 reports on major problems encountered.
212 =item B<-lifetime> I<ticket lifetime in hh[:mm[:ss]]>
214 Requests a specific lifetime for the token. Provide a number of
215 hours and optionally minutes and seconds in the format
216 I<hh>[:I<mm>[:I<ss>]]. The value is used in calculating the token
217 lifetime as described in the L</"DESCRIPTION"> section.
221 Creates a process authentication group (PAG) prior to
222 requesting authentication. The token is associated with the
227 Creates a Kerberos-style ticket file in the B</tmp> directory of
228 the local machine. The file is called B<tkt.>I<AFS_UID> where I<AFS_UID>
229 is the AFS UID of the issuer.
233 Prints the online help for this command. All other valid
240 The following message indicates that the limit on consecutive
241 authentication failures has been exceeded. An administrator can use
242 the C<kas unlock> command to unlock the account, or the issuer can wait
243 until the lockout time for the account has passed. (The time is set
244 with the B<-locktime> argument to the C<kas setfields> command and displayed
245 in the output from the C<kas examine> command).
247 Unable to authenticate to AFS because ID is locked - see your system admin
249 If the B<-tmp> flag is included, the following message confirms that a
250 Kerberos-style ticket file was created:
252 Wrote ticket file to /tmp
256 Most often, this command is issued without arguments. The appropriate
257 password is for the person currently logged into the local file
258 system. The ticket's lifetime is calculated as described in the
259 L</"DESCRIPTION"> section (if no defaults have been changed, it is 25 hours
260 for a user whose Authentication Database entry was created in AFS 3.1
266 The following example authenticates the user as B<admin> in the ABC
267 Corporation's test cell:
269 B< klog -principal admin -cell test.abc.com>
272 In the following, the issuer requests a ticket lifetime of 104 hours
273 30 minutes (4 days 8 hours 30 minutes). Presuming that this lifetime
274 is allowed by the maximum ticket lifetimes and other factors described
275 in the L</"DESCRIPTION"> section, the token's lifetime is 110:44:28, which
276 is the next largest possible value.
278 B< klog -lifetime 104:30>
281 =head1 PRIVILEGE REQUIRED
287 By default, this command does not create a new process authentication
288 group (PAG); see the description of the C<pagsh> command to learn about
289 PAGs. If a cell does not use an AFS-modified login utility, users must
290 include B<-setpag> option to this command, or issue the C<pagsh> command
291 before this one, to have their tokens stored in a credential structure
292 that is identified by PAG rather than by local UID.
294 When a credential structure is identified by local UID, the potential
295 security exposure is that the local superuser B<root> can use the UNIX C<su>
296 command to assume any other identity and automatically inherit the
297 tokens associated with that UID. Identifying the credential structure
298 by PAG eliminates this exposure.
300 If the B<-password> argument is used, the specified password cannot begin
301 with a hyphen, because it is interpreted as another option name. Use
302 of the B<-password> argument is not recommended in any case.
304 By default, it is possible to issue this command on a properly
305 configured NFS client machine that is accessing AFS via the NFS/AFS
306 Translator, assuming that the NFS client machine is a supported system
307 type. However, if the translator machine's administrator has enabled
308 UID checking by including the B<-uidcheck> B<on> argument to the C<fs
309 exportafs> command, the command fails with an error message similar to
312 Warning: Remote pioctl to translator_machine has failed (err=8). . .
313 Unable to authenticate to AFS because a pioctl failed.
315 Enabling UID checking means that the credential structure in which
316 tokens are stored on the translator machine must be identified by a
317 UID that matches the local UID of the process that is placing the
318 tokens in the credential structure. After the C<klog> command interpreter
319 obtains the token on the NFS client, it passes it to the remote
320 executor daemon on the translator machine, which makes the system call
321 that stores the token in a credential structure on the translator
322 machine. The remote executor generally runs as the local superuser
323 B<root>, so in most cases its local UID (normally zero) does not match
324 the local UID of the user who issued the C<klog> command on the NFS
327 Issuing the C<klog> command on an NFS client machine creates a security
328 exposure: the command interpreter passes the token across the network
329 to the remote executor daemon in clear text mode.
333 IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
335 Converted from html to pod by Alf Wachsmann <alfw@slac.stanford.edu>, 2003,
336 and Elizabeth Cassell <e_a_c@mailsnare.net>, 2004,
337 Stanford Linear Accelerator Center, a department of Stanford University.