kas examine                    AFS Commands                    kas examine

NAME
     kas examine -- display information from an Authentication Database
     entry

SYNOPSIS
     kas examine -name <name of user>
                 [-admin_username <admin principal to use for authentication>]
                 [-password_for_admin <admin password>] [-cell <cell name>]
                 [-servers <explicit list of authentication servers>]
                 [-noauth] [-help]

ACCEPTABLE ABBREVIATIONS/ALIASES
     kas e -na <name of user> [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-s <explicit list of authentication servers>] [-no] [-h]
DESCRIPTION
     Formats and displays information from the Authentication Database
     entry for name. See the OUTPUT section.

ARGUMENTS
     -name                specifies the Authentication Database entry from
                          which to display information.

     -admin_username      specifies the user name under which the issuer
                          wishes to perform the command. If the issuer
                          does not provide it, the current identity is
                          used. See section 4.3 in the Reference Manual
                          for more details.

     -password_for_admin  specifies the issuer's password. If provided
                          here, the password is visible on the screen
                          (and, as a command-line argument, may also be
                          recorded in the shell history). If the issuer
                          does not provide it, it will be prompted for
                          and not be visible on the screen. See section
                          4.3 in the Reference Manual for more details.

     -cell                specifies the cell in which to run the command,
                          if not the local cell. See section 4.3 in the
                          Reference Manual for more details.

     -servers             specifies the database server machine(s) with
                          which to establish a connection. See section
                          4.3 in the Reference Manual for more details.

     -noauth              establishes an unauthenticated connection
                          between the issuer and the Authentication
                          Servers, which assign the issuer the
                          unprivileged identity anonymous rather than
                          attempting mutual authentication. See section
                          4.3 in the Reference Manual for more details.

     -help                prints the online help for this command. Do not
                          provide any other arguments or flags with this
                          one. See section 4.3 in the Reference Manual
                          for more details.
OUTPUT
     The output reports, in this order:

     - the name of the entry

     - one or more status flags, in parentheses after the name, which
       appear only if a system administrator has used the kas setfields
       command to change a flag from its default value. A plus sign (+)
       separates the flags if more than one appears. The non-default
       values that may appear, and their meanings, are:

       * ADMIN. The user is allowed to issue privileged kas commands
         (Default: NOADMIN.)

       * NOTGS. The Ticket Granting Service will refuse to issue tickets
         to the user (Default: TGS.)

       * NOSEAL. The Ticket Granting Service cannot use the contents of
         this entry's key field as an encryption key (Default: SEAL.)

       * NOCPW. The user or server cannot change his/her/its own
         password or key (Default: CPW.)

     - the word "key" followed by the key version number in parentheses,
       then either the key itself or a checksum of it.

       The octal key itself appears only if authorization checking is
       disabled on the database server machine to which the kas examine
       command is directed with the -servers argument (see the EXAMPLES
       section). The reasoning behind this requirement is two-fold.
       First, it implies that only someone authorized to issue the bos
       setauth command or with "root" access to the database server
       machine's local disk is able to see actual keys from the
       Authentication Database. Second, it makes it clear that the
       system is in a compromised state of security while keys are
       being displayed on the screen. Both turning off authorization
       checking and displaying keys on a screen are serious security
       risks.

       In the normal case, when authorization checking is enabled on
       the database server machine, a "checksum" appears instead of the
       key. This is a decimal number derived by encrypting a constant
       with the key; it identifies the key without revealing it. In the
       case of the "afs" key, this number can be compared to the
       checksum with the corresponding key version number in the output
       of the bos listkeys command, to confirm that the two copies of
       the key agree.

     - the date that the user last changed his/her own password,
       indicated as "last cpw" (which stands for "last change of
       password")

     - the date on which the entry expires. If this is a user entry, the
       user will be unable to authenticate with the Authentication
       Server after that date.

     - the maximum length of time that tickets issued for this entry may
       be valid

     - the date of the last modification to the entry, indicated as
       "last mod," and the user name of the person who issued the
       modifying command. Password changes made by the user
       himself/herself are recorded as "last cpw" instead.
EXAMPLES
     In each of the examples, the password typed at the prompt does not
     echo visibly.

     The following shows the privileged user smith examining her own
     Authentication Database entry. Note the ADMIN flag, which shows
     that smith is privileged.

        User data for smith (ADMIN)
         key (0) cksum is 3414844392, last cpw: Wed Jan 3 16:05:44
         entry expires on never. Max ticket lifetime 100.00 hours.
         last mod on Thu Dec 21 08:22:29 1989 by admin

     In the following the regular user terry examines her own entry and
     then tries to examine pat's. The second request is refused because
     terry's entry does not carry the ADMIN flag.

         key (0) cksum is 529538018, last cpw: Fri Jan 19 9
         entry expires on never. Max ticket lifetime 100.00 hours.
         last mod on Thu Dec 21 08:43:29 1989 by admin

        kas:examine: caller not authorized getting informati

     In the following an administrator logged in as the privileged user
     admin uses bos setauth to turn off authorization checking on the
     database server machine db1.transarc.com so that he can look at
     the key in the afs entry. He enters interactive mode to open a
     connection with the Authentication Server on db1.transarc.com only
     and uses the -noauth flag to prevent that server from attempting
     mutual authentication.

        % bos setauth db1.transarc.com off
        % kas i -servers db1.transarc.com -noauth
        ka> examine afs -servers db1.transarc.com
         key (12): \357\253\304\352a\236\253\352, last cpw:
         entry expires on never. Max ticket lifetime 100.00 hours.
         last mod on Thu Jan 11 14:53:29 1990 by admin

     While authorization checking is off, the server processes on
     db1.transarc.com accept privileged commands from unauthenticated
     callers, so it should be turned back on (bos setauth
     db1.transarc.com on) as soon as the key has been read, and the
     screen output containing the key should not be saved or logged.
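     The following script is an added example, not part of AFS or of this
     manual page. It parses kas examine output of the form described in the
     OUTPUT section into records, decodes a key printed in octal (as in the
     afs example above) back into its eight bytes, checks that each byte
     has the odd parity a DES key must have, and reports the conditions an
     administrator auditing a cell would want flagged: the ADMIN flag and
     the other non-default flags, key material printed in the clear (which
     means authorization checking is off on the server that answered), and
     an afs key checksum that disagrees with the value from bos listkeys.
     The sample input is constructed from the examples above; the "backup"
     entry, the full dates, the "User data for afs" header line and the
     checksum in BOS_LISTKEYS_CKSUMS are assumptions, not values from any
     real cell.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, not captured from a real cell: the smith, terry and
# afs entries as printed in the EXAMPLES section (full dates and the "User data
# for afs" header line are assumed) plus an invented "backup" entry that shows
# the '+' separator between non-default flags.
SAMPLE_OUTPUT = r"""
User data for smith (ADMIN)
  key (0) cksum is 3414844392, last cpw: Wed Jan 3 16:05:44 1990
  entry expires on never. Max ticket lifetime 100.00 hours.
  last mod on Thu Dec 21 08:22:29 1989 by admin
User data for terry
  key (0) cksum is 529538018, last cpw: Fri Jan 19 09:00:00 1990
  entry expires on never. Max ticket lifetime 100.00 hours.
  last mod on Thu Dec 21 08:43:29 1989 by admin
User data for afs
  key (12): \357\253\304\352a\236\253\352, last cpw: Thu Jan 11 14:53:29 1990
  entry expires on never. Max ticket lifetime 100.00 hours.
  last mod on Thu Jan 11 14:53:29 1990 by admin
User data for backup (NOTGS+NOCPW)
  key (3) cksum is 1234567890, last cpw: Mon Feb 5 10:00:00 1990
  entry expires on never. Max ticket lifetime 25.00 hours.
  last mod on Mon Feb 5 10:00:00 1990 by admin
"""
# Assumed "bos listkeys" checksum for afs key version 12, used to check an afs
# entry that shows a checksum (one read while authorization checking was on).
BOS_LISTKEYS_CKSUMS = {12: 2035850286}

HEADER_RE = re.compile(r"^User data for (\S+)(?: \(([A-Z+]+)\))?\s*$")
KEY_RE = re.compile(r"^\s*key \((\d+)\)(?: cksum is (\d+)|: (.*?)), last cpw: (.*?)\s*$")
EXPIRE_RE = re.compile(r"^\s*entry expires on (.*?)\. Max ticket lifetime ([\d.]+) hours\.")
MOD_RE = re.compile(r"^\s*last mod on (.*?) by (\S+)")


@dataclass
class Entry:
    name: str
    flags: List[str] = field(default_factory=list)
    kvno: int = -1
    cksum: Optional[int] = None      # present when authorization checking is on
    key: Optional[bytes] = None      # present only when the raw key was printed
    last_cpw: str = ""
    expires: str = ""
    max_lifetime_hours: float = 0.0
    last_mod: str = ""
    last_mod_by: str = ""


def decode_octal_key(printed: str) -> bytes:
    """Undo kas's rendering: \\ooo for non-printable bytes, the literal
    character otherwise (the 'a' in the afs example is the byte 0x61)."""
    out = bytearray()
    for m in re.finditer(r"\\([0-7]{1,3})|(.)", printed):
        out.append(int(m.group(1), 8) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)


def has_des_parity(key: bytes) -> bool:
    """A DES key is 8 bytes, each carrying odd parity (an odd count of 1 bits)."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def parse_entries(text: str) -> List[Entry]:
    """One Entry per 'User data for' block, fields taken from the lines that follow."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            entries.append(Entry(m.group(1), m.group(2).split("+") if m.group(2) else []))
        elif not entries:
            continue                 # anything before the first header is ignored
        elif m := KEY_RE.match(line):
            cur = entries[-1]
            cur.kvno, cur.last_cpw = int(m.group(1)), m.group(4)
            cur.cksum = int(m.group(2)) if m.group(2) else None
            cur.key = decode_octal_key(m.group(3)) if m.group(3) is not None else None
        elif m := EXPIRE_RE.match(line):
            entries[-1].expires, entries[-1].max_lifetime_hours = m.group(1), float(m.group(2))
        elif m := MOD_RE.match(line):
            entries[-1].last_mod, entries[-1].last_mod_by = m.group(1), m.group(2)
    return entries


def audit(entries: List[Entry], bos_cksums: Optional[Dict[int, int]] = None) -> List[str]:
    """The conditions an administrator auditing a cell would want reported."""
    findings = []
    for e in entries:
        if "ADMIN" in e.flags:
            findings.append(f"{e.name}: ADMIN flag set (may issue privileged kas commands)")
        findings += [f"{e.name}: non-default flag {f}"
                     for f in ("NOTGS", "NOSEAL", "NOCPW") if f in e.flags]
        if e.key is not None:
            findings.append(f"{e.name}: raw key printed, so authorization checking is off "
                            "on the server that answered")
            if not has_des_parity(e.key):
                findings.append(f"{e.name}: key bytes fail the DES odd-parity check")
        if (e.name == "afs" and e.cksum is not None and bos_cksums is not None
                and bos_cksums.get(e.kvno) != e.cksum):
            findings.append(f"afs: key {e.kvno} cksum {e.cksum} does not match bos listkeys")
    return findings
```

     To use it on a real cell, pass the concatenated output of kas examine
     for the entries of interest to parse_entries and the checksum values
     from bos listkeys, keyed by key version number, to audit. A "raw key
     printed" finding is itself worth acting on: it means the answering
     server still has authorization checking turned off.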
PRIVILEGE REQUIRED
     A user may examine his or her own entry. To examine others'
     entries, the issuer must have the ADMIN flag set in his or her
     Authentication Database entry.

     To look at actual keys, authorization checking must be disabled on
     the database server machine with bos setauth, which implies being
     listed in /usr/afs/etc/UserList; it is not necessary to have the
     ADMIN flag in addition.