kas interactive          AFS Commands          kas interactive

kas interactive -- enter interactive mode for

[-admin_username <admin principal to use for
[-password_for_admin <admin password>] [-cell <cell name>]
[-servers <explicit list of authentication

ACCEPTABLE ABBREVIATIONS/ALIASES

kas i [-a <admin principal to use for authentication>] [-p
[-c <cell name>] [-s <explicit list of authentication

Enters interactive mode. By establishing an authenticated
connection in this way, the issuer will not have to type his
or her password at each command as would be necessary in
regular mode. The authenticated connection lasts for one
hour unless the maximum ticket lifetime for the issuer or
the Authentication Server is shorter.

It is also possible to establish an unauthenticated
connection under the identity anonymous by using the -noauth
flag. During normal operation, there is no point to doing
so, because the Authentication Server still does
authorization checking and will not allow anonymous, who is
unprivileged by definition, to perform privileged commands.

A possible situation in which an issuer might wish to enter
interactive mode unauthenticated is if he or she knows that
attempting to authenticate will cause a problem, but wants
to list some unprivileged information. Attempting to
authenticate could cause a problem, for instance, if the
Authentication Server no longer knows the key used to seal
the ticket the user has (perhaps it is no longer in
/usr/afs/etc/KeyFile).

The other repercussions of entering interactive mode are:

- A "ka>" prompt replaces the issuer's regular

- It is no longer necessary or legal to type kas at
  the beginning of a command. Type the operation
  code as the first part of the command

- It is not useful to include the common arguments
  described in section 4.3 in the Reference Manual:
  -admin_username, -password_for_admin, -cell,
  -servers. They are ignored, because the variables
  corresponding to them are set as the issuer enters
  interactive mode, and cannot be changed without
  leaving interactive mode. It is legal to provide

There are two additional ways to enter interactive mode:

1. Type kas without any operation code. By default,
   the command interpreter establishes a connection
   with all of the Authentication Servers in the
   local cell. They attempt to authenticate the
   user logged into the machine from which the
   command is issued, based on the password the
   issuer provides at the prompt. The issuer may
   specify an alternate identity, password, cell
   name and/or list of Authentication Servers by
   using the first four common arguments described
   in section 4.3 in the Reference Manual.

2. Type kas followed by a user name and cell name,
   separated by an "@" sign (example: kas
   smith@transarc.com). The Authentication Server
   attempts to authenticate the specified user in
   the specified cell, and prompts for his or her
   password in the specified cell. This method is
   most useful when the issuer wishes to enter
   interactive mode with a different identity than
   the one under which he or she is currently logged

-admin_username
specifies the user name under which the issuer wishes to
perform the command. If the issuer does not provide it, the
current identity is used. See section 4.3 in the Reference
Manual for more details.

specifies the issuer's password. If provided here, the
password is visible on the screen. If the issuer does not
provide it, it will be prompted for and not be visible on
the screen. See section 4.3 in the Reference Manual for more

specifies the cell in which to run the command, if not the
local cell. See section 4.3 in the Reference Manual for
more details.

-servers
specifies the database server machine(s) with which to
establish a connection. See section 4.3 in the Reference
Manual for more details.

-noauth
establishes an unauthenticated connection between the
Authentication Servers and issuer, whom they assign the
unprivileged identity anonymous rather than attempting
mutual authentication. Using this argument on this command
is useful only when authorization checking is disabled on
the file server machine (during the installation of a file
server machine or when bos setauth has been used during
other unusual circumstances). Under normal authorization
checking circumstances, the Authentication Servers will
allow only authorized (privileged) users to issue commands
that change the status of a server or configuration file,
even if the -noauth flag was used when entering interactive
mode. See section 4.3 in the Reference Manual for more

prints the online help for this command. Do not provide any
other arguments or flags with this one. See section 4.3 in
the Reference Manual for more details.
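
The argument descriptions above note that a password given as an argument is visible on the screen; it is just as visible in anything that records the typed command, such as shell history or exec audit logs. The following audit sketch is an added example, not part of the original manual page or of AFS: it flags recorded kas invocations that pass the password as an argument or use -noauth, and redacts the password value in its report. The sample records, the /constructed/path prefix, the finding names and the prefix matching of flags (generalized from the -p alias shown above) are assumptions.

```python
import shlex

PASSWORD_FLAG = "-password_for_admin"   # abbreviated as -p on this page
NOAUTH_FLAG = "-noauth"

def _is_flag(token, flag, min_len):
    # Assumption: flags may be shortened to a leading prefix, as with -p.
    return len(token) >= min_len and flag.startswith(token)

def audit_kas_command(line):
    """Return (findings, redacted_command) for one recorded command line."""
    try:
        argv = shlex.split(line)
    except ValueError:              # unbalanced quotes in the record
        argv = line.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "kas":
        return [], line             # not a kas invocation
    findings, redacted = [], list(argv)
    for i, tok in enumerate(argv):
        if _is_flag(tok, PASSWORD_FLAG, 2):
            # A value after the flag means the password was typed in clear.
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                findings.append("password-on-command-line")
                redacted[i + 1] = "REDACTED"
        elif _is_flag(tok, NOAUTH_FLAG, 3):
            findings.append("noauth-session")
    return findings, shlex.join(redacted)

# Constructed sample records (for example shell history or exec audit lines).
SAMPLE = [
    "kas i admin",
    "kas interactive -admin_username admin -password_for_admin CONSTRUCTED_PW",
    "/constructed/path/kas i -a admin -p CONSTRUCTED_PW -c cell.example",
    "kas i -noauth",
    "ls -p /tmp",
]

def audit(lines):
    """Keep only records with findings; the password value is never echoed."""
    report = []
    for line in lines:
        findings, safe = audit_kas_command(line)
        if findings:
            report.append((findings, safe))
    return report

if __name__ == "__main__":
    for findings, safe in audit(SAMPLE):
        print(",".join(findings), "|", safe)
```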

The following shows a user entering interactive mode as the
privileged user admin.

    % kas i admin
    Password for admin:
    ka>

None. A password will be prompted for, and something must
be typed in response, but the issuer needs to provide the
correct password only if he or she wishes to issue
privileged commands while in interactive mode. If he or she
provides a wrong character string, the Authentication
Server assigns the unprivileged identity anonymous.

(kas) noauthentication (kas) quit