=head1 NAME kas_examine - Displays information from an Authentication Database entry =head1 SYNOPSIS =for html
B S<<< B<-name> > >>> [B<-showkey>] S<<< [B<-admin_username> >] >>> S<<< [B<-password_for_admin> >] >>> S<<< [B<-cell> >] >>> S<<< [B<-servers> >+] >>> [B<-noauth>] [B<-help>] B S<<< B<-na> > >>> [B<-sh>] S<<< [B<-a> >] >>> S<<< [B<-p> >] >>> S<<< [B<-c> >] >>> S<<< [B<-se> >+] >>> [B<-no>] [B<-h>] =for html
=head1 DESCRIPTION The B command formats and displays information from the Authentication Database entry of the user named by the B<-name> argument. To alter the settings displayed with this command, issue the B command. =head1 CAUTIONS Displaying actual keys on the standard output stream by including the B<-showkey> flag constitutes a security exposure. For most purposes, it is sufficient to display a checksum. =head1 OPTIONS =over 4 =item B<-name> > Names the Authentication Database entry from which to display information. =item B<-showkey> Displays the octal digits that constitute the key. The issuer must have the C flag on his or her Authentication Database entry. =item B<-admin_username> > Specifies the user identity under which to authenticate with the Authentication Server for execution of the command. For more details, see L. =item B<-password_for_admin> > Specifies the password of the command's issuer. If it is omitted (as recommended), the B command interpreter prompts for it and does not echo it visibly. For more details, see L. =item B<-cell> > Names the cell in which to run the command. For more details, see L. =item B<-servers> >+ Names each machine running an Authentication Server with which to establish a connection. For more details, see L. =item B<-noauth> Assigns the unprivileged identity C to the issuer. For more details, see L. =item B<-help> Prints the online help for this command. All other valid options are ignored. =back =head1 OUTPUT The output includes: =over 4 =item * The entry name, following the string C. =item * One or more status flags in parentheses; they appear only if an administrator has used the B command to change them from their default values. A plus sign (C<+>) separates the flags if there is more than one. The nondefault values that can appear, and their meanings, are as follows: =over 4 =item ADMIN Enables the user to issue privileged B commands (default is C). =item NOTGS Prevents the user from obtaining tickets from the Authentication Server's Ticket Granting Service (default is C). =item NOSEAL Prevents the Ticket Granting Service from using the entry's key field as an encryption key (default is C). =item NOCPW Prevents the user from changing his or her password (default is C). =back =item * The key version number, in parentheses, following the word C, then one of the following. =over 4 =item * A checksum equivalent of the key, following the string C, if the B<-showkey> flag is not included. The checksum is a decimal number derived by encrypting a constant with the key. In the case of the C entry, this number must match the checksum with the corresponding key version number in the output of the B command; if not, follow the instructions in the I for creating a new server encryption key. =item * The actual key, following a colon, if the B<-showkey> flag is included. The key consists of eight octal numbers, each represented as a backslash followed by three decimal digits. =back =item * The date the user last changed his or her own password, following the string C (which stands for "last change of password"). =item * The string C indicates that the associated password never expires; the string C is followed by the password's expiration date. After the indicated date, the user cannot authenticate, but has 30 days after it in which to use the B or B command to set a new password. After 30 days, only an administrator (one whose account is marked with the C flag) can change the password by using the B command. To set the password expiration date, use the B command's B<-pwexpires> argument. =item * The number of times the user can fail to provide the correct password before the account locks, followed by the string C, or the string C to indicate that there is no limit. To set the limit, use the B command's B<-attempts> argument. To unlock a locked account, use the B command. The B reference page discusses how the implementation of the lockout feature interacts with this setting. =item * The number of minutes for which the Authentication Server refuses the user's login attempts after the limit on consecutive unsuccessful authentication attempts is exceeded, following the string C. Use the B command's B<-locktime> argument to set the lockout time. This line appears only if a limit on the number of unsuccessful authentication attempts has been set with the B command's B<-attempts> argument. =item * An indication of whether the Authentication Server is currently refusing the user's login attempts. The string C indicates that authentication can succeed, whereas the string C I