+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 3//EN">
-<HTML><HEAD>
-<TITLE>Administration Reference</TITLE>
-<!-- Begin Header Records ========================================== -->
-<!-- /tmp/idwt3190/auarf000.scr converted by idb2h R4.2 (359) ID -->
-<!-- Workbench Version (AIX) on 5 Nov 1999 at 13:58:29 -->
-<META HTTP-EQUIV="updated" CONTENT="Fri, 05 Nov 1999 13:58:29">
-<META HTTP-EQUIV="review" CONTENT="Sun, 05 Nov 2000 13:58:29">
-<META HTTP-EQUIV="expires" CONTENT="Mon, 05 Nov 2001 13:58:29">
-</HEAD><BODY>
-<!-- (C) IBM Corporation 2000. All Rights Reserved -->
-<BODY bgcolor="ffffff">
-<!-- End Header Records ============================================ -->
-<A NAME="Top_Of_Page"></A>
-<H1>Administration Reference</H1>
-<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf184.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auarf186.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
-<P>
-<H2><A NAME="HDRKAS_EXAMINE" HREF="auarf002.htm#ToC_199">kas examine</A></H2>
-<A NAME="IDX5082"></A>
-<A NAME="IDX5083"></A>
-<A NAME="IDX5084"></A>
-<A NAME="IDX5085"></A>
-<A NAME="IDX5086"></A>
-<A NAME="IDX5087"></A>
-<A NAME="IDX5088"></A>
-<A NAME="IDX5089"></A>
-<A NAME="IDX5090"></A>
-<A NAME="IDX5091"></A>
-<A NAME="IDX5092"></A>
-<A NAME="IDX5093"></A>
-<A NAME="IDX5094"></A>
-<A NAME="IDX5095"></A>
-<A NAME="IDX5096"></A>
-<A NAME="IDX5097"></A>
-<A NAME="IDX5098"></A>
-<A NAME="IDX5099"></A>
-<A NAME="IDX5100"></A>
-<P><STRONG>Purpose</STRONG>
-<P>Displays information from an Authentication Database entry
-<P><STRONG>Synopsis</STRONG>
-<PRE><B>kas examine -name</B> <<VAR>name of user</VAR>> [<B>-showkey</B>]
- [<B>-admin_username</B> <<VAR>admin principal to use for authentication</VAR>>]
- [<B>-password_for_admin</B> <<VAR>admin password</VAR>>] [<B>-cell</B> <<VAR>cell name</VAR>>]
- [<B>-servers</B> <<VAR>explicit list of authentication servers</VAR>><SUP>+</SUP>]
- [<B>-noauth</B>] [<B>-help</B>]
-
-<B>kas e -na</B> <<VAR>name of user</VAR>> [<B>-sh</B>]
- [<B>-a</B> <<VAR>admin principal to use for authentication</VAR>>]
- [<B>-p</B> <<VAR>admin password</VAR>>] [<B>-c</B> <<VAR>cell name</VAR>>]
- [<B>-se</B> <<VAR>explicit list of authentication servers</VAR>><SUP>+</SUP>] [<B>-no</B>] [<B>-h</B>]
-</PRE>
-<P><STRONG>Description</STRONG>
-<P>The <B>kas examine</B> command formats and displays information from
-the Authentication Database entry of the user named by the <B>-name</B>
-argument.
-<P>To alter the settings displayed with this command, issue the <B>kas
-setfields</B> command.
-<P><STRONG>Cautions</STRONG>
-<P>Displaying actual keys on the standard output stream by including the
-<B>-showkey</B> flag constitutes a security exposure. For most
-purposes, it is sufficient to display a checksum.
-<P><STRONG>Options</STRONG>
-<DL>
-<P><DT><B>-name
-</B><DD>Names the Authentication Database entry from which to display
-information.
-<P><DT><B><B>-showkey</B>
-</B><DD>Displays the octal digits that constitute the key. The issuer must
-have the <TT>ADMIN</TT> flag on his or her Authentication Database
-entry.
-<P><DT><B>-admin_username
-</B><DD>Specifies the user identity under which to authenticate with the
-Authentication Server for execution of the command. For more details,
-see the introductory <B>kas</B> reference page.
-<P><DT><B>-password_for_admin
-</B><DD>Specifies the password of the command's issuer. If it is
-omitted (as recommended), the <B>kas</B> command interpreter prompts for
-it and does not echo it visibly. For more details, see the introductory
-<B>kas</B> reference page.
-<P><DT><B>-cell
-</B><DD>Names the cell in which to run the command. For more details, see
-the introductory <B>kas</B> reference page.
-<P><DT><B>-servers
-</B><DD>Names each machine running an Authentication Server with which to
-establish a connection. For more details, see the introductory
-<B>kas</B> reference page.
-<P><DT><B>-noauth
-</B><DD>Assigns the unprivileged identity <B>anonymous</B> to the
-issuer. For more details, see the introductory <B>kas</B> reference
-page.
-<P><DT><B>-help
-</B><DD>Prints the online help for this command. All other valid options
-are ignored.
-</DL>
-<P><STRONG>Output</STRONG>
-<P>The output includes:
-<UL>
-<P><LI>The entry name, following the string <TT>User data for</TT>.
-<P><LI>One or more status flags in parentheses; they appear only if an
-administrator has used the <B>kas setfields</B> command to change them
-from their default values. A plus sign (<TT>+</TT>) separates the
-flags if there is more than one. The nondefault values that can appear,
-and their meanings, are as follows:
-<DL>
-<P><DT><B><TT>ADMIN</TT>
-</B><DD>Enables the user to issue privileged <B>kas</B> commands (default is
-<TT>NOADMIN</TT>)
-<P><DT><B><TT>NOTGS</TT>
-</B><DD>Prevents the user from obtaining tickets from the Authentication
-Server's Ticket Granting Service (default is <TT>TGS</TT>)
-<P><DT><B><TT>NOSEAL</TT>
-</B><DD>Prevents the Ticket Granting Service from using the entry's key field
-as an encryption key (default is <TT>SEAL</TT>)
-<P><DT><B><TT>NOCPW</TT>
-</B><DD>Prevents the user from changing his or her password (default is
-<TT>CPW</TT>)
-</DL>
-<A NAME="IDX5101"></A>
-<A NAME="IDX5102"></A>
-<A NAME="IDX5103"></A>
-<P><LI>The key version number, in parentheses, following the word <TT>key</TT>,
-then one of the following.
-<UL>
-<P><LI>A checksum equivalent of the key, following the string <TT>cksum
-is</TT>, if the <B>-showkey</B> flag is not included. The checksum
-is a decimal number derived by encrypting a constant with the key. In
-the case of the <B><B>afs</B></B> entry, this number must match the
-checksum with the corresponding key version number in the output of the
-<B>bos listkeys</B> command; if not, follow the instructions in the
-<I>AFS Administration Guide</I> for creating a new server encryption
-key.
-<P><LI>The actual key, following a colon, if the <B>-showkey</B> flag is
-included. The key consists of eight octal numbers, each represented as
-a backslash followed by three decimal digits.
-</UL>
-<P><LI>The date the user last changed his or her own password, following the
-string <TT>last cpw</TT> (which stands for "last change of
-password").
-<P><LI>The string <TT>password will never expire</TT> indicates that the
-associated password never expires; the string <TT>password will
-expire</TT> is followed by the password's expiration date. After
-the indicated date, the user cannot authenticate, but has 30 days after it in
-which to use the <B>kpasswd</B> or <B>kas setpassword</B> command to
-set a new password. After 30 days, only an administrator (one whose
-account is marked with the <TT>ADMIN</TT> flag) can change the password by
-using the <B>kas setpassword</B> command. To set the password
-expiration date, use the <B>kas setfields</B> command's
-<B>-pwexpires</B> argument.
-<P><LI>The number of times the user can fail to provide the correct password
-before the account locks, followed by the string <TT>consecutive unsuccessful
-authentications are permitted</TT>, or the string <TT>An unlimited number of
-unsuccessful authentications is permitted</TT> to indicate that there is no
-limit. To set the limit, use the <B>kas setfields</B>
-command's <B>-attempts</B> argument. To unlock a locked
-account, use the <B>kas unlock</B> command. The <B>kas
-setfields</B> reference page discusses how the implementation of the lockout
-feature interacts with this setting.
-<P><LI>The number of minutes for which the Authentication Server refuses the
-user's login attempts after the limit on consecutive unsuccessful
-authentication attempts is exceeded, following the string <TT>The lock time
-for this user is</TT>. Use the <B>kas</B> command's
-<B>-locktime</B> argument to set the lockout time. This line
-appears only if a limit on the number of unsuccessful authentication attempts
-has been set with the the <B>kas setfields</B> command's
-<B>-attempts</B> argument.
-<P><LI>An indication of whether the Authentication Server is currently refusing
-the user's login attempts. The string <TT>User is not
-locked</TT> indicates that authentication can succeed, whereas the string
-<TT>User is locked until</TT> <VAR>time</VAR> indicates that the user cannot
-authenticate until the indicated time. Use the <B>kas unlock</B>
-command to enable a user to attempt authentication. This line appears
-only if a limit on the number of unsuccessful authentication attempts has been
-set with the <B>kas setfields</B> command's <B>-attempts</B>
-argument.
-<P><LI>The date on which the Authentication Server entry expires, or the string
-<TT>entry never expires</TT> to indicate that the entry does not
-expire. A user becomes unable to authenticate when his or her entry
-expires. Use the <B>kas setfields</B> command's
-<B>-expiration</B> argument to set the expiration date.
-<P><LI>The maximum possible lifetime of the tokens that the Authentication Server
-grants the user. This value interacts with several others to determine
-the actual lifetime of the token, as described on the <B>klog</B>
-reference page. Use the <B>kas setfields</B> command's
-<B>-lifetime</B> argument to set this value.
-<P><LI>The date on which the entry was last modified, following the string
-<TT>last mod on</TT> and the user name of the administrator who modified
-it. The date on which a user changed his or her own password is
-recorded on the second line of output as <TT>last cpw</TT> instead.
-<P><LI>An indication of whether the user can reuse one of his or her last twenty
-passwords when issuing the <B>kpasswd</B>, <B>kas setpassword</B>, or
-<B>kas setkey</B> commands. Use the <B>kas setfields</B>
-command's <B>-reuse</B> argument to set this restriction.
-</UL>
-<P><STRONG>Examples</STRONG>
-<P>The following example command shows the user <B>smith</B> displaying
-her own Authentication Database entry. Note the <TT>ADMIN</TT> flag,
-which shows that <B>smith</B> is privileged.
-<PRE> % <B>kas examine smith</B>
- Password for smith:
- User data for smith (ADMIN)
- key (0) cksum is 3414844392, last cpw: Thu Mar 25 16:05:44 1999
- password will expire: Fri Apr 30 20:44:36 1999
- 5 consecutive unsuccessful authentications are permitted.
- The lock time for this user is 25.5 minutes.
- User is not locked.
- entry never expires. Max ticket lifetime 100.00 hours.
- last mod on Tue Jan 5 08:22:29 1999 by admin
- permit password reuse
-
-</PRE>
-<P>In the following example, the user <B>pat</B> examines his
-Authentication Database entry to determine when the account lockout currently
-in effect will end.
-<PRE> % <B>kas examine pat</B>
- Password for pat:
- User data for pat
- key (0) cksum is 73829292912, last cpw: Wed Apr 7 11:23:01 1999
- password will expire: Fri Jun 11 11:23:01 1999
- 5 consecutive unsuccessful authentications are permitted.
- The lock time for this user is 25.5 minutes.
- User is locked until Tue Sep 21 12:25:07 1999
- entry expires on never. Max ticket lifetime 100.00 hours.
- last mod on Thu Feb 4 08:22:29 1999 by admin
- permit password reuse
-
-</PRE>
-<P>In the following example, an administrator logged in as <B>admin</B>
-uses the <B>-showkey</B> flag to display the octal digits that constitute
-the key in the <B>afs</B> entry.
-<PRE> % <B>kas examine -name afs -showkey</B>
- Password for admin: <VAR>admin_password</VAR>
- User data for afs
- key (12): \357\253\304\352\234\236\253\352, last cpw: no date
- entry never expires. Max ticket lifetime 100.00 hours.
- last mod on Thu Mar 25 14:53:29 1999 by admin
- permit password reuse
-
-</PRE>
-<P><STRONG>Privilege Required</STRONG>
-<P>A user can examine his or her own entry. To examine others'
-entries or to include the <B>-showkey</B> flag, the issuer must have the
-<TT>ADMIN</TT> flag set in his or her Authentication Database entry.
-<P><STRONG>Related Information</STRONG>
-<P><A HREF="auarf095.htm#HDRBOS_ADDKEY">bos addkey</A>
-<P><A HREF="auarf107.htm#HDRBOS_LISTKEYS">bos listkeys</A>
-<P><A HREF="auarf115.htm#HDRBOS_SETAUTH">bos setauth</A>
-<P><A HREF="auarf181.htm#HDRKAS_INTRO">kas</A>
-<P><A HREF="auarf193.htm#HDRKAS_SETFIELDS">kas setfields</A>
-<P><A HREF="auarf194.htm#HDRKAS_SETPASSWORD">kas setpassword</A>
-<P><A HREF="auarf197.htm#HDRKAS_UNLOCK">kas unlock</A>
-<P><A HREF="auarf200.htm#HDRKLOG">klog</A>
-<P><A HREF="auarf202.htm#HDRKPASSWD">kpasswd</A>
-<P>
-<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf184.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auarf186.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
-<!-- Begin Footer Records ========================================== -->
-<P><HR><B>
-<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
-</B>
-<!-- End Footer Records ============================================ -->
-<A NAME="Bot_Of_Page"></A>
-</BODY></HTML>
git://git.openafs.org / openafs.git / blobdiff