=head1 NAME

kas - Introduction to the C<kas> command suite

=head1 DESCRIPTION
The commands in the C<kas> command suite are the administrative interface
to the Authentication Server, which runs on each database server
machine in a cell, maintains the Authentication Database, and provides
the authentication tickets that client applications must present to
AFS servers in order to obtain access to AFS data and other services.
There are several categories of commands in the C<kas> command suite:

=over 4

=item *

Commands to create, modify, examine and delete entries in the
Authentication Database, including passwords: C<kas create>, C<kas
delete>, C<kas examine>, C<kas list>, C<kas setfields>, C<kas setkey>, C<kas
setpassword>, and C<kas unlock>

=item *

Commands to create, delete, and examine tokens and server tickets:
C<kas forgetticket>, C<kas listtickets>, C<kas noauthentication>, and C<kas

=item *

A command to enter interactive mode: C<kas interactive>

=item *

A command to trace Authentication Server operations: C<kas

=item *

Commands to obtain help: C<kas apropos> and C<kas help>

=back
Because of the sensitivity of information in the Authentication
Database, the Authentication Server authenticates issuers of C<kas>
commands directly, rather than accepting the standard token generated
by the Ticket Granting Service. Any C<kas> command that requires
administrative privilege prompts the issuer for a password. The
resulting ticket is valid for six hours unless the maximum ticket
lifetime for the issuer or the Authentication Server's Ticket Granting
To avoid having to provide a password repeatedly when issuing a
sequence of C<kas> commands, enter I<interactive mode> by issuing the C<kas
interactive> command, typing C<kas> without any operation code, or typing
C<kas> followed by a user and cell name, separated by an at-sign (@; an
example is C<kas smith.admin@abc.com>). After prompting once for a
password, the Authentication Server accepts the resulting token for
every command issued during the interactive session. See the reference
page for the C<kas interactive> command for a discussion of when to use
each method for entering interactive mode and of the effects of
The Authentication Server maintains two databases on the local disk of
the machine where it runs:

=over 4

=item *

The Authentication Database (B</usr/afs/db/kaserver.DB0>) stores the
information used to provide AFS authentication services to users
and servers, including the password scrambled as an encryption
key. The reference page for the C<kas examine> command describes the
information in a database entry.

=item *

An auxiliary file (B</usr/afs/local/kaauxdb> by default) that tracks
how often the user has provided an incorrect password to the local
Authentication Server. The reference page for the C<kas setfields>
command describes how the Authentication Server uses this file to
enforce the limit on consecutive authentication failures. To
designate an alternate directory for the file, use the C<kaserver>
command's B<-localfiles> argument.

=back
=head1 OPTIONS

The following arguments and flags are available on many commands in
the C<kas> suite. (Some of them are unavailable on commands entered in
interactive mode, because the information they specify is established
when entering interactive mode and cannot be changed except by leaving
interactive mode.) The reference page for each command also lists
them, but they are described here in greater detail.

=over 4

=item B<-admin_username>
Specifies the user identity under which to authenticate with
the Authentication Server for execution of the command. If this
argument is omitted, the C<kas> command interpreter requests
authentication for the identity under which the issuer is
logged onto the local machine. Do not combine this argument
with the B<-noauth> flag.
=item B<-cell> I<cell name>

Names the cell in which to run the command. It is acceptable to
abbreviate the cell name to the shortest form that
distinguishes it from the other entries in the
B</usr/vice/etc/CellServDB> file on the local machine. If the
B<-cell> argument is omitted, the command interpreter determines
the name of the local cell by reading the following in order:

=over 4

=item *

The value of the AFSCELL environment variable

=item *

The local B</usr/vice/etc/ThisCell> file

=back

The B<-cell> argument is not available on commands issued in
interactive mode. The cell defined when the C<kas> command
interpreter enters interactive mode applies to all commands
issued during the interactive session.
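The lookup order and the abbreviation rule described above, as an added example in Python (not OpenAFS code): the CellServDB text, cell names and addresses below are constructed for the demonstration, and the function names are this example's own.

```python
"""Resolve the cell a kas command runs in, following the order the -cell
description documents: an explicit -cell value (which may be abbreviated
to a prefix that matches exactly one CellServDB entry), else the AFSCELL
environment variable, else the contents of ThisCell.  Added example, not
OpenAFS code; the CellServDB text is constructed for the demonstration."""
import os

# Constructed sample in CellServDB format: a '>' line names a cell and the
# lines that follow list that cell's database server machines.
SAMPLE_CELLSERVDB = """\
>abc.com            #Example cell
192.0.2.10          #db1.abc.com
192.0.2.11          #db2.abc.com
>abc.example.org    #Second cell sharing a prefix with the first
192.0.2.20          #db1.abc.example.org
>xyz.com            #Third cell
192.0.2.30          #db1.xyz.com
"""


def cell_names(cellservdb_text):
    """Return the cell names declared in CellServDB text, in file order."""
    names = []
    for line in cellservdb_text.splitlines():
        if line.startswith(">"):
            # The cell name is the first token after '>'; the rest is a comment.
            names.append(line[1:].split()[0])
    return names


def expand_cell(abbrev, cellservdb_text):
    """Expand an abbreviated -cell value to the one CellServDB entry it
    identifies; raise ValueError when it matches no entry or several."""
    matches = [n for n in cell_names(cellservdb_text) if n.startswith(abbrev)]
    if len(matches) != 1:
        raise ValueError("cell %r is %s in CellServDB"
                         % (abbrev, "unknown" if not matches else "ambiguous"))
    return matches[0]


def resolve_cell(cell_arg, cellservdb_text, environ, thiscell_text):
    """Apply the documented precedence: -cell, then AFSCELL, then ThisCell."""
    if cell_arg:
        return expand_cell(cell_arg, cellservdb_text)
    if environ.get("AFSCELL"):
        return environ["AFSCELL"].strip()
    return thiscell_text.strip()


if __name__ == "__main__":
    print(resolve_cell("xyz", SAMPLE_CELLSERVDB, os.environ, "abc.com\n"))
```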
=item B<-help>

Prints a command's online help message on the standard output
stream. Do not combine this flag with any of the command's
other options; when it is provided, the command interpreter
ignores all other options, and only prints the help message.
=item B<-noauth>

Establishes an unauthenticated connection to the Authentication
Server, in which the Authentication Server treats the issuer as
the unprivileged user B<anonymous>. It is useful only when
authorization checking is disabled on the server machine
(during the installation of a server machine or when the C<bos
setauth> command has been used during other unusual
circumstances). In normal circumstances, the Authentication
Server allows only privileged users to issue most C<kas> commands,
and refuses to perform such an action even if the B<-noauth> flag
is provided. Do not combine this flag with the B<-admin_username>
and B<-password_for_admin> arguments.
=item B<-password_for_admin>

Specifies the password of the command's issuer. It is best to
omit this argument, which echoes the password visibly in the
command shell, and instead enter the password at the prompt. Do not
combine this argument with the B<-noauth> flag.
=item B<-servers>

Establishes a connection with the Authentication Server running
on each specified database server machine, instead of on each
machine listed in the local B</usr/vice/etc/CellServDB> file. In
either case, the C<kas> command interpreter then chooses one of
the machines at random to contact for execution of each
subsequent command. The issuer can abbreviate the machine name
to the shortest form that allows the local name service to
identify it uniquely.

=back
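The option-combination rules listed above, together with the C<user@cell> form for entering interactive mode, as an added Python example (not OpenAFS code): the argument lists in the comments are constructed, and the function names are this example's own.

```python
"""Check a kas argument list against the option rules this page documents:
-noauth excludes -admin_username and -password_for_admin, -help makes every
other option irrelevant, -password_for_admin exposes the password on the
command line, and -cell and -servers cannot be given to commands entered
in interactive mode.  Added example, not OpenAFS code; sample argument
lists such as ["examine", "smith", "-noauth"] are constructed."""


def parse_opts(argv):
    """Map each -option in argv to its values (a flag maps to an empty list).
    Operation code and positional operands before the first option are skipped."""
    opts, current = {}, None
    for arg in argv:
        if arg.startswith("-"):
            current = arg
            opts.setdefault(current, [])
        elif current is not None:
            opts[current].append(arg)
    return opts


def check_kas_invocation(argv, interactive=False):
    """Return the list of problems found (empty when the invocation is acceptable)."""
    opts = parse_opts(argv)
    problems = []
    if "-help" in opts:
        others = sorted(o for o in opts if o != "-help")
        if others:
            problems.append("-help ignores the other options given: %s" % ", ".join(others))
        return problems
    if "-noauth" in opts:
        for o in ("-admin_username", "-password_for_admin"):
            if o in opts:
                problems.append("%s cannot be combined with -noauth" % o)
    if "-password_for_admin" in opts:
        problems.append("-password_for_admin places the password on the command line; "
                        "omit it and answer the prompt instead")
    if interactive:
        for o in ("-cell", "-servers"):
            if o in opts:
                problems.append("%s is fixed on entering interactive mode and cannot be changed" % o)
    return problems


def split_admin_at_cell(spec):
    """Split the user@cell form used to enter interactive mode (kas smith.admin@abc.com)."""
    user, sep, cell = spec.partition("@")
    if not sep or not user or not cell:
        raise ValueError("expected user@cell, got %r" % spec)
    return user, cell
```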
=head1 PRIVILEGE REQUIRED

To issue most C<kas> commands, the issuer must have the C<ADMIN> flag set in
his or her Authentication Database entry (use the C<kas setfields>
command to turn the flag on).
=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

Converted from html to pod by Alf Wachsmann <alfw@slac.stanford.edu>, 2003,
and Elizabeth Cassell <e_a_c@mailsnare.net>, 2004,
Stanford Linear Accelerator Center, a department of Stanford University.
=head1 SEE ALSO

L<CellServDB_client_version(1)>,
L<kaserver.DB0(1)> and L<kaserver.DBSYS1(1)>,
L<kas_forgetticket(1)>,
L<kas_interactive(1)>,
L<kas_listtickets(1)>,
L<kas_noauthentication(1)>,
L<kas_setpassword(1)>,
L<kas_statistics(1)>,
L<kas_stringtokey(1)>,