kas examine - Displays information from an Authentication Database entry

B<kas examine -name> <I<name of user>> [-showkey]
[B<-admin_username> <I<admin principal to use for authentication>>]
[B<-password_for_admin> <I<admin password>>] [-cell <I<cell name>>]
[-servers <I<explicit list of authentication servers>>+]

B<kas e -na> <I<name of user>> [-sh]
[B<-a> <I<admin principal to use for authentication>>]
[B<-p> <I<admin password>>] [-c <I<cell name>>]
[B<-se> <I<explicit list of authentication servers>>+] [B<-no>] [-h]

The B<kas examine> command formats and displays information from
the Authentication Database entry of the user named by the B<-name>

To alter the settings displayed with this command, issue the kas

Displaying actual keys on the standard output stream by including the
B<-showkey> flag constitutes a security exposure. For most
purposes, it is sufficient to display a checksum.

Names the Authentication Database entry from which to display

Displays the octal digits that constitute the key. The issuer must
have the C<ADMIN> flag on his or her Authentication Database

Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. For more details,
see the introductory B<kas> reference page.

=item -password_for_admin

Specifies the password of the command's issuer. If it is
omitted (as recommended), the B<kas> command interpreter prompts for
it and does not echo it visibly. For more details, see the introductory
B<kas> reference page.

Names the cell in which to run the command. For more details, see
the introductory B<kas> reference page.

Names each machine running an Authentication Server with which to
establish a connection. For more details, see the introductory
B<kas> reference page.

Assigns the unprivileged identity anonymous to the
issuer. For more details, see the introductory B<kas> reference

Prints the online help for this command. All other valid options

The entry name, following the string C<User data for>.

One or more status flags in parentheses; they appear only if an
administrator has used the B<kas setfields> command to change them
from their default values. A plus sign (C<+>) separates the
flags if there is more than one. The nondefault values that can appear,
and their meanings, are as follows:

Enables the user to issue privileged kas commands (default is

Prevents the user from obtaining tickets from the Authentication
Server's Ticket Granting Service (default is C<TGS>)

Prevents the Ticket Granting Service from using the entry's key field
as an encryption key (default is C<SEAL>)

Prevents the user from changing his or her password (default is

The key version number, in parentheses, following the word C<key>,
then one of the following.

A checksum equivalent of the key, following the string C<cksum
is>, if the B<-showkey> flag is not included. The checksum
is a decimal number derived by encrypting a constant with the key. In
the case of the B<afs> entry, this number must match the
checksum with the corresponding key version number in the output of the
B<bos listkeys> command; if not, follow the instructions in the
I<IBM AFS Administration Guide> for creating a new server encryption

The actual key, following a colon, if the B<-showkey> flag is
included. The key consists of eight octal numbers, each represented as
a backslash followed by three decimal digits.

The date the user last changed his or her own password, following the
string C<last cpw> (which stands for "last change of

The string C<password will never expire> indicates that the
associated password never expires; the string C<password will
expire> is followed by the password's expiration date. After
the indicated date, the user cannot authenticate, but has 30 days after it in
which to use the B<kpasswd> or B<kas setpassword> command to
set a new password. After 30 days, only an administrator (one whose
account is marked with the C<ADMIN> flag) can change the password by
using the B<kas setpassword> command. To set the password
expiration date, use the B<kas setfields> command's
B<-pwexpires> argument.

The number of times the user can fail to provide the correct password
before the account locks, followed by the string C<consecutive unsuccessful
authentications are permitted>, or the string C<An unlimited number of
unsuccessful authentications is permitted> to indicate that there is no
limit. To set the limit, use the B<kas setfields>
command's B<-attempts> argument. To unlock a locked
account, use the B<kas unlock> command. The B<kas
setfields> reference page discusses how the implementation of the lockout
feature interacts with this setting.

The number of minutes for which the Authentication Server refuses the
user's login attempts after the limit on consecutive unsuccessful
authentication attempts is exceeded, following the string C<The lock time
for this user is>. Use the B<kas> command's
B<-locktime> argument to set the lockout time. This line
appears only if a limit on the number of unsuccessful authentication attempts
has been set with the B<kas setfields> command's
B<-attempts> argument.

An indication of whether the Authentication Server is currently refusing
the user's login attempts. The string C<User is not
locked> indicates that authentication can succeed, whereas the string
C<User is locked until> I<time> indicates that the user cannot
authenticate until the indicated time. Use the B<kas unlock>
command to enable a user to attempt authentication. This line appears
only if a limit on the number of unsuccessful authentication attempts has been
set with the B<kas setfields> command's B<-attempts>

The date on which the Authentication Server entry expires, or the string
C<entry never expires> to indicate that the entry does not
expire. A user becomes unable to authenticate when his or her entry
expires. Use the B<kas setfields> command's
B<-expiration> argument to set the expiration date.

The maximum possible lifetime of the tokens that the Authentication Server
grants the user. This value interacts with several others to determine
the actual lifetime of the token, as described on the B<klog>
reference page. Use the B<kas setfields> command's
B<-lifetime> argument to set this value.

The date on which the entry was last modified, following the string
C<last mod on> and the user name of the administrator who modified
it. The date on which a user changed his or her own password is
recorded on the second line of output as C<last cpw> instead.

An indication of whether the user can reuse one of his or her last twenty
passwords when issuing the B<kpasswd>, B<kas setpassword>, or
B<kas setkey> commands. Use the B<kas setfields>
command's B<-reuse> argument to set this restriction.

The following example command shows the user B<smith> displaying
her own Authentication Database entry. Note the C<ADMIN> flag,
which shows that B<smith> is privileged.

   User data for smith (ADMIN)
   key (0) cksum is 3414844392, last cpw: Thu Mar 25 16:05:44 1999
   password will expire: Fri Apr 30 20:44:36 1999
   5 consecutive unsuccessful authentications are permitted.
   The lock time for this user is 25.5 minutes.
   entry never expires. Max ticket lifetime 100.00 hours.
   last mod on Tue Jan 5 08:22:29 1999 by admin
   permit password reuse

In the following example, the user B<pat> examines his
Authentication Database entry to determine when the account lockout currently

   key (0) cksum is 73829292912, last cpw: Wed Apr 7 11:23:01 1999
   password will expire: Fri Jun 11 11:23:01 1999
   5 consecutive unsuccessful authentications are permitted.
   The lock time for this user is 25.5 minutes.
   User is locked until Tue Sep 21 12:25:07 1999
   entry expires on never. Max ticket lifetime 100.00 hours.
   last mod on Thu Feb 4 08:22:29 1999 by admin
   permit password reuse

In the following example, an administrator logged in as B<admin>
uses the B<-showkey> flag to display the octal digits that constitute
the key in the B<afs> entry.

   % kas examine -name afs -showkey
   Password for admin: I<admin_password>
   key (12): \357\253\304\352\234\236\253\352, last cpw: no date
   entry never expires. Max ticket lifetime 100.00 hours.
   last mod on Thu Mar 25 14:53:29 1999 by admin
   permit password reuse
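
Added example (not part of the original reference page or of AFS itself): a Python parser for the output format described above that lists the settings an auditor would review, including whether the key was printed in the clear. The sample entries are constructed from this page's examples, and the names C<parse_entry> and C<findings> are assumptions.

```python
import re

# Constructed samples modelled on the example output shown on this page.
SMITH = """User data for smith (ADMIN)
  key (0) cksum is 3414844392, last cpw: Thu Mar 25 16:05:44 1999
  password will expire: Fri Apr 30 20:44:36 1999
  5 consecutive unsuccessful authentications are permitted.
  The lock time for this user is 25.5 minutes.
  User is not locked.
  entry never expires. Max ticket lifetime 100.00 hours.
  last mod on Tue Jan 5 08:22:29 1999 by admin
  permit password reuse
"""
# Placeholder key digits (constructed), in the -showkey layout.
AFS_SHOWKEY = r"""User data for afs
  key (12): \000\000\000\000\000\000\000\000, last cpw: no date
  password will never expire.
  An unlimited number of unsuccessful authentications is permitted.
  entry never expires. Max ticket lifetime 100.00 hours.
  last mod on Thu Mar 25 14:53:29 1999 by admin
  permit password reuse
"""

def parse_entry(text):
    """Pull the security-relevant fields out of one kas examine entry."""
    head = re.search(r"User data for (\S+)(?: \(([^)]*)\))?", text)
    key = re.search(r"key \((\d+)\)(?: cksum is (\d+)|(:))", text)
    tries = re.search(r"(\d+) consecutive unsuccessful authentications", text)
    lock = re.search(r"User is locked until (.+)", text)
    return {
        "name": head.group(1) if head else None,
        "flags": head.group(2).split("+") if head and head.group(2) else [],
        "kvno": int(key.group(1)) if key else None,
        "cksum": int(key.group(2)) if key and key.group(2) else None,
        # A colon after the version number means -showkey printed the key;
        # the key digits themselves are deliberately not retained.
        "key_exposed": bool(key and key.group(3)),
        "attempts": int(tries.group(1)) if tries else None,
        "unlimited_attempts": "An unlimited number of unsuccessful" in text,
        "locked_until": lock.group(1).strip() if lock else None,
        "pw_never_expires": "password will never expire" in text,
        # Anchored to line start so a negated form of the line cannot match.
        "reuse_permitted": bool(re.search(r"^\s*permit password reuse", text, re.M)),
    }

def findings(entry):
    """Return review notes for settings an auditor would want to look at."""
    checks = [("ADMIN" in entry["flags"], "ADMIN flag set"),
              (entry["key_exposed"], "key printed in clear (-showkey)"),
              (entry["unlimited_attempts"], "no lockout limit"),
              (entry["pw_never_expires"], "password never expires"),
              (entry["reuse_permitted"], "password reuse permitted")]
    return [note for hit, note in checks if hit]
```
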

=head1 PRIVILEGE REQUIRED

A user can examine his or her own entry. To examine others'
entries or to include the B<-showkey> flag, the issuer must have the
C<ADMIN> flag set in his or her Authentication Database entry.

L<kas_setpassword(1)>,

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.