1 <?xml version="1.0" encoding="UTF-8"?>
3 <title>Using OpenAFS</title>
5 <para>This chapter explains how to perform four basic AFS tasks: logging in and authenticating with AFS, ending an AFS session,
6 accessing the AFS filespace, and changing your password.</para>
9 <title>Logging in and Authenticating with AFS</title>
11 <para>To access the AFS filespace as an authenticated user, you must both log into an AFS client machine's local (UNIX) file
12 system and authenticate with AFS. When you log in, you establish your local system identity. When you authenticate, you prove
13 your identity to AFS and obtain a token, which your Cache Manager uses to prove your authenticated status to the AFS server
14 processes it contacts on your behalf. Users who are not authenticated (who do not have a token) have limited access to AFS
15 directories and files.</para>
18 <title>Logging In</title>
20 <indexterm><primary>logging in</primary></indexterm>
22 <indexterm><primary>login utility</primary></indexterm>
24 <indexterm><primary>commands</primary><secondary>login</secondary></indexterm>
26 <para>On machines that use an AFS-modified login utility, you log in and authenticate in one step. On machines that do not use
27 an AFS-modified login utility, you log in and authenticate in separate steps. To determine which type of login utility your
28 machine uses, you can check for AFS tokens after logging in, or ask your system administrator, who can also tell you about any
29 differences between your login procedure and the two methods described here.</para>
32 <sect2 id="Header_33">
33 <title>To Log In Using an AFS-modified Login Utility</title>
35 <para>Provide your username at the <computeroutput>login:</computeroutput> prompt that appears when you establish a new
36 connection to a machine. Then provide your password at the <computeroutput>Password:</computeroutput> prompt as shown in the
37 following example. (Your password does not echo visibly on the screen.)</para>
40 login: <replaceable>username</replaceable>
41 Password: <replaceable>password</replaceable>
44 <para>If you are not sure which type of login utility is running on your machine, it is best to issue the <emphasis
45 role="bold">tokens</emphasis> command to check if you are authenticated; for instructions, see <link linkend="HDRWQ30">To
46 Display Your Tokens</link>. If you do not have tokens, issue the <emphasis role="bold">klog</emphasis> command as described in
47 <link linkend="HDRWQ29">To Authenticate with AFS</link>.</para>
51 <title>To Log In Using a Two-Step Login Procedure</title>
53 <para>If your machine does not use an AFS-modified login utility, you must perform a two-step procedure:
57 <para>Log in to your client machine's local file system by providing a user name and password at the <emphasis
58 role="bold">login</emphasis> program's prompts.</para>
62 <para>Issue the <emphasis role="bold">klog</emphasis> command to authenticate with AFS. Include the command's <emphasis
63 role="bold">-setpag</emphasis> argument to associate your token with a special identification number called a
64 <emphasis>PAG</emphasis> (for <emphasis>process authentication group</emphasis>). For a description of PAGs, see <link
65 linkend="HDRWQ25">Protecting Your Tokens with a PAG</link>. <programlisting>
67 % <emphasis role="bold">klog -setpag</emphasis>
68 Password: <replaceable>your_AFS_password</replaceable>
69 </programlisting></para>
75 <para>If your machine uses a two-step login procedure, you can choose to use different passwords for logging in and
76 authenticating. It is simplest to use the same one for both, though. Talk with your system administrator.</para>
81 <title>Authenticating with AFS</title>
83 <para>To work most effectively in the AFS filespace, you must authenticate with AFS. When you do, your Cache Manager is given
84 a token as proof of your authenticated status. It uses your token when requesting services from AFS servers, which accept the
85 token as proof of your authenticated status. If you do not have a token, AFS servers consider you to be the <emphasis
86 role="bold">anonymous</emphasis> user and your access to AFS filespace is limited: you have only the ACL permissions granted
87 to the <emphasis role="bold">system:anyuser</emphasis> group. <indexterm><primary>authentication</primary><secondary>tokens as proof</secondary></indexterm> <indexterm><primary>tokens</primary><secondary>as proof of authentication</secondary></indexterm> <indexterm><primary>Cache Manager</primary><secondary>tokens, use of</secondary></indexterm></para>
89 <para>You can obtain new tokens (reauthenticate) at any time, even after using an AFS-modified login utility, which logs you
90 in and authenticates you in one step. Issue the <emphasis role="bold">klog</emphasis> command as described in <link
91 linkend="HDRWQ29">To Authenticate with AFS</link>.</para>
94 <title>Protecting Your Tokens with a PAG</title>
96 <para>To make your access to AFS as secure as possible, it is best to associate your tokens with a unique identification
97 number called a <emphasis>PAG</emphasis> (for <emphasis>process authentication group</emphasis>). <indexterm><primary>PAG</primary></indexterm>
98 <indexterm><primary>process authentication group (PAG)</primary></indexterm> <indexterm><primary>setpag argument to klog command</primary></indexterm> AFS-modified login utilities automatically create a PAG and associate the new
99 token with it. To create a PAG when you use the two-step login procedure, include the <emphasis role="bold">klog</emphasis>
100 command's <emphasis role="bold">-setpag</emphasis> flag. If you do not use this flag, your tokens are associated with your
101 UNIX UID number instead. This type of association has two potential drawbacks:
105 <para>Anyone who can assume your local UNIX identity can use your tokens. The local superuser <emphasis
106 role="bold">root</emphasis> can always use the UNIX <emphasis role="bold">su</emphasis> command to assume your UNIX UID,
107 even without knowing your password.</para>
111 <para>In some environments, certain programs cannot use your tokens even when it is appropriate for them to do so. For
112 example, printing commands such as <emphasis role="bold">lp</emphasis> or <emphasis role="bold">lpr</emphasis> possibly
113 cannot access the files you want to print, because they cannot use your tokens.</para>
120 <title>Obtaining Tokens For Foreign Cells</title>
122 <indexterm><primary>authentication</primary><secondary>in a foreign cell</secondary></indexterm>
124 <para>A token is valid only in one cell (the cell whose AFS authentication service issued it). The AFS server processes in
125 any other cell consider you to be the <emphasis role="bold">anonymous</emphasis> user unless you have an account in the cell
126 and authenticate with its AFS authentication service.</para>
128 <para>To obtain tokens in a foreign cell, use the <emphasis role="bold">-cell</emphasis> argument to the <emphasis
129 role="bold">klog</emphasis> command. You can have tokens for your home cell and one or more foreign cells at the same
134 <title>The One-Token-Per-Cell Rule</title>
136 <para>You can have only one token per cell for each PAG you have obtained on a client machine. If you already have a token
137 for a particular cell and issue the <emphasis role="bold">klog</emphasis> command, the new token overwrites the existing
138 one. Getting a new token is useful if your current token is almost expired but you want to continue accessing AFS files. For
139 a discussion of token expiration, see <link linkend="HDRWQ28">Token Lifetime</link>.</para>
141 <para>To obtain a second token for the same cell, you must either login on a different machine or establish another separate
142 connection to the machine where you already have a token (by using the <emphasis role="bold">telnet</emphasis> utility, for
143 example). You get a new PAG for each separate machine or connection, and can use the associated tokens only while working on
144 that machine or connection.</para>
147 <sect3 id="Header_39">
148 <title>Obtaining Tokens as Another User</title>
150 <indexterm><primary>authentication</primary><secondary>as another user</secondary></indexterm>
152 <para>You can authenticate as another username if you know the associated password. (It is, of course, unethical to use
153 someone else's tokens without permission.) If you use the <emphasis role="bold">klog</emphasis> command to authenticate as
154 another AFS username, you retain your own local (UNIX) identity, but the AFS server processes recognize you as the other
155 user. The new token replaces any token you already have for the relevant cell (for the reason described in <link
156 linkend="HDRWQ27">The One-Token-Per-Cell Rule</link>).</para>
160 <title>Token Lifetime</title>
162 <indexterm><primary>tokens</primary><secondary>lifetime</secondary></indexterm>
164 <indexterm><primary>lifetime of tokens</primary></indexterm>
166 <para>Tokens have a limited lifetime. To determine when your tokens expire, issue the <emphasis
167 role="bold">tokens</emphasis> command as described in <link linkend="HDRWQ30">To Display Your Tokens</link>. If you are ever
168 unable to access AFS in a way that you normally can, issuing the <emphasis role="bold">tokens</emphasis> command tells you
169 whether an expired token is a possible reason.</para>
171 <para>Your cell's administrators set the default lifetime of your token. The AFS authentication service never grants a token
172 lifetime longer than the default, but you can request a token with a shorter lifetime. See the <emphasis
173 role="bold">klog</emphasis> reference page in the <emphasis>OpenAFS Administration Reference</emphasis> to learn how to use
174 its <emphasis role="bold">-lifetime</emphasis> argument for this purpose.</para>
177 <sect3 id="Header_41">
178 <title>Authenticating for DFS Access</title>
180 <indexterm><primary>commands</primary><secondary>dlog</secondary></indexterm>
182 <indexterm><primary>commands</primary><secondary>dpass</secondary></indexterm>
184 <indexterm><primary>dlog command</primary></indexterm>
186 <indexterm><primary>dpass command</primary></indexterm>
188 <indexterm><primary>authentication</primary><secondary>with DCE for DFS access</secondary></indexterm>
190 <para>If your machine is configured to access a DCE cell's DFS filespace by means of the AFS/DFS Migration Toolkit, you can
191 use the <emphasis role="bold">dlog</emphasis> command to authenticate with DCE. The <emphasis role="bold">dlog</emphasis>
192 command has no effect on your ability to access AFS filespace.</para>
194 <para>If your system administrator has converted your AFS account to a DCE account and you are not sure of your DCE
195 password, use the <emphasis role="bold">dpass</emphasis> command to display it. You must be authenticated as the AFS user
196 whose AFS account was converted to a DCE account, and be able to provide the correct AFS password. Like the <emphasis
197 role="bold">dlog</emphasis> command, the <emphasis role="bold">dpass</emphasis> command has no functionality with respect to
200 <para>For more information on using the <emphasis role="bold">dlog</emphasis> and <emphasis role="bold">dpass</emphasis>
201 commands, see your system administrator.</para>
206 <title>To Authenticate with AFS</title>
208 <indexterm><primary>klog command</primary></indexterm>
210 <indexterm><primary>commands</primary><secondary>klog</secondary></indexterm>
212 <indexterm><primary>tokens</primary><secondary>getting</secondary></indexterm>
214 <para>If your machine is not using an AFS-modified login utility, you must authenticate after login by issuing the <emphasis
215 role="bold">klog</emphasis> command. You can also issue this command at any time to obtain a token with a later expiration
216 date than your current token.</para>
219 % <emphasis role="bold">klog</emphasis> [<emphasis role="bold">-setpag</emphasis>] [<emphasis role="bold">-cell</emphasis> <<replaceable>cell name</replaceable>>]
220 Password: <replaceable>your_AFS_password</replaceable>
227 <term><emphasis role="bold">-setpag</emphasis></term>
230 <para>Associates the resulting tokens with a PAG (see <link linkend="HDRWQ25">Protecting Your Tokens with a PAG</link>).
231 Include this flag the first time you obtain a token for a particular cell during a login session or connection. Do not
232 include it when refreshing the token for a cell during the same session.</para>
237 <term><emphasis role="bold">-cell</emphasis></term>
240 <para>Names the cell for which to obtain the token. You must have an account in the cell.</para>
246 <para>Your password does not echo visibly appear on the screen. When the command shell prompt returns, you are an
247 authenticated AFS user. You can use the <emphasis role="bold">tokens</emphasis> command to verify that you are authenticated,
248 as described in the following section.</para>
252 <title>To Display Your Tokens</title>
254 <indexterm><primary>checking</primary><secondary>tokens</secondary></indexterm>
256 <indexterm><primary>commands</primary><secondary>tokens</secondary></indexterm>
258 <indexterm><primary>tokens</primary><secondary>command</secondary></indexterm>
260 <indexterm><primary>tokens</primary><secondary>displaying</secondary></indexterm>
262 <indexterm><primary>displaying</primary><secondary>tokens</secondary></indexterm>
264 <para>Use the <emphasis role="bold">tokens</emphasis> command to display your tokens.</para>
267 % <emphasis role="bold">tokens</emphasis>
270 <para>The following output indicates that you have no tokens:</para>
273 Tokens held by the Cache Manager:
277 <para>If you have one or more tokens, the output looks something like the following example, in which the tokens for AFS UID
278 1022 in the <emphasis role="bold">abc.com</emphasis> cell expire on August 3 at 2:35 p.m. The tokens for AFS UID 9554 in the
279 <emphasis role="bold">stateu.edu</emphasis> cell expire on August 4 at 1:02 a.m.</para>
282 Tokens held by the Cache Manager:
283 User's (AFS ID 1022) tokens for afs@abc.com [Expires Aug 3 14:35]
284 User's (AFS ID 9554) tokens for afs@stateu.edu [Expires Aug 4 1:02]
289 <sect2 id="Header_44">
290 <title>Example: Authenticating in the Local Cell</title>
292 <indexterm><primary>examples</primary><secondary>authenticating</secondary></indexterm>
294 <para>Suppose that user <emphasis role="bold">terry</emphasis> cannot save a file. He uses the <emphasis
295 role="bold">tokens</emphasis> command and finds that his tokens have expired. He reauthenticates in his local cell under his
296 current identity by issuing the following command:</para>
299 % <emphasis role="bold">klog</emphasis>
300 Password: <replaceable>terry's_password</replaceable>
303 <para>The he issues the <emphasis role="bold">tokens</emphasis> command to make sure he is authenticated.</para>
306 % <emphasis role="bold">tokens</emphasis>
307 Tokens held by the Cache Manager:
308 User's (AFS ID 4562) tokens for afs@abc.com [Expires Jun 22 14:35]
313 <sect2 id="Header_45">
314 <title>Example: Authenticating as a Another User</title>
316 <indexterm><primary>examples</primary><secondary>authenticating as another user</secondary></indexterm>
318 <para>Now <emphasis role="bold">terry</emphasis> authenticates in his local cell as another user, <emphasis
319 role="bold">pat</emphasis>. The new token replaces <emphasis role="bold">terry</emphasis>'s existing token, because the Cache
320 Manager can store only one token per cell per login session on a machine.</para>
323 % <emphasis role="bold">klog pat</emphasis>
324 Password: <replaceable>pat's_password</replaceable>
325 % <emphasis role="bold">tokens</emphasis>
326 Tokens held by the Cache Manager:
327 User's (AFS ID 4278) tokens for afs@abc.com [Expires Jun 23 9:46]
332 <sect2 id="Header_46">
333 <title>Example: Authenticating in a Foreign Cell</title>
335 <indexterm><primary>examples</primary><secondary>authenticating in a foreign cell</secondary></indexterm>
337 <para>Now <emphasis role="bold">terry</emphasis> authenticates in the <emphasis role="bold">stateu.edu</emphasis> cell where
338 his account is called <emphasis role="bold">ts09</emphasis>.</para>
341 % <emphasis role="bold">klog ts09 -cell stateu.edu</emphasis>
342 Password: <replaceable>ts09's_password</replaceable>
343 % <emphasis role="bold">tokens</emphasis>
344 Tokens held by the Cache Manager:
345 User's (AFS ID 4562) tokens for afs@abc.com [Expires Jun 22 14:35]
346 User's (AFS ID 8346) tokens for afs@stateu.edu [Expires Jun 23 1:02]
352 <title>Limits on Failed Authentication Attempts</title>
354 <indexterm><primary>authentication</primary><secondary>limits on consecutive failed attempts</secondary></indexterm>
356 <para>Your system administrator can choose to limit the number of times that you fail to provide the correct password when
357 authenticating with AFS (using either an AFS-modified login utility or the <emphasis role="bold">klog</emphasis> command). If
358 you exceed the limit, the AFS authentication service refuses further authentication attempts for a period of time set by your
359 system administrator. The purpose of this limit is to prevent unauthorized users from breaking into your account by trying a
360 series of passwords.</para>
362 <para>To determine if your user account is subject to this limit, ask your system administrator or issue the <emphasis
363 role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ32">To Display Your Failed Authentication Limit
364 and Lockout Time</link>.</para>
366 <para>The following message indicates that you have exceeded the limit on failed authentication attempts.</para>
369 Unable to authenticate to AFS because ID is locked - see your system admin
374 <title>To Display Your Failed Authentication Limit and Lockout Time</title>
376 <indexterm><primary>kas commands</primary><secondary>examine</secondary></indexterm>
378 <indexterm><primary>commands</primary><secondary>kas examine</secondary></indexterm>
380 <indexterm><primary>limits on authentication attempts</primary></indexterm>
382 <indexterm><primary>users</primary><secondary>account lockout time</secondary></indexterm>
384 <para>Issue the <emphasis role="bold">kas examine</emphasis> command to determine if there is a limit on the number of
385 unsuccessful authentication attempts for your user account and any associated lockout time. You can examine only your own
386 account. The fourth line of the output reports the maximum number of times you can provide an incorrect password before being
387 locked out of your account. The <computeroutput>lock time</computeroutput> field on the next line reports how long the AFS
388 authentication service refuses authentication attempts after the limit is exceeded.</para>
391 % <emphasis role="bold">kas examine</emphasis> <replaceable>your_username</replaceable>
392 Password for <replaceable>your_username</replaceable>: <replaceable>your_AFS_password</replaceable>
395 <para>The following example displays the output for the user <emphasis role="bold">pat</emphasis>, who is allowed nine failed
396 authentication attempts. The lockout time is 25.5 minutes.</para>
400 key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999
401 password will expire: Fri Nov 26 20:44:36 1999
402 9 consecutive unsuccessful authentications are permitted.
403 The lock time for this user is 25.5 minutes.
405 entry never expires. Max ticket lifetime 100.00 hours.
406 last mod on Wed Aug 18 08:22:29 1999 by admin
407 permit password reuse
413 <title>Exiting an AFS Session</title>
415 <indexterm><primary>tokens</primary><secondary>destroying</secondary></indexterm>
417 <indexterm><primary>unauthenticating</primary></indexterm>
419 <indexterm><primary>exiting an AFS session</primary></indexterm>
421 <indexterm><primary>logging out</primary></indexterm>
423 <indexterm><primary>quitting an AFS session</primary></indexterm>
425 <para>Because logging in and authenticating with AFS are distinct operations, you must both logout and unauthenticate (issue the
426 <emphasis role="bold">unlog</emphasis> command to discard your tokens) when exiting an AFS session. Simply logging out does not
427 necessarily destroy your tokens.</para>
429 <para>You can use the <emphasis role="bold">unlog</emphasis> command any time you want to unauthenticate, not just when logging
430 out. For instance, it is a good practice to unauthenticate before leaving your machine unattended, to prevent other users from
431 using your tokens during your absence. When you return to your machine, issue the <emphasis role="bold">klog</emphasis> command
432 to reauthenticate, as described in <link linkend="HDRWQ29">To Authenticate with AFS</link>.</para>
434 <para>Do not issue the <emphasis role="bold">unlog</emphasis> command when you are running jobs that take a long time to
435 complete, even if you are logging out. Such processes must have a token during the entire time they need authenticated access to
438 <para>If you have tokens from multiple cells and want to discard only some of them, include the <emphasis
439 role="bold">unlog</emphasis> command's <emphasis role="bold">-cell</emphasis> argument.</para>
441 <sect2 id="Header_50">
442 <title>To Discard Tokens</title>
444 <indexterm><primary>commands</primary><secondary>unlog</secondary></indexterm>
446 <indexterm><primary>unlog command</primary></indexterm>
448 <para>Issue the <emphasis role="bold">unlog</emphasis> command to discard your tokens:</para>
451 % <emphasis role="bold">unlog -cell</emphasis> <<replaceable>cell name</replaceable>><superscript>+</superscript>
454 <para>Omit the <emphasis role="bold">-cell</emphasis> argument to discard all of your tokens, or use it to name each cell for
455 which to discard tokens. It is best to provide the full name of each cell (such as <emphasis role="bold">stateu.edu</emphasis>
456 or <emphasis role="bold">abc.com</emphasis>).</para>
458 <para>You can issue the <emphasis role="bold">tokens</emphasis> command to verify that your tokens were destroyed, as in the
459 following example.</para>
462 % <emphasis role="bold">tokens</emphasis>
463 Tokens held by the Cache Manager:
468 <sect2 id="Header_51">
469 <title>Example: Unauthenticating from a Specific Cell</title>
471 <indexterm><primary>examples</primary><secondary>unauthenticating from selected cells</secondary></indexterm>
473 <para>In the following example, a user has tokens in both the <emphasis role="bold">accounting</emphasis> and <emphasis
474 role="bold">marketing</emphasis> cells at her company. She discards the token for the <emphasis
475 role="bold">acctg.abc.com</emphasis> cell but keeps the token for the <emphasis role="bold">mktg.abc.com</emphasis>
479 % <emphasis role="bold">tokens</emphasis>
480 Tokens held by the Cache Manager:
481 User's (AFS ID 35) tokens for afs@acctg.abc.com [Expires Nov 10 22:30]
482 User's (AFS ID 674) tokens for afs@mktg.abc.com [Expires Nov 10 18:44]
484 % <emphasis role="bold">unlog -cell acctg.abc.com</emphasis>
485 % <emphasis role="bold">tokens</emphasis>
486 Tokens held by the Cache Manager:
487 User's (AFS ID 674) tokens for afs@mktg.abc.com [Expires Nov 10 18:44]
492 <sect2 id="Header_52">
493 <title>To Log Out</title>
495 <para>After you have unauthenticated, log out by issuing the command appropriate for your machine type, which is possibly one
496 of the following.</para>
499 % <emphasis role="bold">logout</emphasis>
505 % <emphasis role="bold">exit</emphasis>
511 % <<emphasis role="bold">Ctrl-d</emphasis>>
517 <title>Accessing the AFS Filespace</title>
519 <indexterm><primary>files</primary><secondary>accessing AFS</secondary></indexterm>
521 <indexterm><primary>directories</primary><secondary>accessing AFS</secondary></indexterm>
523 <para>While you are logged in and authenticated, you can access files in AFS just as you do in the UNIX file system. The only
524 difference is that you can access potentially many more files. Just as in the UNIX file system, you can only access those files
525 for which you have permission. AFS uses access control lists (ACLs) to control access, as described in <link
526 linkend="HDRWQ44">Protecting Your Directories and Files</link>.</para>
528 <sect2 id="Header_54">
529 <title>AFS Pathnames</title>
531 <indexterm><primary>pathnames</primary></indexterm>
533 <para>AFS pathnames look very similar to UNIX file system names. The main difference is that every AFS pathname begins with
534 the AFS root directory, which is called <emphasis role="bold">/afs</emphasis> by convention. Having <emphasis
535 role="bold">/afs</emphasis> at the top of every AFS cell's filespace links together their filespaces into a global filespace.
536 <indexterm><primary>AFS</primary><secondary>accessing filespace</secondary></indexterm> <indexterm><primary>access to AFS filespace</primary><secondary>format of pathnames</secondary></indexterm> <indexterm><primary>afs (/afs) directory</primary><secondary>as root of AFS filespace</secondary></indexterm> <indexterm><primary>format of AFS pathnames</primary></indexterm></para>
538 <para><emphasis role="bold">Note for Windows users:</emphasis> Windows uses a backslash ( <emphasis
539 role="bold">\</emphasis> ) rather than a forward slash ( <emphasis role="bold">/</emphasis> ) to separate the
540 elements in a pathname. Otherwise, your access to AFS filespace is much the same as for users working on UNIX machines.</para>
542 <para>The second element in AFS pathnames is generally a cell's name. For example, the ABC Corporation cell is called
543 <emphasis role="bold">abc.com</emphasis> and the pathname of every file in its filespace begins with the string <emphasis
544 role="bold">/afs/abc.com</emphasis>. Some cells also create a directory at the second level with a shortened name (such as
545 <emphasis role="bold">abc</emphasis> for <emphasis role="bold">abc.com</emphasis> or <emphasis role="bold">stateu</emphasis>
546 for <emphasis role="bold">stateu.edu</emphasis>), to reduce the amount of typing necessary. Your system administrator can tell
547 you if your cell's filespace includes shortened names like this. The rest of the pathname depends on how the cell's
548 administrators organized its filespace.</para>
550 <para>To access directories and files in AFS you must both specify the correct pathname and have the required permissions on
551 the ACL that protects the directory and the files in it.</para>
554 <sect2 id="Header_55">
555 <title>Example: Displaying the Contents of Another User's Directory</title>
557 <para>The user <emphasis role="bold">terry</emphasis> wants to look for a file belonging to another user, <emphasis
558 role="bold">pat</emphasis>. He issues the <emphasis role="bold">ls</emphasis> command on the appropriate pathname.</para>
561 % <emphasis role="bold">ls /afs/abc.com/usr/pat/public</emphasis>
569 <title>Accessing Foreign Cells</title>
571 <indexterm><primary>foreign cells</primary><secondary>accessing</secondary></indexterm>
573 <indexterm><primary>system:anyuser group</primary><secondary>controlling access by foreign users</secondary></indexterm>
575 <para>You can access files not only in your own cell, but in any AFS cell that you can reach via the network, regardless of
576 geographical location. There are two additional requirements:
580 <para>Your Cache Manager's list of foreign cells must include the cell you want to access. Only the local superuser
581 <emphasis role="bold">root</emphasis> can edit the list of cells, but anyone can display it. See <link
582 linkend="HDRWQ42">Determining Access to Foreign Cells</link>.</para>
586 <para>The ACL on the directory that houses the file, and on every parent directory in the pathname, must grant you the
587 necessary permissions. The simplest way for the directory's owner to extend permission to foreign users is to put an entry
588 for the <emphasis role="bold">system:anyuser</emphasis> group on the ACL.</para>
590 <para>The alternative is for the foreign cell's administrator to create an account for you, essentially making you a local
591 user in the cell. The directory's owner creates an ACL entry for you as for any other local user. To authenticate in the
592 foreign cell, issue the <emphasis role="bold">klog</emphasis> command with the <emphasis role="bold">-cell</emphasis>
598 <para>For further discussion of directory and file protection, see <link linkend="HDRWQ44">Protecting Your Directories and
604 <title>Changing Your Password</title>
606 <para>In cells that use an AFS-modified login utility, the password is the same for both logging in and authenticating with AFS.
607 In this case, you use a single command, <emphasis role="bold">kpasswd</emphasis>, to change the password.</para>
609 <para>If your machine does not use an AFS-modified login utility, there are separate passwords for logging into the local file
610 system and authenticating with AFS. (The two passwords can be the same or different, at your discretion.) In this case, use the
611 <emphasis role="bold">kpasswd</emphasis> command to change your AFS password and the UNIX <emphasis
612 role="bold">passwd</emphasis> command to change your UNIX password.</para>
614 <para>Your system administrator can improve cell security by configuring several features that guide your choice of password.
615 Keep them in mind when you issue the <emphasis role="bold">kpasswd</emphasis> command:
619 <para>Limiting the amount of time your password is valid. This improves your cell's security by limiting the amount of time
620 an unauthorized user has to try to guess your password. Your system administrator needs to tell you when your password is
621 due to expire so that you can change it in time. The administrator can configure the AFS-modified login utility to report
622 this information automatically each time you log in. You can also use the <emphasis role="bold">kas examine</emphasis>
623 command to display the password expiration date, as instructed in <link linkend="HDRWQ37">To Display Password Expiration
624 Date and Reuse Policy</link>.</para>
626 <para>You can change your password prior to the expiration date, but your system administrator can choose to set a minimum
627 time between password changes. The following message indicates that the minimum time has not yet passed.</para>
630 kpasswd: password was not changed because you changed it too
631 recently; see your system administrator
636 <para>Enforcing password quality standards, such as a minimum length or inclusion of nonalphabetic characters. The
637 administrator needs to tell you about such requirements so that you do not waste time picking unacceptable passwords.</para>
641 <para>Rejecting a password that is too similar to the last 20 passwords you used. You can use the <emphasis role="bold">kas
642 examine</emphasis> command to check whether this policy applies to you, as instructed in <link linkend="HDRWQ37">To Display
643 Password Expiration Date and Reuse Policy</link>. The following message indicates that the password you have chosen is too
644 similar to a previous password. <programlisting>
645 kpasswd: Password was not changed because it seems like a reused password
646 </programlisting></para>
652 <title>To Display Password Expiration Date and Reuse Policy</title>
654 <indexterm><primary>kas commands</primary><secondary>examine</secondary></indexterm>
656 <indexterm><primary>commands</primary><secondary>kas examine</secondary></indexterm>
658 <indexterm><primary>password</primary><secondary>expiration date, displaying</secondary></indexterm>
660 <indexterm><primary>password</primary><secondary>reuse policy, displaying</secondary></indexterm>
662 <indexterm><primary>displaying</primary><secondary>password expiration date</secondary></indexterm>
664 <indexterm><primary>displaying</primary><secondary>password reuse policy</secondary></indexterm>
666 <para>Issue the <emphasis role="bold">kas examine</emphasis> command to display your password expiration date and reuse
667 policy. You can examine only your own account. The third line of the output reports your password's expiration date. The last
668 line reports the password reuse policy that applies to you.</para>
671 % <emphasis role="bold">kas examine</emphasis> <replaceable>your_username</replaceable>
672 Password for <replaceable>your_username</replaceable>: <replaceable>your_AFS_password</replaceable>
675 <para>The following example displays the output for the user <emphasis role="bold">pat</emphasis>.</para>
679 key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999
680 password will expire: Fri Nov 26 20:44:36 1999
681 9 consecutive unsuccessful authentications are permitted.
682 The lock time for this user is 25.5 minutes.
684 entry never expires. Max ticket lifetime 100.00 hours.
685 last mod on Wed Aug 18 08:22:29 1999 by admin
686 don't permit password reuse
690 <sect2 id="Header_59">
691 <title>To Change Your AFS Password</title>
693 <indexterm><primary>password</primary><secondary>changing AFS</secondary></indexterm>
695 <indexterm><primary>changing</primary><secondary>AFS password</secondary></indexterm>
697 <indexterm><primary>commands</primary><secondary>kpasswd</secondary></indexterm>
699 <indexterm><primary>kpasswd command</primary></indexterm>
701 <para>Issue the <emphasis role="bold">kpasswd</emphasis> command, which prompts you to provide your old and new passwords and
702 to confirm the new password. The passwords do not echo visibly on the screen.</para>
705 % <emphasis role="bold">kpasswd</emphasis>
706 Old password: <replaceable>current_password</replaceable>
707 New password (RETURN to abort): <replaceable>new_password</replaceable>
708 Retype new password: <replaceable>new_password</replaceable>
712 <sect2 id="Header_60">
713 <title>To Change Your UNIX Password</title>
715 <para><indexterm><primary>commands</primary><secondary>passwd</secondary></indexterm> <indexterm><primary>passwd</primary><secondary>command</secondary></indexterm> <indexterm><primary>password</primary><secondary>changing UNIX</secondary></indexterm> <indexterm><primary>changing</primary><secondary>UNIX password</secondary></indexterm> Issue the UNIX <emphasis
716 role="bold">passwd</emphasis> command, which prompts you to provide your old and new passwords and to confirm the new
717 password. The passwords do not echo visibly on the screen. On many machines, the <emphasis role="bold">passwd</emphasis>
718 resides in the <emphasis role="bold">/bin</emphasis> directory, and you possibly need to type the complete pathname.</para>
721 % <emphasis role="bold">passwd</emphasis>
722 Changing password for <replaceable>username</replaceable>.
723 Old password: <replaceable>current_password</replaceable>
724 New password: <replaceable>new_password</replaceable>
725 Retype new passwd: <replaceable>new_password</replaceable>