Provided by: openafs-kpasswd_1.4.1-2_i386

NAME

       kas examine - Displays information from an Authentication Database
       entry

SYNOPSIS

       kas examine -name <name of user> [-showkey]
           [-admin_username <admin principal to use for authentication>]
           [-password_for_admin <admin password>] [-cell <cell name>]
           [-servers <explicit list of authentication servers>+]
           [-noauth] [-help]

       kas e -na <name of user> [-sh]
           [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-se <explicit list of authentication servers>+] [-no] [-h]

DESCRIPTION

       The kas examine command formats and displays information from the
       Authentication Database entry of the user named by the -name argument.

       To alter the settings displayed with this command, issue the kas
       setfields command.

CAUTIONS

       Displaying actual keys on the standard output stream by including the
       -showkey flag constitutes a security exposure. For most purposes, it is
       sufficient to display a checksum.

OPTIONS

       -name <name of user>
           Names the Authentication Database entry from which to display
           information.

       -showkey
           Displays the octal digits that constitute the key. The issuer must
           have the ADMIN flag on his or her Authentication Database entry.

       -admin_username <admin principal>
           Specifies the user identity under which to authenticate with the
           Authentication Server for execution of the command. For more
           details, see the kas(8) manpage.

       -password_for_admin <admin password>
           Specifies the password of the command’s issuer. If it is omitted
           (as recommended), the kas command interpreter prompts for it and
           does not echo it visibly. For more details, see the kas(8) manpage.

       -cell <cell name>
           Names the cell in which to run the command. For more details, see
           the kas(8) manpage.

       -servers <authentication servers>+
           Names each machine running an Authentication Server with which to
           establish a connection. For more details, see the kas(8) manpage.

       -noauth
           Assigns the unprivileged identity anonymous to the issuer. For more
           details, see the kas(8) manpage.

       -help
           Prints the online help for this command. All other valid options
           are ignored.

OUTPUT

       The output includes:

       ·   The entry name, following the string User data for.

       ·   One or more status flags in parentheses; they appear only if an
           administrator has used the kas setfields command to change them
           from their default values. A plus sign (+) separates the flags if
           there is more than one. The nondefault values that can appear, and
           their meanings, are as follows:

       ADMIN   Enables the user to issue privileged kas commands (default is
               NOADMIN).

       NOTGS   Prevents the user from obtaining tickets from the
               Authentication Server’s Ticket Granting Service (default is
               TGS).

       NOSEAL  Prevents the Ticket Granting Service from using the entry’s key
               field as an encryption key (default is SEAL).

       NOCPW   Prevents the user from changing his or her password (default is
               CPW).

       ·   The key version number, in parentheses, following the word key,
           then one of the following.

       ·       A checksum equivalent of the key, following the string cksum
               is, if the -showkey flag is not included. The checksum is a
               decimal number derived by encrypting a constant with the key.
               In the case of the afs entry, this number must match the
               checksum with the corresponding key version number in the
               output of the bos listkeys command; if not, follow the
               instructions in the IBM AFS Administration Guide for creating a
               new server encryption key.

       ·       The actual key, following a colon, if the -showkey flag is
               included. The key consists of eight octal numbers, each
               represented as a backslash followed by three decimal digits.

       ·   The date the user last changed his or her own password, following
           the string last cpw (which stands for "last change of password").

       ·   The string password will never expire indicates that the associated
           password never expires; the string password will expire is followed
           by the password’s expiration date. After the indicated date, the
           user cannot authenticate, but has 30 days after it in which to use
           the kpasswd or kas setpassword command to set a new password. After
           30 days, only an administrator (one whose account is marked with
           the ADMIN flag) can change the password by using the kas
           setpassword command. To set the password expiration date, use the
           kas setfields command’s -pwexpires argument.

       ·   The number of times the user can fail to provide the correct
           password before the account locks, followed by the string
           consecutive unsuccessful authentications are permitted, or the
           string An unlimited number of unsuccessful authentications is
           permitted to indicate that there is no limit. To set the limit, use
           the kas setfields command’s -attempts argument. To unlock a locked
           account, use the kas unlock command. The kas setfields reference
           page discusses how the implementation of the lockout feature
           interacts with this setting.

       ·   The number of minutes for which the Authentication Server refuses
           the user’s login attempts after the limit on consecutive
           unsuccessful authentication attempts is exceeded, following the
           string The lock time for this user is. Use the kas command’s
           -locktime argument to set the lockout time. This line appears only
           if a limit on the number of unsuccessful authentication attempts
           has been set with the kas setfields command’s -attempts
           argument.

       ·   An indication of whether the Authentication Server is currently
           refusing the user’s login attempts. The string User is not locked
           indicates that authentication can succeed, whereas the string User
           is locked until time indicates that the user cannot authenticate
           until the indicated time. Use the kas unlock command to enable a
           user to attempt authentication. This line appears only if a limit
           on the number of unsuccessful authentication attempts has been set
           with the kas setfields command’s -attempts argument.

       ·   The date on which the Authentication Server entry expires, or the
           string entry never expires to indicate that the entry does not
           expire. A user becomes unable to authenticate when his or her entry
           expires. Use the kas setfields command’s -expiration argument to
           set the expiration date.

       ·   The maximum possible lifetime of the tokens that the Authentication
           Server grants the user. This value interacts with several others to
           determine the actual lifetime of the token, as described in the
           klog(1) manpage. Use the kas setfields command’s -lifetime
           argument to set this value.

       ·   The date on which the entry was last modified, following the string
           last mod on and the user name of the administrator who modified it.
           The date on which a user changed his or her own password is
           recorded on the second line of output as last cpw instead.

       ·   An indication of whether the user can reuse one of his or her last
           twenty passwords when issuing the kpasswd, kas setpassword, or kas
           setkey commands. Use the kas setfields command’s -reuse argument to
           set this restriction.

EXAMPLES

       The following example command shows the user smith displaying her own
       Authentication Database entry. Note the ADMIN flag, which shows that
       smith is privileged.

          % kas examine smith
          Password for smith:
          User data for smith (ADMIN)
           key (0) cksum is 3414844392,  last cpw: Thu Mar 25 16:05:44 1999
           password will expire:  Fri Apr 30 20:44:36 1999
           5 consecutive unsuccessful authentications are permitted.
           The lock time for this user is 25.5 minutes.
           User is not locked.
           entry never expires. Max ticket lifetime 100.00 hours.
           last mod on Tue Jan 5 08:22:29 1999 by admin
           permit password reuse

       In the following example, the user pat examines his Authentication
       Database entry to determine when the account lockout currently in
       effect will end.

          % kas examine pat
          Password for pat:
          User data for pat
           key (0) cksum is 73829292912,  last cpw: Wed Apr 7 11:23:01 1999
           password will expire:  Fri  Jun 11 11:23:01 1999
           5 consecutive unsuccessful authentications are permitted.
           The lock time for this user is 25.5 minutes.
           User is locked until Tue Sep 21 12:25:07 1999
           entry expires on never. Max ticket lifetime 100.00 hours.
           last mod on Thu Feb 4 08:22:29 1999 by admin
           permit password reuse

       In the following example, an administrator logged in as admin uses the
       -showkey flag to display the octal digits that constitute the key in
       the afs entry.

          % kas examine -name afs -showkey
          Password for admin: I<admin_password>
          User data for afs
           key (12): \357\253\304\352\234\236\253\352, last cpw: no date
           entry never expires. Max ticket lifetime 100.00 hours.
           last mod on Thu Mar 25 14:53:29 1999 by admin
           permit password reuse
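
       The following parser is an added example, not part of the original
       manual page or of OpenAFS. It reads the format described under OUTPUT,
       reports the ADMIN flag and a checksum that differs from a value the
       operator supplies (for the afs entry, the one read from bos listkeys),
       and redacts key octets printed by -showkey before a transcript is
       stored. The function names are assumptions of this example, and the
       transcripts are constructed from the examples above (the first one
       abridged).

```python
import re

# Constructed input: transcripts copied from the EXAMPLES section (smith abridged).
SAMPLE_SMITH = """User data for smith (ADMIN)
 key (0) cksum is 3414844392,  last cpw: Thu Mar 25 16:05:44 1999
 5 consecutive unsuccessful authentications are permitted.
 User is not locked.
"""
SAMPLE_AFS = r"""User data for afs
 key (12): \357\253\304\352\234\236\253\352, last cpw: no date
 entry never expires. Max ticket lifetime 100.00 hours.
 last mod on Thu Mar 25 14:53:29 1999 by admin
 permit password reuse
"""

HEAD = re.compile(r"^User data for (\S+)(?: \(([A-Z+]+)\))?[ \t]*$", re.M)
KEYVER = re.compile(r"key \((\d+)\)")
CKSUM = re.compile(r"cksum is (\d+)")
# Eight backslash-escaped octets after "key (N): " mean -showkey was used.
RAWKEY = re.compile(r"(key \(\d+\): )(?:\\[0-7]{3}){8}")

def parse_entry(text):
    """Extract the security-relevant fields of one kas examine transcript."""
    head = HEAD.search(text)
    if head is None:
        raise ValueError("no 'User data for' line found")
    ver, ck = KEYVER.search(text), CKSUM.search(text)
    return {
        "name": head.group(1),
        "flags": head.group(2).split("+") if head.group(2) else [],
        "key_version": int(ver.group(1)) if ver else None,
        "cksum": int(ck.group(1)) if ck else None,
        "raw_key_shown": RAWKEY.search(text) is not None,
    }

def redact_keys(text):
    """Replace key octets printed by -showkey before the text is stored."""
    return RAWKEY.sub(lambda m: m.group(1) + "[REDACTED]", text)

def findings(entry, expected_cksum=None):
    """expected_cksum is supplied by the operator (assumption of this example)."""
    out = []
    if "ADMIN" in entry["flags"]:
        out.append("ADMIN flag set")
    if entry["raw_key_shown"]:
        out.append("raw key present in output")
    if None not in (expected_cksum, entry["cksum"]) and entry["cksum"] != expected_cksum:
        out.append("cksum mismatch for key version %s" % entry["key_version"])
    return out
```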

PRIVILEGE REQUIRED

       A user can examine his or her own entry. To examine others’ entries or
       to include the -showkey flag, the issuer must have the ADMIN flag set
       in his or her Authentication Database entry.

SEE ALSO

       the bos_addkey(8) manpage, the bos_listkeys(8) manpage, the
       bos_setauth(8) manpage, the kas(8) manpage, the kas_setfields(8)
       manpage, the kas_setpassword(8) manpage, the kas_unlock(8) manpage, the
       klog(1) manpage, the kpasswd(1) manpage

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.
       It was converted from HTML to POD by software written by Chas Williams
       and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.