Provided by: openafs-kpasswd_1.6.7-1ubuntu1.1_amd64 bug

NAME

       kas_examine - Displays information from an Authentication Database entry

SYNOPSIS

       kas examine -name <name of user> [-showkey]
           [-admin_username <admin principal to use for authentication>]
           [-password_for_admin <admin password>] [-cell <cell name>]
           [-servers <explicit list of authentication servers>+]
           [-noauth] [-help]

       kas e -na <name of user> [-sh]
           [-a <admin principal to use for authentication>]
           [-p <admin password>] [-c <cell name>]
           [-se <explicit list of authentication servers>+] [-no] [-h]

DESCRIPTION

       The kas examine command formats and displays information from the Authentication Database
       entry of the user named by the -name argument.

       To alter the settings displayed with this command, issue the kas setfields command.

CAUTIONS

       Displaying actual keys on the standard output stream by including the -showkey flag
       constitutes a security exposure. For most purposes, it is sufficient to display a
       checksum.

OPTIONS

       -name <name of user>
           Names the Authentication Database entry from which to display information.

       -showkey
           Displays the octal digits that constitute the key. The issuer must have the "ADMIN"
           flag on his or her Authentication Database entry.

       -admin_username <admin principal>
           Specifies the user identity under which to authenticate with the Authentication Server
           for execution of the command. For more details, see kas(8).

       -password_for_admin <admin password>
           Specifies the password of the command's issuer. If it is omitted (as recommended), the
           kas command interpreter prompts for it and does not echo it visibly. For more details,
           see kas(8).

       -cell <cell name>
           Names the cell in which to run the command. For more details, see kas(8).

       -servers <authentication servers>+
           Names each machine running an Authentication Server with which to establish a
           connection. For more details, see kas(8).

       -noauth
           Assigns the unprivileged identity "anonymous" to the issuer. For more details, see
           kas(8).

       -help
           Prints the online help for this command. All other valid options are ignored.

OUTPUT

       The output includes:

       •   The entry name, following the string "User data for".

       •   One or more status flags in parentheses; they appear only if an administrator has used
           the kas setfields command to change them from their default values. A plus sign ("+")
           separates the flags if there is more than one. The nondefault values that can appear,
           and their meanings, are as follows:

           ADMIN
               Enables the user to issue privileged kas commands (default is "NOADMIN").

           NOTGS
               Prevents the user from obtaining tickets from the Authentication Server's Ticket
               Granting Service (default is "TGS").

           NOSEAL
               Prevents the Ticket Granting Service from using the entry's key field as an
               encryption key (default is "SEAL").

           NOCPW
               Prevents the user from changing his or her password (default is "CPW").

       •   The key version number, in parentheses, following the word "key", then one of the
           following.

           •   A checksum equivalent of the key, following the string "cksum is", if the -showkey
               flag is not included. The checksum is a decimal number derived by encrypting a
               constant with the key. In the case of the "afs" entry, this number must match the
               checksum with the corresponding key version number in the output of the bos
               listkeys command; if not, follow the instructions in the OpenAFS Administration
               Guide for creating a new server encryption key.

           •   The actual key, following a colon, if the -showkey flag is included. The key
               consists of eight octal numbers, each represented as a backslash followed by three
               decimal digits.

       •   The date the user last changed his or her own password, following the string "last
           cpw" (which stands for "last change of password").

       •   The string "password will never expire" indicates that the associated password never
           expires; the string "password will expire" is followed by the password's expiration
           date. After the indicated date, the user cannot authenticate, but has 30 days after it
           in which to use the kpasswd or kas setpassword command to set a new password. After 30
           days, only an administrator (one whose account is marked with the "ADMIN" flag) can
           change the password by using the kas setpassword command. To set the password
           expiration date, use the kas setfields command's -pwexpires argument.

       •   The number of times the user can fail to provide the correct password before the
           account locks, followed by the string "consecutive unsuccessful authentications are
           permitted", or the string "An unlimited number of unsuccessful authentications is
           permitted" to indicate that there is no limit. To set the limit, use the kas setfields
           command's -attempts argument. To unlock a locked account, use the kas unlock command.
           The kas setfields reference page discusses how the implementation of the lockout
           feature interacts with this setting.

       •   The number of minutes for which the Authentication Server refuses the user's login
           attempts after the limit on consecutive unsuccessful authentication attempts is
           exceeded, following the string "The lock time for this user is". Use the kas command's
           -locktime argument to set the lockout time. This line appears only if a limit on the
           number of unsuccessful authentication attempts has been set with the kas setfields
           command's -attempts argument.

       •   An indication of whether the Authentication Server is currently refusing the user's
           login attempts. The string "User is not locked" indicates that authentication can
           succeed, whereas the string "User is locked until" time indicates that the user cannot
           authenticate until the indicated time. Use the kas unlock command to enable a user to
           attempt authentication. This line appears only if a limit on the number of
           unsuccessful authentication attempts has been set with the kas setfields command's
           -attempts argument.

       •   The date on which the Authentication Server entry expires, or the string "entry never
           expires" to indicate that the entry does not expire. A user becomes unable to
           authenticate when his or her entry expires. Use the kas setfields command's
           -expiration argument to set the expiration date.

       •   The maximum possible lifetime of the tokens that the Authentication Server grants the
           user. This value interacts with several others to determine the actual lifetime of the
           token, as described in klog(1).  Use the kas setfields command's -lifetime argument to
           set this value.

       •   The date on which the entry was last modified, following the string "last mod on" and
           the user name of the administrator who modified it. The date on which a user changed
           his or her own password is recorded on the second line of output as "last cpw"
           instead.

       •   An indication of whether the user can reuse one of his or her last twenty passwords
           when issuing the kpasswd, kas setpassword, or kas setkey commands. Use the kas
           setfields command's -reuse argument to set this restriction.

EXAMPLES

       The following example command shows the user smith displaying her own Authentication
       Database entry. Note the "ADMIN" flag, which shows that "smith" is privileged.

          % kas examine smith
          Password for smith:
          User data for smith (ADMIN)
           key (0) cksum is 3414844392,  last cpw: Thu Mar 25 16:05:44 1999
           password will expire:  Fri Apr 30 20:44:36 1999
           5 consecutive unsuccessful authentications are permitted.
           The lock time for this user is 25.5 minutes.
           User is not locked.
           entry never expires. Max ticket lifetime 100.00 hours.
           last mod on Tue Jan 5 08:22:29 1999 by admin
           permit password reuse

       In the following example, the user "pat" examines his Authentication Database entry to
       determine when the account lockout currently in effect will end.

          % kas examine pat
          Password for pat:
          User data for pat
           key (0) cksum is 73829292912,  last cpw: Wed Apr 7 11:23:01 1999
           password will expire:  Fri  Jun 11 11:23:01 1999
           5 consecutive unsuccessful authentications are permitted.
           The lock time for this user is 25.5 minutes.
           User is locked until Tue Sep 21 12:25:07 1999
           entry expires on never. Max ticket lifetime 100.00 hours.
           last mod on Thu Feb 4 08:22:29 1999 by admin
           permit password reuse

       In the following example, an administrator logged in as "admin" uses the -showkey flag to
       display the octal digits that constitute the key in the "afs" entry.

          % kas examine -name afs -showkey
          Password for admin: I<admin_password>
          User data for afs
           key (12): \357\253\304\352\234\236\253\352, last cpw: no date
           entry never expires. Max ticket lifetime 100.00 hours.
           last mod on Thu Mar 25 14:53:29 1999 by admin
           permit password reuse

PRIVILEGE REQUIRED

       A user can examine his or her own entry. To examine others' entries or to include the
       -showkey flag, the issuer must have the "ADMIN" flag set in his or her Authentication
       Database entry.

SEE ALSO

       bos_addkey(8), bos_listkeys(8), bos_setauth(8), kas(8), kas_setfields(8),
       kas_setpassword(8), kas_unlock(8), klog(1), kpasswd(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted
       from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by
       Alf Wachsmann and Elizabeth Cassell.