xenial (8) kas.8.gz

Provided by: openafs-kpasswd_1.6.15-1ubuntu1.1_amd64 bug

NAME
       kas - Introduction to the kas command suite


DESCRIPTION
       The commands in the kas command suite are the administrative interface to the Authentication Server, an
       obsolete AFS server process that maintains the Authentication Database and provides the authentication
       tickets that client applications must present to AFS servers in order to obtain access to AFS data and
       other services. It is used only for cells still running the Authentication Server until they can migrate
       to a Kerberos version 5 KDC.

       There are several categories of commands in the kas command suite:

       •   Commands to create, modify, examine and delete entries in the Authentication Database, including
           passwords: kas create, kas delete, kas examine, kas list, kas setfields, kas setkey, kas setpassword,
           and kas unlock.

       •   Commands to create, delete, and examine tokens and server tickets: kas forgetticket, kas listtickets,
           kas noauthentication, and kas stringtokey.

       •   A command to enter interactive mode: kas interactive.

       •   A command to trace Authentication Server operations: kas statistics.

       •   Commands to obtain help: kas apropos and kas help.

       Because of the sensitivity of information in the Authentication Database, the Authentication Server
       authenticates issuers of kas commands directly, rather than accepting the standard token generated by the
       Ticket Granting Service. Any kas command that requires administrative privilege prompts the issuer for a
       password. The resulting ticket is valid for six hours unless the maximum ticket lifetime for the issuer
       or the Authentication Server's Ticket Granting Service is shorter.

       To avoid having to provide a password repeatedly when issuing a sequence of kas commands, enter
       interactive mode by issuing the kas interactive command, typing kas without any operation code, or typing
       kas followed by a user and cell name, separated by an at-sign ("@"; an example is "kas
       smith.admin@abc.com"). After prompting once for a password, the Authentication Server accepts the
       resulting token for every command issued during the interactive session. See kas_interactive(8) for a
       discussion of when to use each method for entering interactive mode and of the effects of entering a
       session.

       The Authentication Server maintains two databases on the local disk of the machine where it runs:

       •   The Authentication Database (/var/lib/openafs/db/kaserver.DB0) stores the information used to provide
           AFS authentication services to users and servers, including the password scrambled as an encryption
           key. The reference page for the kas examine command describes the information in a database entry.

       •   An auxiliary file (/var/lib/openafs/local/kaauxdb by default) that tracks how often the user has
           provided an incorrect password to the local Authentication Server. The reference page for the kas
           setfields command describes how the Authentication Server uses this file to enforce the limit on
           consecutive authentication failures. To designate an alternate directory for the file, use the
           kaserver command's -localfiles argument.


CAUTIONS
       The kas command suite is provided only for administration of the obsolete Authentication Server for cells
       that have not yet migrated to a Kerberos version 5 KDC. New deployments should not use the Authentication
       Server, and it and the kas command suite will be removed in a future version of OpenAFS.


OPTIONS
       The following arguments and flags are available on many commands in the kas suite. (Some of them are
       unavailable on commands entered in interactive mode, because the information they specify is established
       when entering interactive mode and cannot be changed except by leaving interactive mode.) The reference
       page for each command also lists them, but they are described here in greater detail.

       -admin_username <user name>
           Specifies the user identity under which to authenticate with the Authentication Server for execution
           of the command. If this argument is omitted, the kas command interpreter requests authentication for
           the identity under which the issuer is logged onto the local machine.  Do not combine this argument
           with the -noauth flag.

       -cell <cell name>
           Names the cell in which to run the command. It is acceptable to abbreviate the cell name to the
           shortest form that distinguishes it from the other entries in the /etc/openafs/CellServDB file on the
           local machine. If the -cell argument is omitted, the command interpreter determines the name of the
           local cell by reading the following in order:

           •   The value of the AFSCELL environment variable.

           •   The local /etc/openafs/ThisCell file.

           The -cell argument is not available on commands issued in interactive mode. The cell defined when the
           kas command interpreter enters interactive mode applies to all commands issued during the interactive
           session.

       -help
           Prints a command's online help message on the standard output stream. Do not combine this flag with
           any of the command's other options; when it is provided, the command interpreter ignores all other
           options, and only prints the help message.

       -noauth
           Establishes an unauthenticated connection to the Authentication Server, in which the Authentication
           Server treats the issuer as the unprivileged user "anonymous". It is useful only when authorization
           checking is disabled on the server machine (during the installation of a server machine or when the
           bos setauth command has been used during other unusual circumstances). In normal circumstances, the
           Authentication Server allows only privileged users to issue most kas commands, and refuses to perform
           such an action even if the -noauth flag is provided. Do not combine this flag with the
           -admin_username and -password_for_admin arguments.

       -password_for_admin <password>
           Specifies the password of the command's issuer. It is best to omit this argument, which echoes the
           password visibly in the command shell, instead enter the password at the prompt. Do not combine this
           argument with the -noauth flag.

       -servers <machine name>+
           Establishes a connection with the Authentication Server running on each specified database server
           machine, instead of on each machine listed in the local /etc/openafs/CellServDB file. In either case,
           the kas command interpreter then chooses one of the machines at random to contact for execution of
           each subsequent command. The issuer can abbreviate the machine name to the shortest form that allows
           the local name service to identify it uniquely.


PRIVILEGE REQUIRED
       To issue most kas commands, the issuer must have the "ADMIN" flag set in his or her Authentication
       Database entry (use the kas setfields command to turn the flag on).


SEE ALSO
       CellServDB(5), kaserver.DB0(5), kaserverauxdb(5), kas_apropos(8), kas_create(8), kas_delete(8),
       kas_examine(8), kas_forgetticket(8), kas_help(8), kas_interactive(8), kas_list(8), kas_listtickets(8),
       kas_noauthentication(8), kas_quit(8), kas_setfields(8), kas_setpassword(8), kas_statistics(8),
       kas_stringtokey(8), kas_unlock(8), kaserver(8)


       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML to POD
       by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.