Provided by: openafs-kpasswd_1.6.15-1ubuntu1.1_amd64

NAME

       kas - Introduction to the kas command suite

DESCRIPTION

       The commands in the kas command suite are the administrative interface to the
       Authentication Server, an obsolete AFS server process that maintains the Authentication
       Database and provides the authentication tickets that client applications must present to
       AFS servers in order to obtain access to AFS data and other services. It is used only for
       cells still running the Authentication Server until they can migrate to a Kerberos version
       5 KDC.

       There are several categories of commands in the kas command suite:

       •   Commands to create, modify, examine and delete entries in the Authentication Database,
           including passwords: kas create, kas delete, kas examine, kas list, kas setfields, kas
           setkey, kas setpassword, and kas unlock.

       •   Commands to create, delete, and examine tokens and server tickets: kas forgetticket,
           kas listtickets, kas noauthentication, and kas stringtokey.

       •   A command to enter interactive mode: kas interactive.

       •   A command to trace Authentication Server operations: kas statistics.

       •   Commands to obtain help: kas apropos and kas help.

       Because of the sensitivity of information in the Authentication Database, the
       Authentication Server authenticates issuers of kas commands directly, rather than
       accepting the standard token generated by the Ticket Granting Service. Any kas command
       that requires administrative privilege prompts the issuer for a password. The resulting
       ticket is valid for six hours unless the maximum ticket lifetime for the issuer or the
       Authentication Server's Ticket Granting Service is shorter.

       To avoid having to provide a password repeatedly when issuing a sequence of kas commands,
       enter interactive mode by issuing the kas interactive command, typing kas without any
       operation code, or typing kas followed by a user and cell name, separated by an at-sign
       ("@"; an example is "kas smith.admin@abc.com"). After prompting once for a password, the
       Authentication Server accepts the resulting token for every command issued during the
       interactive session. See kas_interactive(8) for a discussion of when to use each method
       for entering interactive mode and of the effects of entering a session.

       The Authentication Server maintains two databases on the local disk of the machine where
       it runs:

       •   The Authentication Database (/var/lib/openafs/db/kaserver.DB0) stores the information
           used to provide AFS authentication services to users and servers, including the
           password scrambled as an encryption key. The reference page for the kas examine
           command describes the information in a database entry.

       •   An auxiliary file (/var/lib/openafs/local/kaauxdb by default) that tracks how often
           the user has provided an incorrect password to the local Authentication Server. The
           reference page for the kas setfields command describes how the Authentication Server
           uses this file to enforce the limit on consecutive authentication failures. To
           designate an alternate directory for the file, use the kaserver command's -localfiles
           argument.

CAUTIONS

       The kas command suite is provided only for administration of the obsolete Authentication
       Server for cells that have not yet migrated to a Kerberos version 5 KDC. New deployments
       should not use the Authentication Server, and it and the kas command suite will be removed
       in a future version of OpenAFS.

OPTIONS

       The following arguments and flags are available on many commands in the kas suite. (Some
       of them are unavailable on commands entered in interactive mode, because the information
       they specify is established when entering interactive mode and cannot be changed except by
       leaving interactive mode.) The reference page for each command also lists them, but they
       are described here in greater detail.

       -admin_username <user name>
           Specifies the user identity under which to authenticate with the Authentication Server
           for execution of the command. If this argument is omitted, the kas command interpreter
           requests authentication for the identity under which the issuer is logged onto the
           local machine.  Do not combine this argument with the -noauth flag.

       -cell <cell name>
           Names the cell in which to run the command. It is acceptable to abbreviate the cell
           name to the shortest form that distinguishes it from the other entries in the
           /etc/openafs/CellServDB file on the local machine. If the -cell argument is omitted,
           the command interpreter determines the name of the local cell by reading the following
           in order:

           •   The value of the AFSCELL environment variable.

           •   The local /etc/openafs/ThisCell file.

           The -cell argument is not available on commands issued in interactive mode. The cell
           defined when the kas command interpreter enters interactive mode applies to all
           commands issued during the interactive session.

       -help
           Prints a command's online help message on the standard output stream. Do not combine
           this flag with any of the command's other options; when it is provided, the command
           interpreter ignores all other options, and only prints the help message.

       -noauth
           Establishes an unauthenticated connection to the Authentication Server, in which the
           Authentication Server treats the issuer as the unprivileged user "anonymous". It is
           useful only when authorization checking is disabled on the server machine (during the
           installation of a server machine, or in other unusual circumstances after the bos
           setauth command has been used to disable it). In normal circumstances, the
           Authentication Server allows only privileged users to issue most kas commands, and
           refuses to perform such an action even if the -noauth flag is provided. Do not
           combine this flag with the -admin_username and -password_for_admin arguments.

       -password_for_admin <password>
           Specifies the password of the command's issuer. It is best to omit this argument and
           enter the password at the prompt instead: a password given on the command line is
           echoed visibly in the command shell, and is also exposed to other users of the
           machine through the process list and the shell's history file. Do not combine this
           argument with the -noauth flag.

       -servers <machine name>+
           Establishes a connection with the Authentication Server running on each specified
           database server machine, instead of on each machine listed in the local
           /etc/openafs/CellServDB file. In either case, the kas command interpreter then chooses
           one of the machines at random to contact for execution of each subsequent command. The
           issuer can abbreviate the machine name to the shortest form that allows the local name
           service to identify it uniquely.
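
       The following POSIX sh script is an added example, not part of OpenAFS or of this
       reference page. It models the two selection steps described under -cell and -servers
       above: picking the cell (the argument, then the AFSCELL variable, then ThisCell),
       expanding an abbreviated cell name against the ">cell" header lines of CellServDB and
       refusing an abbreviation that matches more than one cell, and choosing one of the cell's
       database servers at random for each command. The CELLSERVDB and THISCELL variables, the
       function names and the sample CellServDB contents are this example's own; treating an
       exact (case-insensitive) match as winning over longer cell names that share the prefix
       is an assumption, not something kas(8) states.

```shell
#!/bin/sh
# Added example, not OpenAFS code: a POSIX sh model of how the kas command
# interpreter settles on a cell and a database server when -cell is omitted
# or abbreviated and -servers is not given. Exact match beating longer cells
# that share the prefix is an assumption of this example.
#
# CELLSERVDB and THISCELL stand in for /etc/openafs/CellServDB and
# /etc/openafs/ThisCell; point them at the real files on an AFS client.

# expand_cell PREFIX: print the one cell in CellServDB that PREFIX names;
# fail (exit 1, message on stderr) if it names none or more than one.
expand_cell() {
    awk -v p="$1" -v db="$CELLSERVDB" '
        BEGIN { p = tolower(p) }
        /^>/ {                               # header line: ">cellname   #comment"
            c = substr($1, 2)
            if (tolower(c) == p)                exact = c
            else if (index(tolower(c), p) == 1) cand[n++] = c
        }
        END {
            if (exact != "") { print exact;   exit 0 }
            if (n == 1)      { print cand[0]; exit 0 }
            if (n == 0) {
                print "cell \"" p "\" not found in " db > "/dev/stderr"
            } else {
                printf "cell \"%s\" is ambiguous:", p > "/dev/stderr"
                for (i = 0; i < n; i++) printf " %s", cand[i] > "/dev/stderr"
                print "" > "/dev/stderr"
            }
            exit 1
        }' "$CELLSERVDB"
}

# resolve_cell [NAME]: the cell kas would use. NAME (the -cell value) wins,
# then $AFSCELL, then the first line of ThisCell; the result is expanded.
resolve_cell() {
    name="$1"
    [ -n "$name" ] || name="$AFSCELL"
    if [ -z "$name" ] && [ -r "$THISCELL" ]; then
        name=$(head -n 1 "$THISCELL")
    fi
    if [ -z "$name" ]; then
        echo "no cell given, AFSCELL unset and $THISCELL unreadable" >&2
        return 1
    fi
    expand_cell "$name"
}

# cell_servers CELL: the database server addresses listed under CELL.
cell_servers() {
    awk -v c="$1" '
        /^>/ { in_cell = (tolower(substr($1, 2)) == tolower(c)); next }
        in_cell && NF { print $1 }
    ' "$CELLSERVDB"
}

# pick_server CELL: one of the servers chosen at random, as kas does for
# each command when -servers is absent.
pick_server() {
    set -- $(cell_servers "$1")
    [ $# -gt 0 ] || return 1
    shift "$(awk -v k="$#" 'BEGIN { srand(); print int(rand() * k) }')"
    printf '%s\n' "$1"
}

# --- constructed sample data so the functions can be exercised offline ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
CELLSERVDB="$tmp/CellServDB"
THISCELL="$tmp/ThisCell"
cat > "$CELLSERVDB" <<'EOF'
>abc.com            #constructed example cell
10.0.0.1            #db1.abc.com
10.0.0.2            #db2.abc.com
>abcdef.org         #second constructed cell sharing the prefix "abc"
10.1.0.1            #db.abcdef.org
EOF
printf 'abcdef.org\n' > "$THISCELL"

# "abc" is too short to distinguish the two cells; "abc.c" is not.
if resolve_cell abc 2>/dev/null; then echo "unexpected: abc resolved"
else echo "abc is ambiguous, so it is rejected"; fi
echo "abc.c -> $(resolve_cell abc.c)"
echo "no -cell, AFSCELL unset -> $(AFSCELL= resolve_cell)"
echo "server for abc.com -> $(pick_server abc.com)"
```

       Run against a real client by setting CELLSERVDB and THISCELL to the /etc/openafs paths
       and deleting the sample-data section. The ambiguity check is the part worth keeping in
       mind: an abbreviation that silently expanded to the wrong cell would send the
       administrator's password to that cell's Authentication Server.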

PRIVILEGE REQUIRED

       To issue most kas commands, the issuer must have the "ADMIN" flag set in his or her
       Authentication Database entry (use the kas setfields command to turn the flag on).

SEE ALSO

       CellServDB(5), kaserver.DB0(5), kaserverauxdb(5), kas_apropos(8), kas_create(8),
       kas_delete(8), kas_examine(8), kas_forgetticket(8), kas_help(8), kas_interactive(8),
       kas_list(8), kas_listtickets(8), kas_noauthentication(8), kas_quit(8), kas_setfields(8),
       kas_setpassword(8), kas_statistics(8), kas_stringtokey(8), kas_unlock(8), kaserver(8)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted
       from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by
       Alf Wachsmann and Elizabeth Cassell.