jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-19 15:30:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
74df876daf
openafs/doc/html/UserGuide/auusg005.htm
Derrick Brashear d7da1acc31 initial-html-documentation-20010606 
pull in all documentation from IBM
2001-06-06 19:09:07 +00:00

549 lines
29 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>User Guide</TITLE>
<!-- Begin Header Records ========================================== -->
<!-- /tmp/idwt3629/auusg000.scr converted by idb2h R4.2 (359) ID -->
<!-- Workbench Version (AIX) on 2 Oct 2000 at 14:38:44 -->
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 14:38:42">
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 14:38:42">
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 14:38:42">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved -->
<BODY bgcolor="ffffff">
<!-- End Header Records ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>User Guide</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auusg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auusg004.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auusg006.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auusg013.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
<HR><H1><A NAME="HDRWQ20" HREF="auusg002.htm#ToC_30">Using AFS</A></H1>
<P>This chapter explains how to perform four basic AFS
tasks: logging in and authenticating with AFS, ending an AFS session,
accessing the AFS filespace, and changing your password.
<HR><H2><A NAME="HDRWQ21" HREF="auusg002.htm#ToC_31">Logging in and Authenticating with AFS</A></H2>
<P>To access the AFS filespace as an authenticated user, you
must both log into an AFS client machine's local (UNIX) file system and
authenticate with AFS. When you log in, you establish your local system
identity. When you authenticate, you prove your identity to AFS and
obtain a token, which your Cache Manager uses to prove your authenticated
status to the AFS server processes it contacts on your behalf. Users
who are not authenticated (who do not have a token) have limited access to AFS
directories and files.
<P><H3><A NAME="HDRWQ22" HREF="auusg002.htm#ToC_32">Logging In</A></H3>
<A NAME="IDX819"></A>
<A NAME="IDX820"></A>
<A NAME="IDX821"></A>
<P>On machines that use an AFS-modified login utility, you log in and
authenticate in one step. On machines that do not use an AFS-modified
login utility, you log in and authenticate in separate steps. To
determine which type of login utility your machine uses, you can check for AFS
tokens after logging in, or ask your system administrator, who can also tell
you about any differences between your login procedure and the two methods
described here.
<P><H3><A NAME="Header_33" HREF="auusg002.htm#ToC_33">To Log In Using an AFS-modified Login Utility</A></H3>
<P>Provide your username at the <TT>login:</TT> prompt that
appears when you establish a new connection to a machine. Then provide
your password at the <TT>Password:</TT> prompt as shown in the
following example. (Your password does not echo visibly on the
screen.)
<PRE> login: <VAR>username</VAR>
Password: <VAR>password</VAR>
</PRE>
<P>If you are not sure which type of login utility is running on your machine,
it is best to issue the <B>tokens</B> command to check if you are
authenticated; for instructions, see <A HREF="#HDRWQ30">To Display Your Tokens</A>. If you do not have tokens, issue the <B>klog</B>
command as described in <A HREF="#HDRWQ29">To Authenticate with AFS</A>.
<P><H3><A NAME="HDRWQ23" HREF="auusg002.htm#ToC_34">To Log In Using a Two-Step Login Procedure</A></H3>
<P>If your machine does not use an AFS-modified login utility,
you must perform a two-step procedure:
<OL TYPE=1>
<P><LI>Log in to your client machine's local file system by providing a user
name and password at the <B>login</B> program's prompts.
<P><LI>Issue the <B>klog</B> command to authenticate with AFS. Include
the command's <B>-setpag</B> argument to associate your token with a
special identification number called a <I>PAG</I> (for <I>process
authentication group</I>). For a description of PAGs, see <A HREF="#HDRWQ25">Protecting Your Tokens with a PAG</A>.
<PRE>
% <B>klog -setpag</B>
Password: <VAR>your_AFS_password</VAR>
</PRE>
</OL>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If your machine uses a two-step login procedure, you can choose to use
different passwords for logging in and authenticating. It is simplest
to use the same one for both, though. Talk with your system
administrator.
</TD></TR></TABLE>
<P><H3><A NAME="HDRWQ24" HREF="auusg002.htm#ToC_35">Authenticating with AFS</A></H3>
<P>To work most effectively in the AFS filespace, you must
authenticate with AFS. When you do, your Cache Manager is given a token
as proof of your authenticated status. It uses your token when
requesting services from AFS servers, which accept the token as proof of your
authenticated status. If you do not have a token, AFS servers consider
you to be the <B>anonymous</B> user and your access to AFS filespace is
limited: you have only the ACL permissions granted to the
<B>system:anyuser</B> group.
<A NAME="IDX822"></A>
<A NAME="IDX823"></A>
<A NAME="IDX824"></A>
<P>You can obtain new tokens (reauthenticate) at any time, even after using an
AFS-modified login utility, which logs you in and authenticates you in one
step. Issue the <B>klog</B> command as described in <A HREF="#HDRWQ29">To Authenticate with AFS</A>.
<P><H4><A NAME="HDRWQ25">Protecting Your Tokens with a PAG</A></H4>
<P>To make your access to AFS as secure as possible, it is best
to associate your tokens with a unique identification number called a
<I>PAG</I> (for <I>process authentication group</I>).
<A NAME="IDX825"></A>
<A NAME="IDX826"></A>
<A NAME="IDX827"></A>
AFS-modified login utilities automatically create a PAG and associate the new
token with it. To create a PAG when you use the two-step login
procedure, include the <B>klog</B> command's <B>-setpag</B>
flag. If you do not use this flag, your tokens are associated with your
UNIX UID number instead. This type of association has two potential
drawbacks:
<UL>
<P><LI>Anyone who can assume your local UNIX identity can use your tokens.
The local superuser <B>root</B> can always use the UNIX <B>su</B>
command to assume your UNIX UID, even without knowing your password.
<P><LI>In some environments, certain programs cannot use your tokens even when it
is appropriate for them to do so. For example, printing commands such
as <B>lp</B> or <B>lpr</B> possibly cannot access the files you want
to print, because they cannot use your tokens.
</UL>
<P><H4><A NAME="HDRWQ26">Obtaining Tokens For Foreign Cells</A></H4>
<A NAME="IDX828"></A>
<P>A token is valid only in one cell (the cell whose AFS authentication
service issued it). The AFS server processes in any other cell consider
you to be the <B>anonymous</B> user unless you have an account in the cell
and authenticate with its AFS authentication service.
<P>To obtain tokens in a foreign cell, use the <B>-cell</B> argument to
the <B>klog</B> command. You can have tokens for your home cell and
one or more foreign cells at the same time.
<P><H4><A NAME="HDRWQ27">The One-Token-Per-Cell Rule</A></H4>
<P>You can have only one token per cell for each PAG you have
obtained on a client machine. If you already have a token for a
particular cell and issue the <B>klog</B> command, the new token
overwrites the existing one. Getting a new token is useful if your
current token is almost expired but you want to continue accessing AFS
files. For a discussion of token expiration, see <A HREF="#HDRWQ28">Token Lifetime</A>.
<P>To obtain a second token for the same cell, you must either login on a
different machine or establish another separate connection to the machine
where you already have a token (by using the <B>telnet</B> utility, for
example). You get a new PAG for each separate machine or connection,
and can use the associated tokens only while working on that machine or
connection.
<P><H4><A NAME="Header_39">Obtaining Tokens as Another User</A></H4>
<A NAME="IDX829"></A>
<P>You can authenticate as another username if you know the associated
password. (It is, of course, unethical to use someone else's
tokens without permission.) If you use the <B>klog</B> command to
authenticate as another AFS username, you retain your own local (UNIX)
identity, but the AFS server processes recognize you as the other user.
The new token replaces any token you already have for the relevant cell (for
the reason described in <A HREF="#HDRWQ27">The One-Token-Per-Cell Rule</A>).
<P><H4><A NAME="HDRWQ28">Token Lifetime</A></H4>
<A NAME="IDX830"></A>
<A NAME="IDX831"></A>
<P>Tokens have a limited lifetime. To determine when your tokens
expire, issue the <B>tokens</B> command as described in <A HREF="#HDRWQ30">To Display Your Tokens</A>. If you are ever unable to access AFS in a way that
you normally can, issuing the <B>tokens</B> command tells you whether an
expired token is a possible reason.
<P>Your cell's administrators set the default lifetime of your
token. The AFS authentication service never grants a token lifetime
longer than the default, but you can request a token with a shorter
lifetime. See the <B>klog</B> reference page in the <I>IBM AFS
Administration Reference</I> to learn how to use its <B>-lifetime</B>
argument for this purpose.
<P><H4><A NAME="Header_41">Authenticating for DFS Access</A></H4>
<A NAME="IDX832"></A>
<A NAME="IDX833"></A>
<A NAME="IDX834"></A>
<A NAME="IDX835"></A>
<A NAME="IDX836"></A>
<P>If your machine is configured to access a DCE cell's DFS filespace by
means of the AFS/DFS Migration Toolkit, you can use the <B>dlog</B>
command to authenticate with DCE. The <B>dlog</B> command has no
effect on your ability to access AFS filespace.
<P>If your system administrator has converted your AFS account to a DCE
account and you are not sure of your DCE password, use the <B>dpass</B>
command to display it. You must be authenticated as the AFS user whose
AFS account was converted to a DCE account, and be able to provide the correct
AFS password. Like the <B>dlog</B> command, the <B>dpass</B>
command has no functionality with respect to AFS.
<P>For more information on using the <B>dlog</B> and <B>dpass</B>
commands, see your system administrator.
<P><H3><A NAME="HDRWQ29" HREF="auusg002.htm#ToC_42">To Authenticate with AFS</A></H3>
<A NAME="IDX837"></A>
<A NAME="IDX838"></A>
<A NAME="IDX839"></A>
<P>If your machine is not using an AFS-modified login utility, you must
authenticate after login by issuing the <B>klog</B> command. You
can also issue this command at any time to obtain a token with a later
expiration date than your current token.
<PRE> % <B>klog</B> [<B>-setpag</B>] [<B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>>]
Password: <VAR>your_AFS_password</VAR>
</PRE>
<P>where
<DL>
<P><DT><B>-setpag
</B><DD>Associates the resulting tokens with a PAG (see <A HREF="#HDRWQ25">Protecting Your Tokens with a PAG</A>). Include this flag the first time you obtain a token
for a particular cell during a login session or connection. Do not
include it when refreshing the token for a cell during the same
session.
<P><DT><B>-cell
</B><DD>Names the cell for which to obtain the token. You must have an
account in the cell.
</DL>
<P>Your password does not echo visibly appear on the screen. When the
command shell prompt returns, you are an authenticated AFS user. You
can use the <B>tokens</B> command to verify that you are authenticated, as
described in the following section.
<P><H3><A NAME="HDRWQ30" HREF="auusg002.htm#ToC_43">To Display Your Tokens</A></H3>
<A NAME="IDX840"></A>
<A NAME="IDX841"></A>
<A NAME="IDX842"></A>
<A NAME="IDX843"></A>
<A NAME="IDX844"></A>
<P>Use the <B>tokens</B> command to display your tokens.
<PRE> % <B>tokens</B>
</PRE>
<P>The following output indicates that you have no tokens:
<PRE> Tokens held by the Cache Manager:
--End of list--
</PRE>
<P>If you have one or more tokens, the output looks something like the
following example, in which the tokens for AFS UID 1022 in the <B>
abc.com</B> cell expire on August 3 at 2:35 p.m.
The tokens for AFS UID 9554 in the <B>stateu.edu</B> cell expire on
August 4 at 1:02 a.m.
<PRE> Tokens held by the Cache Manager:
User's (AFS ID 1022) tokens for afs@abc.com [Expires Aug 3 14:35]
User's (AFS ID 9554) tokens for afs@stateu.edu [Expires Aug 4 1:02]
--End of list--
</PRE>
<P><H3><A NAME="Header_44" HREF="auusg002.htm#ToC_44">Example: Authenticating in the Local Cell</A></H3>
<A NAME="IDX845"></A>
<P>Suppose that user <B>terry</B> cannot save a file. He uses the
<B>tokens</B> command and finds that his tokens have expired. He
reauthenticates in his local cell under his current identity by issuing the
following command:
<PRE> % <B>klog</B>
Password: <VAR>terry's_password</VAR>
</PRE>
<P>The he issues the <B>tokens</B> command to make sure he is
authenticated.
<PRE> % <B>tokens</B>
Tokens held by the Cache Manager:
User's (AFS ID 4562) tokens for afs@abc.com [Expires Jun 22 14:35]
--End of list--
</PRE>
<P><H3><A NAME="Header_45" HREF="auusg002.htm#ToC_45">Example: Authenticating as a Another User</A></H3>
<A NAME="IDX846"></A>
<P>Now <B>terry</B> authenticates in his local cell as another user,
<B>pat</B>. The new token replaces <B>terry</B>'s existing
token, because the Cache Manager can store only one token per cell per login
session on a machine.
<PRE> % <B>klog pat</B>
Password: <VAR>pat's_password</VAR>
% <B>tokens</B>
Tokens held by the Cache Manager:
User's (AFS ID 4278) tokens for afs@abc.com [Expires Jun 23 9:46]
--End of list--
</PRE>
<P><H3><A NAME="Header_46" HREF="auusg002.htm#ToC_46">Example: Authenticating in a Foreign Cell</A></H3>
<A NAME="IDX847"></A>
<P>Now <B>terry</B> authenticates in the <B>stateu.edu</B> cell
where his account is called <B>ts09</B>.
<PRE> % <B>klog ts09 -cell stateu.edu</B>
Password: <VAR>ts09's_password</VAR>
% <B>tokens</B>
Tokens held by the Cache Manager:
User's (AFS ID 4562) tokens for afs@abc.com [Expires Jun 22 14:35]
User's (AFS ID 8346) tokens for afs@stateu.edu [Expires Jun 23 1:02]
--End of list--
</PRE>
<P><H3><A NAME="HDRWQ31" HREF="auusg002.htm#ToC_47">Limits on Failed Authentication Attempts</A></H3>
<A NAME="IDX848"></A>
<P>Your system administrator can choose to limit the number of times that you
fail to provide the correct password when authenticating with AFS (using
either an AFS-modified login utility or the <B>klog</B> command).
If you exceed the limit, the AFS authentication service refuses further
authentication attempts for a period of time set by your system
administrator. The purpose of this limit is to prevent unauthorized
users from breaking into your account by trying a series of passwords.
<P>To determine if your user account is subject to this limit, ask your system
administrator or issue the <B>kas examine</B> command as described in <A HREF="#HDRWQ32">To Display Your Failed Authentication Limit and Lockout Time</A>.
<P>The following message indicates that you have exceeded the limit on failed
authentication attempts.
<PRE> Unable to authenticate to AFS because ID is locked - see your system admin
</PRE>
<P><H3><A NAME="HDRWQ32" HREF="auusg002.htm#ToC_48">To Display Your Failed Authentication Limit and Lockout Time</A></H3>
<A NAME="IDX849"></A>
<A NAME="IDX850"></A>
<A NAME="IDX851"></A>
<A NAME="IDX852"></A>
<P>Issue the <B>kas examine</B> command to determine if there is a limit
on the number of unsuccessful authentication attempts for your user account
and any associated lockout time. You can examine only your own
account. The fourth line of the output reports the maximum number of
times you can provide an incorrect password before being locked out of your
account. The <TT>lock time</TT> field on the next line reports how
long the AFS authentication service refuses authentication attempts after the
limit is exceeded.
<PRE> % <B>kas examine</B> <VAR>your_username</VAR>
Password for <VAR>your_username</VAR>: <VAR>your_AFS_password</VAR>
</PRE>
<P>The following example displays the output for the user <B>pat</B>, who
is allowed nine failed authentication attempts. The lockout time is
25.5 minutes.
<PRE> User data for pat
key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999
password will expire: Fri Nov 26 20:44:36 1999
9 consecutive unsuccessful authentications are permitted.
The lock time for this user is 25.5 minutes.
User is not locked.
entry never expires. Max ticket lifetime 100.00 hours.
last mod on Wed Aug 18 08:22:29 1999 by admin
permit password reuse
</PRE>
<HR><H2><A NAME="HDRWQ33" HREF="auusg002.htm#ToC_49">Exiting an AFS Session</A></H2>
<A NAME="IDX853"></A>
<A NAME="IDX854"></A>
<A NAME="IDX855"></A>
<A NAME="IDX856"></A>
<A NAME="IDX857"></A>
<P>Because logging in and authenticating with AFS are distinct operations, you
must both logout and unauthenticate (issue the <B>unlog</B> command to
discard your tokens) when exiting an AFS session. Simply logging out
does not necessarily destroy your tokens.
<P>You can use the <B>unlog</B> command any time you want to
unauthenticate, not just when logging out. For instance, it is a good
practice to unauthenticate before leaving your machine unattended, to prevent
other users from using your tokens during your absence. When you return
to your machine, issue the <B>klog</B> command to reauthenticate, as
described in <A HREF="#HDRWQ29">To Authenticate with AFS</A>.
<P>Do not issue the <B>unlog</B> command when you are running jobs that
take a long time to complete, even if you are logging out. Such
processes must have a token during the entire time they need authenticated
access to AFS.
<P>If you have tokens from multiple cells and want to discard only some of
them, include the <B>unlog</B> command's <B>-cell</B>
argument.
<P><H3><A NAME="Header_50" HREF="auusg002.htm#ToC_50">To Discard Tokens</A></H3>
<A NAME="IDX858"></A>
<A NAME="IDX859"></A>
<P>Issue the <B>unlog</B> command to discard your tokens:
<PRE> % <B>unlog -cell</B> &lt;<VAR>cell&nbsp;name</VAR>><SUP>+</SUP>
</PRE>
<P>Omit the <B>-cell</B> argument to discard all of your tokens, or use it
to name each cell for which to discard tokens. It is best to provide
the full name of each cell (such as <B>stateu.edu</B> or
<B>abc.com</B>).
<P>You can issue the <B>tokens</B> command to verify that your tokens were
destroyed, as in the following example.
<PRE> % <B>tokens</B>
Tokens held by the Cache Manager:
--End of list--
</PRE>
<P><H3><A NAME="Header_51" HREF="auusg002.htm#ToC_51">Example: Unauthenticating from a Specific Cell</A></H3>
<A NAME="IDX860"></A>
<P>In the following example, a user has tokens in both the
<B>accounting</B> and <B>marketing</B> cells at her company.
She discards the token for the <B>acctg.abc.com</B> cell but
keeps the token for the <B>mktg.abc.com</B> cell.
<PRE> % <B>tokens</B>
Tokens held by the Cache Manager:
User's (AFS ID 35) tokens for afs@acctg.abc.com [Expires Nov 10 22:30]
User's (AFS ID 674) tokens for afs@mktg.abc.com [Expires Nov 10 18:44]
--End of list--
% <B>unlog -cell acctg.abc.com</B>
% <B>tokens</B>
Tokens held by the Cache Manager:
User's (AFS ID 674) tokens for afs@mktg.abc.com [Expires Nov 10 18:44]
--End of list--
</PRE>
<P><H3><A NAME="Header_52" HREF="auusg002.htm#ToC_52">To Log Out</A></H3>
<P>After you have unauthenticated, log out by issuing the command
appropriate for your machine type, which is possibly one of the
following.
<PRE> % <B>logout</B>
</PRE>
<P>or
<PRE> % <B>exit</B>
</PRE>
<P>or
<PRE> % &lt;<B>Ctrl-d</B>>
</PRE>
<HR><H2><A NAME="HDRWQ34" HREF="auusg002.htm#ToC_53">Accessing the AFS Filespace</A></H2>
<A NAME="IDX861"></A>
<A NAME="IDX862"></A>
<P>While you are logged in and authenticated, you can access files in AFS just
as you do in the UNIX file system. The only difference is that you can
access potentially many more files. Just as in the UNIX file system,
you can only access those files for which you have permission. AFS uses
access control lists (ACLs) to control access, as described in <A HREF="auusg007.htm#HDRWQ44">Protecting Your Directories and Files</A>.
<P><H3><A NAME="Header_54" HREF="auusg002.htm#ToC_54">AFS Pathnames</A></H3>
<A NAME="IDX863"></A>
<P>AFS pathnames look very similar to UNIX file system names. The main
difference is that every AFS pathname begins with the AFS root directory,
which is called <B>/afs</B> by convention. Having <B>/afs</B>
at the top of every AFS cell's filespace links together their filespaces
into a global filespace.
<A NAME="IDX864"></A>
<A NAME="IDX865"></A>
<A NAME="IDX866"></A>
<A NAME="IDX867"></A>
<P><B>Note for Windows users:</B> Windows uses a backslash
(&nbsp;<B>\</B>&nbsp;) rather than a forward slash
(&nbsp;<B>/</B>&nbsp;) to separate the elements in a
pathname. Otherwise, your access to AFS filespace is much the same as
for users working on UNIX machines.
<P>The second element in AFS pathnames is generally a cell's name.
For example, the ABC Corporation cell is called <B>abc.com</B> and
the pathname of every file in its filespace begins with the string
<B>/afs/abc.com</B>. Some cells also create a directory at
the second level with a shortened name (such as <B>abc</B> for
<B>abc.com</B> or <B>stateu</B> for
<B>stateu.edu</B>), to reduce the amount of typing
necessary. Your system administrator can tell you if your cell's
filespace includes shortened names like this. The rest of the pathname
depends on how the cell's administrators organized its filespace.
<P>To access directories and files in AFS you must both specify the correct
pathname and have the required permissions on the ACL that protects the
directory and the files in it.
<P><H3><A NAME="Header_55" HREF="auusg002.htm#ToC_55">Example: Displaying the Contents of Another User's Directory</A></H3>
<P>The user <B>terry</B> wants to look for a file belonging to another
user, <B>pat</B>. He issues the <B>ls</B> command on the
appropriate pathname.
<PRE> % <B>ls /afs/abc.com/usr/pat/public</B>
doc/ directions/
guide/ jokes/
library/
</PRE>
<P><H3><A NAME="HDRWQ35" HREF="auusg002.htm#ToC_56">Accessing Foreign Cells</A></H3>
<A NAME="IDX868"></A>
<A NAME="IDX869"></A>
<P>You can access files not only in your own cell, but in any AFS cell that
you can reach via the network, regardless of geographical location.
There are two additional requirements:
<UL>
<P><LI>Your Cache Manager's list of foreign cells must include the cell you
want to access. Only the local superuser <B>root</B> can edit the
list of cells, but anyone can display it. See <A HREF="auusg006.htm#HDRWQ42">Determining Access to Foreign Cells</A>.
<P><LI>The ACL on the directory that houses the file, and on every parent
directory in the pathname, must grant you the necessary permissions.
The simplest way for the directory's owner to extend permission to
foreign users is to put an entry for the <B>system:anyuser</B> group
on the ACL.
<P>The alternative is for the foreign cell's administrator to create an
account for you, essentially making you a local user in the cell. The
directory's owner creates an ACL entry for you as for any other local
user. To authenticate in the foreign cell, issue the <B>klog</B>
command with the <B>-cell</B> argument.
</UL>
<P>For further discussion of directory and file protection, see <A HREF="auusg007.htm#HDRWQ44">Protecting Your Directories and Files</A>.
<HR><H2><A NAME="HDRWQ36" HREF="auusg002.htm#ToC_57">Changing Your Password</A></H2>
<P>In cells that use an AFS-modified login utility, the password
is the same for both logging in and authenticating with AFS. In this
case, you use a single command, <B>kpasswd</B>, to change the
password.
<P>If your machine does not use an AFS-modified login utility, there are
separate passwords for logging into the local file system and authenticating
with AFS. (The two passwords can be the same or different, at your
discretion.) In this case, use the <B>kpasswd</B> command to change
your AFS password and the UNIX <B>passwd</B> command to change your UNIX
password.
<P>Your system administrator can improve cell security by configuring several
features that guide your choice of password. Keep them in mind when you
issue the <B>kpasswd</B> command:
<UL>
<P><LI>Limiting the amount of time your password is valid. This improves
your cell's security by limiting the amount of time an unauthorized user
has to try to guess your password. Your system administrator needs to
tell you when your password is due to expire so that you can change it in
time. The administrator can configure the AFS-modified login utility to
report this information automatically each time you log in. You can
also use the <B>kas examine</B> command to display the password expiration
date, as instructed in <A HREF="#HDRWQ37">To Display Password Expiration Date and Reuse Policy</A>.
<P>You can change your password prior to the expiration date, but your system
administrator can choose to set a minimum time between password
changes. The following message indicates that the minimum time has not
yet passed.
<PRE> kpasswd: password was not changed because you changed it too
recently; see your system administrator
</PRE>
<P><LI>Enforcing password quality standards, such as a minimum length or
inclusion of nonalphabetic characters. The administrator needs to tell
you about such requirements so that you do not waste time picking unacceptable
passwords.
<P><LI>Rejecting a password that is too similar to the last 20 passwords you
used. You can use the <B>kas examine</B> command to check whether
this policy applies to you, as instructed in <A HREF="#HDRWQ37">To Display Password Expiration Date and Reuse Policy</A>. The following message indicates that the password
you have chosen is too similar to a previous password.
<PRE> kpasswd: Password was not changed because it seems like a reused password
</PRE>
</UL>
<P><H3><A NAME="HDRWQ37" HREF="auusg002.htm#ToC_58">To Display Password Expiration Date and Reuse Policy</A></H3>
<A NAME="IDX870"></A>
<A NAME="IDX871"></A>
<A NAME="IDX872"></A>
<A NAME="IDX873"></A>
<A NAME="IDX874"></A>
<A NAME="IDX875"></A>
<P>Issue the <B>kas examine</B> command to display your password
expiration date and reuse policy. You can examine only your own
account. The third line of the output reports your password's
expiration date. The last line reports the password reuse policy that
applies to you.
<PRE> % <B>kas examine</B> <VAR>your_username</VAR>
Password for <VAR>your_username</VAR>: <VAR>your_AFS_password</VAR>
</PRE>
<P>The following example displays the output for the user
<B>pat</B>.
<PRE> User data for pat
key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999
password will expire: Fri Nov 26 20:44:36 1999
9 consecutive unsuccessful authentications are permitted.
The lock time for this user is 25.5 minutes.
User is not locked.
entry never expires. Max ticket lifetime 100.00 hours.
last mod on Wed Aug 18 08:22:29 1999 by admin
don't permit password reuse
</PRE>
<P><H3><A NAME="Header_59" HREF="auusg002.htm#ToC_59">To Change Your AFS Password</A></H3>
<A NAME="IDX876"></A>
<A NAME="IDX877"></A>
<A NAME="IDX878"></A>
<A NAME="IDX879"></A>
<P>Issue the <B>kpasswd</B> command, which prompts you to provide your old
and new passwords and to confirm the new password. The passwords do not
echo visibly on the screen.
<PRE> % <B>kpasswd</B>
Old password: <VAR>current_password</VAR>
New password (RETURN to abort): <VAR>new_password</VAR>
Retype new password: <VAR>new_password</VAR>
</PRE>
<P><H3><A NAME="Header_60" HREF="auusg002.htm#ToC_60">To Change Your UNIX Password</A></H3>
<P>
<A NAME="IDX880"></A>
<A NAME="IDX881"></A>
<A NAME="IDX882"></A>
<A NAME="IDX883"></A>
Issue the UNIX <B>passwd</B> command, which prompts you to provide your
old and new passwords and to confirm the new password. The passwords do
not echo visibly on the screen. On many machines, the <B>passwd</B>
resides in the <B>/bin</B> directory, and you possibly need to type the
complete pathname.
<PRE> % <B>passwd</B>
Changing password for <VAR>username</VAR>.
Old password: <VAR>current_password</VAR>
New password: <VAR>new_password</VAR>
Retype new passwd: <VAR>new_password</VAR>
</PRE>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auusg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auusg004.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auusg006.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auusg013.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
<!-- Begin Footer Records ========================================== -->
<P><HR><B>
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
</B>
<!-- End Footer Records ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>
Reference in New Issue View Git Blame Copy Permalink