mirror of
https://git.openafs.org/openafs.git
synced 2025-01-19 15:30:14 +00:00
52557c982e
needs more massaging to make it fit the tree, but, get it here first
229 lines
12 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="kas8">
<refmeta>
<refentrytitle>kas</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>kas</refname>
<refpurpose>Introduction to the kas command suite</refpurpose>
</refnamediv>
<refsect1>
<title>Description</title>
<para>The commands in the <emphasis role="bold">kas</emphasis> command suite are the administrative interface
to the Authentication Server, which runs on each database server machine
in a cell, maintains the Authentication Database, and provides the
authentication tickets that client applications must present to AFS
servers in order to obtain access to AFS data and other services.</para>

<para>There are several categories of commands in the <emphasis role="bold">kas</emphasis> command suite:</para>

<itemizedlist>
<listitem>
<para>Commands to create, modify, examine and delete entries in the
Authentication Database, including passwords: <emphasis role="bold">kas create</emphasis>, <emphasis role="bold">kas
delete</emphasis>, <emphasis role="bold">kas examine</emphasis>, <emphasis role="bold">kas list</emphasis>, <emphasis role="bold">kas setfields</emphasis>, <emphasis role="bold">kas setkey</emphasis>,
<emphasis role="bold">kas setpassword</emphasis>, and <emphasis role="bold">kas unlock</emphasis>.</para>

</listitem>
<listitem>
<para>Commands to create, delete, and examine tokens and server tickets: <emphasis role="bold">kas
forgetticket</emphasis>, <emphasis role="bold">kas listtickets</emphasis>, <emphasis role="bold">kas noauthentication</emphasis>, and <emphasis role="bold">kas
stringtokey</emphasis>.</para>

</listitem>
<listitem>
<para>A command to enter interactive mode: <emphasis role="bold">kas interactive</emphasis>.</para>

</listitem>
<listitem>
<para>A command to trace Authentication Server operations: <emphasis role="bold">kas statistics</emphasis>.</para>

</listitem>
<listitem>
<para>Commands to obtain help: <emphasis role="bold">kas apropos</emphasis> and <emphasis role="bold">kas help</emphasis>.</para>

</listitem>
</itemizedlist>
<para>Because of the sensitivity of information in the Authentication Database,
the Authentication Server authenticates issuers of <emphasis role="bold">kas</emphasis> commands
directly, rather than accepting the standard token generated by the Ticket
Granting Service. Any <emphasis role="bold">kas</emphasis> command that requires administrative
privilege prompts the issuer for a password. The resulting ticket is valid
for six hours unless the maximum ticket lifetime for the issuer or the
Authentication Server's Ticket Granting Service is shorter.</para>

<para>To avoid having to provide a password repeatedly when issuing a sequence
of <emphasis role="bold">kas</emphasis> commands, enter <emphasis>interactive mode</emphasis> by issuing the <emphasis role="bold">kas
interactive</emphasis> command, typing <emphasis role="bold">kas</emphasis> without any operation code, or typing
<emphasis role="bold">kas</emphasis> followed by a user and cell name, separated by an at-sign (<computeroutput>@</computeroutput>; an
example is <computeroutput>kas smith.admin@abc.com</computeroutput>). After prompting once for a
password, the Authentication Server accepts the resulting token for every
command issued during the interactive session. See <link linkend="kas_interactive8">kas_interactive(8)</link>
for a discussion of when to use each method for entering interactive mode
and of the effects of entering a session.</para>

<para>The Authentication Server maintains two databases on the local disk of the
machine where it runs:</para>

<itemizedlist>
<listitem>
<para>The Authentication Database (<replaceable>/usr/afs/db/kaserver.DB0</replaceable>) stores the
information used to provide AFS authentication services to users and
servers, including the password scrambled as an encryption key. The
reference page for the <emphasis role="bold">kas examine</emphasis> command describes the information in
a database entry.</para>

</listitem>
<listitem>
<para>An auxiliary file (<replaceable>/usr/afs/local/kaauxdb</replaceable> by default) that records, for
each user, how many consecutive incorrect passwords have been presented to
the local Authentication Server. The reference page for the <emphasis role="bold">kas setfields</emphasis> command
describes how the Authentication Server uses this file to enforce the
limit on consecutive authentication failures. To designate an alternate
directory for the file, use the <emphasis role="bold">kaserver</emphasis> command's <emphasis role="bold">-localfiles</emphasis>
argument.</para>

</listitem>
</itemizedlist>
</refsect1>
<refsect1>
<title>Options</title>
<para>The following arguments and flags are available on many commands in the
<emphasis role="bold">kas</emphasis> suite. (Some of them are unavailable on commands entered in
interactive mode, because the information they specify is established when
entering interactive mode and cannot be changed except by leaving
interactive mode.) The reference page for each command also lists them,
but they are described here in greater detail.</para>

<variablelist>
<varlistentry>
<term><emphasis role="bold">-admin_username</emphasis> <<emphasis>user name</emphasis>></term>
<listitem>
<para>Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. If this argument is
omitted, the <emphasis role="bold">kas</emphasis> command interpreter requests authentication for the
identity under which the issuer is logged onto the local machine. Do not
combine this argument with the <emphasis role="bold">-noauth</emphasis> flag.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-cell</emphasis> <<emphasis>cell name</emphasis>></term>
<listitem>
<para>Names the cell in which to run the command. It is acceptable to abbreviate
the cell name to the shortest form that distinguishes it from the other
entries in the <replaceable>/usr/vice/etc/CellServDB</replaceable> file on the local machine. If
the <emphasis role="bold">-cell</emphasis> argument is omitted, the command interpreter determines the
name of the local cell by reading the following in order:</para>

<itemizedlist>
<listitem>
<para>The value of the AFSCELL environment variable.</para>

</listitem>
<listitem>
<para>The local <replaceable>/usr/vice/etc/ThisCell</replaceable> file.</para>

</listitem>
</itemizedlist>
<para>The <emphasis role="bold">-cell</emphasis> argument is not available on commands issued in interactive
mode. The cell defined when the <emphasis role="bold">kas</emphasis> command interpreter enters
interactive mode applies to all commands issued during the interactive
session.</para>

</listitem>
</varlistentry>
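<para>The lookup order above, as an added example that is not part of the original page or of OpenAFS: a POSIX shell script that expands an abbreviated cell name against a CellServDB file the way the description says (the shortest prefix that matches exactly one cell), falls back to AFSCELL and then to ThisCell, and refuses an ambiguous abbreviation. The CellServDB and ThisCell contents are constructed in a temporary directory; the function names and the cell names are the example's own, not <emphasis role="bold">kas</emphasis> options or real cells.</para>

```shell
#!/bin/sh
# Added example, not OpenAFS code: models the -cell lookup order described
# above. Real clients read /usr/vice/etc/CellServDB and /usr/vice/etc/ThisCell;
# this script builds constructed copies in a temporary directory instead.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CELLSERVDB="$WORK/CellServDB"
THISCELL="$WORK/ThisCell"

# Constructed CellServDB: a cell line starts with '>' and the cell name,
# followed by an optional '#comment'; the lines after it list that cell's
# database server machines.
printf '%s\n' \
    '>abc.com              #ABC Corporation (constructed)' \
    '10.0.0.1              #db1.abc.com' \
    '>abcd.example.org     #shares the prefix "abc" with abc.com' \
    '10.0.1.1              #db1.abcd.example.org' \
    '>def.example.net      #another constructed cell' \
    '10.0.2.1              #db1.def.example.net' > "$CELLSERVDB"
printf 'abc.com\n' > "$THISCELL"

cell_names() {
    # Print the cell names in CellServDB $1, one per line, without '>' or comments.
    awk '/^>/ { sub(/^>/, ""); sub(/#.*/, ""); print $1 }' "$1"
}

resolve_cell() {
    # Usage: resolve_cell [cell-name-or-abbreviation]
    # Exit status: 0 resolved, 1 no match, 2 ambiguous, 3 no local cell known.
    arg=$1
    if [ -n "$arg" ]; then
        found=""
        count=0
        for name in $(cell_names "$CELLSERVDB"); do
            # An exact name always wins, even if it is also a prefix of another.
            if [ "$name" = "$arg" ]; then
                printf '%s\n' "$name"
                return 0
            fi
            case "$name" in
                "$arg"*) found=$name; count=$((count + 1)) ;;
            esac
        done
        if [ "$count" -eq 1 ]; then
            printf '%s\n' "$found"
            return 0
        elif [ "$count" -eq 0 ]; then
            echo "no cell in $CELLSERVDB matches '$arg'" >&2
            return 1
        else
            echo "'$arg' is ambiguous: it matches $count cells in $CELLSERVDB" >&2
            return 2
        fi
    fi
    # No -cell argument: the AFSCELL environment variable first, then ThisCell.
    if [ -n "${AFSCELL:-}" ]; then
        printf '%s\n' "$AFSCELL"
        return 0
    fi
    if [ -r "$THISCELL" ]; then
        head -n 1 "$THISCELL"
        return 0
    fi
    echo "cannot determine the local cell: AFSCELL unset and $THISCELL unreadable" >&2
    return 3
}

# Demonstration: the shortest unambiguous abbreviations, an ambiguous one,
# and the two fallbacks used when no cell is given at all.
resolve_cell abc.          # abc.com
resolve_cell abcd          # abcd.example.org
resolve_cell d             # def.example.net
resolve_cell abc || echo "(refused: 'abc' is a prefix of two cells)"
(AFSCELL=xyz.example; resolve_cell)   # xyz.example, from the environment
(unset AFSCELL; resolve_cell)         # abc.com, from ThisCell
```

<para>The page promises only that an abbreviation works when it distinguishes the cell; what a real <emphasis role="bold">kas</emphasis> does with an abbreviation that matches several entries is not specified here, so the example refuses it with its own exit status rather than silently picking whichever entry is listed first. Running a privileged <emphasis role="bold">kas</emphasis> command against the wrong cell is the failure this guards against.</para>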
<varlistentry>
<term><emphasis role="bold">-help</emphasis></term>
<listitem>
<para>Prints a command's online help message on the standard output stream. Do
not combine this flag with any of the command's other options; when it is
provided, the command interpreter ignores all other options, and only
prints the help message.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-noauth</emphasis></term>
<listitem>
<para>Establishes an unauthenticated connection to the Authentication Server, in
which the Authentication Server treats the issuer as the unprivileged user
<computeroutput>anonymous</computeroutput>. It is useful only when authorization checking is disabled on
the server machine (during the installation of a server machine, or when
the <emphasis role="bold">bos setauth</emphasis> command has been used to disable it in other unusual
circumstances). In normal circumstances, the Authentication Server allows
only privileged users to issue most <emphasis role="bold">kas</emphasis> commands, and refuses to
perform such an action even if the <emphasis role="bold">-noauth</emphasis> flag is provided. Do not
combine this flag with the <emphasis role="bold">-admin_username</emphasis> and <emphasis role="bold">-password_for_admin</emphasis>
arguments.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-password_for_admin</emphasis> <<emphasis>password</emphasis>></term>
<listitem>
<para>Specifies the password of the command's issuer. It is best to omit this
argument: a password given on the command line is echoed visibly in the
command shell, recorded in the shell's history, and readable by other local
users in the process list for as long as the command runs. Instead, enter
the password at the prompt. Do not combine this argument with the
<emphasis role="bold">-noauth</emphasis> flag.</para>

</listitem>
</varlistentry>
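<para>Why the argument is unsafe even on a workstation nobody else is logged into right now, as an added example that is not part of the original page or of OpenAFS: this POSIX shell script starts a placeholder process whose argument vector carries a constructed <computeroutput>-password_for_admin</computeroutput> value (a sleeping <computeroutput>sh</computeroutput> stands in for <emphasis role="bold">kas</emphasis>, which is not invoked), then reads that argument back from the process table through <computeroutput>/proc</computeroutput> or <computeroutput>ps</computeroutput>, exactly as any other local user could while the real command runs. The process name, the password value and the function names are the example's own.</para>

```shell
#!/bin/sh
# Added example, not OpenAFS code: shows that a password passed as a command
# argument is readable from the process table by every local user while the
# command runs. A sleeping sh stands in for kas; the option names are copied
# from the kas options above, the password value is constructed.

argv_of() {
    # Print the argument vector of process $1 the way 'ps -o args' shows it.
    if [ -r "/proc/$1/cmdline" ]; then
        cat "/proc/$1/cmdline" | tr '\000' ' '
    else
        ps -o args= -p "$1"
    fi
}

secret_visible_in_argv() {
    # Start a placeholder whose argv carries the password $1, read its argv
    # back as another user would, then stop it. Returns 0 if the password
    # was readable, 1 otherwise.
    secret=$1
    # 'sleep 3; :' keeps the sh process itself alive: some shells exec a lone
    # command directly, which would replace the argv we want to observe.
    # Output goes to /dev/null so the orphaned sleep cannot hold a pipe open.
    sh -c 'sleep 3; :' kas-placeholder -admin_username smith.admin \
        -password_for_admin "$secret" >/dev/null 2>/dev/null &
    pid=$!
    sleep 1                       # let the child finish exec before we look
    observed=$(argv_of "$pid")
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    case "$observed" in
        *"$secret"*) printf 'leaked: %s\n' "$observed"; return 0 ;;
        *)           printf 'not found in: %s\n' "$observed"; return 1 ;;
    esac
}

# Demonstration with a constructed password.
secret_visible_in_argv 'constructed-pw-3f9a'
```

<para>On Linux, mounting <computeroutput>/proc</computeroutput> with <computeroutput>hidepid=2</computeroutput> hides other users' processes from the unprivileged, but the argument still lands in the invoking shell's history file and in anything that records executed command lines; entering the password at the prompt is the only form that keeps it out of all three places.</para>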
<varlistentry>
<term><emphasis role="bold">-servers</emphasis> <<emphasis>machine name</emphasis>>+</term>
<listitem>
<para>Establishes a connection with the Authentication Server running on each
specified database server machine, instead of on each machine listed in
the local <replaceable>/usr/vice/etc/CellServDB</replaceable> file. In either case, the <emphasis role="bold">kas</emphasis>
command interpreter then chooses one of the machines at random to contact
for execution of each subsequent command. The issuer can abbreviate the
machine name to the shortest form that allows the local name service to
identify it uniquely.</para>

</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Privilege Required</title>
<para>To issue most <emphasis role="bold">kas</emphasis> commands, the issuer must have the <computeroutput>ADMIN</computeroutput> flag set in
his or her Authentication Database entry (use the <emphasis role="bold">kas setfields</emphasis> command
to turn the flag on).</para>

</refsect1>
<refsect1>
<title>See Also</title>
<para><link linkend="CellServDB5">CellServDB(5)</link>,
<link linkend="kaserver_DB05">kaserver.DB0(5)</link>,
<link linkend="kaserverauxdb5">kaserverauxdb(5)</link>,
<link linkend="kas_apropos8">kas_apropos(8)</link>,
<link linkend="kas_create8">kas_create(8)</link>,
<link linkend="kas_delete8">kas_delete(8)</link>,
<link linkend="kas_examine8">kas_examine(8)</link>,
<link linkend="kas_forgetticket8">kas_forgetticket(8)</link>,
<link linkend="kas_help8">kas_help(8)</link>,
<link linkend="kas_interactive8">kas_interactive(8)</link>,
<link linkend="kas_list8">kas_list(8)</link>,
<link linkend="kas_listtickets8">kas_listtickets(8)</link>,
<link linkend="kas_noauthentication8">kas_noauthentication(8)</link>,
<link linkend="kas_quit8">kas_quit(8)</link>,
<link linkend="kas_setfields8">kas_setfields(8)</link>,
<link linkend="kas_setpassword8">kas_setpassword(8)</link>,
<link linkend="kas_statistics8">kas_statistics(8)</link>,
<link linkend="kas_stringtokey8">kas_stringtokey(8)</link>,
<link linkend="kas_unlock8">kas_unlock(8)</link>,
<link linkend="kaserver8">kaserver(8)</link></para>

</refsect1>
<refsect1>
<title>Copyright</title>
<para>IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.</para>

<para>This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.</para>

</refsect1>
</refentry>