<?xml version="1.0" encoding="UTF-8"?>
<refentry id="kas_setfields8">
<refmeta>
<refentrytitle>kas setfields</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>kas setfields</refname>
<refpurpose>Sets fields in an Authentication Database entry</refpurpose>
</refnamediv>

<refsect1>
<title>Synopsis</title>
<para><emphasis role="bold">kas setfields</emphasis> <emphasis role="bold">-name</emphasis> &lt;<emphasis>name of user</emphasis>&gt;
[<emphasis role="bold">-flags</emphasis> &lt;<emphasis>hex flag value or flag name expression</emphasis>&gt;]
[<emphasis role="bold">-expiration</emphasis> &lt;<emphasis>date of account expiration</emphasis>&gt;]
[<emphasis role="bold">-lifetime</emphasis> &lt;<emphasis>maximum ticket lifetime</emphasis>&gt;]
[<emphasis role="bold">-pwexpires</emphasis> &lt;<emphasis>number days password is valid ([0..254])</emphasis>&gt;]
[<emphasis role="bold">-reuse</emphasis> &lt;<emphasis>permit password reuse (yes/no)</emphasis>&gt;]
[<emphasis role="bold">-attempts</emphasis> &lt;<emphasis>maximum successive failed login tries ([0..254])</emphasis>&gt;]
[<emphasis role="bold">-locktime</emphasis> &lt;<emphasis>failure penalty [hh:mm or minutes]</emphasis>&gt;]
[<emphasis role="bold">-admin_username</emphasis> &lt;<emphasis>admin principal to use for authentication</emphasis>&gt;]
[<emphasis role="bold">-password_for_admin</emphasis> &lt;<emphasis>admin password</emphasis>&gt;] [<emphasis role="bold">-cell</emphasis> &lt;<emphasis>cell name</emphasis>&gt;]
[<emphasis role="bold">-servers</emphasis> &lt;<emphasis>explicit list of authentication servers</emphasis>&gt;+]
[<emphasis role="bold">-noauth</emphasis>] [<emphasis role="bold">-help</emphasis>]</para>

<para><emphasis role="bold">kas setf</emphasis> <emphasis role="bold">-na</emphasis> &lt;<emphasis>name of user</emphasis>&gt;
[<emphasis role="bold">-f</emphasis> &lt;<emphasis>hex flag value or flag name expression</emphasis>&gt;]
[<emphasis role="bold">-e</emphasis> &lt;<emphasis>date of account expiration</emphasis>&gt;]
[<emphasis role="bold">-li</emphasis> &lt;<emphasis>maximum ticket lifetime</emphasis>&gt;]
[<emphasis role="bold">-pw</emphasis> &lt;<emphasis>number days password is valid ([0..254])</emphasis>&gt;]
[<emphasis role="bold">-r</emphasis> &lt;<emphasis>permit password reuse (yes/no)</emphasis>&gt;]
[<emphasis role="bold">-at</emphasis> &lt;<emphasis>maximum successive failed login tries ([0..254])</emphasis>&gt;]
[<emphasis role="bold">-lo</emphasis> &lt;<emphasis>failure penalty [hh:mm or minutes]</emphasis>&gt;]
[<emphasis role="bold">-ad</emphasis> &lt;<emphasis>admin principal to use for authentication</emphasis>&gt;]
[<emphasis role="bold">-pa</emphasis> &lt;<emphasis>admin password</emphasis>&gt;] [<emphasis role="bold">-c</emphasis> &lt;<emphasis>cell name</emphasis>&gt;]
[<emphasis role="bold">-s</emphasis> &lt;<emphasis>explicit list of authentication servers</emphasis>&gt;+] [<emphasis role="bold">-no</emphasis>] [<emphasis role="bold">-h</emphasis>]</para>

<para><emphasis role="bold">kas sf</emphasis> <emphasis role="bold">-na</emphasis> &lt;<emphasis>name of user</emphasis>&gt;
[<emphasis role="bold">-f</emphasis> &lt;<emphasis>hex flag value or flag name expression</emphasis>&gt;]
[<emphasis role="bold">-e</emphasis> &lt;<emphasis>date of account expiration</emphasis>&gt;]
[<emphasis role="bold">-li</emphasis> &lt;<emphasis>maximum ticket lifetime</emphasis>&gt;]
[<emphasis role="bold">-pw</emphasis> &lt;<emphasis>number days password is valid ([0..254])</emphasis>&gt;]
[<emphasis role="bold">-r</emphasis> &lt;<emphasis>permit password reuse (yes/no)</emphasis>&gt;]
[<emphasis role="bold">-at</emphasis> &lt;<emphasis>maximum successive failed login tries ([0..254])</emphasis>&gt;]
[<emphasis role="bold">-lo</emphasis> &lt;<emphasis>failure penalty [hh:mm or minutes]</emphasis>&gt;]
[<emphasis role="bold">-ad</emphasis> &lt;<emphasis>admin principal to use for authentication</emphasis>&gt;]
[<emphasis role="bold">-pa</emphasis> &lt;<emphasis>admin password</emphasis>&gt;] [<emphasis role="bold">-c</emphasis> &lt;<emphasis>cell name</emphasis>&gt;]
[<emphasis role="bold">-s</emphasis> &lt;<emphasis>explicit list of authentication servers</emphasis>&gt;+] [<emphasis role="bold">-no</emphasis>] [<emphasis role="bold">-h</emphasis>]</para>
</refsect1>

<refsect1>
<title>Description</title>
<para>The <emphasis role="bold">kas setfields</emphasis> command changes the Authentication Database entry for
the user named by the <emphasis role="bold">-name</emphasis> argument in the manner specified by the
various optional arguments, which can occur singly or in combination:</para>

<itemizedlist>
<listitem>
<para>To set the flags that determine whether the user has administrative
privileges to the Authentication Server, can obtain a ticket, can change
his or her password, and so on, include the <emphasis role="bold">-flags</emphasis> argument.</para>
</listitem>

<listitem>
<para>To set when the Authentication Database entry expires, include the
<emphasis role="bold">-expiration</emphasis> argument.</para>
</listitem>

<listitem>
<para>To set the maximum ticket lifetime associated with the entry, include the
<emphasis role="bold">-lifetime</emphasis> argument. <link linkend="klog1">klog(1)</link> explains how this value interacts with
others to determine the actual lifetime of a token.</para>
</listitem>

<listitem>
<para>To set when the user's password expires, include the <emphasis role="bold">-pwexpires</emphasis>
argument.</para>
</listitem>

<listitem>
<para>To set whether the user can reuse any of the previous twenty passwords
when creating a new one, include the <emphasis role="bold">-reuse</emphasis> argument.</para>
</listitem>

<listitem>
<para>To set the maximum number of times the user can provide an incorrect
password before the Authentication Server refuses to accept any more
attempts (locks the issuer out), include the <emphasis role="bold">-attempts</emphasis> argument. After
the sixth failed authentication attempt, the Authentication Server logs a
message in the UNIX system log file (the <replaceable>syslog</replaceable> file or equivalent, for
which the standard location varies depending on the operating system).</para>
</listitem>

<listitem>
<para>To set how long the Authentication Server refuses to process
authentication attempts for a locked-out user, set the <emphasis role="bold">-locktime</emphasis>
argument.</para>
</listitem>
</itemizedlist>

<para>The <emphasis role="bold">kas examine</emphasis> command displays the settings made with this command.</para>
</refsect1>

<refsect1>
<title>Cautions</title>
<para>The password lifetime set with the <emphasis role="bold">-pwexpires</emphasis> argument begins at the
time the user's password was last changed, rather than when this command
is issued. It can therefore be retroactive. If, for example, a user
changed her password 100 days ago and the password lifetime is set to 100
days or less, the password effectively expires immediately. To avoid
retroactive expiration, instruct the user to change the password just
before setting a password lifetime.</para>

<para>Administrators whose authentication accounts have the <computeroutput>ADMIN</computeroutput> flag enjoy
complete access to the sensitive information in the Authentication
Database. To prevent access by unauthorized users, use the <emphasis role="bold">-attempts</emphasis>
argument to impose a fairly strict limit on the number of times that a
user obtaining administrative tokens can provide an incorrect
password. Note, however, that there must be more than one account in the
cell with the <computeroutput>ADMIN</computeroutput> flag. The <emphasis role="bold">kas unlock</emphasis> command requires the
<computeroutput>ADMIN</computeroutput> privilege, so it is important that the locked-out administrator
(or a colleague) can access another <computeroutput>ADMIN</computeroutput>-privileged account to unlock
the current account.</para>

<para>In certain circumstances, the mechanism used to enforce the number of
failed authentication attempts can cause a lockout even though the number
of failed attempts is less than the limit set by the <emphasis role="bold">-attempts</emphasis>
argument. Client-side authentication programs such as <emphasis role="bold">klog</emphasis> and an
AFS-modified login utility normally choose an Authentication Server at
random for each authentication attempt, and in case of a failure are
likely to choose a different Authentication Server for the next
attempt. The Authentication Servers running on the various database server
machines do not communicate with each other about how many times a user
has failed to provide the correct password to them. Instead, each
Authentication Server maintains its own separate copy of the auxiliary
database file <replaceable>kaserverauxdb</replaceable> (located in the <replaceable>/usr/afs/local</replaceable> directory
by default), which records the number of consecutive authentication
failures for each user account and the time of the most recent
failure. This implementation means that on average each Authentication
Server knows about only a fraction of the total number of failed
attempts. The only way to avoid allowing more than the number of attempts
set by the <emphasis role="bold">-attempts</emphasis> argument is to have each Authentication Server
allow only some fraction of the total. More specifically, if the limit on
failed attempts is <emphasis>f</emphasis>, and the number of Authentication Servers is <emphasis>S</emphasis>,
then each Authentication Server can only permit a number of attempts equal
to <emphasis>f</emphasis> divided by <emphasis>S</emphasis> (the Ubik synchronization site for the
Authentication Server tracks any remainder, <emphasis>f</emphasis> mod <emphasis>S</emphasis>).</para>

<para>Normally, this implementation does not reduce the number of allowed
attempts to less than the configured limit (<emphasis>f</emphasis>). If one Authentication
Server refuses an attempt, the client contacts another instance of the
server, continuing until either it successfully authenticates or has
contacted all of the servers. However, if one or more of the
Authentication Server processes is unavailable, the limit is effectively
reduced by a percentage equal to the quantity <emphasis>U</emphasis> divided by <emphasis>S</emphasis>, where
<emphasis>U</emphasis> is the number of unavailable servers and <emphasis>S</emphasis> is the number normally
available.</para>

<para>To avoid the undesirable consequences of setting a limit on failed
authentication attempts, note the following recommendations:</para>

<itemizedlist>
<listitem>
<para>Do not set the <emphasis role="bold">-attempts</emphasis> argument (the limit on failed authentication
attempts) too low. A limit of nine failed attempts is recommended for
regular user accounts, to allow three failed attempts per Authentication
Server in a cell with three database server machines.</para>
</listitem>

<listitem>
<para>Set fairly short lockout times when including the <emphasis role="bold">-locktime</emphasis>
argument. Although guessing passwords is a common method of attack, it is
not a very sophisticated one. Setting a lockout time can help discourage
attackers, but excessively long times are likely to be more of a burden to
authorized users than to potential attackers. A lockout time of 25 minutes
is recommended for regular user accounts.</para>
</listitem>

<listitem>
<para>Do not assign an infinite lockout time on an account (by setting the
<emphasis role="bold">-locktime</emphasis> argument to <computeroutput>0</computeroutput> [zero]) unless there is a highly compelling
reason. Such accounts almost inevitably become locked at some point,
because each Authentication Server never resets the account's failure
counter in its copy of the <replaceable>kaauxdb</replaceable> file (in contrast, when the lockout
time is not infinite, the counter resets after the specified amount of
time has passed since the last failed attempt to that Authentication
Server). Furthermore, the only way to unlock an account with an infinite
lockout time is for an administrator to issue the <emphasis role="bold">kas unlock</emphasis>
command. It is especially dangerous to set an infinite lockout time on an
administrative account; if all administrative accounts become locked, the
only way to unlock them is to shut down all instances of the
Authentication Server and remove the <replaceable>kaauxdb</replaceable> file on each.</para>
</listitem>
</itemizedlist>
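<para>The arithmetic in the preceding cautions, as an added illustration that is not OpenAFS code: it splits a cell-wide <emphasis role="bold">-attempts</emphasis> limit <emphasis>f</emphasis> across <emphasis>S</emphasis> servers (remainder at the Ubik synchronization site), shows how the enforced total shrinks when <emphasis>U</emphasis> servers are unavailable, and applies the documented <emphasis role="bold">-locktime</emphasis> normalization. It assumes the synchronization site stays available when other servers are down and models the 8.5-minute rounding as 510-second units.</para>

```python
# Added illustration of the lockout arithmetic in the kas setfields man page.
# Not OpenAFS code: it models the rules as the page states them, and assumes
# the Ubik synchronization site is never among the unavailable servers.

UNIT_SECONDS = 510            # 8.5 minutes, the documented rounding unit
MAX_LOCK_SECONDS = 36 * 3600  # 36:00, the documented ceiling for -locktime


def per_server_budget(f, s):
    """Split the -attempts limit f across s Authentication Servers.

    Each server permits f // s consecutive failures; the synchronization
    site additionally tracks the remainder f mod s. Returns a tuple of
    (ordinary server budget, sync site budget, cell-wide total enforced).
    An f of 0 means no limit at all and is returned as (None, None, None).
    """
    if s == 0:
        raise ValueError("at least one Authentication Server is required")
    if f > 254:
        raise ValueError("-attempts must be in the range 0..254")
    if f == 0:
        return (None, None, None)
    base, remainder = divmod(f, s)
    return (base, base + remainder, base * s + remainder)


def effective_limit(f, s, unavailable):
    """Failures a user can actually make when `unavailable` of the s servers
    are down. Budgets are per server, so the cell-wide limit falls by
    roughly unavailable / s (the page's U divided by S)."""
    ordinary, sync_site, _ = per_server_budget(f, s)
    if ordinary is None:
        return None                       # no limit configured
    if unavailable >= s:
        return 0                          # no server left to authenticate to
    # The sync site stays up (assumption); the other survivors are ordinary.
    return ordinary * (s - 1 - unavailable) + sync_site


def normalize_locktime(value):
    """Parse an hh:mm or mm -locktime value and apply the documented rules:
    0 is an infinite lockout (returned as 0), anything above 36:00 is
    reduced to 36:00, and any non-zero value is rounded up to the next
    multiple of 8.5 minutes. Returns the resulting penalty in seconds."""
    value = value.strip()
    if value.startswith("-"):
        raise ValueError("-locktime cannot be negative")
    if ":" in value:
        hours, minutes = value.split(":", 1)
        seconds = (int(hours) * 60 + int(minutes)) * 60
    else:
        seconds = int(value) * 60
    if seconds == 0:
        return 0                          # infinite: only kas unlock clears it
    if seconds > MAX_LOCK_SECONDS:
        seconds = MAX_LOCK_SECONDS        # "reduces any larger value to 36:00"
    units = -(-seconds // UNIT_SECONDS)   # ceiling division, no floats
    return units * UNIT_SECONDS


if __name__ == "__main__":
    # The page's recommended settings: nine attempts over three servers,
    # and a 25-minute lockout (which rounds up to 25.5 minutes).
    print(per_server_budget(9, 3), effective_limit(9, 3, 1))
    print(normalize_locktime("25") / 60, "minutes")
```

With one of three servers down, the recommended limit of nine collapses to six, which is the one-third reduction the text describes.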
</refsect1>

<refsect1>
<title>Options</title>
<variablelist>
<varlistentry>
<term><emphasis role="bold">-name</emphasis> &lt;<emphasis>name of user</emphasis>&gt;</term>
<listitem>
<para>Names the Authentication Database account for which to change settings.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-flags</emphasis> &lt;<emphasis>hex flag or flag name expression</emphasis>&gt;</term>
<listitem>
<para>Sets one or more of four toggling flags, adding them to any flags
currently set. Either specify one or more of the following strings, or
specify a hexadecimal number that combines the indicated values. To return
all four flags to their defaults, provide a value of <computeroutput>0</computeroutput> (zero). To set
more than one flag at once using the strings, connect them with plus signs
(example: <computeroutput>NOTGS+ADMIN+CPW</computeroutput>). To remove all the current flag settings
before setting new ones, precede the list with an equal sign (example:
<computeroutput>=NOTGS+ADMIN+CPW</computeroutput>).</para>

<variablelist>
<varlistentry>
<term>ADMIN</term>
<listitem>
<para>The user is allowed to issue privileged kas commands (hexadecimal
equivalent is <computeroutput>0x004</computeroutput>, default is <computeroutput>NOADMIN</computeroutput>).</para>
</listitem>
</varlistentry>

<varlistentry>
<term>NOTGS</term>
<listitem>
<para>The Authentication Server's Ticket Granting Service (TGS) refuses to issue
tickets to the user (hexadecimal equivalent is <computeroutput>0x008</computeroutput>, default is
<computeroutput>TGS</computeroutput>).</para>
</listitem>
</varlistentry>

<varlistentry>
<term>NOSEAL</term>
<listitem>
<para>The Ticket Granting Service cannot use the contents of this entry's key
field as an encryption key (hexadecimal equivalent is <computeroutput>0x020</computeroutput>, default is
<computeroutput>SEAL</computeroutput>).</para>
</listitem>
</varlistentry>

<varlistentry>
<term>NOCPW</term>
<listitem>
<para>The user cannot change his or her own password or key (hexadecimal
equivalent is <computeroutput>0x040</computeroutput>, default is <computeroutput>CPW</computeroutput>).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
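<para>How a <emphasis role="bold">-flags</emphasis> expression combines with an entry's current flag word, as an added illustration that is not OpenAFS code. The bit values and the plus-sign, equal-sign and zero rules are the ones documented above; treating the default names <computeroutput>NOADMIN</computeroutput>, <computeroutput>TGS</computeroutput>, <computeroutput>SEAL</computeroutput> and <computeroutput>CPW</computeroutput> as clearing the matching bit (so that <computeroutput>CPW</computeroutput> in the page's example removes <computeroutput>NOCPW</computeroutput>) is an assumption about the kas parser.</para>

```python
# Added illustration of kas -flags expression handling. Not OpenAFS code.
# Bit values and the '+', '=' and 0 rules follow the man page; the default
# names (NOADMIN, TGS, SEAL, CPW) clearing a bit is an assumption.

FLAG_BITS = {"ADMIN": 0x004, "NOTGS": 0x008, "NOSEAL": 0x020, "NOCPW": 0x040}
# Default-state names, assumed to clear the bit of the flag they negate.
DEFAULT_NAMES = {"NOADMIN": "ADMIN", "TGS": "NOTGS",
                 "SEAL": "NOSEAL", "CPW": "NOCPW"}
ALL_BITS = 0x004 | 0x008 | 0x020 | 0x040


def apply_flags_expression(current, expr):
    """Return the flag word that results from applying expr to current.

    '=...'   discards the current settings before applying the rest
    'A+B'    adds each named flag to whatever is already set
    hex      a number such as 0x00c is OR-ed in; a bare 0 restores defaults
    """
    expr = expr.strip()
    if not expr:
        raise ValueError("empty -flags expression")
    if expr.startswith("="):
        word, expr = 0, expr[1:]          # start from a clean slate
    else:
        word = current
    if expr[:1].isdigit():                # hexadecimal form
        number = int(expr, 16)
        if number == 0:
            return 0                      # all four flags back to default
        if number & ~ALL_BITS:
            raise ValueError("unknown flag bits in %r" % expr)
        return word | number
    for token in expr.split("+"):         # symbolic form
        name = token.strip().upper()
        if name in FLAG_BITS:
            word |= FLAG_BITS[name]
        elif name in DEFAULT_NAMES:
            word &= ~FLAG_BITS[DEFAULT_NAMES[name]]
        else:
            raise ValueError("unknown flag name %r" % name)
    return word


def flag_names(word):
    """Names of the non-default flags set in word, in man-page order."""
    return [name for name, bit in FLAG_BITS.items() if word & bit]


def is_admin(word):
    """True when the entry may issue privileged kas commands."""
    return bool(word & FLAG_BITS["ADMIN"])


if __name__ == "__main__":
    # The page's own example applied to an entry that currently has NOCPW.
    word = apply_flags_expression(0x040, "NOTGS+ADMIN+CPW")
    print(hex(word), flag_names(word), is_admin(word))
```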
<varlistentry>
<term><emphasis role="bold">-expiration</emphasis> &lt;<emphasis>date of account expiration</emphasis>&gt;</term>
<listitem>
<para>Determines when the entry itself expires. When a user entry expires, the
user becomes unable to log in; when a server entry such as <computeroutput>afs</computeroutput> expires,
all server processes that use the associated key become inaccessible.
Provide one of the three acceptable values:</para>

<variablelist>
<varlistentry>
<term>never</term>
<listitem>
<para>The account never expires (the default).</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis>mm/dd/yyyy</emphasis></term>
<listitem>
<para>Sets the expiration date to 12:00 a.m. on the indicated date
(month/day/year). Examples: <computeroutput>01/23/1999</computeroutput>, <computeroutput>10/07/2000</computeroutput>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term>"<emphasis>mm/dd/yyyy hh:MM</emphasis>"</term>
<listitem>
<para>Sets the expiration date to the indicated time (hours:minutes) on the
indicated date (month/day/year). Specify the time in 24-hour format (for
example, <computeroutput>20:30</computeroutput> is 8:30 p.m.). The date format is the same as for a date
alone. Surround the entire instance with quotes because it contains a
space. Examples: <computeroutput>"01/23/1999 22:30"</computeroutput>, <computeroutput>"10/07/2000 3:45"</computeroutput>.</para>
</listitem>
</varlistentry>
</variablelist>

<para>Acceptable values for the year range from <computeroutput>1970</computeroutput> (1 January 1970 is time
0 in the standard UNIX date representation) through <computeroutput>2037</computeroutput> (2037 is the
maximum because the UNIX representation cannot accommodate dates later
than a value in February 2038).</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-lifetime</emphasis> &lt;<emphasis>maximum ticket lifetime</emphasis>&gt;</term>
<listitem>
<para>Specifies the maximum lifetime that the Authentication Server's Ticket
Granting Service (TGS) can assign to a ticket. If the account belongs to a
user, this value is the maximum lifetime of a token issued to the user. If
the account corresponds to a server such as <computeroutput>afs</computeroutput>, this value is the
maximum lifetime of a ticket that the TGS issues to clients for
presentation to the server during mutual authentication.</para>

<para>Specify an integer that represents a number of seconds (3600 equals one
hour), or include a colon in the number to indicate a number of hours and
minutes (<computeroutput>10:00</computeroutput> equals 10 hours). If this argument is omitted, the
default setting is 100:00 hours (360000 seconds).</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-pwexpires</emphasis> &lt;<emphasis>number of days password is valid</emphasis>&gt;</term>
<listitem>
<para>Sets the number of days after the user's password was last changed that it
remains valid. Provide an integer from the range <computeroutput>1</computeroutput> through <computeroutput>254</computeroutput> to
specify the number of days until expiration, or the value <computeroutput>0</computeroutput> to indicate
that the password never expires (the default).</para>

<para>When the password expires, the user is unable to authenticate, but has 30
days after the expiration date in which to use the <emphasis role="bold">kpasswd</emphasis> command to
change the password (after that, only an administrator can change it by
using the <emphasis role="bold">kas setpassword</emphasis> command). Note that the clock starts at the
time the password was last changed, not when the <emphasis role="bold">kas setfields</emphasis> command
is issued. To avoid retroactive expiration, have the user change the
password just before issuing a command that includes this argument.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-reuse</emphasis> (yes | no)</term>
<listitem>
<para>Specifies whether or not the user can reuse any of his or her last 20
passwords. The acceptable values are <computeroutput>yes</computeroutput> to allow reuse of old
passwords (the default) and <computeroutput>no</computeroutput> to prohibit reuse of a password that is
similar to one of the previous 20 passwords.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-attempts</emphasis> &lt;<emphasis>maximum successive failed login tries</emphasis>&gt;</term>
<listitem>
<para>Sets the number of consecutive times the user can provide an incorrect
password during authentication (using the <emphasis role="bold">klog</emphasis> command or a login
utility that grants AFS tokens). When the user exceeds the limit, the
Authentication Server rejects further attempts (locks the user out) for
the amount of time specified by the <emphasis role="bold">-locktime</emphasis> argument. Provide an
integer from the range <computeroutput>1</computeroutput> through <computeroutput>254</computeroutput> to specify the number of
failures allowed, or <computeroutput>0</computeroutput> to indicate that there is no limit on
authentication attempts (the default value).</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-locktime</emphasis> &lt;<emphasis>failure penalty</emphasis>&gt;</term>
<listitem>
<para>Specifies how long the Authentication Server refuses authentication
attempts from a user who has exceeded the failure limit set by the
<emphasis role="bold">-attempts</emphasis> argument.</para>

<para>Specify a number of hours and minutes (<emphasis>hh:mm</emphasis>) or minutes only (<emphasis>mm</emphasis>),
from the range <computeroutput>01</computeroutput> (one minute) through <computeroutput>36:00</computeroutput> (36 hours). The <emphasis role="bold">kas</emphasis>
command interpreter automatically reduces any larger value to <computeroutput>36:00</computeroutput> and
also rounds up any non-zero value to the next higher multiple of 8.5
minutes. A value of <computeroutput>0</computeroutput> (zero) sets an infinite lockout time; an
administrator must issue the <emphasis role="bold">kas unlock</emphasis> command to unlock the account.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-admin_username</emphasis> &lt;<emphasis>admin principal</emphasis>&gt;</term>
<listitem>
<para>Specifies the user identity under which to authenticate with the
Authentication Server for execution of the command. For more details, see
<link linkend="kas8">kas(8)</link>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-password_for_admin</emphasis> &lt;<emphasis>admin password</emphasis>&gt;</term>
<listitem>
<para>Specifies the password of the command's issuer. If it is omitted (as
recommended), the <emphasis role="bold">kas</emphasis> command interpreter prompts for it and does not
echo it visibly. For more details, see <link linkend="kas8">kas(8)</link>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-cell</emphasis> &lt;<emphasis>cell name</emphasis>&gt;</term>
<listitem>
<para>Names the cell in which to run the command. For more details, see
<link linkend="kas8">kas(8)</link>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-servers</emphasis> &lt;<emphasis>authentication servers</emphasis>&gt;+</term>
<listitem>
<para>Names each machine running an Authentication Server with which to
establish a connection. For more details, see <link linkend="kas8">kas(8)</link>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-noauth</emphasis></term>
<listitem>
<para>Assigns the unprivileged identity <computeroutput>anonymous</computeroutput> to the issuer. For more
details, see <link linkend="kas8">kas(8)</link>.</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">-help</emphasis></term>
<listitem>
<para>Prints the online help for this command. All other valid options are
ignored.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1>
<title>Examples</title>
<para>In the following example, an administrator using the <computeroutput>admin</computeroutput> account
grants administrative privilege to the user <computeroutput>smith</computeroutput>, and sets the
Authentication Database entry to expire at midnight on 31 December 2000.</para>

<programlisting>
% kas setfields -name smith -flags ADMIN -expiration 12/31/2000
Password for admin:
</programlisting>

<para>In the following example, an administrator using the <computeroutput>admin</computeroutput> account sets
the user <computeroutput>pat</computeroutput>'s password to expire in 60 days from when it last changed,
and prohibits reuse of passwords.</para>

<programlisting>
% kas setfields -name pat -pwexpires 60 -reuse no
Password for admin:
</programlisting>
</refsect1>

<refsect1>
<title>Privilege Required</title>
<para>The issuer must have the <computeroutput>ADMIN</computeroutput> flag set on his or her Authentication
Database entry.</para>
</refsect1>

<refsect1>
<title>See Also</title>
<para><link linkend="kaserverauxdb5">kaserverauxdb(5)</link>,
<link linkend="kas8">kas(8)</link>,
<link linkend="kas_examine8">kas_examine(8)</link>,
<link linkend="kas_setpassword8">kas_setpassword(8)</link>,
<link linkend="kas_unlock8">kas_unlock(8)</link>,
<link linkend="klog1">klog(1)</link>,
<link linkend="kpasswd1">kpasswd(1)</link></para>
</refsect1>

<refsect1>
<title>Copyright</title>
<para>IBM Corporation 2000. &lt;http://www.ibm.com/&gt; All Rights Reserved.</para>

<para>This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.</para>
</refsect1>
</refentry>