kas - Introduction to the kas command suite
The commands in the kas command suite are the administrative interface to
the Authentication Server, an obsolete AFS server process that maintains the
Authentication Database and provides the authentication tickets that client
applications must present to AFS servers in order to obtain access to AFS data
and other services. It is used only for cells still running the Authentication
Server until they can migrate to a Kerberos version 5 KDC.
There are several categories of commands in the kas
- Commands to create, modify, examine and delete entries in
the Authentication Database, including passwords: kas create,
kas delete, kas examine, kas list, kas
setfields, kas setkey, kas setpassword, and kas
- Commands to create, delete, and examine tokens and server
tickets: kas forgetticket, kas listtickets, kas
noauthentication, and kas stringtokey.
- A command to enter interactive mode: kas
- A command to trace Authentication Server operations: kas
- Commands to obtain help: kas apropos and kas
- A command to display the OpenAFS command suite version:
Because of the sensitivity of information in the Authentication Database, the
Authentication Server authenticates issuers of kas
rather than accepting the standard token generated by the Ticket Granting
Service. Any kas command that requires administrative privilege prompts
the issuer for a password. The resulting ticket is valid for six hours unless
the maximum ticket lifetime for the issuer or the Authentication Server's
Ticket Granting Service is shorter.
To avoid having to provide a password repeatedly when issuing a sequence of
commands, enter interactive mode
by issuing the kas
command, typing kas
without any operation code, or
followed by a user and cell name, separated by an at-sign
("@"; an example is "kas firstname.lastname@example.org"). After
prompting once for a password, the Authentication Server accepts the resulting
token for every command issued during the interactive session. See
(8) for a discussion of when to use each method for
entering interactive mode and of the effects of entering a session.
The Authentication Server maintains two databases on the local disk of the
machine where it runs:
- The Authentication Database
(/var/lib/openafs/db/kaserver.DB0) stores the information used to
provide AFS authentication services to users and servers, including the
password scrambled as an encryption key. The reference page for the kas
examine command describes the information in a database entry.
- An auxiliary file (/var/lib/openafs/local/kaauxdb by
default) that tracks how often the user has provided an incorrect password
to the local Authentication Server. The reference page for the kas
setfields command describes how the Authentication Server uses this
file to enforce the limit on consecutive authentication failures. To
designate an alternate directory for the file, use the kaserver
command's -localfiles argument.
command suite is provided only for administration of the obsolete
Authentication Server for cells that have not yet migrated to a Kerberos
version 5 KDC. New deployments should not use the Authentication Server, and
it and the kas command suite will be removed in a future version of
The following arguments and flags are available on many commands in the
suite. (Some of them are unavailable on commands entered in
interactive mode, because the information they specify is established when
entering interactive mode and cannot be changed except by leaving interactive
mode.) The reference page for each command also lists them, but they are
described here in greater detail.
- -admin_username <user name>
- Specifies the user identity under which to authenticate
with the Authentication Server for execution of the command. If this
argument is omitted, the kas command interpreter requests
authentication for the identity under which the issuer is logged onto the
local machine. Do not combine this argument with the -noauth
- -cell <cell name>
- Names the cell in which to run the command. It is
acceptable to abbreviate the cell name to the shortest form that
distinguishes it from the other entries in the
/etc/openafs/CellServDB file on the local machine. If the
-cell argument is omitted, the command interpreter determines the
name of the local cell by reading the following in order:
- The value of the AFSCELL environment variable.
- The local /etc/openafs/ThisCell file.
argument is not available on commands issued in interactive
mode. The cell defined when the kas command interpreter enters
interactive mode applies to all commands issued during the interactive
- Prints a command's online help message on the standard
output stream. Do not combine this flag with any of the command's other
options; when it is provided, the command interpreter ignores all other
options, and only prints the help message.
- Establishes an unauthenticated connection to the
Authentication Server, in which the Authentication Server treats the
issuer as the unprivileged user "anonymous". It is useful only
when authorization checking is disabled on the server machine (during the
installation of a server machine or when the bos setauth command
has been used during other unusual circumstances). In normal
circumstances, the Authentication Server allows only privileged users to
issue most kas commands, and refuses to perform such an action even
if the -noauth flag is provided. Do not combine this flag with the
-admin_username and -password_for_admin arguments.
- -password_for_admin <password>
- Specifies the password of the command's issuer. It is best
to omit this argument, which echoes the password visibly in the command
shell, and instead enter the password at the prompt. Do not combine this
argument with the -noauth flag.
- -servers <machine name>+
- Establishes a connection with the Authentication Server
running on each specified database server machine, instead of on each
machine listed in the local /etc/openafs/CellServDB file. In either
case, the kas command interpreter then chooses one of the machines
at random to contact for execution of each subsequent command. The issuer
can abbreviate the machine name to the shortest form that allows the local
name service to identify it uniquely.
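
The following is an added example, not part of the OpenAFS documentation. It works out which cell and database servers a kas command would contact under the -cell rules above, so an administrator can confirm the target before answering the password prompt. AFS_CONF_DIR is a hypothetical override for running against test files, abbreviations are matched as unique prefixes (an assumption), and the cells and addresses are constructed.

```sh
#!/bin/sh
# Added example, not OpenAFS code. AFS_CONF_DIR is a hypothetical override.

# effective_cell [CELL]: print "<source> <cell>: <server addresses>" for the
# cell a kas command would use, in the order documented for -cell.
effective_cell() {
    conf=${AFS_CONF_DIR:-/etc/openafs}
    if [ -n "${1:-}" ]; then
        src=-cell; want=$1
    elif [ -n "${AFSCELL:-}" ]; then
        src=AFSCELL; want=$AFSCELL
    elif [ -r "$conf/ThisCell" ]; then
        src=ThisCell
        read -r want < "$conf/ThisCell" || [ -n "$want" ]
    else
        echo "no cell configured" >&2; return 1
    fi
    # CellServDB: ">cell #comment" opens an entry, then "address #hostname"
    # lines. Assumption: a -cell abbreviation is matched as a unique prefix.
    awk -v want="$want" -v src="$src" '
        /^>/ { cur = substr($1, 2)
               if (cur == want) exact = cur
               else if (src == "-cell" && index(cur, want) == 1) { n++; pre = cur }
               next }
        NF   { hosts[cur] = hosts[cur] " " $1 }
        END  { cell = (exact != "") ? exact : (n == 1 ? pre : "")
               if (cell == "") exit 1
               print src, cell ":" hosts[cell] }' "$conf/CellServDB" ||
        { echo "cell '$want': no unique CellServDB entry" >&2; return 1; }
}

# Constructed sample configuration (documentation addresses, made-up cells).
demo_conf() {
    d=$(mktemp -d) || return 1
    echo example.org > "$d/ThisCell"
    cat > "$d/CellServDB" <<'EOF'
>example.org        #Constructed production cell
192.0.2.10          #afsdb1.example.org
192.0.2.11          #afsdb2.example.org
>lab.example.net    #Constructed lab cell
198.51.100.5        #afsdb1.lab.example.net
EOF
    echo "$d"
}

AFS_CONF_DIR=$(demo_conf)
effective_cell                              # falls back to ThisCell
(AFSCELL=lab.example.net; effective_cell)   # environment overrides ThisCell
effective_cell ex                           # abbreviated -cell value
rm -rf "$AFS_CONF_DIR"
```

The second call shows that a value of AFSCELL left in the environment changes the target cell without any change to the files under /etc/openafs.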
To issue most kas commands, the issuer must have the "ADMIN" flag set
in his or her Authentication Database entry (use the kas setfields
command to turn the flag on).
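
Accounts that issue kas commands hold the ADMIN flag, so a password supplied with -password_for_admin on the command line is an administrator credential left in shell history or command audit records. The following added example (not part of the OpenAFS documentation) scans command lines for that argument and redacts the value; it assumes kas accepts option names shortened to a unique prefix, and the sample history is constructed.

```sh
#!/bin/sh
# Added example, not OpenAFS code. Assumes kas accepts options shortened to a
# unique prefix, so "-pass" is treated like "-password_for_admin".

# find_kas_password_args [FILE...]: report kas command lines that carry the
# admin password as an argument. Output is "<line number>: <command up to the
# flag> <redacted>"; everything after the flag is dropped so that a quoted,
# multi-word password never reaches the report.
find_kas_password_args() {
    awk -v flag="-password_for_admin" '
    {
        seen_kas = 0
        for (i = 1; i < NF; i++) {          # i < NF: a value must follow the flag
            if ($i == "kas" || $i ~ /\/kas$/) { seen_kas = 1; continue }
            if (seen_kas && length($i) >= 2 && index(flag, $i) == 1) {
                out = $1
                for (j = 2; j <= i; j++) out = out " " $j
                print NR ": " out " <redacted>"
                next
            }
        }
    }' "$@"
}

# Constructed shell-history sample; the passwords are placeholders.
sample_history() {
    cat <<'EOF'
kas list -admin_username admin -cell example.org
kas list -admin_username admin -password_for_admin CONSTRUCTED-pw1 -cell example.org
ls -p /tmp
/usr/bin/kas list -admin admin -pass "CONSTRUCTED two words"
EOF
}

sample_history | find_kas_password_args
```

Pass one or more history or audit files as arguments to scan them instead of the sample; any password the scan reports should be changed, since it has already been written to disk in clear text.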
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.