This chapter explains how to perform four basic AFS tasks: logging in and authenticating with AFS, ending an AFS session, accessing the AFS filespace, and changing your password.
To access the AFS filespace as an authenticated user, you must both log into an AFS client machine's local (UNIX) file system and authenticate with AFS. When you log in, you establish your local system identity. When you authenticate, you prove your identity to AFS and obtain a token, which your Cache Manager uses to prove your authenticated status to the AFS server processes it contacts on your behalf. Users who are not authenticated (who do not have a token) have limited access to AFS directories and files.
On machines that use an AFS-modified login utility, you log in and authenticate in one step. On machines that do not use an AFS-modified login utility, you log in and authenticate in separate steps. To determine which type of login utility your machine uses, you can check for AFS tokens after logging in, or ask your system administrator, who can also tell you about any differences between your login procedure and the two methods described here.
Provide your username at the login: prompt that appears when you establish a new connection to a machine. Then provide your password at the Password: prompt as shown in the following example. (Your password does not echo visibly on the screen.)
login: username Password: password
If you are not sure which type of login utility is running on your machine, it is best to issue the tokens command to check if you are authenticated; for instructions, see To Display Your Tokens. If you do not have tokens, issue the klog command as described in To Authenticate with AFS.
If your machine does not use an AFS-modified login utility, you must perform a two-step procedure:
- Log in to your client machine's local file system by providing a user name and password at the login program's prompts.
- Issue the klog command to authenticate with AFS. Include
the command's -setpag argument to associate your token with
a special identification number called a PAG (for process
authentication group). For a description of PAGs, see Protecting Your Tokens with a PAG.
% klog -setpag Password: your_AFS_password
|Note:||If your machine uses a two-step login procedure, you can choose to use different passwords for logging in and authenticating. It is simplest to use the same one for both, though. Talk with your system administrator.|
To work most effectively in the AFS filespace, you must authenticate with AFS. When you do, your Cache Manager is given a token as proof of your authenticated status. It uses your token when requesting services from AFS servers, which accept the token as proof of your authenticated status. If you do not have a token, AFS servers consider you to be the anonymous user and your access to AFS filespace is limited: you have only the ACL permissions granted to the system:anyuser group.
You can obtain new tokens (reauthenticate) at any time, even after using an AFS-modified login utility, which logs you in and authenticates you in one step. Issue the klog command as described in To Authenticate with AFS.
To make your access to AFS as secure as possible, it is best to associate your tokens with a unique identification number called a PAG (for process authentication group). AFS-modified login utilities automatically create a PAG and associate the new token with it. To create a PAG when you use the two-step login procedure, include the klog command's -setpag flag. If you do not use this flag, your tokens are associated with your UNIX UID number instead. This type of association has two potential drawbacks:
- Anyone who can assume your local UNIX identity can use your tokens. The local superuser root can always use the UNIX su command to assume your UNIX UID, even without knowing your password.
- In some environments, certain programs cannot use your tokens even when it is appropriate for them to do so. For example, printing commands such as lp or lpr possibly cannot access the files you want to print, because they cannot use your tokens.
A token is valid only in one cell (the cell whose AFS authentication service issued it). The AFS server processes in any other cell consider you to be the anonymous user unless you have an account in the cell and authenticate with its AFS authentication service.
To obtain tokens in a foreign cell, use the -cell argument to the klog command. You can have tokens for your home cell and one or more foreign cells at the same time.
You can have only one token per cell for each PAG you have obtained on a client machine. If you already have a token for a particular cell and issue the klog command, the new token overwrites the existing one. Getting a new token is useful if your current token is almost expired but you want to continue accessing AFS files. For a discussion of token expiration, see Token Lifetime.
To obtain a second token for the same cell, you must either login on a different machine or establish another separate connection to the machine where you already have a token (by using the telnet utility, for example). You get a new PAG for each separate machine or connection, and can use the associated tokens only while working on that machine or connection.
You can authenticate as another username if you know the associated password. (It is, of course, unethical to use someone else's tokens without permission.) If you use the klog command to authenticate as another AFS username, you retain your own local (UNIX) identity, but the AFS server processes recognize you as the other user. The new token replaces any token you already have for the relevant cell (for the reason described in The One-Token-Per-Cell Rule).
Tokens have a limited lifetime. To determine when your tokens expire, issue the tokens command as described in To Display Your Tokens. If you are ever unable to access AFS in a way that you normally can, issuing the tokens command tells you whether an expired token is a possible reason.
Your cell's administrators set the default lifetime of your token. The AFS authentication service never grants a token lifetime longer than the default, but you can request a token with a shorter lifetime. See the klog reference page in the AFS Administration Reference to learn how to use its -lifetime argument for this purpose.
If your machine is configured to access a DCE cell's DFS filespace by means of the AFS/DFS Migration Toolkit, you can use the dlog command to authenticate with DCE. The dlog command has no effect on your ability to access AFS filespace.
If your system administrator has converted your AFS account to a DCE account and you are not sure of your DCE password, use the dpass command to display it. You must be authenticated as the AFS user whose AFS account was converted to a DCE account, and be able to provide the correct AFS password. Like the dlog command, the dpass command has no functionality with respect to AFS.
For more information on using the dlog and dpass commands, see your system administrator.
If your machine is not using an AFS-modified login utility, you must authenticate after login by issuing the klog command. You can also issue this command at any time to obtain a token with a later expiration date than your current token.
% klog [-setpag] [-cell <cell name>] Password: your_AFS_password
- Associates the resulting tokens with a PAG (see Protecting Your Tokens with a PAG). Include this flag the first time you obtain a token for a particular cell during a login session or connection. Do not include it when refreshing the token for a cell during the same session.
- Names the cell for which to obtain the token. You must have an account in the cell.
Your password does not echo visibly appear on the screen. When the command shell prompt returns, you are an authenticated AFS user. You can use the tokens command to verify that you are authenticated, as described in the following section.
Use the tokens command to display your tokens.
The following output indicates that you have no tokens:
Tokens held by the Cache Manager: --End of list--
If you have one or more tokens, the output looks something like the following example, in which the tokens for AFS UID 1022 in the abc.com cell expire on August 3 at 2:35 p.m. The tokens for AFS UID 9554 in the stateu.edu cell expire on August 4 at 1:02 a.m.
Tokens held by the Cache Manager: User's (AFS ID 1022) tokens for email@example.com [Expires Aug 3 14:35] User's (AFS ID 9554) tokens for firstname.lastname@example.org [Expires Aug 4 1:02] --End of list--
Suppose that user terry cannot save a file. He uses the tokens command and finds that his tokens have expired. He reauthenticates in his local cell under his current identity by issuing the following command:
% klog Password: terry's_password
The he issues the tokens command to make sure he is authenticated.
% tokens Tokens held by the Cache Manager: User's (AFS ID 4562) tokens for email@example.com [Expires Jun 22 14:35] --End of list--
Now terry authenticates in his local cell as another user, pat. The new token replaces terry's existing token, because the Cache Manager can store only one token per cell per login session on a machine.
% klog pat Password: pat's_password % tokens Tokens held by the Cache Manager: User's (AFS ID 4278) tokens for firstname.lastname@example.org [Expires Jun 23 9:46] --End of list--
Now terry authenticates in the stateu.edu cell where his account is called ts09.
% klog ts09 -cell stateu.edu Password: ts09's_password % tokens Tokens held by the Cache Manager: User's (AFS ID 4562) tokens for email@example.com [Expires Jun 22 14:35] User's (AFS ID 8346) tokens for firstname.lastname@example.org [Expires Jun 23 1:02] --End of list--
Your system administrator can choose to limit the number of times that you fail to provide the correct password when authenticating with AFS (using either an AFS-modified login utility or the klog command). If you exceed the limit, the AFS authentication service refuses further authentication attempts for a period of time set by your system administrator. The purpose of this limit is to prevent unauthorized users from breaking into your account by trying a series of passwords.
To determine if your user account is subject to this limit, ask your system administrator or issue the kas examine command as described in To Display Your Failed Authentication Limit and Lockout Time.
The following message indicates that you have exceeded the limit on failed authentication attempts.
Unable to authenticate to AFS because ID is locked - see your system admin
Issue the kas examine command to determine if there is a limit on the number of unsuccessful authentication attempts for your user account and any associated lockout time. You can examine only your own account. The fourth line of the output reports the maximum number of times you can provide an incorrect password before being locked out of your account. The lock time field on the next line reports how long the AFS authentication service refuses authentication attempts after the limit is exceeded.
% kas examine your_username Password for your_username: your_AFS_password
The following example displays the output for the user pat, who is allowed nine failed authentication attempts. The lockout time is 25.5 minutes.
User data for pat key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999 password will expire: Fri Nov 26 20:44:36 1999 9 consecutive unsuccessful authentications are permitted. The lock time for this user is 25.5 minutes. User is not locked. entry never expires. Max ticket lifetime 100.00 hours. last mod on Wed Aug 18 08:22:29 1999 by admin permit password reuse
Because logging in and authenticating with AFS are distinct operations, you must both logout and unauthenticate (issue the unlog command to discard your tokens) when exiting an AFS session. Simply logging out does not necessarily destroy your tokens.
You can use the unlog command any time you want to unauthenticate, not just when logging out. For instance, it is a good practice to unauthenticate before leaving your machine unattended, to prevent other users from using your tokens during your absence. When you return to your machine, issue the klog command to reauthenticate, as described in To Authenticate with AFS.
Do not issue the unlog command when you are running jobs that take a long time to complete, even if you are logging out. Such processes must have a token during the entire time they need authenticated access to AFS.
If you have tokens from multiple cells and want to discard only some of them, include the unlog command's -cell argument.
Issue the unlog command to discard your tokens:
% unlog -cell <cell name>+
Omit the -cell argument to discard all of your tokens, or use it to name each cell for which to discard tokens. It is best to provide the full name of each cell (such as stateu.edu or abc.com).
You can issue the tokens command to verify that your tokens were destroyed, as in the following example.
% tokens Tokens held by the Cache Manager: --End of list--
In the following example, a user has tokens in both the accounting and marketing cells at her company. She discards the token for the acctg.abc.com cell but keeps the token for the mktg.abc.com cell.
% tokens Tokens held by the Cache Manager: User's (AFS ID 35) tokens for email@example.com [Expires Nov 10 22:30] User's (AFS ID 674) tokens for firstname.lastname@example.org [Expires Nov 10 18:44] --End of list-- % unlog -cell acctg.abc.com % tokens Tokens held by the Cache Manager: User's (AFS ID 674) tokens for email@example.com [Expires Nov 10 18:44] --End of list--
After you have unauthenticated, log out by issuing the command appropriate for your machine type, which is possibly one of the following.
While you are logged in and authenticated, you can access files in AFS just as you do in the UNIX file system. The only difference is that you can access potentially many more files. Just as in the UNIX file system, you can only access those files for which you have permission. AFS uses access control lists (ACLs) to control access, as described in Protecting Your Directories and Files.
AFS pathnames look very similar to UNIX file system names. The main difference is that every AFS pathname begins with the AFS root directory, which is called /afs by convention. Having /afs at the top of every AFS cell's filespace links together their filespaces into a global filespace.
Note for Windows users: Windows uses a backslash ( \ ) rather than a forward slash ( / ) to separate the elements in a pathname. Otherwise, your access to AFS filespace is much the same as for users working on UNIX machines.
The second element in AFS pathnames is generally a cell's name. For example, the ABC Corporation cell is called abc.com and the pathname of every file in its filespace begins with the string /afs/abc.com. Some cells also create a directory at the second level with a shortened name (such as abc for abc.com or stateu for stateu.edu), to reduce the amount of typing necessary. Your system administrator can tell you if your cell's filespace includes shortened names like this. The rest of the pathname depends on how the cell's administrators organized its filespace.
To access directories and files in AFS you must both specify the correct pathname and have the required permissions on the ACL that protects the directory and the files in it.
The user terry wants to look for a file belonging to another user, pat. He issues the ls command on the appropriate pathname.
% ls /afs/abc.com/usr/pat/public doc/ directions/ guide/ jokes/ library/
You can access files not only in your own cell, but in any AFS cell that you can reach via the network, regardless of geographical location. There are two additional requirements:
- Your Cache Manager's list of foreign cells must include the cell you want to access. Only the local superuser root can edit the list of cells, but anyone can display it. See Determining Access to Foreign Cells.
- The ACL on the directory that houses the file, and on every
parent directory in the pathname, must grant you the necessary
permissions. The simplest way for the directory's owner to extend
permission to foreign users is to put an entry for the
system:anyuser group on the ACL.
The alternative is for the foreign cell's administrator to create an account for you, essentially making you a local user in the cell. The directory's owner creates an ACL entry for you as for any other local user. To authenticate in the foreign cell, issue the klog command with the -cell argument.
For further discussion of directory and file protection, see Protecting Your Directories and Files.
In cells that use an AFS-modified login utility, the password is the same for both logging in and authenticating with AFS. In this case, you use a single command, kpasswd, to change the password.
If your machine does not use an AFS-modified login utility, there are separate passwords for logging into the local file system and authenticating with AFS. (The two passwords can be the same or different, at your discretion.) In this case, use the kpasswd command to change your AFS password and the UNIX passwd command to change your UNIX password.
Your system administrator can improve cell security by configuring several features that guide your choice of password. Keep them in mind when you issue the kpasswd command:
- Limiting the amount of time your password is valid. This
improves your cell's security by limiting the amount of time an
unauthorized user has to try to guess your password. Your system
administrator needs to tell you when your password is due to expire
so that you can change it in time. The administrator can configure
the AFS-modified login utility to report this information
automatically each time you log in. You can also use the kas
examine command to display the password expiration date, as
instructed in To Display Password Expiration
Date and Reuse Policy.
You can change your password prior to the expiration date, but your system administrator can choose to set a minimum time between password changes. The following message indicates that the minimum time has not yet passed.
kpasswd: password was not changed because you changed it too recently; see your system administrator
- Enforcing password quality standards, such as a minimum length or inclusion of nonalphabetic characters. The administrator needs to tell you about such requirements so that you do not waste time picking unacceptable passwords.
- Rejecting a password that is too similar to the last 20
passwords you used. You can use the kas examine command to
check whether this policy applies to you, as instructed in To Display Password Expiration Date and Reuse
Policy. The following message indicates that the password you
have chosen is too similar to a previous password.
kpasswd: Password was not changed because it seems like a reused password
Issue the kas examine command to display your password expiration date and reuse policy. You can examine only your own account. The third line of the output reports your password's expiration date. The last line reports the password reuse policy that applies to you.
% kas examine your_username Password for your_username: your_AFS_password
The following example displays the output for the user pat.
User data for pat key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999 password will expire: Fri Nov 26 20:44:36 1999 9 consecutive unsuccessful authentications are permitted. The lock time for this user is 25.5 minutes. User is not locked. entry never expires. Max ticket lifetime 100.00 hours. last mod on Wed Aug 18 08:22:29 1999 by admin don't permit password reuse
Issue the kpasswd command, which prompts you to provide your old and new passwords and to confirm the new password. The passwords do not echo visibly on the screen.
% kpasswd Old password: current_password New password (RETURN to abort): new_password Retype new password: new_password
Issue the UNIX passwd command, which prompts you to provide your old and new passwords and to confirm the new password. The passwords do not echo visibly on the screen. On many machines, the passwd resides in the /bin directory, and you possibly need to type the complete pathname.
% passwd Changing password for username. Old password: current_password New password: new_password Retype new passwd: new_password
© IBM Corporation 2000. All Rights Reserved