Command Reference Manual

kas examine

Purpose

Displays information from an Authentication Database entry

Synopsis

kas examine -name <name of user> [-showkey] 
            [-admin_username <admin principal to use for authentication>]  
            [-password_for_admin <admin password>]  [-cell <cell name>] 
            [-servers <explicit list of authentication servers>⁺]  
            [-noauth]  [-help] 
    
kas e -na <name of user>  [-sh] 
      [-a <admin principal to use for authentication>] 
      [-p <admin password>]  [-c <cell name>] 
      [-se <explicit list of authentication servers>⁺]  [-no]  [-h]

Description

The kas examine command formats and displays information from the Authentication Database entry of the user named by the -name argument.

To alter the settings displayed with this command, issue the kas setfields command.

Options

-name: Names the Authentication Database entry from which to display information.
-showkey: Displays the octal digits that constitute the key.
-admin_username: Specifies the user identity under which to authenticate with the Authentication Server for execution of the command. For more details, see the introductory kas reference page.
-password_for_admin: Specifies the password of the command's issuer. If it is omitted (as recommended), the kas command interpreter prompts for it and does not echo it visibly. For more details, see the introductory kas reference page.
-cell: Names the cell in which to run the command. For more details, see the introductory kas reference page.
-servers: Names each machine running an Authentication Server with which to establish a connection. For more details, see the introductory kas reference page.
-noauth: Assigns the unprivileged identity anonymous to the issuer. For more details, see the introductory kas reference page.
-help: Prints the online help for this command. All other valid options are ignored.

Output

The output includes:

The entry name, following the string User data for.
One or more status flags in parentheses; they appear only if an administrator has used the kas setfields command to change them from their default values. A plus sign (+) separates the flags if there is more than one. The nondefault values that can appear, and their meanings, are as follows:

ADMIN
Enables the user to issue privileged kas commands (default is NOADMIN)
NOTGS
Prevents the user from obtaining tickets from the Authentication Server's Ticket Granting Service (default is TGS)
NOSEAL
Prevents the Ticket Granting Service from using the entry's key field as an encryption key (default is SEAL)
NOCPW
Prevents the user from changing his or her password (default is CPW)
The key version number, in parentheses, following the word key, then one of the following.
- A checksum equivalent of the key, following the string cksum is, if the -showkey flag is not included. The checksum is a decimal number derived by encrypting a constant with the key. In the case of the afs entry, this number must match the checksum with the corresponding key version number in the output of the bos listkeys command; if not, follow the instructions in the AFS System Administrator's Guide for creating a new server encryption key.
- The actual key, following a colon, if the -showkey flag is included. The key consists of eight octal numbers, each represented as a backslash followed by three decimal digits.
The date the user last changed his or her own password, following the string last cpw (which stands for "last change of password").
The password's expiration date, following the string password will expire, or the string password will never expire to indicate that the password never expires. After the indicated date, a non-administrative user cannot authenticate with the Authentication Server; an administrator (one whose account is marked with the ADMIN flag) can authenticate for up to thirty days after expiration. To set the password expiration date, use the kas setpassword command's -pwexpires argument.
The number of times the user can fail to provide the correct password before the account locks, followed by the string consecutive unsuccessful authentications are permitted, or the string An unlimited number of unsuccessful authentications is permitted to indicate that there is no limit. To set the limit, use the kas setfields command's -attempts argument. To unlock a locked account, use the kas unlock command. The kas setfields reference page discusses how the implementation of the lockout feature interacts with this setting.
The number of minutes for which the Authentication Server refuses the user's login attempts after the limit on consecutive unsuccessful authentication attempts is exceeded, following the string The lock time for this user is. Use the kas command's -locktime argument to set the lockout time. This line appears only if a limit on the number of unsuccessful authentication attempts has been set with the the kas setfields command's -attempts argument.
An indication of whether the Authentication Server is currently refusing the user's login attempts. The string User is not locked indicates that authentication can succeed, whereas the string User is locked until time indicates that the user cannot authenticate until the indicated time. Use the kas unlock command to enable a user to attempt authentication. This line appears only if a limit on the number of unsuccessful authentication attempts has been set with the kas setfields command's -attempts argument.
The date on which the Authentication Server entry expires, or the string entry never expires to indicate that the entry does not expire. A user becomes unable to authenticate when his or her entry expires. Use the kas setfields command's -expiration argument to set the expiration date.
The maximum possible lifetime of the tokens that the Authentication Server grants the user. This value interacts with several others to determine the actual lifetime of the token, as described on the klog reference page. Use the kas setfields command's -lifetime argument to set this value.
The date on which the entry was last modified, following the string last mod on and the user name of the administrator who modified it. The date on which a user changed his or her own password is recorded on the second line of output as last cpw instead.
An indication of whether the user can reuse one of his or her last twenty passwords when issuing the kpasswd, kas setpassword, or kas setkey commands. Use the kas setfields command's -reuse argument to set this restriction.

Cautions

Displaying actual keys on the standard output stream by including the -showkey flag constitutes a security exposure. For most purposes, it is sufficient to display a checksum.

Examples

The following example command shows the user smith examining her own Authentication Database entry. Note the ADMIN flag, which shows that smith is privileged.

% kas examine smith
Password for smith:
User data for smith (ADMIN)
 key (0) cksum is 3414844392,  last cpw: Thu Mar 25 16:05:44 1999
 password will expire:  Fri Apr 30 20:44:36 1999
 5 consecutive unsuccessful authentications are permitted.
 The lock time for this user is 25.5 minutes.
 User is not locked.
 entry never expires. Max ticket lifetime 100.00 hours.
 last mod on Tue Jan 5 08:22:29 1999 by admin
 permit password reuse

In the following example, the user pat examines his Authentication Database entry to determine when the account lockout currently in effect will end.

% kas examine pat
Password for pat:
User data for pat
 key (0) cksum is 73829292912,  last cpw: Wed Apr 7 11:23:01 1999
 password will expire:  Fri  Jun 11 11:23:01 1999
 5 consecutive unsuccessful authentications are permitted.
 The lock time for this user is 25.5 minutes.
 User is locked until Tue Sep 21 12:25:07 1999
 entry expires on never. Max ticket lifetime 100.00 hours.
 last mod on Thu Feb 4 08:22:29 1999 by admin
 permit password reuse

In the following example, an administrator logged in as admin uses the -showkey flag to display the octal digits that constitute the key in the afs entry.

% kas examine -name afs -showkey
Password for admin: admin_password
User data for afs
 key (12): \357\253\304\352\234\236\253\352, last cpw: no date 
 entry never expires. Max ticket lifetime 100.00 hours.
 last mod on Thu Mar 25 14:53:29 1999 by admin
 permit password reuse

Privilege Required

A user can examine his or her own entry. To examine others' entries, the issuer must have the ADMIN flag set in his or her Authentication Database entry.

To look at actual keys, the issuer must first use the bos setauth command to disable authorization checking, which requires being listed in the /usr/afs/etc/UserList file; it is not necessary to have the ADMIN flag in addition.

Related Information