[hcoop/debian/openafs.git] / doc / man-pages / pod1 / klog.krb5.pod

=head1 NAME

klog.krb5 - Authenticates to Kerberos and obtains a token

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<klog.krb5> [B<-x>] S<<< [B<-principal> <I<user name>>] >>>
    [-password <I<user's password>>] S<<< [B<-cell> <I<cell name>>] >>>
    S<<< [B<-k> <I<realm>>] >>> [B<-pipe>] [B<-silent>]
    S<<< [B<-lifetime> <I<ticket lifetime in hh[:mm[:ss]]>>] >>>
    [B<-setpag>] [B<-tmp>] [B<-noprdb>] [B<-unwrap>] [B<-help>]

B<klog.krb5> [B<-x>] S<<< [B<-pr> <I<user name>>] >>>
    S<<< [B<-pa> <I<user's password>>] >>>
    S<<< [B<-c> <I<cell name>>] >>>
    B<<< [B<-k> <I<realm>>] >>> [B<-pi>] [B<-si>]
    S<<< [B<-l> <I<ticket lifetime in hh[:mm[:ss]]>>] >>>
    [B<-se>] [B<-t>] [B<-n>] [B<-u>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<klog.krb5> command obtains a Kerberos v5 ticket from a Kerberos
KDC and, from the ticket, an AFS token and then stores it in the Cache
Manager.  The Cache Manager keeps the token in kernel memory and uses it
when obtaining authenticated access to the AFS filespace.  This command
does not affect the issuer's identity (UNIX UID) on the local file system.

By default, the command interpreter obtains a token for the AFS user name
that matches the issuer's local user name.  To specify an alternate user,
include the B<-principal> argument.  The user named by the B<-principal>
argument does not have to appear in the local password file (the
F</etc/passwd> file or equivalent).

By default, the command interpreter obtains a token for the local cell, as
defined by the AFSCELL environment variable set in the command shell or by
the F</usr/vice/etc/ThisCell> file on the local machine.  To specify an
alternate cell, include the B<-cell> argument.  A user can have tokens in
multiple cells simultaneously, but only one token per cell per connection
to the client machine.  If the user's credential structure already
contains a token for the requested cell, the token resulting from this
command replaces it.

By default, the command interpreter obtains a Kerberos ticket for the
local realm.  To specify a different Kerberos realm, include the B<-k>
argument.  The Kerberos realm name need not match the AFS cell name.
B<klog.krb5> will request a ticket for the principal C<afs/I<cell>> where
I<cell> is the cell name for which the user is requesting tokens, falling
back on the principal C<afs> if that principal does not work.

The lifetime of the token resulting from this command is the smallest of
the following:

=over 4

=item *

The lifetime specified by the issuer with the B<-lifetime> argument if
that argument was given.

=item *

The maximum ticket lifetime recorded for the C<afs/I<cell>> principal in
thet Kerberos database.

=item *

The maximum ticket lifetime recorded in the specified user's Kerberos
database entry.

=back

=head1 CAUTIONS

By default, this command does not create a new process authentication
group (PAG); see the description of the B<pagsh> command to learn about
PAGs.  If a cell does not use an AFS-modified login utility, users must
include B<-setpag> option to this command, or issue the B<pagsh> command
before this one, to have their tokens stored in a credential structure
that is identified by PAG rather than by local UID.  Users should be aware
that B<-setpag> will not work on some systems, most notably recent Linux
systems, and using B<pagsh> is preferrable and more reliable.

When a credential structure is identified by local UID, the potential
security exposure is that the local superuser C<root> can use the UNIX
B<su> command to assume any other identity and automatically inherit the
tokens associated with that UID.  Identifying the credential structure by
PAG makes it more difficult (but not impossible) for the local superuser
to obtain tokens of other users.

If the B<-password> argument is used, the specified password cannot begin
with a hyphen, because it is interpreted as another option name.  Use of
the B<-password> argument is not recommended in any case.

By default, it is possible to issue this command on a properly configured
NFS client machine that is accessing AFS via the NFS/AFS Translator,
assuming that the NFS client machine is a supported system type. However,
if the translator machine's administrator has enabled UID checking by
including the B<-uidcheck on> argument to the B<fs exportafs> command, the
command fails with an error message similar to the following:

   Warning: Remote pioctl to <translator_machine> has failed (err=8). . .
   Unable to authenticate to AFS because a pioctl failed.

Enabling UID checking means that the credential structure in which tokens
are stored on the translator machine must be identified by a UID that
matches the local UID of the process that is placing the tokens in the
credential structure.  After the B<klog.krb5> command interpreter obtains
the token on the NFS client, it passes it to the remote executor daemon on
the translator machine, which makes the system call that stores the token
in a credential structure on the translator machine.  The remote executor
generally runs as the local superuser C<root>, so in most cases its local
UID (normally zero) does not match the local UID of the user who issued
the B<klog.krb5> command on the NFS client machine.

Issuing the B<klog.krb5> command on an NFS client machine creates a
security exposure: the command interpreter passes the token across the
network to the remote executor daemon in clear text mode.

=head1 OPTIONS

=over 4

=item B<-x>

Appears only for backwards compatibility.  Its former function is now the
default behavior of this command.

=item B<-principal> <I<user name>>

Specifies the user name to authenticate.  If this argument is omitted, the
default value is the local user name.

=item B<-password> <I<user's password>>

Specifies the issuer's password (or that of the alternate user identified
by the B<-principal> argument).  Omit this argument to have the command
interpreter prompt for the password, in which case it does not echo
visibly in the command shell.

=item B<-cell> <I<cell name>>

Specifies the cell for which to obtain a token.  During a single login
session on a given machine, a user can be authenticated in multiple cells
simultaneously, but can have only one token at a time for each of them
(that is, can only authenticate under one identity per cell per session on
a machine).  It is acceptable to abbreviate the cell name to the shortest
form that distinguishes it from the other cells listed in the
F</usr/vice/etc/CellServDB> file on the client machine on which the
command is issued.

If this argument is omitted, the command is executed in the local cell, as
defined

=over 4

=item *

First, by the value of the environment variable AFSCELL.

=item *

Second, in the F</usr/vice/etc/ThisCell> file on the client machine on
which the command is issued.

=back

=item B<-k> <I<realm>>

Obtain tickets and tokens from the <I<realm>> Kerberos realm.  If this
option is not given, B<klog.krb5> defaults to using the default local
realm.  The Kerberos realm name need not match the AFS cell name.

=item B<-pipe>

Suppresses all output to the standard output stream, including prompts and
error messages. The B<klog.krb5> command interpreter expects to receive
the password from the standard input stream. Do not use this argument; it
is designed for use by application programs rather than human users.

=item B<-silent>

Suppresses some of the trace messages that the B<klog.krb5> command
produces on the standard output stream by default.  It still reports on
major problems encountered.

=item B<-lifetime> <I<ticket lifetime>

Requests a specific lifetime for the token.  Provide a number of hours and
optionally minutes and seconds in the format I<hh>[B<:>I<mm>[B<:>I<ss>]].

=item B<-setpag>

Creates a process authentication group (PAG) prior to requesting
authentication. The token is associated with the newly created PAG.

=item B<-tmp>

Creates a Kerberos-style ticket file rather than only obtaining tokens.
The ticket file will be stored in the default Kerberos ticket cache
location, which is usually in the F</tmp> directory of the local machine
(but depends on the Kerberos implementation used).

=item B<-noprdb>

By default, B<klog.krb5> looks up the user's AFS ID in the Protection
Server and associates the token with that AFS ID.  This is helpful when
looking at the output of commands like B<tokens> but is not required.  If
this option is given, this behavior is suppressed and B<klog.krb5> will
store the token under a generic name.  You may wish this if, for example,
you have problems contacting the Protection Server for an AFS cell for
some reason.

=item B<-unwrap>

Normally, B<klog.krb5> uses the Kerberos service ticket for the AFS
principal as the AFS token.  If this option is given, B<klog.krb5> creates
a different, simplified AFS token form based on the service ticket (the
so-called "rxkad 2b" token).  Normally, this is not necessary.  However,
if you are using older OpenAFS software that cannot handle large ticket
sizes in conjunction with Active Directory as the Kerberos server, using
B<-unwrap> can shrink the AFS token size so that older software can handle
it more easily.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 OUTPUT

If the B<-tmp> flag is included, the following message confirms that a
Kerberos ticket cache was created:

   Wrote ticket file to /tmp/krb5cc_1000_rENJoZ

The path to the cache will vary, of course.

=head1 EXAMPLES

Most often, this command is issued without arguments. The appropriate
password is for the person currently logged into the local system.  The
ticket's lifetime is calculated as described in L</DESCRIPTION>.

   % klog.krb5
   Password for user@EXAMPLE.ORG:

The following example authenticates the user as admin in the Example
Corporation's test cell:

   % klog.krb5 -principal admin -cell test.example.com
   Password for admin@EXAMPLE.COM:

In the following, the issuer requests a ticket lifetime of 104 hours 30
minutes (4 days 8 hours 30 minutes).

   % klog.krb5 -lifetime 104:30
   Password for user@EXAMPLE.ORG:

=head1 PRIVILEGE REQUIRED

None

=head1 SEE ALSO

L<aklog(1)>,
L<fs_exportafs(1)>,
L<pagsh(1)>,
L<tokens(1)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0.  It
was converted from HTML to POD by software written by Chas Williams and
Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
Commit	Line	Data
805e021f CE	1	=head1 NAME
	2
	3	klog.krb5 - Authenticates to Kerberos and obtains a token
	4
	5	=head1 SYNOPSIS
	6
	7	=for html
	8	<div class="synopsis">
	9
	10	B<klog.krb5> [B<-x>] S<<< [B<-principal> <I<user name>>] >>>
	11	[-password <I<user's password>>] S<<< [B<-cell> <I<cell name>>] >>>
	12	S<<< [B<-k> <I<realm>>] >>> [B<-pipe>] [B<-silent>]
	13	S<<< [B<-lifetime> <I<ticket lifetime in hh[:mm[:ss]]>>] >>>
	14	[B<-setpag>] [B<-tmp>] [B<-noprdb>] [B<-unwrap>] [B<-help>]
	15
	16	B<klog.krb5> [B<-x>] S<<< [B<-pr> <I<user name>>] >>>
	17	S<<< [B<-pa> <I<user's password>>] >>>
	18	S<<< [B<-c> <I<cell name>>] >>>
	19	B<<< [B<-k> <I<realm>>] >>> [B<-pi>] [B<-si>]
	20	S<<< [B<-l> <I<ticket lifetime in hh[:mm[:ss]]>>] >>>
	21	[B<-se>] [B<-t>] [B<-n>] [B<-u>] [B<-h>]
	22
	23	=for html
	24	</div>
	25
	26	=head1 DESCRIPTION
	27
	28	The B<klog.krb5> command obtains a Kerberos v5 ticket from a Kerberos
	29	KDC and, from the ticket, an AFS token and then stores it in the Cache
	30	Manager. The Cache Manager keeps the token in kernel memory and uses it
	31	when obtaining authenticated access to the AFS filespace. This command
	32	does not affect the issuer's identity (UNIX UID) on the local file system.
	33
	34	By default, the command interpreter obtains a token for the AFS user name
	35	that matches the issuer's local user name. To specify an alternate user,
	36	include the B<-principal> argument. The user named by the B<-principal>
	37	argument does not have to appear in the local password file (the
	38	F</etc/passwd> file or equivalent).
	39
	40	By default, the command interpreter obtains a token for the local cell, as
	41	defined by the AFSCELL environment variable set in the command shell or by
	42	the F</usr/vice/etc/ThisCell> file on the local machine. To specify an
	43	alternate cell, include the B<-cell> argument. A user can have tokens in
	44	multiple cells simultaneously, but only one token per cell per connection
	45	to the client machine. If the user's credential structure already
	46	contains a token for the requested cell, the token resulting from this
	47	command replaces it.
	48
	49	By default, the command interpreter obtains a Kerberos ticket for the
	50	local realm. To specify a different Kerberos realm, include the B<-k>
	51	argument. The Kerberos realm name need not match the AFS cell name.
	52	B<klog.krb5> will request a ticket for the principal C<afs/I<cell>> where
	53	I<cell> is the cell name for which the user is requesting tokens, falling
	54	back on the principal C<afs> if that principal does not work.
	55
	56	The lifetime of the token resulting from this command is the smallest of
	57	the following:
	58
	59	=over 4
	60
	61	=item *
	62
	63	The lifetime specified by the issuer with the B<-lifetime> argument if
	64	that argument was given.
65
66	=item *
67
68	The maximum ticket lifetime recorded for the C<afs/I<cell>> principal in
69	thet Kerberos database.
70
71	=item *
72
73	The maximum ticket lifetime recorded in the specified user's Kerberos
74	database entry.
75
76	=back
77
78	=head1 CAUTIONS
79
80	By default, this command does not create a new process authentication
81	group (PAG); see the description of the B<pagsh> command to learn about
82	PAGs. If a cell does not use an AFS-modified login utility, users must
83	include B<-setpag> option to this command, or issue the B<pagsh> command
84	before this one, to have their tokens stored in a credential structure
85	that is identified by PAG rather than by local UID. Users should be aware
86	that B<-setpag> will not work on some systems, most notably recent Linux
87	systems, and using B<pagsh> is preferrable and more reliable.
88
89	When a credential structure is identified by local UID, the potential
90	security exposure is that the local superuser C<root> can use the UNIX
91	B<su> command to assume any other identity and automatically inherit the
92	tokens associated with that UID. Identifying the credential structure by
93	PAG makes it more difficult (but not impossible) for the local superuser
94	to obtain tokens of other users.
95
96	If the B<-password> argument is used, the specified password cannot begin
97	with a hyphen, because it is interpreted as another option name. Use of
98	the B<-password> argument is not recommended in any case.
99
100	By default, it is possible to issue this command on a properly configured
101	NFS client machine that is accessing AFS via the NFS/AFS Translator,
102	assuming that the NFS client machine is a supported system type. However,
103	if the translator machine's administrator has enabled UID checking by
104	including the B<-uidcheck on> argument to the B<fs exportafs> command, the
105	command fails with an error message similar to the following:
106
107	Warning: Remote pioctl to <translator_machine> has failed (err=8). . .
108	Unable to authenticate to AFS because a pioctl failed.
109
110	Enabling UID checking means that the credential structure in which tokens
111	are stored on the translator machine must be identified by a UID that
112	matches the local UID of the process that is placing the tokens in the
113	credential structure. After the B<klog.krb5> command interpreter obtains
114	the token on the NFS client, it passes it to the remote executor daemon on
115	the translator machine, which makes the system call that stores the token
116	in a credential structure on the translator machine. The remote executor
117	generally runs as the local superuser C<root>, so in most cases its local
118	UID (normally zero) does not match the local UID of the user who issued
119	the B<klog.krb5> command on the NFS client machine.
120
121	Issuing the B<klog.krb5> command on an NFS client machine creates a
122	security exposure: the command interpreter passes the token across the
123	network to the remote executor daemon in clear text mode.
124
125	=head1 OPTIONS
126
127	=over 4
128
129	=item B<-x>
130
131	Appears only for backwards compatibility. Its former function is now the
132	default behavior of this command.
133
134	=item B<-principal> <I<user name>>
135
136	Specifies the user name to authenticate. If this argument is omitted, the
137	default value is the local user name.
138
139	=item B<-password> <I<user's password>>
140
141	Specifies the issuer's password (or that of the alternate user identified
142	by the B<-principal> argument). Omit this argument to have the command
143	interpreter prompt for the password, in which case it does not echo
144	visibly in the command shell.
145
146	=item B<-cell> <I<cell name>>
147
148	Specifies the cell for which to obtain a token. During a single login
149	session on a given machine, a user can be authenticated in multiple cells
150	simultaneously, but can have only one token at a time for each of them
151	(that is, can only authenticate under one identity per cell per session on
152	a machine). It is acceptable to abbreviate the cell name to the shortest
153	form that distinguishes it from the other cells listed in the
154	F</usr/vice/etc/CellServDB> file on the client machine on which the
155	command is issued.
156
157	If this argument is omitted, the command is executed in the local cell, as
158	defined
159
160	=over 4
161
162	=item *
163
164	First, by the value of the environment variable AFSCELL.
165
166	=item *
167
168	Second, in the F</usr/vice/etc/ThisCell> file on the client machine on
169	which the command is issued.
170
171	=back
172
173	=item B<-k> <I<realm>>
174
175	Obtain tickets and tokens from the <I<realm>> Kerberos realm. If this
176	option is not given, B<klog.krb5> defaults to using the default local
177	realm. The Kerberos realm name need not match the AFS cell name.
178
179	=item B<-pipe>
180
181	Suppresses all output to the standard output stream, including prompts and
182	error messages. The B<klog.krb5> command interpreter expects to receive
183	the password from the standard input stream. Do not use this argument; it
184	is designed for use by application programs rather than human users.
185
186	=item B<-silent>
187
188	Suppresses some of the trace messages that the B<klog.krb5> command
189	produces on the standard output stream by default. It still reports on
190	major problems encountered.
191
192	=item B<-lifetime> <I<ticket lifetime>
193
194	Requests a specific lifetime for the token. Provide a number of hours and
195	optionally minutes and seconds in the format I<hh>[B<:>I<mm>[B<:>I<ss>]].
196
197	=item B<-setpag>
198
199	Creates a process authentication group (PAG) prior to requesting
200	authentication. The token is associated with the newly created PAG.
201
202	=item B<-tmp>
203
204	Creates a Kerberos-style ticket file rather than only obtaining tokens.
205	The ticket file will be stored in the default Kerberos ticket cache
206	location, which is usually in the F</tmp> directory of the local machine
207	(but depends on the Kerberos implementation used).
208
209	=item B<-noprdb>
210
211	By default, B<klog.krb5> looks up the user's AFS ID in the Protection
212	Server and associates the token with that AFS ID. This is helpful when
213	looking at the output of commands like B<tokens> but is not required. If
214	this option is given, this behavior is suppressed and B<klog.krb5> will
215	store the token under a generic name. You may wish this if, for example,
216	you have problems contacting the Protection Server for an AFS cell for
217	some reason.
218
219	=item B<-unwrap>
220
221	Normally, B<klog.krb5> uses the Kerberos service ticket for the AFS
222	principal as the AFS token. If this option is given, B<klog.krb5> creates
223	a different, simplified AFS token form based on the service ticket (the
224	so-called "rxkad 2b" token). Normally, this is not necessary. However,
225	if you are using older OpenAFS software that cannot handle large ticket
226	sizes in conjunction with Active Directory as the Kerberos server, using
227	B<-unwrap> can shrink the AFS token size so that older software can handle
228	it more easily.
229
230	=item B<-help>
231
232	Prints the online help for this command. All other valid options are
233	ignored.
234
235	=back
236
237	=head1 OUTPUT
238
239	If the B<-tmp> flag is included, the following message confirms that a
240	Kerberos ticket cache was created:
241
242	Wrote ticket file to /tmp/krb5cc_1000_rENJoZ
243
244	The path to the cache will vary, of course.
245
246	=head1 EXAMPLES
247
248	Most often, this command is issued without arguments. The appropriate
249	password is for the person currently logged into the local system. The
250	ticket's lifetime is calculated as described in L</DESCRIPTION>.
251
252	% klog.krb5
253	Password for user@EXAMPLE.ORG:
254
255	The following example authenticates the user as admin in the Example
256	Corporation's test cell:
257
258	% klog.krb5 -principal admin -cell test.example.com
259	Password for admin@EXAMPLE.COM:
260
261	In the following, the issuer requests a ticket lifetime of 104 hours 30
262	minutes (4 days 8 hours 30 minutes).
263
264	% klog.krb5 -lifetime 104:30
265	Password for user@EXAMPLE.ORG:
266
267	=head1 PRIVILEGE REQUIRED
268
269	None
270
271	=head1 SEE ALSO
272
273	L<aklog(1)>,
274	L<fs_exportafs(1)>,
275	L<pagsh(1)>,
276	L<tokens(1)>
277
278	=head1 COPYRIGHT
279
280	IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
281
282	This documentation is covered by the IBM Public License Version 1.0. It
283	was converted from HTML to POD by software written by Chas Williams and
284	Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.