An assortment of commands and tools related to AFS authentication sorted by authentication system.
KaServer -- AFS version of Kerberos V4
The klog command (and kpasswd too) tries several StringToKey functions.
- klog -- authentication with KaServer by getting AFS service tickets and sending them to the (kernel) CacheManager. Can save the TGT in a file compatible with kinit (V4) as a non-default option.
- tokens -- displays AFS service tickets (tokens) held by the CacheManager.
- kpasswd -- change password in KaServer.
- kas -- administrative interface to KaServer
- inetd -- passes authentication information to network servers. See inetd. Avoid.
- r* commands -- passes authentication information between trusting hosts (over a secure network). See Remote Services. Avoid and thread. These are not built by default in OpenAFS unless --enable-insecure is specified.
KerberosIV -- MIT reference for V4
- kinit -- authenticates using standard UDP port 750. Also works with KaServer but doesn't get AFS service tickets (tokens).
- ktadd -- adds a new key/principal to KeyDistributionCenter (KDC) (or changes the key if it already exists?)
KerberosV -- MIT reference for V5
There are more types of StringToKey functions in V5.
Charles Clancy posted a Perl script that provides a kas interface to kadmin, so that existing scripts (and users) that use kas can easily work in a K5 environment.
Derek Atkins provides this handy mapping from KerberosVMIT to KaServer:

| KerberosVMIT | KaServer |
|---|---|
| kinit + aklog/afslog | klog |
| kadmin | kas |
| kpasswd | kpasswd |

- kinit -- authenticates using standard UDP port 88. Works with DCE, HeimdalKTH and ActiveDirectory (maybe?).
- kpasswd -- change KDC password.
- klist -- displays contents of ticket cache.
- ktadmin
- ktadd -- add a principal
ktadd -k /etc/krb5/keytab -e des-cbc-crc:v4 afs@CS.UMD.EDU
- ktremove -- removes a principal from the KDC
- kprop
KerberosDCE -- DCE version of V5
- kinit -- authenticates to DCE Security Server and also obtains authorization information (groups) from the DCE Privilege Server.
- chpass -- change password
- dcecp -- admin suite
HeimdalKTH -- International version of Kerberos V5
Here's some mail from Derrick Brashear for using HeimdalKTH for AFS authentication. An updated version of this document can be found here:
The kas wrapper mentioned above may be useful for Heimdal environments too.
- afslog
- ktutil -- for example, to create a KeyFile for AFS servers you can use this sequence:
ktutil -k keytab.afs get afs@MY.REALM
ktutil copy FILE:keytab.afs AFSKEYFILE:/usr/vice/etc/KeyFile
It can also convert from srvtab format.
- hprop -- initializes a database from KaServer
- ipropd -- propagates KDC databases between master and slave servers?
ActiveDirectory -- Microsoft version of Kerberos V5
Other commands
- aklog -- converts V5 TGT to AFS service tickets and gives them to the CacheManager. Is this part of the standard MIT K5 distribution?
- ka-forwarder -- allows klog to work in V5 environments, not needed if you are willing to use kinit/aklog. This is a HeimdalKTH tool?
- asetkey -- converts a V5 keytab file containing the AFS service ticket key and stores it into a KeyFile which AFS servers understand.
- fakeka
- r* commands -- where to get safe kerberized versions?
- pts -- suite of commands for accessing the PtServer to manage AFS groups in all authentication environments.
- uss -- user creation tool. It is documented in the admin guide. It has some support for alternate authentication systems, but probably works best in KaServer environments.
See SettingUpAuthentication
-- Ted Anderson - 23 Jan 2002 -- Ted Anderson - 06 Feb 2002 -- Ted Anderson - 07 Mar 2002