Authentication within AFS

How to get the proof of who you are.

Unix

In AFS you have a so-called “token” which proofs to the fileserver who you are which then grants access to restricted areas within AFS.

To obtain a token, you first need to get a kerberos ticket via “kinit” and then use “aklog” to get an AFS-token.

The kerberos ticket then may also be useful for other services (web, ssh) at RZG.

Useful commands for dealing Kerberos -tickets are:

  • kinit : get a kerberos ticket (man kinit)

  • klist : shows present tickets in the credential-cache (man klist)

  • kdestroy : destroys an existing credential-cache (and all tickets in there) (man kdestroy)

For converting a kerberos ticket into an AFS token use the command :

  • aklog : convert a Kerberos Ticket into an AFS-Token (man aklog)

The preferred way of doing things is :

kinit # to get a Kerberos5 ticket
aklog # to create an AFS token out of it

NOTE:

Both Kerberos and AFS have “Authentication Containers”, through which credentials are made available. This is necessary for multi-users machines, but also if you work alone on your machine it helps you to work with different identities at the same time. In Kerberos it is called “Credential Cache”, AFS it is a “PAG” (process authentication group).

For AFS, you might find following commands useful :

  • unlog : destroys AFS-Token (man unlog)

  • pagsh : open a shell in a new PAG. (man pagsh)

Windows

For Windows, you should click on the lock-symbol in your system-tray and then type your password there:

The lock shows a red x if you have no AFS-token (you are not authorised agains AFS at all) :

../../../../_images/schloss-ohne-token.png

clicking on the lock leads you to a dialog wher eyou should enter your password.

After a successful authentication, it should look like this :

../../../../_images/copy_of_Schlossmittoken.png