
Chapter 7: The AFS File System

7.3

7.3.1 Authentication in AFS

On machines running AFS, as on most systems, providing a username and password is sufficient to identify a user as legitimate and allow the login to succeed. However, to access AFS files you must provide a password recognized by AFS, called a Kerberos password. This authenticates you to AFS. Once you are authenticated, AFS issues what is known as a Kerberos token to your login process. It is having the token that allows you access to the AFS file system. As long as you remain logged on, the Kerberos token "lives" for a period of time set by the AFS administrator of the system; for example, in the Fermilab cell it is set to six days.

The token is passed to all subprocesses of the login process (see section 5.1 for an explanation of subprocesses). All normal UNIX interactive operations are therefore automatically authenticated, and access is granted to files in the AFS tree, provided you have the appropriate permissions (AFS permissions are covered in section 6.6.2). The Fermilab standard batch interface fbatch provides for token renewal at job execution time, since you can't control when your batch jobs actually run.

Situations occasionally arise in which you are not automatically authenticated (e.g., some remote login methods) or you lose your token (e.g., you remain logged in for more than six days). When this happens and you need to obtain a new token, issue the command string:

% pagsh 
% klog

pagsh starts a special AFS shell under your login process. klog prompts you for your AFS password and obtains a Kerberos token associated with this shell, thus granting authentication and access to files.

A few notes:

  1. Running pagsh first is much more secure than just running klog. It ensures that the token is associated with your pagsh process, and thus with all processes you spawn. klog by itself gets a token associated with your UID, which is not always unique. This could potentially allow another user to share the token, which is undesirable.
  2. You cannot enter the commands on one line in the format pagsh;klog. pagsh starts a new sh shell, and klog needs to be run at the new shell prompt on the next line.
  3. pagsh changes your shell to sh, so you will need to run your preferred shell afterwards (e.g., enter tcsh, bash, or ksh on the command line). You may also then want to source your .login and .cshrc or your .profile and .shrc scripts to ensure that your FUE environment is back to normal (see section 4.4 regarding sourcing a script, and section 9.4 for information on the login files).

There are Kerberos authentication problems with running programs that spawn jobs external to your login process group. at and cron fall into this category (they are described in section 5.5.3). You can run the job, but it will not run with authentication, and most likely will not be able to write into /afs space. A work-around is available for executing an authenticated cron job (send mail to helpdesk@fnal requesting the full details of this procedure).

Be aware that being logged on as root grants you no special permissions in /afs file space; there is no such thing as being "authenticated as root".

7.3.2 Kerberos (AFS) Password

You will have a Kerberos password (sometimes called an AFS password), for any account on a system that uses the AFS file system, for example FNALU. The Kerberos password, which you enter at login time, allows two operations to proceed:

You can change your Kerberos password using the command:

% kpasswd 

The system will prompt you for the necessary information.

We recommend that you limit your password to eight characters. This enforces consistent behavior in a multi-vendor AFS environment. On some platforms the login program may truncate a long password after eight characters, allowing login to proceed but denying access to the file system.

This command changes your Kerberos password for all systems that run AFS on-site.

7.3.3 Standard UNIX Password on an AFS System

Depending on how the AFS file system was installed, you may or may not have a standard UNIX password in addition to your Kerberos password. In other words, you may have a standard UNIX password even if you never need to use it! On FNALU, AFS was installed so that you have only a Kerberos password; no standard UNIX password is defined.

You can find out if you have a standard UNIX password (or an NIS password, see section 2.7) by attempting to change it via the standard UNIX command passwd. If the command does not succeed (assuming you provide the correct old password if requested), then you do not have a standard UNIX password. Note that the passwd command returns a different error message on each different UNIX flavor.

If you have both, at login you should provide the Kerberos password so that you obtain your Kerberos token. If instead you provide your standard UNIX password, the system will log you in, but you will not obtain a token and thus will not be able to access AFS files. If the passwords are the same, the Kerberos password automatically takes precedence.

Generally, the Kerberos password is the only password you need. There are exceptions; for example, remote login via a method that doesn't understand Kerberos passwords (e.g., MAC-X to some UNIX platforms). In this case, after logging in using a standard UNIX password, you would need to run the commands pagsh and klog as described in section 7.3.1.

7.3.4 Managing your Token

View Active Tokens

To see what tokens you currently hold, you can issue the command:

% tokens

The output should look similar to this:

Tokens held by the Cache Manager:

User's (AFS ID 6302) tokens for afs@fnal.gov [Expires Oct 21 10:22]
User aheavey's tokens for krbtgt.FNAL.GOV@fnal.gov [Expires Oct 21 10:22]
   --End of list--

If the output shows no tokens (or only the krbtgt token, the second one shown above[30]), then you only have access to (usually a very limited number of) files designated as accessible to the special user system:anyuser (a pre-defined AFS protection group; see section 7.7). As its name implies, this designation includes anyone who can access the system (e.g., a user with a standard UNIX password but no Kerberos password).
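The following shell script is an added example, not part of the original guide: it parses the tokens output shown above and tells you whether you hold an AFS token for a cell, ignoring the krbtgt entry that footnote 30 says does not affect AFS access. The sample output embedded in it is constructed to match the guide's format; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: decide from `tokens` output whether an AFS token is held.
# Constructed sample output mirroring section 7.3.4 (not a real token listing).
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 6302) tokens for afs@fnal.gov [Expires Oct 21 10:22]
User aheavey's tokens for krbtgt.FNAL.GOV@fnal.gov [Expires Oct 21 10:22]
   --End of list--"

# afs_token_expiry CELL: reads `tokens` output on stdin. Prints the expiry
# of the afs@CELL token and returns 0, or returns 1 when no such token is
# listed. Only "afs@CELL" lines count; a krbtgt line does not grant access.
afs_token_expiry() {
    cell=$1
    expiry=$(sed -n "s/.*tokens for afs@${cell} \[Expires \(.*\)\].*/\1/p")
    [ -n "$expiry" ] || return 1
    printf '%s\n' "$expiry"
}

# afs_check [CELL]: uses the real `tokens` command when it exists (an AFS
# client), otherwise the constructed sample, and reports the result. Returns 1
# when only system:anyuser access is available, so it can be used in .login.
afs_check() {
    cell=${1:-fnal.gov}
    if command -v tokens >/dev/null 2>&1; then
        out=$(tokens)
    else
        out=$SAMPLE_TOKENS
    fi
    if exp=$(printf '%s\n' "$out" | afs_token_expiry "$cell"); then
        echo "AFS token for $cell held, expires $exp"
        return 0
    fi
    echo "No AFS token for $cell: only system:anyuser access. Run pagsh, then klog." >&2
    return 1
}
```

With a real AFS client installed, afs_check reports on the tokens the Cache Manager actually holds; without one it runs against the constructed sample.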

Get Back an Expired Token

If you remain logged on beyond the set token expiration period, you will find that you no longer have access to AFS files. The system will likely return the message Permission denied when you attempt a file operation. To get back the token associated with your login process, issue the commands[31]:

% pagsh
% klog

If you are unexpectedly unable to edit your files, try this first! Expired tokens are often the reason for this problem. See the notes in section 7.3.1 regarding these commands.

Destroy a Token

Logging out does not destroy your token; it remains "live" for up to 26 hours afterwards. This is a security risk. Prior to logging out, we advise that you issue the command:

% unlog

to destroy the token. If you create a .logout file (see section 9.4), you should include this command in it.

Token Issues for Remote Login

One practical issue raised by the Kerberos environment involves the use of the Berkeley networking programs such as rlogin, rsh, and rcp. telnet automatically authenticates the user and avoids the issues discussed here. All these utilities are described in Chapter 13.

Normally systems are equivalenced to enable the use of the rlogin, rsh, and rcp protocols. The equivalencing of the machines implies that once you are logged into one system, you may log into the equivalenced machines without providing further proof of identity, such as a password. This doesn't fit in with the Kerberos authentication system.

On FNALU, token-passing is available for rsh and rcp.[32] If you have authenticated into the /afs/fnal.gov cell, you can use rcp and rsh more or less normally between AFS machines; the token will be passed along with the request, and the network communications will be authenticated automatically.[33]

rlogin is more complicated. When equivalencing between two machines is enabled, the rlogin protocol does not ask for a password. rlogin works, but the remote user is not authenticated at login time, and cannot access most files.

We recommend that you use telnet rather than rlogin in order to avoid this problem.

If you need to use rlogin for some reason, immediately after login issue the commands:

% pagsh
% klog

as described in section 7.3.1, to obtain authentication.


[30] The krbtgt token was created on FNALU for an application that was never implemented, and it does not affect AFS access. It will probably be removed in the near future.
[31] If your token has expired within the previous two hours, you do not need to run pagsh before klog.
[32] If you are on a non-FNALU node, check with your system administrator before running these utilities.
[33] This is set up with the usual UNIX method of using /etc/hosts.equiv or .rhosts to equivalence systems.

UNIX at Fermilab - 10 Apr 1998
