Improving Password and Authentication Security

AFS provides several optional features that can help to protect your cell's filespace against unauthorized access. The following list summarizes them, and instructions follow.

To limit the number of consecutive failed authentication attempts

  1. Issue the kas setfields command with the -attempts and -locktime arguments.

    The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.

       % kas setfields <name of user>  \
                       -admin <admin principal to use for authentication>  \
                       -attempts <maximum successive failed login tries ([0..254])>  \
                       -locktime <failure penalty [hh:mm or minutes]>
       Administrator's (admin_user) password: <admin_password>
    

    where

    name of user

    Names the Authentication Database entry to edit.

    -admin

    Names an administrative account that has the ADMIN flag on its Authentication Database entry, such as the admin account. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.

    -attempts

    Specifies the maximum consecutive number of times that a user can fail to provide the correct password during authentication (via the klog command or an AFS-modified login utility) before the Authentication Server refuses further attempts for the amount of time specified by the -locktime argument. The range of valid values is 0 (zero) through 254. If you omit this argument or specify 0, the Authentication Server allows an unlimited number of failures.

    -locktime

    Specifies how long the Authentication Server refuses authentication attempts after the user exceeds the failure limit specified by the -attempts argument.

    Specify a time in either hours and minutes (hh:mm) or minutes only (mm), from the range 01 (one minute) through 36:00 (36 hours). The kas command interpreter automatically reduces any larger value to 36:00 and also rounds up each nonzero value to the next-higher multiple of 8.5 minutes.

    It is best not to provide a value of 0 (zero), especially on administrative accounts, because it sets an infinite lockout time. An administrator must always issue the kas unlock command to unlock such an account.
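The following is an added example and is not part of the AFS documentation or the kas tool itself. It models the rules stated above so that an administrator can check a proposed -attempts/-locktime pair before issuing kas setfields: -attempts must be 0 through 254 (0 means unlimited failures), -locktime is given as hh:mm or mm, values above 36:00 are reduced to 36:00, nonzero values are rounded up to the next multiple of 8.5 minutes, and 0 means an infinite lockout that only kas unlock clears. How kas treats a value that crosses 36:00 only after rounding is not stated in the text, so this model also caps the rounded value at 36:00; that cap, the function names and the sample account names are assumptions of the example.

```python
"""Pre-flight check for a kas setfields -attempts/-locktime pair.

Added example; it is not the kas implementation. It applies the rules the
documentation states and flags settings an administrator may not want.
"""
import math
import re

LOCK_UNIT_MINUTES = 8.5        # kas rounds nonzero lock times up to a multiple of this
MAX_LOCK_MINUTES = 36 * 60     # 36:00 is the largest lock time kas accepts
MAX_ATTEMPTS = 254             # -attempts range is 0..254; 0 means unlimited


def parse_locktime(value: str) -> int:
    """Return the number of minutes expressed by an hh:mm or mm string."""
    m = re.fullmatch(r"(?:(\d+):)?(\d+)", value.strip())
    if not m:
        raise ValueError(f"locktime {value!r} is not in hh:mm or mm form")
    hours = int(m.group(1) or 0)
    minutes = int(m.group(2))
    if m.group(1) is not None and minutes > 59:
        raise ValueError(f"locktime {value!r}: minutes must be 00..59 in hh:mm form")
    return hours * 60 + minutes


def effective_locktime(value: str) -> float:
    """Lock time in minutes after the reduction and rounding kas applies.

    0 is returned unchanged: it means an infinite lockout, not 'no lockout'.
    """
    minutes = parse_locktime(value)
    if minutes == 0:
        return 0.0
    minutes = min(minutes, MAX_LOCK_MINUTES)                  # larger values become 36:00
    units = math.ceil(minutes / LOCK_UNIT_MINUTES)            # round up to 8.5-minute units
    rounded = units * LOCK_UNIT_MINUTES
    return min(rounded, MAX_LOCK_MINUTES)                     # assumption: rounding never exceeds 36:00


def format_minutes(minutes: float) -> str:
    """Render minutes as hh:mm (half minutes shown as hh:mm.5)."""
    hours, rest = divmod(minutes, 60)
    rest_str = f"{rest:04.1f}" if rest != int(rest) else f"{int(rest):02d}"
    return f"{int(hours):02d}:{rest_str}"


def check_lockout_policy(user: str, attempts: int, locktime: str,
                         admin: str = "admin", admin_account: bool = False) -> dict:
    """Validate the pair, compute its effect, and build the kas command line."""
    if not 0 <= attempts <= MAX_ATTEMPTS:
        raise ValueError(f"-attempts must be 0..{MAX_ATTEMPTS}, got {attempts}")
    effective = effective_locktime(locktime)
    warnings = []
    if attempts == 0:
        warnings.append("attempts=0: unlimited failed attempts, lockout never triggers")
    elif effective == 0.0:
        note = "locktime=0: infinite lockout; only 'kas unlock' clears it"
        if admin_account:
            note += " (not recommended on an administrative account)"
        warnings.append(note)
    command = (f"kas setfields {user} -admin {admin} "
               f"-attempts {attempts} -locktime {locktime}")
    return {
        "user": user,
        "attempts": attempts,
        "requested_locktime": locktime,
        "effective_minutes": effective,
        "effective_hhmm": format_minutes(effective),
        "warnings": warnings,
        "command": command,
    }


if __name__ == "__main__":
    # Constructed sample: five failures, 15-minute lock on a constructed user 'pat'.
    for key, val in check_lockout_policy("pat", 5, "15").items():
        print(f"{key}: {val}")
```

Run the check against the pair you intend to set; the effective_minutes value is what the user will actually experience (for example a requested 15 minutes becomes 17), and any warning lists a setting worth reconsidering before the command is issued.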

To unlock a locked user account

  1. Issue the kas command to enter interactive mode.

    The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.

       % kas -admin <admin principal to use for authentication>  
       Administrator's (admin_user) password: <admin_password>
       ka>
    

    where -admin names an administrative account that has the ADMIN flag on its Authentication Database entry, such as admin. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.

  2. Issue the (kas) examine command to verify that the user's account is in fact locked, as indicated by the message shown:

       ka> examine <name of user>
       User is locked until time
    

  3. Issue the (kas) unlock command to unlock the account.

       ka> unlock <authentication ID> 
    

    where

    u

    Is the shortest acceptable abbreviation of unlock.

    authentication ID

    Names the Authentication Database entry to unlock.

To set password lifetime

  1. Issue the kas setfields command with the -pwexpires argument.

    The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.

       % kas setfields <name of user>  \
                       -pwexpires <number of days password is valid [0..254]>  \
                       -admin <admin principal to use for authentication> 
       Administrator's (admin_user) password: <admin_password>
    

    where

    name of user

    Specifies the Authentication Database entry on which to impose a password expiration.

    -pwexpires

    Sets the number of days after the user's password was last changed that it remains valid. Provide an integer from the range 1 through 254 to specify the number of days until expiration.

    When the password becomes invalid (expires), the user is unable to authenticate, but has 30 more days in which to issue the kpasswd or kas setpassword command to change the password (after that, only an administrator can change it). Note that the clock starts at the time the password was last changed, not when the kas setfields command is issued. To avoid retroactive expiration, have the user change the password just before issuing the command.

    -admin

    Names an administrative account that has the ADMIN flag on its Authentication Database entry, such as admin. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.
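The following is an added example and is not part of the AFS documentation or the kas tool itself. It applies the expiration rules described above so that an administrator can see where a user's password stands, and in particular can detect the retroactive expiration the text warns about before issuing kas setfields -pwexpires: the password is valid for the given number of days counted from the last change (not from when the command is issued); once expired the user can no longer authenticate but has 30 more days to change it with kpasswd or kas setpassword; after that only an administrator can change it. The text gives the range 1 through 254; this model additionally treats 0 (the lower bound shown in the command syntax) as "never expires", which is an assumption of the example, as are the function names, the exact-day boundary handling and the constructed dates.

```python
"""Classify an AFS password's state under a -pwexpires setting.

Added example; it is not the kas implementation. Boundary handling (the password
is treated as valid strictly before the expiration day) is a modelling choice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_PWEXPIRES_DAYS = 254   # -pwexpires range shown in the command syntax
GRACE_DAYS = 30            # days after expiration in which the user may still change it

STATE_NEVER = "never_expires"             # pwexpires 0 (assumed meaning)
STATE_VALID = "valid"                     # user can authenticate normally
STATE_GRACE = "expired_user_changeable"   # cannot authenticate; kpasswd/kas setpassword still allowed
STATE_ADMIN = "expired_admin_only"        # grace period over; only an administrator can change it


@dataclass
class PasswordStatus:
    state: str
    expires_on: Optional[date]
    grace_ends_on: Optional[date]
    days_left: Optional[int]   # days until the next transition, 0 once admin-only


def password_status(last_changed: date, pwexpires: int, today: date) -> PasswordStatus:
    """Where the password stands on 'today', given when it was last changed."""
    if not 0 <= pwexpires <= MAX_PWEXPIRES_DAYS:
        raise ValueError(f"-pwexpires must be 0..{MAX_PWEXPIRES_DAYS}, got {pwexpires}")
    if pwexpires == 0:
        return PasswordStatus(STATE_NEVER, None, None, None)
    expires_on = last_changed + timedelta(days=pwexpires)     # clock starts at the last change
    grace_ends_on = expires_on + timedelta(days=GRACE_DAYS)
    if today < expires_on:
        return PasswordStatus(STATE_VALID, expires_on, grace_ends_on, (expires_on - today).days)
    if today < grace_ends_on:
        return PasswordStatus(STATE_GRACE, expires_on, grace_ends_on, (grace_ends_on - today).days)
    return PasswordStatus(STATE_ADMIN, expires_on, grace_ends_on, 0)


def retroactive_expiration(last_changed: date, pwexpires: int, today: date) -> bool:
    """True if issuing 'kas setfields -pwexpires' today would expire the password at once.

    This is the case the documentation warns about: have the user change the
    password first, then set the lifetime.
    """
    status = password_status(last_changed, pwexpires, today)
    return status.state in (STATE_GRACE, STATE_ADMIN)


if __name__ == "__main__":
    # Constructed sample: a password last changed 2023-06-01, a proposed 90-day lifetime,
    # checked on 2024-01-15. The lifetime would already be exhausted.
    last = date(2023, 6, 1)
    print(password_status(last, 90, date(2024, 1, 15)))
    print("retroactive:", retroactive_expiration(last, 90, date(2024, 1, 15)))
```

Use retroactive_expiration with the user's actual last-change date before setting -pwexpires; a True result means the user should change the password first, as the text recommends, or they will be unable to authenticate as soon as the command takes effect.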

To prohibit reuse of passwords

  1. Issue the kas setfields command with the -reuse argument.

    The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.

       % kas setfields <name of user> -reuse <permit password reuse (yes/no)>  \
                       -admin <admin principal to use for authentication> 
       Administrator's (admin_user) password: <admin_password>
    

    where

    name of user

    Names the Authentication Database entry for which to set the password reuse policy.

    -reuse

    Specifies whether the Authentication Server allows reuse of passwords similar to any of the user's last 20 passwords. Specify the value no to prohibit reuse, or the value yes to reinstate the default of allowing password reuse.

    -admin

    Names an administrative account that has the ADMIN flag on its Authentication Database entry, such as admin. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.