This website is no longer maintained. Its content may be obsolete. Please visit http://home.cern/ for current CERN information.




Solution to AFS Token Expiration

Francisco Lozano CN/DCI

AFS users are faced with the problem of expiring tokens when they leave jobs running for longer than one day. To solve this, two new tools are now available for all supported UNIX platforms.

reauth is a utility that renews AFS tokens at fixed time intervals, so that long-running programs can renew their AFS authentication without direct user intervention. The reauth program never terminates and can only be killed manually or by rebooting the workstation; exiting the session is not enough to kill reauth. For this reason, the recommended command is aexec (see below). The reauth command has the following syntax:

reauth <time> <principal> [<password>]

where:

<time>      is the time in seconds between 
            reauthentications
<principal> is the name of the user
<password>  is the user's password. If a password 
            is not specified on the command line, 
            it is read from the terminal

aexec is a utility that uses reauth to keep refreshing the AFS token of a job, and thus allows the job to run for longer than the AFS token lifetime (normally 25 hours). It has the syntax:

aexec <time> [-p <file>] [-bg] <command> [[params]...]

where:

<time>        is the time in seconds between 
              reauthentications
-p <file>     allows the user to specify the 
              password in a local file
              (applicable only in special cases)
-bg           execute the target <command> in the 
              background
<command> [[params]...]    program to be run with 
                           never-ending AFS token

Warning: Running reauth can entail security problems. If reauth is run with the password on the command line, a simple ps command could expose the password to another user. Passwords should therefore only be entered when prompted.
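The check below is an added example, not part of the original article or of the reauth distribution: it lists the processes whose reauth command line carries the optional third argument, so an administrator can find users whose password is visible in ps output. It assumes process listings in the format printed by `ps -eo pid,user,args`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Flag reauth processes started with a password on the command line.
# Syntax from the article: reauth <time> <principal> [<password>]

# Reads lines of "PID USER COMMAND ARGS..." on stdin and prints
# "PID USER" for each reauth process that has a third argument.
find_exposed_reauth() {
    awk '{
        # Field 3 is the command; accept a bare name or a full path.
        n = split($3, path, "/")
        # pid + user + reauth + <time> + <principal> + <password> = 6 fields
        if (path[n] == "reauth" && NF >= 6) print $1, $2
    }'
}

# Constructed sample listing (not real output). The password value is a
# placeholder; the check only counts arguments and never prints them.
sample_ps() {
    cat <<'EOF'
  PID USER     COMMAND
 4101 alice    reauth 43200 alice
 4177 bob      /usr/local/bin/reauth 43200 bob CONSTRUCTED-PASSWORD
 4210 carol    vi reauth.notes
EOF
}

# Run the check on the sample. On a live system use instead:
#   ps -eo pid,user,args | find_exposed_reauth
sample_ps | find_exposed_reauth
```

A process reported here should be stopped and restarted so that reauth prompts for the password, and the exposed password should be changed.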

These tools should not be used solely to avoid typing the commands needed to get an AFS token. Users are encouraged to use klog whenever possible.

Both utilities reside in /usr/local/bin.

For more details see the man pages for these commands.



Michel Goossens
CN Division
Tel. 3363
Tue Nov 28 18:14:41 MET 1995