SCS Computing
 Services and Solutions
  links to the SCS and CMU home pages Carnegie Mellon School of Computer Science Carnegie Mellon University
 » How to… 
 » Accounts & passwords 
 » AFS 
 » AV help 
 » Backups & restores 
 » Calendaring 
 » E-mail 
 » Networking 
 » Printing 
 » Purchasing 
 » Resource management 
 » Security 
 » Software licensing 
 » Support charges 
 » Support lifecycle 
 » Web publishing 
 » Mac support 
 » Linux support 
 » Windows PC support 

AFS authentication


AFS does secure authentication through tokens that are usually obtained by interactively typing a password, either when logging in or by running a program such as kinit. The token you receive is used to verify your identity to the AFS servers when accessing files. Tokens have limited lifetimes (typically 25 hours) and need to be periodically renewed. Users and processes which are not authenticated to AFS typically only have the access rights system:anyuser. A user can only have one token per cell at any given time.

Managing AFS authentication

How to list your AFS tokens

The tokens command will list your AFS tokens and produce output like the following:
   Tokens held by the Cache Manager:
   User's (AFS ID 2102) tokens for [Expires Jun 13 22:04]
      --End of list--
To see the name of the user that corresponds to the given AFS id, use the command:
   pts examine <AFS ID>
For example:
   pts examine 2102

How to get AFS tokens on Unix hosts

You will automatically get AFS tokens for the AFS cell on a Facilitized Unix host when you login to the host by typing your password (as opposed to autologging in via telnet or SSH). You can use the command:
   kinit <username>
to get tokens or renew tokens. For example:
   kinit bovik
and then type your SCS Kerberos password at the prompt.

To get tokens for the AFS cell, use the aklog command, for Faciltized/Dragon Unix hosts:


If you have valid Kerberos credentials aklog will obtain AFS tokens for those credentials.

For Mac OS X hosts:

aklog -k CS.CMU.EDU

If you have valid Kerberos credentials aklog will obtain AFS tokens for those credentials.

How to change your AFS password

Your AFS password for the AFS cell is exactly the same as your SCS Kerberos password. You can use Instance Manager or the command passwd -k to change this password. If you want to change your AFS password in another AFS cell, use the command:

   vpasswd <username-in-other-cell> -c <cellname>

Related documentation

The AFS cache manager & authentication
Some details on how the AFS cache manager handles authentication.
Accounts & passwords
Information about accounts, passwords, and using Kerberos to authenticate in SCS.