Skip to content Skip to site navigation

Tokens

To increase security and reduce risk, Stanford is sunsetting its WebAFS service that is used to upload and download files to AFS.

To optimize AFS and make sure it is serving its intended functions, UIT has also taken these actions:

  • UIT no longer automatically provisions new faculty and staff members with AFS user volumes. New faculty or staff who need a personal user volume must submit a Help request.
    • This change does not impact existing AFS directories or the process for adding permissions for new individuals to those existing directories. Your existing space and everything in it remains intact.
    • This change does not impact the auto-provisioning of new AFS user volumes for students and postdocs.

​Class volumes do not expire and are kept indefinitely. This is an official academic policy, and any change to this policy must be considered by the Faculty Senate.

The basics

When you login to your Stanford Unix account you obtain a "token" that tells the computer you are who you claim to be. This token has a lifetime of 25 hours. If your token expires you lose access to your private directories.

To check if you have a token, type:

  • tokens

To obtain a new token, type:

  • aklog

To create your Kerberos ticket, type:

  • kinit

You will be prompted for your password. Entering it correctly gets you a Kerberos ticket.

Advanced info about tokens

When you login to a Unix computer, you establish your identity to that computer using your local username and local password for that particular computer. (All Stanford Unix machines use your SUNet ID and password as your local username and password.) When you enter your username, you are claiming to the computer that you are the person entitled to use that computer identity. When you enter your password correctly, you validate your claim. The computer accepts that you are who you claim to be and it lets you login.

Now, when you login, you think of your identity in words — your computer identity is your username. Although the computer always displays your identity information in words (your username), the computer really thinks about you in terms of the number it has associated with your username — this number is called your user id (uid).

Your user id is local to each individual computer and allows that particular computer to give you access to your files — as long as those files are within disk space that particular computer controls (e.g. files in /tmp). This local user id is not sufficient to identify you to a distributed network file system like AFS, so you also have an AFS user id. On FarmShare machines, your local user id is always the same as your AFS user id, but if you use a computer run by someone else, this may not be true, whether or not your usernames are identical.

The combination of your AFS user id and its associated password (which is your SUNet ID password) identify you to the AFS file system. Once you've authenticated, AFS creates a service ticket for you, which is cached on local disk on the machine you've logged into. This service ticket is called a token, and it confirms your identity to AFS, so it doesn't have to ask you to identify yourself each time you try to do anything on the file system. This token lasts for 25 hours, but will be destroyed when you log out, whether it has expired or not.

Long-running jobs

If you need to run a compute job that will take longer than 25 hours, you'll need to keep your token longer than normal. If your token expires, your job may not be able to read its input data set or write its output file, or it may look like a runaway job and be killed by the anti-runaway script we run on all the FarmShare cluster machines. To keep your job running, you'll need to use a program called keeptoken, which has the following syntax:

  • keeptoken
  • [paste the command that keeptoken suggests]

You'll only need to specify the username if your local and AFS usernames are not the same (this will not be the case for FarmShare machines). See man keeptoken for more information.

Staying logged-In for a long time and resuming sessions

If you remain logged-in to a computer for over 25 hours you may find that the computer won't let you write to your own files, won't let you download email, etc. This is because your token has expired, or you may have lost network connection or been timed out. Run

  • kinit;aklog

and enter your password to re-authenticate yourself to AFS.

Alternatively, you can note what system you login to and then use the following sequence of commands:

  • pagsh
  • kinit;aklog [put in your SUNetID password again when prompted]
  • screen
  • keeptoken
  • [paste the command that keeptoken suggests]
     

You can then "detach" from the screen session and "reattach" at any time.

To detach, press:

  • CTRL-a, d

Then you can just exit or reattach.

To reattach, make sure you login to the same system and then use this command:

  • screen -rdA
     

For more information on how to use screen, run:

  • man screen

Using this method, you can run a job that will have AFS access for up to a week. As the week comes to a close, you can just run kinit;aklog again in the screen session to extend AFS access for another seven days.

Logging in via klogin or rsh

The standard klogin and rsh programs authenticate you to the local machine only, not to AFS. This means that you won't be able to access any restricted files in AFS. To remedy this, run

  • kinit;aklog

and enter your password to authenticate yourself to AFS.

The alternative is to use klogin ("kerberized rlogin"). If you are connecting to a FarmShare  machine, this will work — provided that you are logging in from a machine that provides kerberized outbound connections. You'll need to run "kinit" first on the machine you want to klogin from to establish your Kerberos identity.

Last modified January 8, 2016