
Tokens

To increase security and reduce risk, Stanford is sunsetting its WebAFS service that is used to upload and download files to AFS.

To optimize AFS and make sure it is serving its intended functions, UIT has also taken these actions:

  • UIT no longer automatically provisions new faculty and staff members with AFS user volumes. New faculty or staff who need a personal user volume must submit a Help request.
    • This change does not impact existing AFS directories or the process for adding permissions for new individuals to those existing directories. Your existing space and everything in it remains intact.
    • This change does not impact the auto-provisioning of new AFS user volumes for students and postdocs.

Class volumes do not expire and are kept indefinitely. This is an official academic policy, and any change to this policy must be considered by the Faculty Senate.

When you log in to a Unix computer, you establish your identity to that computer using your local username and local password for that particular computer (all of the FarmShare machines use your SUNet ID and its password for your local username and password). When you enter your username, you are claiming to the computer that you are the person entitled to use that computer identity; and when you enter your password correctly, you are validating your claim. The computer accepts that you are who you claim to be and it lets you login.

Now, when you log in, you think of your identity in words — your computer identity is your username. Although the computer always displays your identity information in words (your username), the computer really thinks about you in terms of the number it has associated with your username — this number is called your user id (uid).

Your user id is local to each individual computer and allows that particular computer to give you access to your files — as long as those files are within disk space that particular computer controls (e.g. files in /tmp). This local user id is not sufficient to identify you to a distributed network file system like AFS, so you also have an AFS user id. On FarmShare machines, your local user id is always the same as your AFS user id, but if you use a computer run by someone else, this may not be true, whether or not your usernames are identical.

The combination of your AFS user id and its associated password (which is your SUNet ID password) identify you to the AFS file system. Once you've authenticated, AFS creates a service ticket for you, which is cached on local disk on the machine you've logged into. This service ticket is called a token, and it confirms your identity to AFS, so it doesn't have to ask you to identify yourself each time you try to do anything on the file system. This token lasts for 25 hours, but will be destroyed when you log out, whether it has expired or not.

Staying logged in for a long time and resuming sessions

If you remain logged in to a computer for over 25 hours, you may find that the computer won't let you write to your own files, won't let you download email, etc. This is because your token has expired, or because you lost your network connection or were timed out. Run

  • kinit;aklog

and enter your password to re-authenticate yourself to AFS.

Alternatively, you can note what system you log in to and then use the following sequence of commands:

  • pagsh
  • kinit;aklog [put in your SUNetID password again when prompted]
  • screen
  • keeptoken
  • [paste the command that keeptoken suggests]

You can then "detach" from the screen session and "reattach" at any time.

To detach, press:

  • CTRL-a, d

Then you can just exit or reattach.

To reattach, make sure you login to the same system and then use this command:

  • screen -rdA

For more information on how to use screen, run:

  • man screen

Using this method, you can run a job that will have AFS access for up to a week. As the week comes to a close, you can just run kinit;aklog again in the screen session to extend AFS access for another seven days.
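As an added example that is not part of the original page, the POSIX shell helper below lets a long-running job check its own token before writing to AFS and re-run the kinit;aklog sequence described above only when the token is missing or has expired. It parses the usual OpenAFS `tokens` output; the sample outputs are constructed, and cell.example stands in for the site's AFS cell.

```shell
# afs_token_state: classify the output of `tokens` for one AFS cell.
# Reads `tokens` output on stdin, prints valid | expired | missing,
# and returns 0 only when a usable token is present.
afs_token_state() {
    cell="$1"
    # Both the older "tokens for afs@CELL" and the newer "rxkad tokens for CELL"
    # line shapes contain "tokens for" followed by the cell name.
    line=$(grep 'tokens for' | grep -F -- "$cell" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 1
    fi
    case "$line" in
        *'[>> Expired <<]'*) echo expired; return 1 ;;
        *'[Expires '*)       echo valid;   return 0 ;;
        *)                   echo missing; return 1 ;;
    esac
}

# ensure_afs_token: call from inside a long-running job; re-authenticates
# with kinit;aklog only when the token is gone or expired (the token itself
# lasts 25 hours). Left as a function because it needs a real AFS client.
ensure_afs_token() {
    cell="$1"
    state=$(tokens 2>/dev/null | afs_token_state "$cell") && return 0
    echo "AFS token for $cell is $state; running kinit;aklog" >&2
    kinit && aklog
}

# Constructed sample `tokens` output (not real captures); cell.example is a
# placeholder for the site's AFS cell.
SAMPLE_VALID="Tokens held by the Cache Manager:

User's (AFS ID 10001) tokens for afs@cell.example [Expires Jan  9 13:05]
   --End of list--"
SAMPLE_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 10001) tokens for afs@cell.example [>> Expired <<]
   --End of list--"
SAMPLE_NONE="Tokens held by the Cache Manager:
   --End of list--"

# Classify each constructed sample; prints valid, expired, missing.
for s in "$SAMPLE_VALID" "$SAMPLE_EXPIRED" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | afs_token_state cell.example || true
done
```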

Logging in via rlogin or rsh

The standard rlogin and rsh programs authenticate you to the local machine only, not to AFS. This means that you won't be able to access any restricted files in AFS. To remedy this, run

  • kinit;aklog

and enter your password to authenticate yourself to AFS.

The alternative is to use klogin ("kerberized rlogin"). If you are connecting to a FarmShare machine, this will work -- provided that you are logging in from a machine which provides kerberized outbound connections. You'll need to run "kinit;aklog" first on the machine you want to klogin from to establish your Kerberos identity.

Last modified January 8, 2016