dfs_login(8dfs)

Authenticates a user to DCE for access to DFS via the DFS/NFS Secure Gateway

Synopsis

dfs_login [-h hostname] [-S sysname] [-l hh[:mm]] [dce_principal] [dce_password]

Options

-h hostname
Specifies the hostname of a Gateway Server machine (a machine that is running the dfsgwd process) on which the DCE credentials of the specified user are to be stored. By default, the command uses the hostname of the Gateway Server machine that exports the root of the DCE namespace, /..., to the NFS client. Use this option to name a different Gateway Server machine.

-S sysname
Specifies the system name of the NFS client for the principal performing the login. The default system name can be overridden through the use of the DFS_SYSNAME variable or the -S option. The -S option takes precedence. The sysname argument is a unique name derived from uname() that describes the machine architecture and OS type, such as hp700_ux905 or hp800_ux90.

-l hh[:mm]
Specifies the lifetime to be assigned to the DCE ticket-granting ticket (TGT) obtained by the command. Enter the lifetime as a number of hours and, optionally, minutes. For example, enter 4 for 4 hours, or enter 2:30 for 2 hours and 30 minutes. A value specified with this option is subject to the policies in effect in the registry database of the DCE cell. By default, the TGT is assigned the default lifetime assigned to tickets in the DCE cell.

Arguments

dce_principal
Provides the DCE principal name of the user who is to be authenticated to DCE. By default, the command uses the name of the user who issues the command.

dce_password
Provides the DCE password of the user indicated with the dce_principal argument. If you do not specify a password, the command prompts for a password if one of the following is true: you name a user other than yourself; you name yourself and you do not already have a valid TGT in the current login context; or you do not name a user and you do not already have a valid TGT in the current login context. The command does not prompt for a password if you do not name a different user and you already have a valid TGT. The command's interactive prompt provides for secure entry of the password.

Description
The dfs_login command authenticates a user to DCE from an NFS client. The command establishes DCE credentials for the user named with the dce_principal argument. If no user is specified, the command obtains credentials for the user who issues the command.

The command obtains a TGT for the user from the DCE Security Service. To obtain a TGT, a user must have a valid account in the registry database of the DCE cell. The TGT is used to create a valid login context for the user. The login context includes a Process Activation Group (PAG), which DFS stores in the kernel of the Gateway Server machine to identify the user's TGT. The TGT serves as the user's DCE credentials to provide authenticated access to files and directories in the DFS filespace from the NFS client on which the command is issued.

The dfs_login command also adds an entry for the user to the authentication table (AT) on the Gateway Server machine. The entry is a mapping that pairs the user's UID and the network address of the NFS client for which the user has DCE credentials with the user's PAG. Each Gateway Server machine maintains its own authentication table, so the DCE credentials are valid only for access via the Gateway Server machine on which they are stored. The credentials are also valid only for the NFS client from which the command is issued. To obtain authenticated access to DCE from a different NFS client, a user must issue the command from that client.

The command does not obtain a new TGT if you do not name a user other than yourself on the command line and you already have a valid TGT in the current login context. If you do not already have an entry in the authentication table for the NFS client from which you issue the command, the command uses your existing PAG to create a new entry for you. If you already have an entry in the authentication table for the NFS client, the command has no effect. In either case, the command does not affect existing entries in the authentication table, and it does not affect the remaining ticket lifetime of your existing TGT.

The dfs_login command provides essentially the same functionality as the dfsgw add command, with the exception that the dfs_login command lets you request a specific ticket lifetime. Use the dfs_logout command (or the dfsgw delete command) to end an authenticated session by removing an entry from the authentication table. Both the dfs_login and dfs_logout commands require a working Kerberos 5 environment on the NFS client from which they are issued. See Part 1 of the OSF DCE DFS Administration Guide and Reference for information about configuring an NFS client for use with the DFS/NFS Secure Gateway.

Privilege Required
No privileges are required.

Output
The dfs_login command displays the following prompt to request a DCE password:

Password for dce_principal: dce_password

where dce_principal is the name of the DCE principal for whom credentials are to be established, and dce_password is the DCE password that you supply for the named user. The command displays this prompt only if you do not specify a password on the command line and you either:

· Name a user other than yourself on the command line.

· Do not name a user other than yourself on the command line and do not already have a valid TGT.

If the login succeeds, the command returns no further messages.

Files

/krb5/krb.conf
A Kerberos configuration file. The dfs_login command reads this file to determine the name of a DCE Security Server to contact.

/krb5/krb.realms
A Kerberos configuration file. The Kerberos runtime uses the information in this file to translate Internet domains to the corresponding Kerberos realms.

Variables

DFSGWSERVICE
An environment variable that can be set to specify the name of the DFS/NFS Secure Gateway service if the name of the service is changed to something other than dfsgw. The named service provides the login facility for the DFS/NFS Secure Gateway. The dfs_login command uses the service to look up the port on the Gateway Server machine at which the dfsgwd process is listening.

Notes
The dfs_login command uses the syntax conventions of all DCE commands, but it does not provide the shortcuts and help available with other DFS commands. When specifying options, you must enter the name of each option in full (you cannot abbreviate the names of options), and each option must precede an argument specified for it (you cannot omit options). Also, the command does not include a -help option.

Examples
The following command, issued on a properly configured NFS client, establishes DCE credentials for the user named ludwig. In the example, the DCE password of the user ludwig is beethoven.

dfs_login ludwig
Password for ludwig@abc.com: beethoven
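
The following wrapper is an added example, not part of the original page or of the DCE distribution. It builds the dfs_login command line in the documented order, checks the -l value against the hh[:mm] shape, and refuses a password argument so that the password is entered only at the command's own prompt (arguments can be visible to other local users through process listings). The names gw_login and valid_lifetime are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the dfs_login distribution.
# gw_login and valid_lifetime are hypothetical helper names.

# Accept only the hh or hh:mm shape documented for -l (digits, one optional
# colon, at most two minute digits: this example's reading of "hh[:mm]").
valid_lifetime() {
    case "$1" in
        ''|*[!0-9:]*|*:*:*|:*|*:) return 1 ;;
    esac
    case "$1" in
        *:*) mm=${1#*:}; [ "${#mm}" -le 2 ] ;;
    esac
}

# gw_login [-h hostname] [-S sysname] [-l hh[:mm]] [dce_principal]
# Passes full option names ahead of the principal and never a password,
# so dfs_login asks for it at its own prompt when one is needed.
gw_login() {
    host=''; sys=''; life=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -h|-S|-l)
                [ $# -ge 2 ] || { echo "gw_login: $1 needs a value" >&2; return 2; }
                case "$1" in -h) host=$2 ;; -S) sys=$2 ;; -l) life=$2 ;; esac
                shift 2 ;;
            -*) echo "gw_login: unknown option $1" >&2; return 2 ;;
            *)  break ;;
        esac
    done
    # A second positional argument would be dce_password: keep it out of argv.
    if [ $# -gt 1 ]; then
        echo "gw_login: give the password at the prompt, not as an argument" >&2
        return 2
    fi
    if [ -n "$life" ] && ! valid_lifetime "$life"; then
        echo "gw_login: lifetime must be hh or hh:mm" >&2
        return 2
    fi
    if [ -n "$life" ]; then set -- -l "$life" "$@"; fi
    if [ -n "$sys" ];  then set -- -S "$sys" "$@"; fi
    if [ -n "$host" ]; then set -- -h "$host" "$@"; fi
    # Exit value 0 means an authentication-table entry was added.
    if dfs_login "$@"; then return 0; fi
    echo "gw_login: dfs_login failed, no authentication table entry added" >&2
    return 1
}
```

For example, gw_login -l 2:30 ludwig runs dfs_login -l 2:30 ludwig and leaves the password to the prompt.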

Exit Values
The dfs_login command returns an exit value of 0 (zero) if it adds an entry for the user to the authentication table. Otherwise, it returns a non-zero exit value.

Related Information
Commands: dfsgw add(8dfs), dfsgw delete(8dfs), dfs_logout(8dfs), dfsgwd(8dfs)