Carnegie Mellon University School of Computer Science

AFS Authentication

AFS authenticates users through tokens, which are usually obtained by interactively typing a password, either when logging in or by running a program such as kinit. The token you receive is used to verify your identity to the AFS servers when accessing files. Tokens have limited lifetimes (typically 25 hours) and need to be periodically renewed. Users and processes that are not authenticated to AFS typically have only the access rights granted to system:anyuser. A user can only have one token per cell at any given time.

Managing AFS Authentication 

How to list your AFS tokens

The tokens command will list your AFS tokens and produce output like the following:

Tokens held by the Cache Manager:

User's (AFS ID 2102) tokens for [Expires Jun 13 22:04]
      --End of list--

To see the name of the user that corresponds to the given AFS id, use the command:

pts examine <AFS ID>

For example:

pts examine 2102
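Because tokens expire and an unauthenticated process falls back to system:anyuser rights, a long-running job may want to check the tokens output before it touches AFS. The following Python sketch is an added example, not part of the original page or of AFS itself: it parses the token line format shown above and reports whether renewal is due. The function names, the one-hour margin, the placeholder cell afs@example.edu and the sample timestamps are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Token line as shown on this page. The cell name before "[" is optional
# because the page's sample output does not show one.
TOKEN_RE = re.compile(r"\(AFS ID (?P<afs_id>\d+)\) tokens for\s*(?P<cell>[^\[\s]*)\s*"
                      r"\[(?P<status>[^\]]*)\]")

def resolve_expiry(stamp, now):
    """`tokens` prints no year: pick the year that puts the expiry nearest to now."""
    candidates = []
    for year in (now.year - 1, now.year, now.year + 1):
        try:
            candidates.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M"))
        except ValueError:  # e.g. "Feb 29" in a non-leap year
            continue
    return min(candidates, key=lambda c: abs(c - now)) if candidates else None

def parse_tokens(output, now):
    """Return one dict per token line: afs_id, cell, expires (datetime or None)."""
    tokens = []
    for m in TOKEN_RE.finditer(output):
        status = m.group("status").strip()
        expires = None  # any status that is not "Expires <time>" counts as unusable
        if status.startswith("Expires "):
            expires = resolve_expiry(status[len("Expires "):], now)
        tokens.append({"afs_id": int(m.group("afs_id")),
                       "cell": m.group("cell") or None,
                       "expires": expires})
    return tokens

def needs_renewal(output, now, margin=timedelta(hours=1)):
    """True when no token is held or any token expires within `margin`."""
    tokens = parse_tokens(output, now)
    return not tokens or any(
        t["expires"] is None or t["expires"] - now <= margin for t in tokens)

# Constructed samples: the first is the page's own output; the second adds a
# placeholder cell name (example.edu) and an expiry just after New Year.
PAGE_SAMPLE = """Tokens held by the Cache Manager:

User's (AFS ID 2102) tokens for [Expires Jun 13 22:04]
      --End of list--
"""
NEW_YEAR_SAMPLE = "User's (AFS ID 2102) tokens for afs@example.edu [Expires Jan  1 22:04]\n"

if __name__ == "__main__":
    now = datetime(2024, 6, 12, 21, 30)  # constructed "current time"
    print(parse_tokens(PAGE_SAMPLE, now), needs_renewal(PAGE_SAMPLE, now))
```

In use, the text passed to needs_renewal would be the captured output of the tokens command and now would be datetime.now(); a True result means it is time to run kinit or aklog again.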

How to get AFS tokens on Unix hosts

You will automatically get AFS tokens for the AFS cell on a Facilitized Unix host when you log in to the host by typing your password (as opposed to autologging in via telnet or SSH). To get or renew tokens, you can use the command:

kinit <username>

Then type your SCS Kerberos password at the prompt.

To get tokens for the AFS cell, use the aklog command from Facilitized SCS Linux hosts:


If you have valid Kerberos credentials, aklog will obtain AFS tokens for those credentials.

For macOS hosts:

aklog -k CS.CMU.EDU

If you have valid Kerberos credentials, aklog will obtain AFS tokens for those credentials.

How to change your AFS password

Your AFS password for the AFS cell is exactly the same as your SCS Kerberos password. You can use the Kerberos Instance Manager or the command passwd -k to change this password. If you want to change your AFS password in another AFS cell, use the command:

kpasswd <username-in-other-cell> -c <cellname>