openafs/doc/man-pages/pod8/bos_addkey.pod

=head1 NAME

bos addkey - Adds a new server encryption key to the /usr/afs/etc/KeyFile
file

=head1 SYNOPSIS

B<bos addkey -server> <I<machine name>>  [-key <I<key>>]
B<-kvno> <I<key version number>>  [B<-cell> <I<cell name>>]
           [B<-noauth>]  [B<-localauth>]  [-help]

B<bos addk -s> <I<machine name>>  [B<-ke> <I<key>>]  -kv <I<key version number>>
[B<-ce> <I<cell name>>]  [B<-n>]  [B<-l>]  [B<-h>]

=head1 DESCRIPTION

The bos addkey command constructs a server encryption key from
the text string provided, assigns it the key version number specified with the
B<-kvno> argument, and adds it to the B</usr/afs/etc/KeyFile>
file on the machine specified with the B<-server> argument. Be
sure to use the B<kas setpassword> or B<kas setkey> command to
add the same key to the B<afs> entry in the Authentication
Database.

Do not use the -key argument, which echoes the password string
visibly on the screen. If the argument is omitted, the BOS Server
prompts for the string and does not echo it visibly:

   Input key:
   Retype input key:

The BOS Server prohibits reuse of any key version number already listed in
the B</usr/afs/etc/KeyFile> file. This ensures that users who
still have tickets sealed with the current key are not prevented from
communicating with a server process because the current key is overwritten
with a new key. Use the B<bos listkeys> command to display the
key version numbers in the B</usr/afs/etc/KeyFile> file.

=head1 OPTIONS

=over 4

=item -server
>

Indicates the server machine on which to change the
B</usr/afs/etc/KeyFile> file. Identify the machine by IP
address or its host name (either fully-qualified or abbreviated
unambiguously). For details, see the introductory reference page for
the B<bos> command suite. 

In cells that run the United States edition of AFS and use the Update
Server to distribute the contents of the B</usr/afs/etc> directory, it
is conventional to specify only the system control machine as a value for the
B<-server> argument. In cells that run the international
version of AFS, repeat the command for each file server machine. For
further discussion, see the introductory reference page for the B<bos>
command suite.

=item -key
>

Specifies a character string just like a password; the BOS Server
calls a DES conversion function to encode it into a form appropriate for use
as an encryption key. Omit this argument to have the BOS Server prompt
for the string instead.

=item -kvno
>

Defines the new key's key version number. It must be an
integer in the range from B<0> (zero) through B<255>.
For the sake of simplicity, use the number one higher than the current highest
key version number; use the B<bos listkeys> command to display
key version numbers.
L<(1)>

=item -cell
>

Names the cell in which to run the command. Do not combine this
argument with the B<-localauth> flag. For more details, see the
introductory B<bos> reference page.

=item -noauth
>

Assigns the unprivileged identity anonymous to the
issuer. Do not combine this flag with the B<-localauth>
flag. For more details, see the introductory B<bos> reference
page.

=item -localauth
>

Constructs a server ticket using a key from the local
B</usr/afs/etc/KeyFile> file. The B<bos> command
interpreter presents the ticket to the BOS Server during mutual
authentication. Do not combine this flag with the B<-cell> or
B<-noauth> options. For more details, see the introductory
B<bos> reference page.

=item -help

Prints the online help for this command. All other valid options
are ignored.

=back

=head1 OUTPUT

If the strings typed at the C<Input key> and C<Retype  input
key> prompts do not match, the following message appears, and the command
exits without adding a new key:

   Input key mismatch

=head1 EXAMPLES

The following command adds a new server encryption key with key version
number 14 to the B<KeyFile> file kept on the machine
B<fs1.abc.com> (the system control machine). The
issuer omits the B<-key> argument, as recommended, and provides the
password at the prompts.

   % bos addkey -server fs1.abc.com -kvno 14
   Input key:
   Retype input key:

=head1 PRIVILEGE REQUIRED

The issuer must be listed in the /usr/afs/etc/UserList file on
the machine named by the B<-server> argument, or must be logged onto a
server machine as the local superuser B<root> if the
B<-localauth> flag is included.

=head1 SEE ALSO

L<KeyFile(1)>,
L<UserList(1)>,
L<bos(1)>,
L<bos_listkeys(1)>,
L<bos_removekey(1)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0.  It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
man-page-conversion-20051208 This is the initial conversion of the AFS Adminstrators Reference into POD for use as man pages. The man pages are now generated via pod2man from regen.sh so that only those working from CVS have to have pod2man available. The Makefile only installs. The pages have also been sorted out into pod1, pod5, and pod8 directories, making conversion to the right section of man page easier without maintaining a separate list and allowing for names to be duplicated between pod5 and pod1 or pod8 (which will likely be needed in a few cases). This reconversion is done with a new script based on work by Chas Williams. In some cases, the output is worse than the previous POD pages, but this is a more comprehensive conversion. This is only the first step, and this initial conversion has various problems. In addition, the file man pages that didn't have simple names have not been converted in this pass and will be added later. Some of the man pages have syntax problems and all of them have formatting errors. The next editing pass, coming shortly, will clean up most of the remaining mess. 2005-12-08 12:14:33 +00:00			`=head1 NAME`

			`bos addkey - Adds a new server encryption key to the /usr/afs/etc/KeyFile`
			`file`

			`=head1 SYNOPSIS`

			`B<bos addkey -server> <I<machine name>> [-key <I<key>>]`
			`B<-kvno> <I<key version number>> [B<-cell> <I<cell name>>]`
			`[B<-noauth>] [B<-localauth>] [-help]`

			`B<bos addk -s> <I<machine name>> [B<-ke> <I<key>>] -kv <I<key version number>>`
			`[B<-ce> <I<cell name>>] [B<-n>] [B<-l>] [B<-h>]`

			`=head1 DESCRIPTION`

			`The bos addkey command constructs a server encryption key from`
			`the text string provided, assigns it the key version number specified with the`
			`B<-kvno> argument, and adds it to the B</usr/afs/etc/KeyFile>`
			`file on the machine specified with the B<-server> argument. Be`
			`sure to use the B<kas setpassword> or B<kas setkey> command to`
			`add the same key to the B<afs> entry in the Authentication`
			`Database.`

			`Do not use the -key argument, which echoes the password string`
			`visibly on the screen. If the argument is omitted, the BOS Server`
			`prompts for the string and does not echo it visibly:`

			`Input key:`
			`Retype input key:`

			`The BOS Server prohibits reuse of any key version number already listed in`
			`the B</usr/afs/etc/KeyFile> file. This ensures that users who`
			`still have tickets sealed with the current key are not prevented from`
			`communicating with a server process because the current key is overwritten`
			`with a new key. Use the B<bos listkeys> command to display the`
			`key version numbers in the B</usr/afs/etc/KeyFile> file.`

			`=head1 OPTIONS`

			`=over 4`

			`=item -server`
			`>`

			`Indicates the server machine on which to change the`
			`B</usr/afs/etc/KeyFile> file. Identify the machine by IP`
			`address or its host name (either fully-qualified or abbreviated`
			`unambiguously). For details, see the introductory reference page for`
			`the B<bos> command suite.`

			`In cells that run the United States edition of AFS and use the Update`
			`Server to distribute the contents of the B</usr/afs/etc> directory, it`
			`is conventional to specify only the system control machine as a value for the`
			`B<-server> argument. In cells that run the international`
			`version of AFS, repeat the command for each file server machine. For`
			`further discussion, see the introductory reference page for the B<bos>`
			`command suite.`

			`=item -key`
			`>`

			`Specifies a character string just like a password; the BOS Server`
			`calls a DES conversion function to encode it into a form appropriate for use`
			`as an encryption key. Omit this argument to have the BOS Server prompt`
			`for the string instead.`

			`=item -kvno`
			`>`

			`Defines the new key's key version number. It must be an`
			`integer in the range from B<0> (zero) through B<255>.`
			`For the sake of simplicity, use the number one higher than the current highest`
			`key version number; use the B<bos listkeys> command to display`
			`key version numbers.`
			`L<(1)>`

			`=item -cell`
			`>`

			`Names the cell in which to run the command. Do not combine this`
			`argument with the B<-localauth> flag. For more details, see the`
			`introductory B<bos> reference page.`

			`=item -noauth`
			`>`

			`Assigns the unprivileged identity anonymous to the`
			`issuer. Do not combine this flag with the B<-localauth>`
			`flag. For more details, see the introductory B<bos> reference`
			`page.`

			`=item -localauth`
			`>`

			`Constructs a server ticket using a key from the local`
			`B</usr/afs/etc/KeyFile> file. The B<bos> command`
			`interpreter presents the ticket to the BOS Server during mutual`
			`authentication. Do not combine this flag with the B<-cell> or`
			`B<-noauth> options. For more details, see the introductory`
			`B<bos> reference page.`

			`=item -help`

			`Prints the online help for this command. All other valid options`
			`are ignored.`

			`=back`

			`=head1 OUTPUT`

			`If the strings typed at the C<Input key> and C<Retype input`
			`key> prompts do not match, the following message appears, and the command`
			`exits without adding a new key:`

			`Input key mismatch`

			`=head1 EXAMPLES`

			`The following command adds a new server encryption key with key version`
			`number 14 to the B<KeyFile> file kept on the machine`
			`B<fs1.abc.com> (the system control machine). The`
			`issuer omits the B<-key> argument, as recommended, and provides the`
			`password at the prompts.`

			`% bos addkey -server fs1.abc.com -kvno 14`
			`Input key:`
			`Retype input key:`

			`=head1 PRIVILEGE REQUIRED`

			`The issuer must be listed in the /usr/afs/etc/UserList file on`
			`the machine named by the B<-server> argument, or must be logged onto a`
			`server machine as the local superuser B<root> if the`
			`B<-localauth> flag is included.`

			`=head1 SEE ALSO`

			`L<KeyFile(1)>,`
			`L<UserList(1)>,`
			`L<bos(1)>,`
			`L<bos_listkeys(1)>,`
			`L<bos_removekey(1)>`

			`=head1 COPYRIGHT`

			`IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.`

			`This documentation is covered by the IBM Public License Version 1.0. It was`
			`converted from HTML to POD by software written by Chas Williams and Russ`
			`Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.`