=head1 NAME

bos_util - Manipulate the AFS server Keyfile

=head1 SYNOPSIS

B add >

B adddes >

B delete >

B list

=head1 DESCRIPTION

The B command manipulates the AFS server B. It can take a password from
standard input, convert it to a key, and add it to the F; list the keys
in the F; or remove a key from the F. It is very similar in function to
B, but B works with keytab files whereas B works with passwords directly.

B expects one of the following subcommands:

=over 4

=item add >

Add a key with key version > to the F using a password from standard
input. This command uses the normal AFS password salt algorithm to
generate the key (equivalent to the des-cbc-crc:afs3 enctype in Kerberos
v5). This command is basically equivalent to B.

=item adddes >

Add a key with key version > to the B using a password from standard
input. This command does not salt the password when generating the key
(equivalent to the des-cbc-crc:v4 enctype in Kerberos v5).

Since this command applies no salt to the password, it can be used as a
last resort for generating a DES key with a salt algorithm that other
utilities don't know how to use by giving this command the pre-salted
password. This can be useful when, for example, using Microsoft Active
Directory as the Kerberos KDC, since Active Directory uses a different
salt algorithm for service principals than most Unix Kerberos
implementations. The best approach, however, is to find a way to
generate a keytab and then use B.

=item delete >

Delete the key with the specified key version from the F. This command
is equivalent to B or B.

=item list

List the keys in the F. This command is equivalent to B or B.

=back

The B command does not use the normal AFS option parsing library and its
subcommands cannot be abbreviated.

=head1 CAUTIONS

B is intended for use with a Kerberos v4 environment and therefore is
mostly obsolete. Normally, rather than using this command, you will want
to use B to create a keytab (perhaps with its B command) and then use B
as normal.

B supports only two modes: the AFS password salt algorithm and no
password salt at all. It therefore may not produce the same key from a
given password as Kerberos v5 utilities unless one is careful to use
that same salt algorithm when creating the key in the KDC.

Creating an AFS key with a known password and then using B or B to add
that key to the F is not recommended. Human-created passwords are
usually not as strong as a random key generated using a good entropy
source, such as with the B<-randkey> option to the MIT Kerberos v5 B
command or the equivalent in other Kerberos v5 implementations. The
security of AFS depends on the strength of the AFS service key; it
should therefore be as random as possible.

It is imperative that the key version number (kvno) given matches the
kvno on the Kerberos server. If it doesn't, users won't be able to
authenticate. The key generated by B must also match the internal
representation on the Kerberos server, including the salt.

=head1 OPTIONS

B takes no options.

=head1 PRIVILEGE REQUIRED

The issuer must be logged onto a file server machine as the local
superuser C.

=head1 SEE ALSO

L, L, L, L, kadmin(8), ktutil(8)

=head1 COPYRIGHT

Copyright 2007 Jason Edgecombe

This documentation is covered by the IBM Public License Version 1.0.
This man page was written by Jason Edgecombe for OpenAFS.