mirror of
https://git.openafs.org/openafs.git
synced 2025-01-19 07:20:11 +00:00
6ef9f39335
The NAME heading for man pages can't contain a space in the program side or the man pages won't index with some man implementations.
141 lines
4.6 KiB
Plaintext
=head1 NAME

bos_addkey - Adds a new server encryption key to the KeyFile file

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<bos addkey> S<<< B<-server> <I<machine name>> >>> S<<< [B<-key> <I<key>>] >>>
S<<< B<-kvno> <I<key version number>> >>> S<<< [B<-cell> <I<cell name>>] >>>
[B<-noauth>] [B<-localauth>] [B<-help>]

B<bos addk> S<<< B<-s> <I<machine name>> >>> S<<< [B<-ke> <I<key>>] >>>
S<<< B<-kv> <I<key version number>> >>> S<<< [B<-ce> <I<cell name>>] >>> [B<-n>]
[B<-l>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<bos addkey> command constructs a server encryption key from the text
string provided, assigns it the key version number specified with the
B<-kvno> argument, and adds it to the F</usr/afs/etc/KeyFile> file on the
machine specified with the B<-server> argument. Be sure to use the B<kas
setpassword> or B<kas setkey> command to add the same key to the C<afs>
entry in the Authentication Database.

Do not use the B<-key> argument, which echoes the password string visibly
on the screen. If the argument is omitted, the BOS Server prompts for the
string and does not echo it visibly:

   Input key:
   Retype input key:

The BOS Server prohibits reuse of any key version number already listed in
the F</usr/afs/etc/KeyFile> file. This ensures that users who still have
tickets sealed with the current key are not prevented from communicating
with a server process because the current key is overwritten with a new
key. Use the B<bos listkeys> command to display the key version numbers in
the F</usr/afs/etc/KeyFile> file.

=head1 OPTIONS

=over 4

=item B<-server> <I<machine name>>

Indicates the server machine on which to change the
F</usr/afs/etc/KeyFile> file. Identify the machine by IP address or its
host name (either fully-qualified or abbreviated unambiguously). For
details, see L<bos(8)>.

In cells that use the Update Server to distribute the contents of the
F</usr/afs/etc> directory, it is conventional to specify only the system
control machine as a value for the B<-server> argument. Otherwise, repeat
the command for each file server machine. For further discussion, see
L<bos(8)>.

=item B<-key> <I<key>>

Specifies a character string just like a password; the BOS Server calls a
DES conversion function to encode it into a form appropriate for use as an
encryption key. Omit this argument to have the BOS Server prompt for the
string instead.

=item B<-kvno> <I<key version number>>

Defines the new key's key version number. It must be an integer in the
range from C<0> (zero) through C<255>. For the sake of simplicity, use
the number one higher than the current highest key version number; use the
B<bos listkeys> command to display key version numbers.

=item B<-cell> <I<cell name>>

Names the cell in which to run the command. Do not combine this argument
with the B<-localauth> flag. For more details, see L<bos(8)>.

=item B<-noauth>

Assigns the unprivileged identity C<anonymous> to the issuer. Do not combine
this flag with the B<-localauth> flag. For more details, see L<bos(8)>.

=item B<-localauth>

Constructs a server ticket using a key from the local
F</usr/afs/etc/KeyFile> file. The B<bos> command interpreter presents the
ticket to the BOS Server during mutual authentication. Do not combine this
flag with the B<-cell> or B<-noauth> options. For more details, see
L<bos(8)>.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 OUTPUT

If the strings typed at the C<Input key> and C<Retype input key> prompts
do not match, the following message appears, and the command exits without
adding a new key:

   Input key mismatch

=head1 EXAMPLES

The following command adds a new server encryption key with key version
number 14 to the B<KeyFile> file kept on the machine C<fs1.abc.com> (the
system control machine). The issuer omits the B<-key> argument, as
recommended, and provides the password at the prompts.

   % bos addkey -server fs1.abc.com -kvno 14
   Input key:
   Retype input key:

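The following shell helper is an added example, not part of the OpenAFS documentation or code. It applies the B<-kvno> rules above (integer from 0 through 255, no reuse, one higher than the current highest) before building a command line that omits B<-key>. It assumes that B<bos listkeys> prints lines of the form C<key E<lt>nE<gt> has cksum E<lt>sumE<gt>>; the function names and the sample output are constructed for illustration.

```shell
# Constructed sample of `bos listkeys` output (assumed format, not a real cell).
SAMPLE_LISTKEYS='key 12 has cksum 972037177
key 13 has cksum 2825175022
Keys last changed on Mon Apr 12 11:24:46 1999.
All done.'

# Print the key version numbers found in listkeys-style text on stdin.
used_kvnos() {
    awk '$1 == "key" && $2 ~ /^[0-9]+$/ && $3 == "has" { print $2 }'
}

# Print highest kvno + 1; fail when the 0-255 range is used up.
next_kvno() {
    highest=$(used_kvnos | sort -n | tail -n 1)
    # Empty KeyFile: start at 0, the lowest value the range permits.
    if [ -z "$highest" ]; then echo 0; return 0; fi
    next=$((highest + 1))
    [ "$next" -le 255 ] || { echo "no kvno left below 256" >&2; return 1; }
    echo "$next"
}

# Succeed only if $1 is a canonical integer in 0-255 that is not already
# listed in the listkeys-style text on stdin.
check_kvno() {
    case "$1" in
        ''|*[!0-9]*|0?*|????*) echo "kvno must be an integer 0-255" >&2; return 1 ;;
    esac
    [ "$1" -le 255 ] || { echo "kvno out of range 0-255" >&2; return 1; }
    if used_kvnos | grep -qx "$1"; then
        echo "kvno $1 is already in the KeyFile" >&2
        return 1
    fi
}

# Build the command line without -key, so the key is typed at the
# non-echoing prompt and never appears on screen or in shell history.
addkey_cmd() {  # $1 = server machine, $2 = kvno
    printf 'bos addkey -server %s -kvno %s\n' "$1" "$2"
}

# Dry run against the sample: prints the command an administrator would issue.
kvno=$(printf '%s\n' "$SAMPLE_LISTKEYS" | next_kvno) &&
    printf '%s\n' "$SAMPLE_LISTKEYS" | check_kvno "$kvno" &&
    addkey_cmd fs1.abc.com "$kvno"
```

In real use, replace the sample text with the output of B<bos listkeys> for the same server machine.
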
=head1 PRIVILEGE REQUIRED

The issuer must be listed in the F</usr/afs/etc/UserList> file on the
machine named by the B<-server> argument, or must be logged onto a server
machine as the local superuser C<root> if the B<-localauth> flag is
included.

=head1 SEE ALSO

L<KeyFile(5)>,
L<UserList(5)>,
L<bos(8)>,
L<bos_listkeys(8)>,
L<bos_removekey(8)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.