openafs/doc/man-pages/pod8/bos_addkey.pod

=head1 NAME

bos_addkey - Adds a new server encryption key to the KeyFile file

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<bos addkey> S<<< B<-server> <I<machine name>> >>> S<<< [B<-key> <I<key>>] >>>
    S<<< B<-kvno> <I<key version number>> >>> S<<< [B<-cell> <I<cell name>>] >>>
    [B<-noauth>] [B<-localauth>] [B<-help>]

B<bos addk> S<<< B<-s> <I<machine name>> >>> S<<< [B<-ke> <I<key>>] >>>
    S<<< B<-kv> <I<key version number>> >>> S<<< [B<-ce> <I<cell name>>] >>> [B<-n>]
    [B<-l>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<bos addkey> command constructs a server encryption key from the text
string provided, assigns it the key version number specified with the
B<-kvno> argument, and adds it to the F</usr/afs/etc/KeyFile> file on the
machine specified with the B<-server> argument.

Normally, B<asetkey add> should be used instead of this command; see
L<asetkey(8)> for more details. The primary use of B<bos addkey> is for
cells that are still using the Authentication Server instead of a Kerberos
v5 KDC. It may, however, also be useful in unusual circumstances where a
key needs to be added based on a known password rather than via a Kerberos
v5 keytab.

When using B<bos addkey> with an AFS cell that uses the Authentication
Server, be sure to use the B<kas setpassword> or B<kas setkey> command to
add the same key to the C<afs> entry in the Authentication Database.

Do not use the B<-key> argument, which echoes the password string visibly
on the screen. If the argument is omitted, the BOS Server prompts for the
string and does not echo it visibly:

   Input key:
   Retype input key:

The BOS Server prohibits reuse of any key version number already listed in
the F</usr/afs/etc/KeyFile> file. This ensures that users who still have
tickets sealed with the current key are not prevented from communicating
with a server process because the current key is overwritten with a new
key. Use the B<bos listkeys> command to display the key version numbers in
the F</usr/afs/etc/KeyFile> file.

=head1 CAUTIONS

In the unusual case of using B<bos addkey> to add a key with a known
password matching a password used to generate Kerberos v5 keys, the key in
the Kerberos v5 KDC database must have only the DES encryption type and
must use C<afs3> salt, not the default Kerberos v5 salt. Otherwise, the
key generated by B<bos addkey> will not match the key generated by the
Kerberos v5 KDC.

This command can only add keys to the F<KeyFile>; these keys must
be DES keys.  The stronger keys used by the rxkad-k5 extension are
stored in the F<KeyFileExt>, which is not supported by this command.

As such, the use of this command is disrecommended; use
L<asetkey(8)> instead to benefit from the increased security
of the rxkad-k5 extension.

=head1 OPTIONS

=over 4

=item B<-server> <I<machine name>>

Indicates the server machine on which to change the
F</usr/afs/etc/KeyFile> file. Identify the machine by IP address or its
host name (either fully-qualified or abbreviated unambiguously). For
details, see L<bos(8)>.

In cells that use the Update Server to distribute the contents of the
F</usr/afs/etc> directory, it is conventional to specify only the system
control machine as a value for the B<-server> argument. Otherwise, repeat
the command for each file server machine. For further discussion, see
L<bos(8)>.

=item B<-key> <I<key>>

Specifies a character string just like a password; the BOS Server calls a
DES conversion function to encode it into a form appropriate for use as an
encryption key. Omit this argument to have the BOS Server prompt for the
string instead.

=item B<-kvno> <I<key version number>>

Defines the new key's key version number. It must be an integer in the
range from C<0> (zero) through C<255>.  For the sake of simplicity, use
the number one higher than the current highest key version number; use the
B<bos listkeys> command to display key version numbers.

=item B<-cell> <I<cell name>>

Names the cell in which to run the command. Do not combine this argument
with the B<-localauth> flag. For more details, see L<bos(8)>.

=item B<-noauth>

Assigns the unprivileged identity C<anonymous> to the issuer. Do not combine
this flag with the B<-localauth> flag. For more details, see L<bos(8)>.

=item B<-localauth>

Constructs a server ticket using a key from the local
F</usr/afs/etc/KeyFile> or F</usr/afs/etc/KeyFileExt> file.
The B<bos> command interpreter presents the
ticket to the BOS Server during mutual authentication. Do not combine this
flag with the B<-cell> or B<-noauth> options. For more details, see
L<bos(8)>.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 OUTPUT

If the strings typed at the C<Input key> and C<Retype input key> prompts
do not match, the following message appears, and the command exits without
adding a new key:

   Input key mismatch

=head1 EXAMPLES

The following command adds a new server encryption key with key version
number 14 to the B<KeyFile> file kept on the machine C<fs1.example.com> (the
system control machine). The issuer omits the B<-key> argument, as
recommended, and provides the password at the prompts.

   % bos addkey -server fs1.example.com -kvno 14
   Input key:
   Retype input key:

=head1 PRIVILEGE REQUIRED

The issuer must be listed in the F</usr/afs/etc/UserList> file on the
machine named by the B<-server> argument, or must be logged onto a server
machine as the local superuser C<root> if the B<-localauth> flag is
included.

=head1 SEE ALSO

L<KeyFile(5)>,
L<KeyFileExt(5)>,
L<UserList(5)>,
L<asetkey(8)>,
L<bos(8)>,
L<bos_listkeys(8)>,
L<bos_removekey(8)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0.  It
was converted from HTML to POD by software written by Chas Williams and
Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.