mirror of
https://git.openafs.org/openafs.git
synced 2025-01-19 15:30:14 +00:00
52557c982e
needs more massaging to make it fit the tree, but, get it here first
176 lines
8.9 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="bos_addkey8">
<refmeta>
<refentrytitle>bos addkey</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>bos addkey</refname>
<refpurpose>Adds a new server encryption key to the KeyFile file</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para><emphasis role="bold">bos addkey</emphasis> <emphasis role="bold">-server</emphasis> &lt;<emphasis>machine name</emphasis>&gt; [<emphasis role="bold">-key</emphasis> &lt;<emphasis>key</emphasis>&gt;]
<emphasis role="bold">-kvno</emphasis> &lt;<emphasis>key version number</emphasis>&gt; [<emphasis role="bold">-cell</emphasis> &lt;<emphasis>cell name</emphasis>&gt;]
[<emphasis role="bold">-noauth</emphasis>] [<emphasis role="bold">-localauth</emphasis>] [<emphasis role="bold">-help</emphasis>]</para>

<para><emphasis role="bold">bos addk</emphasis> <emphasis role="bold">-s</emphasis> &lt;<emphasis>machine name</emphasis>&gt; [<emphasis role="bold">-ke</emphasis> &lt;<emphasis>key</emphasis>&gt;]
<emphasis role="bold">-kv</emphasis> &lt;<emphasis>key version number</emphasis>&gt; [<emphasis role="bold">-ce</emphasis> &lt;<emphasis>cell name</emphasis>&gt;] [<emphasis role="bold">-n</emphasis>]
[<emphasis role="bold">-l</emphasis>] [<emphasis role="bold">-h</emphasis>]</para>

</refsect1>
<refsect1>
<title>Description</title>
<para>The <emphasis role="bold">bos addkey</emphasis> command constructs a server encryption key from the text
string provided, assigns it the key version number specified with the
<emphasis role="bold">-kvno</emphasis> argument, and adds it to the <replaceable>/usr/afs/etc/KeyFile</replaceable> file on the
machine specified with the <emphasis role="bold">-server</emphasis> argument. Be sure to use the <emphasis role="bold">kas
setpassword</emphasis> or <emphasis role="bold">kas setkey</emphasis> command to add the same key to the <computeroutput>afs</computeroutput>
entry in the Authentication Database.</para>

<para>Do not use the <emphasis role="bold">-key</emphasis> argument, which echoes the password string visibly
on the screen. If the argument is omitted, the BOS Server prompts for the
string and does not echo it visibly:</para>

<programlisting>
Input key:
Retype input key:

</programlisting>
<para>The BOS Server prohibits reuse of any key version number already listed in
the <replaceable>/usr/afs/etc/KeyFile</replaceable> file. This ensures that users who still have
tickets sealed with the current key are not prevented from communicating
with a server process because the current key is overwritten with a new
key. Use the <emphasis role="bold">bos listkeys</emphasis> command to display the key version numbers in
the <replaceable>/usr/afs/etc/KeyFile</replaceable> file.</para>

</refsect1>
<refsect1>
<title>Options</title>
<variablelist>
<varlistentry>
<term><emphasis role="bold">-server</emphasis> &lt;<emphasis>machine name</emphasis>&gt;</term>
<listitem>
<para>Indicates the server machine on which to change the
<replaceable>/usr/afs/etc/KeyFile</replaceable> file. Identify the machine by IP address or its
host name (either fully-qualified or abbreviated unambiguously). For
details, see <link linkend="bos8">bos(8)</link>.</para>

<para>In cells that use the Update Server to distribute the contents of the
<replaceable>/usr/afs/etc</replaceable> directory, it is conventional to specify only the system
control machine as a value for the <emphasis role="bold">-server</emphasis> argument. Otherwise, repeat
the command for each file server machine. For further discussion, see
<link linkend="bos8">bos(8)</link>.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-key</emphasis> &lt;<emphasis>key</emphasis>&gt;</term>
<listitem>
<para>Specifies a character string just like a password; the BOS Server calls a
DES conversion function to encode it into a form appropriate for use as an
encryption key. Omit this argument to have the BOS Server prompt for the
string instead.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-kvno</emphasis> &lt;<emphasis>key version number</emphasis>&gt;</term>
<listitem>
<para>Defines the new key's key version number. It must be an integer in the
range from <computeroutput>0</computeroutput> (zero) through <computeroutput>255</computeroutput>. For the sake of simplicity, use
the number one higher than the current highest key version number; use the
<emphasis role="bold">bos listkeys</emphasis> command to display key version numbers.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-cell</emphasis> &lt;<emphasis>cell name</emphasis>&gt;</term>
<listitem>
<para>Names the cell in which to run the command. Do not combine this argument
with the <emphasis role="bold">-localauth</emphasis> flag. For more details, see <link linkend="bos8">bos(8)</link>.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-noauth</emphasis></term>
<listitem>
<para>Assigns the unprivileged identity <computeroutput>anonymous</computeroutput> to the issuer. Do not combine
this flag with the <emphasis role="bold">-localauth</emphasis> flag. For more details, see <link linkend="bos8">bos(8)</link>.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-localauth</emphasis></term>
<listitem>
<para>Constructs a server ticket using a key from the local
<replaceable>/usr/afs/etc/KeyFile</replaceable> file. The <emphasis role="bold">bos</emphasis> command interpreter presents the
ticket to the BOS Server during mutual authentication. Do not combine this
flag with the <emphasis role="bold">-cell</emphasis> or <emphasis role="bold">-noauth</emphasis> options. For more details, see
<link linkend="bos8">bos(8)</link>.</para>

</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">-help</emphasis></term>
<listitem>
<para>Prints the online help for this command. All other valid options are
ignored.</para>

</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Output</title>
<para>If the strings typed at the <computeroutput>Input key</computeroutput> and <computeroutput>Retype input key</computeroutput> prompts
do not match, the following message appears, and the command exits without
adding a new key:</para>

<programlisting>
Input key mismatch

</programlisting>
</refsect1>
<refsect1>
<title>Examples</title>
<para>The following command adds a new server encryption key with key version
number 14 to the <emphasis role="bold">KeyFile</emphasis> file kept on the machine <computeroutput>fs1.abc.com</computeroutput> (the
system control machine). The issuer omits the <emphasis role="bold">-key</emphasis> argument, as
recommended, and provides the password at the prompts.</para>

<programlisting>
% bos addkey -server fs1.abc.com -kvno 14
Input key:
Retype input key:

</programlisting>
</refsect1>
<refsect1>
<title>Privilege Required</title>
<para>The issuer must be listed in the <replaceable>/usr/afs/etc/UserList</replaceable> file on the
machine named by the <emphasis role="bold">-server</emphasis> argument, or must be logged onto a server
machine as the local superuser <computeroutput>root</computeroutput> if the <emphasis role="bold">-localauth</emphasis> flag is
included.</para>

</refsect1>
<refsect1>
<title>See Also</title>
<para><link linkend="KeyFile5">KeyFile(5)</link>,
<link linkend="UserList5">UserList(5)</link>,
<link linkend="bos8">bos(8)</link>,
<link linkend="bos_listkeys8">bos_listkeys(8)</link>,
<link linkend="bos_removekey8">bos_removekey(8)</link></para>

</refsect1>
<refsect1>
<title>Copyright</title>
<para>IBM Corporation 2000. &lt;http://www.ibm.com/&gt; All Rights Reserved.</para>

<para>This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.</para>

</refsect1>
</refentry>
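
Added example, not part of the OpenAFS man page or source: a shell helper that applies the -kvno guidance in the Options section (one higher than the current highest, within 0 through 255, never a number already in the KeyFile) and then runs bos addkey without -key so the key string is typed at the non-echoing prompts. It assumes bos listkeys prints one "key <kvno> has cksum <n>" line per key; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenAFS code). Assumption: `bos listkeys` prints one
# "key <kvno> has cksum <n>" line per key, followed by trailer lines.

# used_kvnos: read a listkeys listing on stdin, print each kvno in use.
used_kvnos() {
    awk '$1 == "key" && $2 ~ /^[0-9]+$/ { print $2 }'
}

# next_kvno: print (highest kvno in use + 1); fail if that would exceed 255.
next_kvno() {
    used_kvnos | awk '
        BEGIN { max = -1 }
        { if ($1 + 0 > max) max = $1 + 0 }
        END {
            next_kv = max + 1
            if (next_kv > 255) { print "no kvno left in 0..255" > "/dev/stderr"; exit 1 }
            print next_kv
        }'
}

# kvno_ok KVNO LISTING: succeed only for a plain integer 0..255 not yet listed.
kvno_ok() {
    case "$1" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$1" -le 255 ] || return 1
    ! printf '%s\n' "$2" | used_kvnos | grep -qx "$1"
}

# add_next_key SERVER: choose the next kvno and add the key. -key is omitted
# on purpose, so the BOS Server prompts for the string without echoing it.
add_next_key() {
    listing=$(bos listkeys -server "$1") || return 1
    kvno=$(printf '%s\n' "$listing" | next_kvno) || return 1
    kvno_ok "$kvno" "$listing" || return 1
    bos addkey -server "$1" -kvno "$kvno"
}

# Constructed sample listing (checksums and date are made up).
SAMPLE_LISTING='key 11 has cksum 1111111111
key 12 has cksum 2222222222
key 13 has cksum 3333333333
Keys last changed on Mon Jan  1 00:00:00 2024.
All done.'
```

Nothing runs against a cell until add_next_key is called with a server name; the other functions only parse text.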