jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-19 07:20:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
fb311d271d
openafs/doc/man-pages/pod8/bos_listkeys.pod
Ken Dreyer 1cc8feb6fc doc: replace hostnames with IETF example hostnames 
There were several different real and made-up hostnames and company names used
throughout our documentation examples.

The IETF has reserved "example.com" and other "example" TLDs for use in
examples (RFC 2606). Replace almost all references to ABC Corporation, DEF
Corporation, and State University, as well as "abc.com", "bigcell.com",
"def.com", "def.gov", "ghi.com", "ghi.gov", "jkl.com", "mit.edu",
"stanford.edu", "state.edu", "stateu.edu", "uncc.edu", and "xyz.com".
Standardize on "Example Corporation", "Example Network", "Example
Organization" (example.com, example.net, and example.org).

The Scout documentation in the Admin Guide contains PNG images that contain
the old cell names, so I left those references until the images can be
replaced.

Change-Id: I4e44815b2d2ffe204810b7fd850842248f67c367
Reviewed-on: http://gerrit.openafs.org/6697
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
2012-02-17 20:51:58 -08:00

153 lines
4.8 KiB
Plaintext
Raw Blame History

=head1 NAME
bos_listkeys - Displays the server encryption keys from the KeyFile file
=head1 SYNOPSIS
=for html
<div class="synopsis">
B<bos listkeys> S<<< B<-server> <I<machine name>> >>> [B<-showkey>]
S<<< [B<-cell> <I<cell name>>] >>> [B<-noauth>] [B<-localauth>] [B<-help>]
B<bos listk> S<<< B<-se> <I<machine name>> >>> [B<-sh>] S<<< [B<-c> <I<cell name>>] >>>
[B<-n>] [B<-l>] [B<-h>]
=for html
</div>
=head1 DESCRIPTION
The B<bos listkeys> command formats and displays the list of server
encryption keys from the F</usr/afs/etc/KeyFile> file on the server
machine named by the B<-server> argument. It is equivalent to B<asetkey
list>, but can be run remotely.
To edit the list of keys, use the B<asetkey> command; see L<asetkey(8)>
for more information. You can also remove keys remotely using the B<bos
removekey> command. If you are using the Authentication Server
(B<kaserver>) rather than a Kerberos v5 KDC, use the B<bos addkey> command
instead of B<asetkey> to add a new key.
=head1 CAUTIONS
Displaying actual keys on the standard output stream (by including the
B<-showkey> flag) is a security exposure. Displaying a checksum is
sufficient for most purposes.
=head1 OPTIONS
=over 4
=item B<-server> <I<machine name>>
Indicates the server machine from which to display the KeyFile
file. Identify the machine by IP address or its host name (either
fully-qualified or abbreviated unambiguously). For details, see L<bos(8)>.
For consistent performance in the cell, the output must be the same on
every server machine. L<asetkey(8)> explains how to keep the machines
synchronized.
=item B<-showkey>
Displays the octal digits that constitute each key. Anyone who has access
to the resulting output will have complete access to the AFS cell and will
be able to impersonate the AFS cell to any client, so be very careful when
using this option.
=item B<-cell> <I<cell name>>
Names the cell in which to run the command. Do not combine this argument
with the B<-localauth> flag. For more details, see L<bos(8)>.
=item B<-noauth>
Assigns the unprivileged identity C<anonymous> to the issuer. Do not
combine this flag with the B<-localauth> flag. For more details, see
L<bos(8)>.
=item B<-localauth>
Constructs a server ticket using a key from the local
F</usr/afs/etc/KeyFile> file. The B<bos> command interpreter presents the
ticket to the BOS Server during mutual authentication. Do not combine this
flag with the B<-cell> or B<-noauth> options. For more details, see
L<bos(8)>.
=item B<-help>
Prints the online help for this command. All other valid options are
ignored.
=back
=head1 OUTPUT
The output includes one line for each server encryption key listed in the
F<KeyFile> file, identified by its key version number.
If the B<-showkey> flag is included, the output displays the actual string
of eight octal numbers that constitute the key. Each octal number is a
backslash and three decimal digits.
If the B<-showkey> flag is not included, the output represents each key as
a checksum, which is a decimal number derived by encrypting a constant
with the key.
Following the list of keys or checksums, the string C<Keys last changed>
indicates when a key was last added to the F<KeyFile> file. The words
C<All done> indicate the end of the output.
For mutual authentication to work properly, the output from the command
C<kas examine afs> must match the key or checksum with the same key
version number in the output from this command.
=head1 EXAMPLES
The following example shows the checksums for the keys stored in the
F<KeyFile> file on the machine C<fs3.example.com>.
% bos listkeys fs3.example.com
key 1 has cksum 972037177
key 3 has cksum 2825175022
key 4 has cksum 260617746
key 6 has cksum 4178774593
Keys last changed on Mon Apr 12 11:24:46 1999.
All done.
The following example shows the actual keys from the F<KeyFile> file on
the machine C<fs6.example.com>.
% bos listkeys fs6.example.com -showkey
key 0 is '\040\205\211\241\345\002\023\211'
key 1 is '\343\315\307\227\255\320\135\244'
key 2 is '\310\310\255\253\326\236\261\211'
Keys last changed on Wed Mar 31 11:24:46 1999.
All done.
=head1 PRIVILEGE REQUIRED
The issuer must be listed in the F</usr/afs/etc/UserList> file on the
machine named by the B<-server> argument, or must be logged onto a server
machine as the local superuser C<root> if the B<-localauth> flag is
included.
=head1 SEE ALSO
L<KeyFile(5)>,
L<UserList(5)>,
L<asetkey(8)>,
L<bos_addkey(8)>,
L<bos_removekey(8)>,
L<bos_setauth(8)>,
L<kas_examine(8)>
=head1 COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It
was converted from HTML to POD by software written by Chas Williams and
Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
Reference in New Issue View Git Blame Copy Permalink