.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BOS_UTIL 8"
.TH BOS_UTIL 8 "2021-01-14" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
bos_util \- Manipulate the AFS server KeyFile
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBbos_util\fR add <\fIkvno\fR>
.PP
\&\fBbos_util\fR adddes <\fIkvno\fR>
.PP
\&\fBbos_util\fR delete <\fIkvno\fR>
.PP
\&\fBbos_util\fR list
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBbos_util\fR command manipulates the \s-1AFS\s0 server \fIKeyFile\fR. It can
take a password from standard input, convert it to a key, and add it to the
\&\fIKeyFile\fR; list the keys in the \fIKeyFile\fR; or remove a key from the
\&\fIKeyFile\fR. It is very similar in function to \fBasetkey\fR, but \fBasetkey\fR
works with keytab files whereas \fBbos_util\fR works with passwords directly.
.PP
\&\fBbos_util\fR expects one of the following subcommands:
.IP "add <\fIkvno\fR>" 4
.IX Item "add "
Add a key with key version <\fIkvno\fR> to the \fIKeyFile\fR using a password
from standard input. This command uses the normal \s-1AFS\s0 password salt
algorithm to generate the key (equivalent to the des\-cbc\-crc:afs3 enctype
in Kerberos v5). This command is basically equivalent to \fBbos addkey\fR.
.IP "adddes <\fIkvno\fR>" 4
.IX Item "adddes "
Add a key with key version <\fIkvno\fR> to the \fIKeyFile\fR using a password
from standard input. This command does not salt the password when
generating the key (equivalent to the des\-cbc\-crc:v4 enctype in Kerberos
v5).
.Sp
Since this command applies no salt to the password, it can be used as a
last resort for generating a \s-1DES\s0 key with a salt algorithm that other
utilities don't know how to use, by giving this command the pre-salted
password. This can be useful when, for example, using Microsoft Active
Directory as the Kerberos \s-1KDC,\s0 since Active Directory uses a different
salt algorithm for service principals than most Unix Kerberos
implementations. The best approach, however, is to find a way to generate
a keytab and then use \fBasetkey\fR.
.IP "delete <\fIkvno\fR>" 4
.IX Item "delete "
Delete the key with the specified key version from the \fIKeyFile\fR. This
command is equivalent to \fBasetkey delete\fR or \fBbos removekey\fR.
.IP "list" 4
.IX Item "list"
List the keys in the \fIKeyFile\fR. This command is equivalent to \fBasetkey
list\fR or \fBbos listkeys\fR.
.PP
The \fBbos_util\fR command does not use the normal \s-1AFS\s0 option parsing
library and its subcommands cannot be abbreviated.
.SH "CAUTIONS"
.IX Header "CAUTIONS"
\&\fBbos_util\fR is intended for use with a Kerberos v4 environment and
therefore is mostly obsolete. Normally, rather than using this command,
you will want to use \fBktutil\fR to create a keytab (perhaps with its
\&\fBadd_entry\fR command) and then use \fBasetkey\fR as normal. \fBbos_util\fR
supports only the \s-1AFS\s0 password salt algorithm or no salt at all, and
therefore may not produce the same key from a given password as Kerberos
v5 utilities unless one is careful to use that same salt algorithm when
creating the key in the \s-1KDC.\s0
.PP
Creating an \s-1AFS\s0 key with a known password and then using \fBbos_util\fR or
\&\fBbos addkey\fR to add that key to the \fIKeyFile\fR is not recommended.
Human-created passwords are usually not as strong as a random key
generated using a good entropy source, such as with the \fB\-randkey\fR option
to the \s-1MIT\s0 Kerberos v5 \fBkadmin ktadd\fR command or the equivalent in other
Kerberos v5 implementations. The security of \s-1AFS\s0 depends on the strength
of the \s-1AFS\s0 service key; it should therefore be as random as possible.
.PP
It is imperative that the key version number (kvno) given matches the kvno
on the Kerberos server. If it doesn't, users won't be able to
authenticate. The key generated by \fBbos_util\fR must also match the
internal representation on the Kerberos server, including the salt.
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBbos_util\fR takes no options.
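.SH "EXAMPLES"
.IX Header "EXAMPLES"
The kvno caution above can be checked before a key is installed by reading
the kvno and enctype out of the keytab created for the \s-1AFS\s0 service
principal. The following Python code is an added example, not part of
OpenAFS or of the original page; it parses the \s-1MIT\s0 keytab file format
(version 0x0502) and runs against a constructed sample keytab for the
hypothetical principal afs/example.org@EXAMPLE.ORG.

```python
import struct

def build_sample_keytab(kvno=3, enctype=1):
    """Constructed one-entry keytab for hypothetical afs/example.org@EXAMPLE.ORG."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    entry = struct.pack(">H", 2) + counted(b"EXAMPLE.ORG")
    entry += counted(b"afs") + counted(b"example.org")
    entry += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, time, 8-bit kvno
    entry += struct.pack(">H", enctype) + counted(bytes(8))  # all-zero dummy key
    entry += struct.pack(">I", kvno)                 # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

def keytab_entries(data):
    """Yield (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end, p = pos + size, pos

        def counted():
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]

        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        kvno = data[p + 8]         # skip name type and timestamp (4 bytes each)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        p += 11
        counted()                  # step over the key bytes without exposing them
        if end - p >= 4:           # a non-zero 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield f"{name}@{realm}", kvno, enctype
        pos = end

def kvno_for(data, principal):
    """Highest kvno stored for principal, or None if it has no entry."""
    found = [k for name, k, _ in keytab_entries(data) if name == principal]
    return max(found) if found else None
```

The value returned by kvno_for() is the kvno to pass to \fBasetkey\fR or
\&\fBbos_util\fR; enctype 1 in the output is des\-cbc\-crc.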
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
The issuer must be logged onto a file server machine as the local
superuser \f(CW\*(C`root\*(C'\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBasetkey\fR\|(8),
\&\fBbos_addkey\fR\|(8),
\&\fBbos_listkeys\fR\|(8),
\&\fBbos_removekey\fR\|(8),
\&\fBkadmin\fR\|(8),
\&\fBktutil\fR\|(8)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2007 Jason Edgecombe
.PP
This documentation is covered by the \s-1BSD\s0 License as written in the
doc/LICENSE file. This man page was written by Jason Edgecombe for
OpenAFS.