.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' expand to `' in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.de IX
..
.\" ========================================================================
.\"
.IX Title "BOS_LISTKEYS 8"
.TH BOS_LISTKEYS 8 "2023-12-24" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
bos_listkeys \- Displays the server encryption keys from the KeyFile file
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBbos listkeys\fR \fB\-server\fR\ <\fImachine\ name\fR> [\fB\-showkey\fR]
[\fB\-cell\fR\ <\fIcell\ name\fR>] [\fB\-noauth\fR] [\fB\-localauth\fR] [\fB\-help\fR]
.PP
\&\fBbos listk\fR \fB\-se\fR\ <\fImachine\ name\fR> [\fB\-sh\fR] [\fB\-c\fR\ <\fIcell\ name\fR>]
[\fB\-n\fR] [\fB\-l\fR] [\fB\-h\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBbos listkeys\fR command formats and displays the list of server
encryption keys from the \fI/etc/openafs/server/KeyFile\fR file on the server
machine named by the \fB\-server\fR argument. It is equivalent to \fBasetkey
list\fR, but can be run remotely.
.PP
To edit the list of keys, use the \fBasetkey\fR command; see \fBasetkey\fR\|(8) for
more information. You can also remove keys remotely using the \fBbos
removekey\fR command. If you are using the Authentication Server
(\fBkaserver\fR) rather than a Kerberos v5 \s-1KDC,\s0 use the \fBbos addkey\fR
command instead of \fBasetkey\fR to add a new key.
.SH "CAUTIONS"
.IX Header "CAUTIONS"
Displaying actual keys on the standard output stream (by including the
\&\fB\-showkey\fR flag) is a security exposure. Displaying a checksum is
sufficient for most purposes.
.PP
This command will only list keys in the \fIKeyFile\fR; it cannot display keys
from a \fIKeyFileExt\fR. A server running a modern, secure installation using
only keys for the rxkad\-k5 extension will yield no keys in the output of
this command.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-server\fR <\fImachine name\fR>" 4
.IX Item "-server "
Indicates the server machine from which to display the KeyFile file.
Identify the machine by \s-1IP\s0 address or its host name (either
fully-qualified or abbreviated unambiguously). For details, see \fBbos\fR\|(8).
.Sp
For consistent performance in the cell, the output must be the same on
every server machine.
\fBasetkey\fR\|(8) explains how to keep the machines synchronized.
.IP "\fB\-showkey\fR" 4
.IX Item "-showkey"
Displays the octal digits that constitute each key. Anyone who has access
to the resulting output will have complete access to the \s-1AFS\s0 cell and will
be able to impersonate the \s-1AFS\s0 cell to any client, so be very careful when
using this option.
.IP "\fB\-cell\fR <\fIcell name\fR>" 4
.IX Item "-cell "
Names the cell in which to run the command. Do not combine this argument
with the \fB\-localauth\fR flag. For more details, see \fBbos\fR\|(8).
.IP "\fB\-noauth\fR" 4
.IX Item "-noauth"
Assigns the unprivileged identity \f(CW\*(C`anonymous\*(C'\fR to the issuer. Do not
combine this flag with the \fB\-localauth\fR flag. For more details, see
\&\fBbos\fR\|(8).
.IP "\fB\-localauth\fR" 4
.IX Item "-localauth"
Constructs a server ticket using a key from the local
\&\fI/etc/openafs/server/KeyFile\fR or \fI/etc/openafs/server/KeyFileExt\fR file.
The \fBbos\fR command interpreter presents the ticket to the \s-1BOS\s0 Server during
mutual authentication. Do not combine this flag with the \fB\-cell\fR or
\fB\-noauth\fR options. For more details, see
\&\fBbos\fR\|(8).
.IP "\fB\-help\fR" 4
.IX Item "-help"
Prints the online help for this command. All other valid options are
ignored.
.SH "OUTPUT"
.IX Header "OUTPUT"
The output includes one line for each server encryption key listed in the
\&\fIKeyFile\fR file, identified by its key version number.
.PP
If the \fB\-showkey\fR flag is included, the output displays the actual string
of eight octal numbers that constitute the key. Each octal number is a
backslash and three decimal digits.
.PP
If the \fB\-showkey\fR flag is not included, the output represents each key as
a checksum, which is a decimal number derived by encrypting a constant with
the key.
.PP
Following the list of keys or checksums, the string \f(CW\*(C`Keys last changed\*(C'\fR
indicates when a key was last added to the \fIKeyFile\fR file.
The words
\&\f(CW\*(C`All done\*(C'\fR indicate the end of the output.
.PP
For mutual authentication to work properly, the output from the command
\&\f(CW\*(C`kas examine afs\*(C'\fR must match the key or checksum with the same key
version number in the output from this command.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The following example shows the checksums for the keys stored in the
\&\fIKeyFile\fR file on the machine \f(CW\*(C`fs3.example.com\*(C'\fR.
.PP
.Vb 7
\&   % bos listkeys fs3.example.com
\&   key 1 has cksum 972037177
\&   key 3 has cksum 2825175022
\&   key 4 has cksum 260617746
\&   key 6 has cksum 4178774593
\&   Keys last changed on Mon Apr 12 11:24:46 1999.
\&   All done.
.Ve
.PP
The following example shows the actual keys from the \fIKeyFile\fR file on the
machine \f(CW\*(C`fs6.example.com\*(C'\fR.
.PP
.Vb 6
\&   % bos listkeys fs6.example.com \-showkey
\&   key 0 is \*(Aq\e040\e205\e211\e241\e345\e002\e023\e211\*(Aq
\&   key 1 is \*(Aq\e343\e315\e307\e227\e255\e320\e135\e244\*(Aq
\&   key 2 is \*(Aq\e310\e310\e255\e253\e326\e236\e261\e211\*(Aq
\&   Keys last changed on Wed Mar 31 11:24:46 1999.
\&   All done.
.Ve
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
The issuer must be listed in the \fI/etc/openafs/server/UserList\fR file on the
machine named by the \fB\-server\fR argument, or must be logged onto a server
machine as the local superuser \f(CW\*(C`root\*(C'\fR if the \fB\-localauth\fR flag is
included.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBKeyFile\fR\|(5),
\&\fBKeyFileExt\fR\|(5),
\&\fBUserList\fR\|(5),
\&\fBasetkey\fR\|(8),
\&\fBbos_addkey\fR\|(8),
\&\fBbos_removekey\fR\|(8),
\&\fBbos_setauth\fR\|(8),
\&\fBkas_examine\fR\|(8)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
\&\s-1IBM\s0 Corporation 2000. All Rights Reserved.
.PP
This documentation is covered by the \s-1IBM\s0 Public License Version 1.0. It was
converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
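.SH "ADDED EXAMPLE"
The shell functions below are an added example, not part of the OpenAFS documentation or code. They parse the checksum listing described under OUTPUT, compare two servers' key lists (which the \fB\-server\fR option text says must match), and refuse input containing \fB\-showkey\fR key lines; the function names and the second and third sample outputs are constructed for illustration.

```shell
# Added example (not OpenAFS code): audit `bos listkeys` checksum output.
# Emit "kvno cksum" per key, ordered by kvno. Exit status 3 if the input
# holds "key N is '...'" lines (-showkey output); key octets are never echoed.
parse_listkeys() {
    sort -k2,2n | awk '
        $1 == "key" && $3 == "is" { raw = 1; next }
        $1 == "key" && $3 == "has" && $4 == "cksum" { print $2, $5 }
        END { exit (raw ? 3 : 0) }'
}

# Count of keys listed. Per CAUTIONS, an rxkad-k5-only server lists none,
# so a nonzero count means the KeyFile still holds keys.
keyfile_key_count() {
    printf '%s\n' "$1" | parse_listkeys | wc -l | tr -d ' '
}

# Compare two captured outputs. Prints each kvno whose checksum differs or
# that exists on one side only; returns 0 on match, 1 on mismatch, 3 on raw keys.
compare_listkeys() {
    a=$(printf '%s\n' "$1" | parse_listkeys) || return 3
    b=$(printf '%s\n' "$2" | parse_listkeys) || return 3
    { printf '%s\n' "$a" | sed 's/^/A /'; printf '%s\n' "$b" | sed 's/^/B /'; } |
    awk '
        NF == 3 && $1 == "A" { a[$2] = $3; seen[$2] = 1 }
        NF == 3 && $1 == "B" { b[$2] = $3; seen[$2] = 1 }
        END {
            for (k in seen) {
                av = (k in a) ? a[k] : "absent"
                bv = (k in b) ? b[k] : "absent"
                if (av != bv) { printf "kvno %s: %s vs %s\n", k, av, bv; bad = 1 }
            }
            exit bad + 0
        }'
}

# First sample is the page's fs3.example.com listing; the others are constructed.
FS3_OUT='key 1 has cksum 972037177
key 3 has cksum 2825175022
key 4 has cksum 260617746
key 6 has cksum 4178774593
Keys last changed on Mon Apr 12 11:24:46 1999.
All done.'
PEER_OUT='key 1 has cksum 972037177
key 3 has cksum 2825175022
key 4 has cksum 111111111
All done.'
SHOWKEY_OUT="key 0 is '<octets withheld>'"   # refused with status 3

compare_listkeys "$FS3_OUT" "$PEER_OUT" || echo "key lists differ (status $?)"
```

Against live servers, pass each captured listing as an argument, for example the output of `bos listkeys -server fs3.example.com` saved in a variable.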