.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "KEYFILEEXT 5"
.TH KEYFILEEXT 5 "2023-12-24" "OpenAFS" "AFS File Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
KeyFileExt \- Defines extended AFS server encryption keys
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fIKeyFileExt\fR file defines some of the server encryption keys
that the \s-1AFS\s0 server
processes running on the machine use to decrypt the tickets presented by
clients during the mutual authentication process. \s-1AFS\s0 server processes
perform privileged actions only for clients that possess a ticket
encrypted with one of the keys from the \fIKeyFile\fR or \fIKeyFileExt\fR.
The file must reside in the
\&\fI/etc/openafs/server\fR directory on every server machine. For more detailed
information on mutual authentication and server encryption keys, see the
\&\fIOpenAFS Administration Guide\fR.
.PP
Each key has a corresponding key version number and encryption
type that distinguishes it
from the other keys. The tickets that clients present are also marked with
a key version number and encryption type
to tell the server process which key to use to
decrypt it. The \fIKeyFileExt\fR file must always include a key with the same
key version number and encryption type
and contents as the key currently listed for the
\&\f(CW\*(C`afs/\f(CIcell\f(CW\*(C'\fR principal in the associated Kerberos v5 realm.
(The principal \f(CW\*(C`afs\*(C'\fR may be used if the cell and
realm names are the same, but adding the cell name to the principal is
recommended even in this case.)
Keys in the \fIKeyFile\fR must be \s-1DES\s0 keys; keys of stronger
encryption types (such as those used by the rxkad\-k5 extension) are
contained in the \fIKeyFileExt\fR.
.PP
The \fIKeyFileExt\fR file is in binary format, so always use the
\&\fBasetkey\fR command to administer it:
.IP "\(bu" 4
The \fBasetkey add\fR command to add a new key.
.IP "\(bu" 4
The \fBasetkey list\fR command to display the keys.
.IP "\(bu" 4
The \fBasetkey delete\fR command to remove a key from the file.
.PP
The \fBasetkey\fR commands must be run on the same server as the \fIKeyFileExt\fR
file to update. Normally, new
keys should be added from a Kerberos v5 keytab using \fBasetkey add\fR.
.PP
The file should be edited on each server machine.
.SH "CAUTIONS"
.IX Header "CAUTIONS"
The most common error caused by changes to \fIKeyFileExt\fR is to add a key that
does not match the corresponding key for the Kerberos v5 principal or
Authentication Server database entry. Both the key and the key version
number must match the key for the corresponding principal, either
\&\f(CW\*(C`afs/\f(CIcell\f(CW\*(C'\fR or \f(CW\*(C`afs\*(C'\fR, in the Kerberos v5 realm.  Using \fBasetkey\fR\|(8)
to add rxkad\-k5 keys to the \fIKeyFileExt\fR also requires specifying a krb5
encryption type number.  Since the encryption type must be specified
by its number (not a symbolic or string name), care must be taken to
determine the correct encryption type to add.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBKeyFile\fR\|(5),
\&\fBasetkey\fR\|(8),
.PP
The \fIOpenAFS Administration Guide\fR at
<http://docs.openafs.org/AdminGuide/>.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
\&\s-1IBM\s0 Corporation, 2000. <http://www.ibm.com/> All Rights Reserved.
Massachusetts Institute of Technology, 2015.