NAME
bos_util - Manipulate the AFS server KeyFile
SYNOPSIS
bos_util add <kvno>
bos_util adddes <kvno>
bos_util delete <kvno>
bos_util list
DESCRIPTION
The bos_util command manipulates the AFS server KeyFile. It can take a
password from standard input, convert it to a key, and add it to the KeyFile;
list the keys in the KeyFile; or remove a key from the KeyFile. It is very
similar in function to asetkey, but asetkey works with keytab files whereas
bos_util works with passwords directly.

bos_util expects one of the following subcommands:
add <kvno>
    Add a key with key version <kvno> to the KeyFile using a password from
    standard input. This command uses the normal AFS password salt algorithm
    to generate the key (equivalent to the des-cbc-crc:afs3 enctype in
    Kerberos v5). This command is basically equivalent to bos addkey.

adddes <kvno>
    Add a key with key version <kvno> to the KeyFile using a password from
    standard input. This command does not salt the password when generating
    the key (equivalent to the des-cbc-crc:v4 enctype in Kerberos v5).

    Since this command applies no salt to the password, it can be used as a
    last resort for generating a DES key with a salt algorithm that other
    utilities don't know how to use, by giving this command the pre-salted
    password. This can be useful when, for example, using Microsoft Active
    Directory as the Kerberos KDC, since Active Directory uses a different
    salt algorithm for service principals than most Unix Kerberos
    implementations. The best approach, however, is to find a way to generate
    a keytab and then use asetkey.

delete <kvno>
    Delete the key with the specified key version from the KeyFile. This
    command is equivalent to asetkey delete or bos removekey.

list
    List the keys in the KeyFile. This command is equivalent to asetkey list
    or bos listkeys.
The bos_util command does not use the normal AFS option parsing library and
its subcommands cannot be abbreviated.
CAUTIONS
bos_util is intended for use with a Kerberos v4 environment and therefore is
mostly obsolete. Normally, rather than using this command, you will want to
use ktutil to create a keytab (perhaps with its add_entry command) and then
use asetkey as normal. bos_util only supports the AFS password salt algorithm
and no password salt algorithm and therefore may not produce the same key
from a given password as Kerberos v5 utilities unless one is careful to use
that same salt algorithm when creating the key in the KDC.

Creating an AFS key with a known password and then using bos_util or bos
addkey to add that key to the KeyFile is not recommended. Human-created
passwords are usually not as strong as a random key generated using a good
entropy source, such as with the -randkey option to the MIT Kerberos v5
kadmin ktadd command or the equivalent in other Kerberos v5 implementations.
The security of AFS depends on the strength of the AFS service key; it should
therefore be as random as possible.

It is imperative that the key version number (kvno) given matches the kvno on
the Kerberos server. If it doesn't, users won't be able to authenticate. The
key generated by bos_util must also match the internal representation on the
Kerberos server, including the salt.
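To make the kvno and key-representation checks above concrete, here is an added Python example (not part of OpenAFS or this man page) that parses a KeyFile the way the list subcommand views it and reports what the cautions warn about: a kvno that does not match the KDC, duplicate kvnos, and key bytes that lack DES odd parity. It assumes the OpenAFS KeyFile layout of a big-endian int32 key count followed by fixed-size records of an int32 kvno and an 8-byte DES key; the sample file bytes and function names are constructed for this example.

```python
import struct
from collections import Counter

# Layout assumed from OpenAFS's struct afsconf_keys: big-endian int32 key
# count, then up to 8 records of {int32 kvno, 8-byte DES key}. The file is
# written at its full fixed size, so unused slots are zero padding.
HEADER = struct.Struct(">i")
RECORD = struct.Struct(">i8s")
MAX_KEYS = 8


def parse_keyfile(data: bytes) -> list[tuple[int, bytes]]:
    """Return [(kvno, key), ...] from raw KeyFile bytes (the 'list' view)."""
    if len(data) < HEADER.size:
        raise ValueError("KeyFile too short for header")
    (nkeys,) = HEADER.unpack_from(data, 0)
    if not 0 <= nkeys <= MAX_KEYS:
        raise ValueError(f"implausible key count {nkeys}")
    if len(data) < HEADER.size + nkeys * RECORD.size:
        raise ValueError(f"KeyFile truncated: header claims {nkeys} keys")
    return [RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
            for i in range(nkeys)]


def has_odd_parity(key: bytes) -> bool:
    """A DES key produced by a string-to-key routine has odd parity per byte."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def audit_keyfile(data: bytes, kdc_kvno: int) -> list[str]:
    """Findings to resolve before trusting a KeyFile: kvno drift against the
    KDC, duplicate kvnos, and keys whose parity shows they were never
    DES-fixed (so they cannot match the KDC's internal representation)."""
    keys = parse_keyfile(data)
    kvnos = [k for k, _ in keys]
    findings = []
    if kdc_kvno not in kvnos:
        findings.append(f"kvno {kdc_kvno} used by the KDC is missing; "
                        "users will not be able to authenticate")
    for kvno, n in Counter(kvnos).items():
        if n > 1:
            findings.append(f"kvno {kvno} appears {n} times")
    for kvno, key in keys:
        if not has_odd_parity(key):
            findings.append(f"kvno {kvno}: key bytes lack DES odd parity")
    return findings


# Constructed sample KeyFile with kvno 3 and 4; the key bytes are made up.
SAMPLE_KEYFILE = (
    HEADER.pack(2)
    + RECORD.pack(3, bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E]))
    + RECORD.pack(4, bytes([0x10, 0x13, 0x15, 0x16, 0x19, 0x1A, 0x1C, 0x1F]))
    + b"\0" * (RECORD.size * (MAX_KEYS - 2))
)
```

Run audit_keyfile on the bytes of /usr/afs/etc/KeyFile (or the local equivalent) with the kvno reported by the KDC for the afs service principal; an empty list means the file is consistent with what this man page requires.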
OPTIONS
bos_util takes no options.
PRIVILEGE REQUIRED
The issuer must be logged onto a file server machine as the local superuser
"root".
SEE ALSO
asetkey(8), bos_addkey(8), bos_listkeys(8), bos_removekey(8), kadmin(8),
ktutil(8)
COPYRIGHT
Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>
This documentation is covered by the BSD License as written in the doc/LICENSE
file. This man page was written by Jason Edgecombe for OpenAFS.