.TH bos_util 8 "OpenAFS" "25/Dec/2007" "AFS Command Reference"
.SH "NAME"
bos_util \- Manipulate the AFS server KeyFile
.SH "SYNOPSIS"
\fBbos_util\fR add <\fIkvno\fR>
.PP
\fBbos_util\fR adddes <\fIkvno\fR>
.PP
\fBbos_util\fR delete <\fIkvno\fR>
.PP
\fBbos_util\fR list
.SH "DESCRIPTION"
The \fBbos_util\fR command manipulates the AFS server \fIKeyFile\fR. It can take
a password from standard input, convert it to a key, and add it to the
\fIKeyFile\fR; list the keys in the \fIKeyFile\fR; or remove a key from the
\fIKeyFile\fR. It is very similar in function to \fBasetkey\fR, but \fBasetkey\fR
works with keytab files whereas \fBbos_util\fR works with passwords directly.
.PP
\fBbos_util\fR expects one of the following subcommands:
.Ip "add <\fIkvno\fR>" 4
Add a key with key version <\fIkvno\fR> to the \fIKeyFile\fR using a password
from standard input. This command uses the normal \s-1AFS\s0 password salt
algorithm to generate the key (equivalent to the des-cbc-crc:afs3 enctype
in Kerberos v5). This command is basically equivalent to \fBbos addkey\fR.
.Ip "adddes <\fIkvno\fR>" 4
Add a key with key version <\fIkvno\fR> to the \fIKeyFile\fR using a password
from standard input. This command does not salt the password when
generating the key (equivalent to the des-cbc-crc:v4 enctype in Kerberos

Since this command applies no salt to the password, it can be used as a
last resort for generating a \s-1DES\s0 key with a salt algorithm that other
utilities don't know how to use by giving this command the pre-salted
password. This can be useful when, for example, using Microsoft Active
Directory as the Kerberos \s-1KDC\s0, since Active Directory uses a different
salt algorithm for service principals than most Unix Kerberos
implementations. The best approach, however, is to find a way to generate
a keytab and then use \fBasetkey\fR.
.Ip "delete <\fIkvno\fR>" 4
Delete the key with the specified key version from the \fIKeyFile\fR. This
command is equivalent to \fBasetkey delete\fR or \fBbos removekey\fR.
.Ip "list" 4
List the keys in the \fIKeyFile\fR. This command is equivalent to \fBasetkey
list\fR or \fBbos listkeys\fR.
.PP
The \fBbos_util\fR command does not use the normal \s-1AFS\s0 option parsing library
and its subcommands cannot be abbreviated.
.SH "CAUTIONS"
\fBbos_util\fR is intended for use with a Kerberos v4 environment and
therefore is mostly obsolete. Normally, rather than using this command,
you will want to use \fBktutil\fR to create a keytab (perhaps with its
\fBadd_entry\fR command) and then use \fBasetkey\fR as normal. \fBbos_util\fR
supports only the AFS password salt algorithm or no salt at all,
and therefore may not produce the same key from a given password as
Kerberos v5 utilities unless one is careful to use that same salt
algorithm when creating the key in the KDC.
.PP
Creating an AFS key with a known password and then using \fBbos_util\fR or
\fBbos addkey\fR to add that key to the \fIKeyFile\fR is not recommended.
Human-created passwords are usually not as strong as a random key
generated using a good entropy source, such as with the \fB\-randkey\fR option
to the MIT Kerberos v5 \fBkadmin ktadd\fR command or the equivalent in other
Kerberos v5 implementations. The security of AFS depends on the strength
of the AFS service key; it should therefore be as random as possible.
.PP
It is imperative that the key version number (kvno) given matches the kvno
on the Kerberos server. If it doesn't, users won't be able to
authenticate. The key generated by \fBbos_util\fR must also match the
internal representation on the Kerberos server including the salt.
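An added example (not part of the OpenAFS documentation) of the keytab route recommended above: it reads the kvno for the AFS principal from \fBklist \-k\fR output, refuses to proceed when that differs from the kvno the KDC reports, and prints the matching \fBasetkey add\fR command. The principal, realm, keytab path and the sample \fBklist\fR output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the OpenAFS distribution.
# The principal, realm and keytab path are constructed placeholders.

# Constructed `klist -k /tmp/afs.keytab` output (MIT Kerberos layout).
SAMPLE_KLIST='Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/example.com@EXAMPLE.COM
   3 afs/example.com@EXAMPLE.COM
   1 host/fs1.example.com@EXAMPLE.COM'

# Read `klist -k` output on stdin and print the highest kvno listed for
# principal $1. Exit status 1 if the keytab has no entry for it.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            if (!found || $1 + 0 > max) max = $1 + 0
            found = 1
        }
        END { if (!found) exit 1; print max }'
}

# Print (do not run) the asetkey command for keytab $1 and principal $2,
# given klist output $3 and the kvno the KDC reports for the principal $4.
# Returns 2 if the principal is absent, 3 if the two kvnos differ.
asetkey_command() {
    kvno=$(printf '%s\n' "$3" | keytab_kvno "$2") || {
        echo "no entry for $2 in $1" >&2
        return 2
    }
    if [ "$kvno" -ne "$4" ]; then
        echo "kvno mismatch: keytab has $kvno, KDC reports $4" >&2
        return 3
    fi
    # Argument order follows asetkey(8): add <kvno> <keyfile> <principal>.
    echo "asetkey add $kvno $1 $2"
}

asetkey_command /tmp/afs.keytab afs/example.com@EXAMPLE.COM "$SAMPLE_KLIST" 3
```

On a real server, pass the output of plain \fBklist \-k\fR for the keytab in place of the sample text, and take the fourth argument from the KDC's own record of the principal.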
.PP
\fBbos_util\fR takes no options.
.SH "PRIVILEGE REQUIRED"
The issuer must be logged onto a file server machine as the local
superuser \f(CWroot\fR.
.SH "SEE ALSO"
the \fIasetkey(8)\fR manpage,
the \fIbos_addkey(8)\fR manpage,
the \fIbos_listkeys(8)\fR manpage,
the \fIbos_removekey(8)\fR manpage,
.SH "COPYRIGHT"
Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>
.PP
This documentation is covered by the BSD License as written in the
doc/LICENSE file. This man page was written by Jason Edgecombe for