Provided by: openafs-client_1.8.4~pre1-1ubuntu2.4_amd64 bug

NAME

       bos_listkeys - Displays the server encryption keys from the KeyFile file

SYNOPSIS

       bos listkeys -server <machine name> [-showkey]
           [-cell <cell name>] [-noauth] [-localauth] [-help]

       bos listk -se <machine name> [-sh] [-c <cell name>]
           [-n] [-l] [-h]

DESCRIPTION

       The bos listkeys command formats and displays the list of server encryption keys from the
       /etc/openafs/server/KeyFile file on the server machine named by the -server argument.  It
       is equivalent to asetkey list, but can be run remotely.

       To edit the list of keys, use the asetkey command; see asetkey(8) for more information.
       You can also remove keys remotely using the bos removekey command.  If you are using the
       Authentication Server (kaserver) rather than a Kerberos v5 KDC, use the bos addkey command
       instead of asetkey to add a new key.

CAUTIONS

       Displaying actual keys on the standard output stream (by including the -showkey flag) is a
       security exposure. Displaying a checksum is sufficient for most purposes.

       This command will only list keys in the KeyFile; it cannot display keys from a KeyFileExt.
       A server running a modern, secure installation using only keys for the rxkad-k5 extension
       will yield no keys in the output of this command.

OPTIONS

       -server <machine name>
           Indicates the server machine from which to display the KeyFile file. Identify the
           machine by IP address or its host name (either fully-qualified or abbreviated
           unambiguously). For details, see bos(8).

           For consistent performance in the cell, the output must be the same on every server
           machine.  asetkey(8) explains how to keep the machines synchronized.

       -showkey
           Displays the octal digits that constitute each key.  Anyone who has access to the
           resulting output will have complete access to the AFS cell and will be able to
           impersonate the AFS cell to any client, so be very careful when using this option.

       -cell <cell name>
           Names the cell in which to run the command. Do not combine this argument with the
           -localauth flag. For more details, see bos(8).

       -noauth
           Assigns the unprivileged identity "anonymous" to the issuer. Do not combine this flag
           with the -localauth flag. For more details, see bos(8).

       -localauth
           Constructs a server ticket using a key from the local /etc/openafs/server/KeyFile or
           /etc/openafs/server/KeyFileExt file.  The bos command interpreter presents the ticket
           to the BOS Server during mutual authentication. Do not combine this flag with the
           -cell or -noauth options. For more details, see bos(8).

       -help
           Prints the online help for this command. All other valid options are ignored.

OUTPUT

       The output includes one line for each server encryption key listed in the KeyFile file,
       identified by its key version number.

       If the -showkey flag is included, the output displays the actual string of eight octal
       numbers that constitute the key. Each octal number is a backslash and three decimal
       digits.

       If the -showkey flag is not included, the output represents each key as a checksum, which
       is a decimal number derived by encrypting a constant with the key.

       Following the list of keys or checksums, the string "Keys last changed" indicates when a
       key was last added to the KeyFile file. The words "All done" indicate the end of the
       output.

       For mutual authentication to work properly, the output from the command "kas examine afs"
       must match the key or checksum with the same key version number in the output from this
       command.

EXAMPLES

       The following example shows the checksums for the keys stored in the KeyFile file on the
       machine "fs3.example.com".

          % bos listkeys fs3.example.com
          key 1 has cksum 972037177
          key 3 has cksum 2825175022
          key 4 has cksum 260617746
          key 6 has cksum 4178774593
          Keys last changed on Mon Apr 12 11:24:46 1999.
          All done.

       The following example shows the actual keys from the KeyFile file on the machine
       "fs6.example.com".

          % bos listkeys fs6.example.com -showkey
          key 0 is '\040\205\211\241\345\002\023\211'
          key 1 is '\343\315\307\227\255\320\135\244'
          key 2 is '\310\310\255\253\326\236\261\211'
          Keys last changed on Wed Mar 31 11:24:46 1999.
          All done.

PRIVILEGE REQUIRED

       The issuer must be listed in the /etc/openafs/server/UserList file on the machine named by
       the -server argument, or must be logged onto a server machine as the local superuser
       "root" if the -localauth flag is included.

SEE ALSO

       KeyFile(5), KeyFileExt(5), UserList(5), asetkey(8), bos_addkey(8), bos_removekey(8),
       bos_setauth(8), kas_examine(8)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted
       from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by
       Alf Wachsmann and Elizabeth Cassell.