bionic (5) KeyFileExt.5.gz

Provided by: openafs-fileserver_1.8.0~pre5-1ubuntu1.2_amd64 bug

NAME
       KeyFileExt - Defines extended AFS server encryption keys


DESCRIPTION
       The KeyFileExt file defines some of the server encryption keys that the AFS server processes running on
       the machine use to decrypt the tickets presented by clients during the mutual authentication process. AFS
       server processes perform privileged actions only for clients that possess a ticket encrypted with one of
       the keys from the KeyFile or KeyFileExt.  The file must reside in the /etc/openafs/server directory on
       every server machine. For more detailed information on mutual authentication and server encryption keys,
       see the OpenAFS Administration Guide.

       Each key has a corresponding key version number and encryption type that distinguishes it from the other
       keys. The tickets that clients present are also marked with a key version number and encryption type to
       tell the server process which key to use to decrypt it. The KeyFileExt file must always include a key
       with the same key version number and encryption type and contents as the key currently listed for the
       "afs/cell" principal in the associated Kerberos v5 realm.  (The principal "afs" may be used if the cell
       and realm names are the same, but adding the cell name to the principal is recommended even in this
       case.)  Keys in the KeyFile must be DES keys; keys of stronger encryption types (such as those used by
       the rxkad-k5 extension) are contained in the KeyFileExt.

       The KeyFileExt file is in binary format, so always use the asetkey command to administer it:

       •   The asetkey add command to add a new key.

       •   The asetkey list command to display the keys.

       •   The asetkey delete command to remove a key from the file.

       The asetkey commands must be run on the same server as the KeyFileExt file to update. Normally, new keys
       should be added from a Kerberos v5 keytab using asetkey add.

       The file should be edited on each server machine.


CAUTIONS
       The most common error caused by changes to KeyFileExt is to add a key that does not match the
       corresponding key for the Kerberos v5 principal or Authentication Server database entry. Both the key and
       the key version number must match the key for the corresponding principal, either "afs/cell" or "afs", in
       the Kerberos v5 realm.  Using asetkey(8) to add rxkad-k5 keys to the KeyFileExt also requires specifying
       a krb5 encryption type number.  Since the encryption type must be specified by its number (not a symbolic
       or string name), care must be taken to determine the correct encryption type to add.


SEE ALSO
       KeyFile(5), asetkey(8),

       The OpenAFS Administration Guide at <http://docs.openafs.org/AdminGuide/>.


       IBM Corporation, 2000. <http://www.ibm.com/> All Rights Reserved.  Massachusetts Institute of Technology,
       2015.