oracular (8) bos_util.8.gz

Provided by: openafs-fileserver_1.8.12.1-1_amd64

NAME

       bos_util - Manipulate the AFS server KeyFile

SYNOPSIS

       bos_util add <kvno>

       bos_util adddes <kvno>

       bos_util delete <kvno>

       bos_util list

DESCRIPTION

       The bos_util command manipulates the AFS server KeyFile. It can take a password from
       standard input, convert it to a key, and add it to the KeyFile; list the keys in the
       KeyFile; or remove a key from the KeyFile. It is very similar in function to asetkey, but
       asetkey works with keytab files whereas bos_util works with passwords directly.

       bos_util expects one of the following subcommands:

       add <kvno>
           Add a key with key version <kvno> to the KeyFile using a password from standard input.
           This command uses the normal AFS password salt algorithm to generate the key
           (equivalent to the des-cbc-crc:afs3 enctype in Kerberos v5). This command is basically
           equivalent to bos addkey.

       adddes <kvno>
           Add a key with key version <kvno> to the KeyFile using a password from standard input.
           This command does not salt the password when generating the key (equivalent to the
           des-cbc-crc:v4 enctype in Kerberos v5).

           Since this command applies no salt to the password, it can be used as a last resort
           for generating a DES key with a salt algorithm that other utilities don't know how to
           use by giving this command the pre-salted password. This can be useful when, for
           example, using Microsoft Active Directory as the Kerberos KDC, since Active Directory
           uses a different salt algorithm for service principals than most Unix Kerberos
           implementations. The best approach, however, is to find a way to generate a keytab and
           then use asetkey.

       delete <kvno>
           Delete the key with the specified key version from the KeyFile. This command is
           equivalent to asetkey delete or bos removekey.

       list
           List the keys in the KeyFile. This command is equivalent to asetkey list or bos
           listkeys.

       The bos_util command does not use the normal AFS option parsing library and its
       subcommands cannot be abbreviated.

CAUTIONS

       bos_util is intended for use with a Kerberos v4 environment and therefore is mostly
       obsolete. Normally, rather than using this command, you will want to use ktutil to create
       a keytab (perhaps with its add_entry command) and then use asetkey as normal. bos_util
       only supports the AFS password salt algorithm and no password salt algorithm and therefore
       may not produce the same key from a given password as Kerberos v5 utilities unless one is
       careful to use that same salt algorithm when creating the key in the KDC.

       Creating an AFS key with a known password and then using bos_util or bos addkey to add
       that key to the KeyFile is not recommended.  Human-created passwords are usually not as
       strong as a random key generated using a good entropy source, such as with the -randkey
       option to the MIT Kerberos v5 kadmin ktadd command or the equivalent in other Kerberos v5
       implementations. The security of AFS depends on the strength of the AFS service key; it
       should therefore be as random as possible.

       It is imperative that the key version number (kvno) given matches the kvno on the Kerberos
       server. If it doesn't, users won't be able to authenticate. The key generated by bos_util
       must also match the internal representation on the Kerberos server including the salt.
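
       The following Python is an added example, not code from OpenAFS or from this man page: it
       reads a KeyFile offline, mirrors the list and delete subcommands, and flags the key-quality
       problems this section warns about (bad DES parity, DES weak keys, duplicate kvnos). The
       KeyFile layout it assumes (a big-endian 32-bit key count, then eight fixed 12-byte records
       of a big-endian kvno and an 8-byte DES key, 100 bytes in all) is an assumption, as is the
       constructed sample file.

```python
import struct
# Assumed classic OpenAFS KeyFile layout (an assumption, not stated in the man page): big-endian
# int32 key count, then 8 fixed records of {big-endian int32 kvno, 8-byte DES key} = 100 bytes.
MAXKEYS = 8
HEADER = struct.Struct(">i")
RECORD = struct.Struct(">i8s")
# The four DES weak keys in odd-parity form; semi-weak keys are not checked here.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}

def has_odd_parity(key):
    # Every byte of a proper DES key carries odd parity.
    return all(bin(b).count("1") % 2 == 1 for b in key)

def parse_keyfile(data):
    """Return [(kvno, key), ...] for the entries the header says are in use."""
    (nkeys,) = HEADER.unpack_from(data, 0)
    if not 0 <= nkeys <= MAXKEYS or len(data) < HEADER.size + nkeys * RECORD.size:
        raise ValueError("KeyFile header claims %d keys; file is %d bytes" % (nkeys, len(data)))
    return [RECORD.unpack_from(data, HEADER.size + i * RECORD.size) for i in range(nkeys)]

def build_keyfile(entries):
    """Serialise entries, zero-padding unused slots to the fixed 100-byte size."""
    if len(entries) > MAXKEYS:
        raise ValueError("KeyFile holds at most %d keys" % MAXKEYS)
    body = b"".join(RECORD.pack(kvno, key) for kvno, key in entries)
    return HEADER.pack(len(entries)) + body + b"\0" * ((MAXKEYS - len(entries)) * RECORD.size)

def delete_kvno(data, kvno):
    """Offline equivalent of 'bos_util delete <kvno>': drop one entry, rewrite the rest."""
    entries = parse_keyfile(data)
    kept = [e for e in entries if e[0] != kvno]
    if len(kept) == len(entries):
        raise KeyError("no key with kvno %d" % kvno)
    return build_keyfile(kept)

def audit_keyfile(data):
    """Checks a defender can run offline: duplicate kvnos, bad parity, DES weak keys."""
    findings, seen = [], set()
    for kvno, key in parse_keyfile(data):
        if kvno in seen:
            findings.append("kvno %d: duplicate entry" % kvno)
        seen.add(kvno)
        if not has_odd_parity(key):
            findings.append("kvno %d: key bytes lack odd DES parity" % kvno)
        if key in DES_WEAK_KEYS:
            findings.append("kvno %d: DES weak key" % kvno)
    return findings

# Constructed sample KeyFile: kvno 3 is well-formed, kvno 4 was written without parity fix-up.
SAMPLE_KEYFILE = build_keyfile([(3, bytes.fromhex("134A8F2CD061B5E9")),
                                (4, bytes.fromhex("DEADBEEF00112233"))])
```

       Run audit_keyfile over a KeyFile copied from a file server to spot keys that were not
       produced by a proper key-generation tool before they cause authentication failures.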

OPTIONS

       bos_util takes no options.

PRIVILEGE REQUIRED

       The issuer must be logged onto a file server machine as the local superuser "root".

SEE ALSO

       asetkey(8), bos_addkey(8), bos_listkeys(8), bos_removekey(8), kadmin(8), ktutil(8)

       Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>

       This documentation is covered by the BSD License as written in the doc/LICENSE file. This
       man page was written by Jason Edgecombe for OpenAFS.