Provided by: openafs-client_1.6.7-1ubuntu1.1_amd64

NAME

       bos_listkeys - Displays the server encryption keys from the KeyFile file

SYNOPSIS

       bos listkeys -server <machine name> [-showkey]
           [-cell <cell name>] [-noauth] [-localauth] [-help]

       bos listk -se <machine name> [-sh] [-c <cell name>]
           [-n] [-l] [-h]

DESCRIPTION

       The bos listkeys command formats and displays the list of server encryption keys from the
       /etc/openafs/server/KeyFile file on the server machine named by the -server argument.  It is equivalent
       to asetkey list, but can be run remotely.

       To edit the list of keys, use the asetkey command; see asetkey(8) for more information.  You can also
       remove keys remotely using the bos removekey command.  If you are using the Authentication Server
       (kaserver) rather than a Kerberos v5 KDC, use the bos addkey command instead of asetkey to add a new key.

CAUTIONS

       Displaying actual keys on the standard output stream (by including the -showkey flag) is a security
       exposure. Displaying a checksum is sufficient for most purposes.

OPTIONS

       -server <machine name>
           Indicates the server machine from which to display the KeyFile file. Identify the machine by IP
           address or its host name (either fully-qualified or abbreviated unambiguously). For details, see
           bos(8).

           For consistent performance in the cell, the output must be the same on every server machine.
           asetkey(8) explains how to keep the machines synchronized.

       -showkey
           Displays the octal digits that constitute each key.  Anyone who has access to the resulting output
           will have complete access to the AFS cell and will be able to impersonate the AFS cell to any client,
           so be very careful when using this option.

       -cell <cell name>
           Names the cell in which to run the command. Do not combine this argument with the -localauth flag.
           For more details, see bos(8).

       -noauth
           Assigns the unprivileged identity "anonymous" to the issuer. Do not combine this flag with the
           -localauth flag. For more details, see bos(8).

       -localauth
           Constructs a server ticket using a key from the local /etc/openafs/server/KeyFile file. The bos
           command interpreter presents the ticket to the BOS Server during mutual authentication. Do not
           combine this flag with the -cell or -noauth options. For more details, see bos(8).

       -help
           Prints the online help for this command. All other valid options are ignored.

OUTPUT

       The output includes one line for each server encryption key listed in the KeyFile file, identified by its
       key version number.

       If the -showkey flag is included, the output displays the actual string of eight octal numbers that
       constitute the key. Each octal number is a backslash and three decimal digits.

       If the -showkey flag is not included, the output represents each key as a checksum, which is a decimal
       number derived by encrypting a constant with the key.

       Following the list of keys or checksums, the string "Keys last changed" indicates when a key was last
       added to the KeyFile file. The words "All done" indicate the end of the output.

       For mutual authentication to work properly, the output from the command "kas examine afs" must match the
       key or checksum with the same key version number in the output from this command.

EXAMPLES

       The following example shows the checksums for the keys stored in the KeyFile file on the machine
       "fs3.abc.com".

          % bos listkeys fs3.abc.com
          key 1 has cksum 972037177
          key 3 has cksum 2825175022
          key 4 has cksum 260617746
          key 6 has cksum 4178774593
          Keys last changed on Mon Apr 12 11:24:46 1999.
          All done.

       The following example shows the actual keys from the KeyFile file on the machine "fs6.abc.com".

          % bos listkeys fs6.abc.com -showkey
          key 0 is '\040\205\211\241\345\002\023\211'
          key 1 is '\343\315\307\227\255\320\135\244'
          key 2 is '\310\310\255\253\326\236\261\211'
          Keys last changed on Wed Mar 31 11:24:46 1999.
          All done.
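
       The following Python sketch is an added example, not part of the OpenAFS documentation. It parses
       captured bos listkeys output in the two formats shown above, reports servers whose key version
       numbers or checksums differ (the synchronization requirement under -server), and redacts -showkey
       key bytes before output is stored. The function names and the second server's output are
       assumptions made for the example.

```python
import re
CKSUM_RE = re.compile(r"^\s*key (\d+) has cksum (\d+)\s*$")
# -showkey form: eight backslash-escaped octal bytes inside single quotes.
RAWKEY_RE = re.compile(r"^(\s*key (\d+) is )'((?:\\[0-7]{3}){8})'\s*$")

def parse_listkeys(text):
    """Parse bos listkeys output: checksum per kvno, kvnos shown in clear, status."""
    out = {"cksums": {}, "exposed": [], "complete": False}
    for line in text.splitlines():
        if m := CKSUM_RE.match(line):
            out["cksums"][int(m.group(1))] = int(m.group(2))
        elif m := RAWKEY_RE.match(line):
            out["exposed"].append(int(m.group(2)))
        elif line.strip() == "All done.":
            out["complete"] = True
    return out

def redact(text):
    """Replace raw key bytes with a marker before the text is stored or logged."""
    return "\n".join(RAWKEY_RE.sub(r"\1'[REDACTED]'", l) for l in text.splitlines())

def find_drift(outputs):
    """Map each server to the kvnos where it disagrees with the first server."""
    parsed = {srv: parse_listkeys(o) for srv, o in outputs.items()}
    ref = next(iter(parsed.values()))["cksums"]
    drift = {}
    for srv, p in parsed.items():
        if not p["complete"]:
            raise ValueError(f"{srv}: output ended before 'All done.'")
        differing = set(ref.items()) ^ set(p["cksums"].items())
        if differing:
            drift[srv] = sorted({kvno for kvno, _ in differing})
    return drift

# FS3/SHOWKEY: the page's example outputs. FS4: constructed (key 4 missing, key 6 differs).
FS3 = """key 1 has cksum 972037177
key 3 has cksum 2825175022
key 4 has cksum 260617746
key 6 has cksum 4178774593
Keys last changed on Mon Apr 12 11:24:46 1999.
All done."""
FS4 = FS3.replace("key 4 has cksum 260617746\n", "").replace("4178774593", "1111111111")
SHOWKEY = r"""key 0 is '\040\205\211\241\345\002\023\211'
key 1 is '\343\315\307\227\255\320\135\244'
key 2 is '\310\310\255\253\326\236\261\211'
Keys last changed on Wed Mar 31 11:24:46 1999.
All done."""
if __name__ == "__main__":
    print(find_drift({"fs3.abc.com": FS3, "fs4.abc.com": FS4}), redact(SHOWKEY), sep="\n")
```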

PRIVILEGE REQUIRED

       The issuer must be listed in the /etc/openafs/server/UserList file on the machine named by the -server
       argument, or must be logged onto a server machine as the local superuser "root" if the -localauth flag is
       included.

SEE ALSO

       KeyFile(5), UserList(5), asetkey(8), bos_addkey(8), bos_removekey(8), bos_setauth(8), kas_examine(8)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML to POD
       by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.

OpenAFS                                            2014-04-03                                    BOS_LISTKEYS(8)