From: Jason Edgecombe Date: Sat, 18 Aug 2007 01:41:39 +0000 (+0000) Subject: man-page-bos-util-20070817 X-Git-Tag: BP-openafs-windows-kdfs-ifs~553 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=815ac3c773d9312f2abf6e7903aa3d723618485a man-page-bos-util-20070817 Add a man page for bos_util. --- diff --git a/doc/man-pages/README b/doc/man-pages/README index 2584107..528b31c 100644 --- a/doc/man-pages/README +++ b/doc/man-pages/README @@ -197,7 +197,6 @@ Known Problems * The following installed commands have no man pages: - bos_util copyauth flushall (Windows only) fs getcalleraccess @@ -230,6 +229,9 @@ Known Problems * bos listkeys and the KeyFile man page assume that you're using the kaserver. + * bos addkey should be marked deprecated in favor of using asetkey with + a keytab. + * I'm fairly sure that the fileserver man page no longer documents all of the fileserver options. diff --git a/doc/man-pages/pod8/bos_util.pod b/doc/man-pages/pod8/bos_util.pod new file mode 100644 index 0000000..a26fccc --- /dev/null +++ b/doc/man-pages/pod8/bos_util.pod @@ -0,0 +1,118 @@ +=head1 NAME + +bos_util - Manipulate the AFS server Keyfile + +=head1 SYNOPSIS + +=for html +
+ +B add > + +B adddes > + +B delete > + +B list + +=for html +
+ +=head1 DESCRIPTION + +The B command manipulates the AFS server B. It can take +a password from standard input, convert it to a key, and add it to the +F; list the keys in the F; or remove a key from thet +F. It is very similar in function to B, but B +works with keytab files wheras B works with passwords directly. + +B expects one of the following subcommands: + +=over 4 + +=item add > + +Add a key with key version > to the F using a password +from standard input. This command uses the normal AFS password salt +algorithm to generate the key (equivalent to the des-cbc-crc:afs3 enctype +in Kerberos v5). This command is basically equivalent to B. + +=item adddes > + +Add a key with key version > to the B using a password +from standard input. This command does not salt the password when +generating the key (equivalent to the des-cbc-crc:v4 enctype in Kerberos +v5). + +Since this command applies no salt to the password, it can be used as a +last resort for generating a DES key with a salt algorithm that other +utilities don't know how to use by giving this command the pre-salted +password. This can be useful when, for example, using Microsoft Active +Directory as the Kerberos KDC, since Active Directory uses a different +salt algorithm for service principals than most Unix Kerberos +implementations. The best approach, however, is to find a way to generate +a keytab and then use B. + +=item delete > + +Delete the key with the specified key version from the F. This +command is equivalent to B or B. + +=item list + +List the keys in the F. This command is equivalent to B or B. + +=back + +The B command does not use the normal AFS option parsing library +and its subcommands cannot be abbreviated. + +=head1 CAUTIONS + +B is intended for use with a Kerberos v4 environment and +therefore is mostly obsolete. Normally, rather than using this command, +you will want to use B to create a keytab (perhaps with its +B command) and then use B as normal. 
B only +supports the AFS password salt algorithm and no password salt algorithm +and therefore may not produce the same key from a given password as +Kerberos v5 utilities unless one is careful to use that same salt +algorithm when creating the key in the KDC. + +Creating an AFS key with a known password and then using B or +B to add that key to the F is not recommended. +Human-created passwords are usually not as strong as a random key +generated using a good entropy source, such as with the B<-randkey> option +to the MIT Kerberos v5 B command or the equivalent in other +Kerberos v5 implementations. The security of AFS depends on the strength +of the AFS service key; it should therefore be as random as possible. + +It is imperative that the key version number (kvno) given matches the kvno +on the Kerberos server. If it doesn't, users won't be able to +authenticate. The key generated by B must also match the +internal representation on the Kerberos server including the salt. + +=head1 OPTIONS + +B takes no options. + +=head1 PRIVILEGE REQUIRED + +The issuer must be logged onto a file server machine as the local +superuser C. + +=head1 SEE ALSO + +L, +L, +L, +L, +kadmin(8), +ktutil(8) + +=head1 COPYRIGHT + +Copyright 2007 Jason Edgecombe + +This documentation is covered by the IBM Public License Version 1.0. +This man page was written by Jason Edgecombe for OpenAFS.
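Review bot: the new Known Problems entry in the README hunk ("bos addkey should be marked deprecated in favor of using asetkey with a keytab") applies equally to the bos_util add and adddes subcommands added in the same commit, which the new man page describes as "basically equivalent to bos addkey"; either extend the entry to "bos addkey and bos_util add/adddes should be marked deprecated in favor of using asetkey with a keytab" so the README tracks both, or add a cross-reference to the CAUTIONS section of bos_util.pod, which already says to prefer asetkey.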
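Review bot: typos and inconsistent markup in the DESCRIPTION and adddes sections of the new bos_util.pod: "or remove a key from thet" should read "from the", "wheras" should be "whereas", and the KeyFile name is marked up with B<> in the first DESCRIPTION sentence and in the adddes item but with F<> in every other reference (and spelled "Keyfile" in NAME); use F<KeyFile> throughout so the file name renders consistently. In CAUTIONS, "only supports the AFS password salt algorithm and no password salt algorithm" reads as self-contradictory; suggest "supports only two salt choices, the AFS password salt (add) and no salt at all (adddes)", which also makes the kvno/salt warning at the end of that section easier to follow. The CAUTIONS paragraph on human-chosen passwords being weaker than a random key is the most important security statement on the page; since a reader following SYNOPSIS and DESCRIPTION alone never sees it, the DESCRIPTION could end with a one-line pointer such as "See CAUTIONS before using add or adddes to install a key derived from a password."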