windows-issues-20050925

[openafs.git] / doc / html / AdminGuide / auagd014.htm

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Administration Guide</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3570/auagd000.scr converted by idb2h R4.2 (359) ID      -->
<!-- Workbench Version (AIX) on 2 Oct 2000 at 11:42:14                -->
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 11:42:13">
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 11:42:13">
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 11:42:13">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved    --> 
<BODY bgcolor="ffffff"> 
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Administration Guide</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auagd002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auagd013.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auagd015.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auagd026.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<HR><H1><A NAME="HDRWQ355" HREF="auagd002.htm#ToC_409">Managing Server Encryption Keys</A></H1>
<P>This chapter explains how to maintain your cell's
server encryption keys, which are vital for secure communications in
AFS.
<HR><H2><A NAME="HDRWQ356" HREF="auagd002.htm#ToC_410">Summary of Instructions</A></H2>
<P>This chapter explains how to perform the following tasks by
using the indicated commands:
<BR>
<TABLE WIDTH="100%">
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%">Add a new server encryption key
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><B>bos addkey</B> and <B>kas setpassword</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%">Inspect key checksums in the Authentication Database
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><B>kas examine</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%">Inspect key checksums in the <B>KeyFile</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><B>bos listkeys</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%">Remove an old server encryption key
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><B>bos removekey</B>
</TD></TR></TABLE>
<HR><H2><A NAME="HDRWQ358" HREF="auagd002.htm#ToC_411">About Server Encryption Keys</A></H2>
<A NAME="IDX7246"></A>
<A NAME="IDX7247"></A>
<P>An <I>encryption key</I> is a string of octal numbers used to encrypt
and decrypt packets of information. In AFS, a <I>server encryption
key</I> is the key used to protect information being transferred between AFS
server processes and between them and their clients. A server
encryption key is essentially a password for a server process and like a user
password is stored in the Authentication Database.
<P>Maintaining your cell's server encryption keys properly is the most
basic way to protect the information in your AFS filespace from access by
unauthorized users.
<P><H3><A NAME="Header_412" HREF="auagd002.htm#ToC_412">Keys and Mutual Authentication: A Review</A></H3>
<A NAME="IDX7248"></A>
<A NAME="IDX7249"></A>
<A NAME="IDX7250"></A>
<A NAME="IDX7251"></A>
<A NAME="IDX7252"></A>
<A NAME="IDX7253"></A>
<P>Server encryption keys play a central role in the mutual authentication
between client and server processes in AFS. For a more detailed
description of mutual authentication, see <A HREF="auagd007.htm#HDRWQ75">A More Detailed Look at Mutual Authentication</A>.
<P>When a client wants to contact an AFS server, it first contacts the
<I>Ticket Granting Service</I> (TGS) module of the Authentication
Server. After verifying the client's identity (based indirectly on
the password of the human user whom the client represents), the TGS gives the
client a <I>server ticket</I>. This ticket is encrypted with the
server's encryption key. (The TGS also invents a second encryption
key, called the <I>session key</I>, to be used only for a single episode
of communication between server and client. The server ticket and
session key, together with other pieces of information, are collectively
referred to as a <I>token</I>.)
<P>The client cannot read the server ticket or token because it does not know
the server encryption key. However, the client sends it to the AFS
server along with service requests, because the ticket proves to the AFS
server processes that it has already authenticated with the TGS. AFS
servers trust the TGS to grant tickets only to valid clients. The fact
that the client possesses a ticket encrypted with the server's encryption
key proves to the server that the client is valid. On the other hand,
the client assumes that only a genuine AFS server knows the server encryption
key needed to decrypt the ticket. The server's ability to decrypt
the ticket and understand its contents proves to the client that the server is
legitimate.
<P><H3><A NAME="Header_413" HREF="auagd002.htm#ToC_413">Maintaining AFS Server Encryption Keys</A></H3>
<P>As you maintain your cell's server encryption keys, keep the
following in mind.
<UL>
<P><LI>Change the key frequently to enhance your cell's security.
Changing the key at least once a month is strongly recommended.
<A NAME="IDX7254"></A>
<P><LI>The AFS server encryption key currently in use is stored in two
places. When you add a new key, you must make changes in both places
and make them in the correct order, as instructed in <A HREF="#HDRWQ362">Adding Server Encryption Keys</A>. Failure to follow the instructions can seriously
impair cell functioning, as clients and servers become unable to
communicate. The two storage sites for the current server encryption
key are the following:
<OL TYPE=1>
<P><LI>The file <B>/usr/afs/etc/KeyFile</B> on the local disk of every file
server machine. The file can list more than one key, each with an
associated numerical identifier, the <I>key version number</I> or
<I>kvno</I>. A client token records the key version number of the
key used to seal it, and the server process retrieves the appropriate key from
this file when the client presents the token. 
<A NAME="IDX7255"></A>
<A NAME="IDX7256"></A>
<A NAME="IDX7257"></A>
<A NAME="IDX7258"></A>
<A NAME="IDX7259"></A>
<P><LI>The <B>afs</B> entry in the Authentication Database. The
current server encryption key is in the entry's password field, just like
an individual user's scrambled password. The Authentication
Server's Ticket Granting Service (TGS) uses this key to encrypt the
tokens it gives to clients. There is only a single key in the entry,
because the TGS never needs to read existing tokens, but only to generate new
ones by using the current key.
<A NAME="IDX7260"></A>
<A NAME="IDX7261"></A>
<A NAME="IDX7262"></A>
</OL>
<P>For instructions on creating the initial <B>afs</B> entry and
<B>KeyFile</B> files as you install your cell's first server machine,
see the <I>IBM AFS Quick Beginnings</I>.
<P><LI>At any specific time, the tokens that the Authentication Server's
Ticket Granting Service gives to clients are sealed with only one of the
server encryption keys, namely the one stored in the <B>afs</B> entry in
the Authentication Database.
<P><LI>When you add a new server encryption key, you cannot immediately remove
the former key from the <B>/usr/afs/etc/KeyFile</B> file on the local disk
of every AFS server machine. Any time that you add a new key, it is
likely that some clients still have valid, unexpired tokens sealed with the
previous key. The more frequently you change the server encryption key,
the more such tickets there are likely to be. To be able to grant
service appropriately to clients with such tokens, an AFS server process must
still be able to access the server encryption key used to seal it. 
<P>You can safely delete an old server encryption key only when it is certain
that no clients have tokens sealed with that key. In general, wait a
period of time at least as long as the maximum token lifetime in your
cell. By default, the maximum token lifetime for users is 25 hours
(except for users whose Authentication Database entries were created by using
the 3.0 version of AFS, for whom the default is 100 hours). You
can use the <B>-lifetime</B> argument to the <B>kas setfields</B>
command to change this default.
<P>Instructions for removing obsolete keys appear in <A HREF="#HDRWQ368">Removing Server Encryption Keys</A>.
<P><LI>You create a new AFS server encryption key in much the same way regular
users change their passwords, by providing a character string that is
converted into an encryption key automatically. See <A HREF="#HDRWQ362">Adding Server Encryption Keys</A>.
<A NAME="IDX7263"></A>
<P><LI>In addition to using server encryption keys when communicating with
clients, the server processes use them to protect communications with other
server processes. Therefore, all server machines in your cell must have
the same version of the <B>KeyFile</B> file. The easiest way to
maintain consistency (if you run the United States edition of AFS) is to use
the Update Server to distribute the contents of the system control
machine's <B>/usr/afs/etc</B> directory to all of the other server
machines. There are two implications:
<UL>
<P><LI>You must run the <B>upserver</B> process on the system control machine
and an <B>upclientetc</B> process on all other server machines that
references the system control machine. The <I>IBM AFS Quick
Beginnings</I> explains how to install both processes. For
instructions on verifying that the Update Server processes are running, see <A HREF="auagd009.htm#HDRWQ158">Displaying Process Status and Information from the BosConfig File</A>.
<A NAME="IDX7264"></A>
<P><LI>Change the <B>KeyFile</B> file only on the system control machine
(except in the types of emergencies discussed in <A HREF="#HDRWQ370">Handling Server Encryption Key Emergencies</A>). Any changes you make on other server machines are
overwritten the next time the <B>upclientetc</B> process retrieves the
contents of the system control machine's <B>/usr/afs/etc</B>
directory. By default, this happens every five minutes.
<A NAME="IDX7265"></A>
</UL>
<P>If you run the international edition of AFS, do not use the Update Server
to distribute the contents of the <B>/usr/afs/etc</B> directory,
particularly the <B>KeyFile</B> file. The data in the file is too
sensitive for transfer in unencrypted form, and because of United States
government exports regulations the international edition of AFS does not
include the necessary encryption routines in a form that the Update Server can
use. You must instead modify the file on each server machine
individually, taking care to enter the same key on every server
machine.
<P><LI>Never edit the <B>KeyFile</B> directly with a text editor.
Instead, always use the appropriate <B>bos</B> commands as instructed in <A HREF="#HDRWQ362">Adding Server Encryption Keys</A> and <A HREF="#HDRWQ368">Removing Server Encryption Keys</A>.
</UL>
<HR><H2><A NAME="HDRWQ359" HREF="auagd002.htm#ToC_414">Displaying Server Encryption Keys</A></H2>
<P>To display the server encryption keys in the
<B>/usr/afs/etc/KeyFile</B> file on any file server machine, use the
<B>bos listkeys</B> command. Use the <B>kas examine</B> command
to display the key in the Authentication Database's <B>afs</B>
entry.
<P>By default the commands do not display the actual string of octal digits
that constitute a key, but rather a <I>checksum</I>, a decimal number
derived by encrypting a constant with the key. This prevents
unauthorized users from easily accessing the actual key, which they can then
use to falsify or eavesdrop on protected communications. 
<A NAME="IDX7266"></A>
<A NAME="IDX7267"></A>
The <B>bos listkeys</B> and <B>kas examine</B> commands generate the
same checksum for a given key, so displaying checksums rather than actual keys
is generally sufficient. If you suspect that the keys differ in a way
that the checksums are not revealing, then you are probably experiencing
authentication problems throughout your cell. The easiest solution is
to create a new server encryption key following the instructions in <A HREF="#HDRWQ362">Adding Server Encryption Keys</A> or <A HREF="#HDRWQ370">Handling Server Encryption Key Emergencies</A>. Another common reason to issue the
<B>bos listkeys</B> command is to display the key version numbers
currently in use, in preparation for choosing the next one; here, the
checksum is sufficient because the key itself is irrelevant.
<P>If it is important to display the actual octal digits, include the
<B>-showkey</B> argument to both the <B>bos listkeys</B> and <B>kas
examine</B> commands.
<A NAME="IDX7268"></A>
<A NAME="IDX7269"></A>
<A NAME="IDX7270"></A>
<A NAME="IDX7271"></A>
<A NAME="IDX7272"></A>
<A NAME="IDX7273"></A>
<P><H3><A NAME="HDRWQ360" HREF="auagd002.htm#ToC_415">To display the KeyFile file</A></H3>
<OL TYPE=1>
<P><LI>Verify that you are authenticated as a user listed in the
<B>/usr/afs/etc/UserList</B> file. If necessary, issue the <B>bos
listusers</B> command, which is fully described in <A HREF="auagd021.htm#HDRWQ593">To display the users in the UserList file</A>. 
<PRE>   % <B>bos listusers</B> &lt;<VAR>machine name</VAR>>
</PRE>
<P><LI>Issue the <B>bos listkeys</B> command to display the contents of one
machine's <B>/usr/afs/etc/KeyFile</B> file.
<PRE>   % <B>bos listkeys</B> &lt;<VAR>machine&nbsp;name</VAR>> [<B>-showkey</B>]
</PRE> 
<P>where 
<DL>
<P><DT><B>listk
</B><DD>Is the shortest acceptable abbreviation of <B>listkeys</B>.
<P><DT><B><VAR>machine name</VAR>
</B><DD>Names a file server machine. In the normal case, it is acceptable
to name any machine, because correct cell functioning requires that the
<B>KeyFile</B> file be the same on all of them.
<P><DT><B><B>-showkey</B>
</B><DD>Displays the octal digits that constitute each key.
</DL>
</OL>
<P>In the following example, the output displays a checksum for each server
encryption key rather than the actual octal digits. The penultimate
line indicates when an administrator last changed the file, and the final line
confirms that the output is complete.
<PRE>   % <B>bos listkeys fs1.abc.com</B>
   key 0 has cksum 972037177
   key 1 has cksum 2825165022
   Keys last changed on Wed Jan 13 11:20:29 1999. 
   All done.
</PRE>
<A NAME="IDX7274"></A>
<A NAME="IDX7275"></A>
<A NAME="IDX7276"></A>
<A NAME="IDX7277"></A>
<A NAME="IDX7278"></A>
<A NAME="IDX7279"></A>
<P><H3><A NAME="HDRWQ361" HREF="auagd002.htm#ToC_416">To display the afs key from the Authentication Database</A></H3>
<OL TYPE=1>
<P><LI>Issue the <B>kas examine</B> command to display the <B>afs</B>
entry in the Authentication Database. 
<P>The Authentication Server performs its own authentication rather than
accepting your existing AFS token. By default, it authenticates your
local (UNIX) identity, which possibly does not correspond to an AFS-privileged
administrator. Include the <B>-admin</B> argument to name an
identity that has the <TT>ADMIN</TT> flag on its Authentication Database
entry. To verify that an entry has the flag, issue the <B>kas
examine</B> command as described in <A HREF="auagd021.htm#HDRWQ590">To check if the ADMIN flag is set</A>.
<PRE>   % <B>kas examine afs</B> [<B>-showkey</B>]  \
                 <B>-admin</B>  &lt;<VAR>admin&nbsp;principal&nbsp;to&nbsp;use&nbsp;for&nbsp;authentication</VAR>>  
   Administrator's (<VAR>admin_user</VAR>) password: <VAR>admin_password</VAR> 
</PRE> 
<P>where
<DL>
<P><DT><B><B>e</B>
</B><DD>Is the shortest acceptable abbreviation of <B>examine</B>.
<P><DT><B>afs
</B><DD>Designates the <B>afs</B> entry.
<P><DT><B><B>-showkey</B>
</B><DD>Displays the octal digits that constitute the key.
<P><DT><B>-admin
</B><DD>Names an administrative account with the <TT>ADMIN</TT> flag on its
Authentication Database entry, such as <B>admin</B>. The password
prompt echoes it as <VAR>admin_user</VAR>. Enter the appropriate password
as <VAR>admin_password</VAR>.
</DL>
</OL>
<P>In the following example, the <B>admin</B> user displays the
<B>afs</B> entry without using the <B>-showkey</B> flag. The
second line shows the key version number in parentheses and the key's
checksum. The line that begins with the string <TT>last mod</TT>
reports the date on which the indicated administrator changed the key.
There is no necessary relationship between this date and the date reported by
the <B>bos listkeys</B> command, because the latter date changes for any
type of change to the <B>KeyFile</B> file, not just a key addition.
For a description of the other lines in the output from the <B>kas
examine</B> command, see its reference page in the <I>IBM AFS
Administration Reference</I>.
<PRE>   % <B>kas examine afs  -admin admin</B>
   Administrator's (admin) password: <VAR>admin_password</VAR> 
   User data for afs
    key (1) cksum is 2825165022, last cpw: no date
    password will never expire.
    An unlimited number of unsuccessful authentications is permitted.
    entry expires on never. Max ticket lifetime 100.00 hours.
    last mod on Wed Jan 13 11:21:36 1999 by admin
    permit password reuse
</PRE>
<HR><H2><A NAME="HDRWQ362" HREF="auagd002.htm#ToC_417">Adding Server Encryption Keys</A></H2>
<A NAME="IDX7280"></A>
<A NAME="IDX7281"></A>
<A NAME="IDX7282"></A>
<A NAME="IDX7283"></A>
<A NAME="IDX7284"></A>
<A NAME="IDX7285"></A>
<A NAME="IDX7286"></A>
<A NAME="IDX7287"></A>
<A NAME="IDX7288"></A>
<P>As noted, AFS records server encryption keys in two separate places:
<OL TYPE=1>
<P><LI>In the file <B>/usr/afs/etc/KeyFile</B> on the local disk of each
server machine, for use by the AFS server processes running on the machine
<P><LI>In the <B>afs</B> entry in the Authentication Database, for use by the
Ticket Granting Service (TGS) when creating tokens
</OL>
<P>To ensure that server processes and the TGS share the same AFS server
encryption key, execute all the steps in this section without
interruption.
<P>The following instructions include a step in which you restart the database
server processes (the Authentication, Backup, Protection, and Volume Location
Server processes) on all database server machines. As a database server
process starts, it reads in the server encryption key that has the highest key
version number in the <B>KeyFile</B> file and uses it to protect the
messages that it sends for synchronizing the database and maintaining
quorum. It uses the same key throughout its lifetime, which can be for
an extended period, even if you remove the key from the <B>KeyFile</B>
file. However, if one of the peer database server processes restarts
and the others do not, quorum and database synchronization break down because
the processes are no longer using the same key: the restarted process is
using the key that currently has the highest key version number, and the other
processes are still using the key they read in when they originally
started. To avoid this problem, it is safest to restart all of the
database server processes when adding a new key.
<P>After adding a new key, you can remove obsolete keys from the
<B>KeyFile</B> file to prevent it from becoming cluttered. However,
you must take care not to remove keys that client or server processes are
still using. For discussion and instructions, see <A HREF="#HDRWQ368">Removing Server Encryption Keys</A>.
<P><H3><A NAME="HDRWQ363" HREF="auagd002.htm#ToC_418">To add a new server encryption key</A></H3>
<OL TYPE=1>
<P><LI>Verify that you are authenticated as a user listed in the
<B>/usr/afs/etc/UserList</B> file. If necessary, issue the <B>bos
listusers</B> command, which is fully described in <A HREF="auagd021.htm#HDRWQ593">To display the users in the UserList file</A>. 
<PRE>   % <B>bos listusers</B> &lt;<VAR>machine name</VAR>>
</PRE>
<P><LI><A NAME="LIWQ364"></A>Issue the <B>bos listkeys</B> command to display the key
version numbers that are already in use, as a first step in choosing the key
version number for the new key. 
<PRE>   % <B>bos listkeys</B> &lt;<VAR>machine&nbsp;name</VAR>>
</PRE> 
<P>where 
<DL>
<P><DT><B>listk
</B><DD>Is the shortest acceptable abbreviation of <B>listkeys</B>.
<P><DT><B><VAR>machine name</VAR>
</B><DD>Names any file server machine.
</DL>
<P><LI><A NAME="LIWQ365"></A>Choose a key version number for the new key, based on the
output from Step <A HREF="#LIWQ364">2</A> and the following requirements: 
<UL>
<P><LI>A key version number must be an integer between 0 (zero) and 255 to comply
with Kerberos standards. It is simplest if you keep your key version
numbers in sequence by choosing a key version number one greater than the
largest existing one.
<P><LI>Do not reuse a key version number currently found in the
<B>KeyFile</B> file, particularly if it is also the one in the
Authentication Database <B>afs</B> entry. Client processes possibly
still have tickets sealed with the key that originally had that key version
number, but the server processes start using the new key marked with that key
version number. Because the keys do not match, the server processes
refuse requests from clients who hold legitimate tokens.
</UL>
<A NAME="IDX7289"></A>
<A NAME="IDX7290"></A>
<P><LI><A NAME="LIWQ366"></A>Issue the <B>bos addkey</B> command to create a new AFS
server encryption key in the <B>KeyFile</B> file. 
<P>If you run the United States edition of AFS and use the Update Server to
distribute the contents of the system control machine's
<B>/usr/afs/etc</B> directory, substitute the system control machine for
the <VAR>machine name</VAR> argument. (If you have forgotten which
machine is the system control machine, see <A HREF="auagd008.htm#HDRWQ96">To locate the system control machine</A>.)
<P>If you run the international edition of AFS or do not use the Update
Server, repeat the <B>bos addkey</B> command, substituting each server
machine in your cell for the <VAR>machine name</VAR> argument in turn.
<P>To avoid visible echoing of the string that corresponds to the new key,
omit the <B>-key</B> argument from the command line; instead enter
the string at the prompts that appear when you omit it, as shown in the
following syntax specification. 
<PRE>   % <B>bos addkey  -server</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-kvno</B> &lt;<VAR>key&nbsp;version&nbsp;number</VAR>>
   input key: <VAR>afs_password</VAR>
   Retype input key: <VAR>afs_password</VAR>
</PRE> 
<P>where
<DL>
<P><DT><B><B>addk</B>
</B><DD>Is the shortest acceptable abbreviation of <B>addkey</B>.
<P><DT><B>-server
</B><DD>Names the cell's system control machine if you are using the Update
Server, or each server machine in turn if you are not.
<P><DT><B>-kvno
</B><DD>Specifies the new key's key version number as an integer from the
range 0 (zero) through 255.
<P>Remember the number. You need to use it again in Step <A HREF="#LIWQ367">6</A>. If you are using the international edition of AFS,
be sure to type the same number each time you issue this command.
<P><DT><B><VAR>afs_password</VAR>
</B><DD>Is a character string similar to a user password, of any length from one
to about 1,000 characters. To improve security, include nonalphabetic
characters and make the string as long as is practical (you need to type it
only in this step and in Step <A HREF="#LIWQ367">6</A>). If you are using the international edition of AFS,
be sure to type the same string each time you issue this command. 
<P>Do not enter an octal string directly. The BOS Server scrambles the
character string into an octal string appropriate for use as an encryption key
before recording it in the <B>KeyFile</B> file.
</DL>
<P><LI>If you are using the Update Server, wait for a few minutes while the
Update Server distributes the new <B>KeyFile</B> file to all server
machines. The maximum necessary waiting period is the largest value
provided for the <B>-t</B> argument to the <B>upclientetc</B>
process's initialization command used on any of the server machines;
the default time is five minutes. 
<P>To be certain that all machines have the same <B>KeyFile</B> file,
issue the <B>bos listkeys</B> command for every file server machine and
verify that the checksum for the new key is the same on all machines. 
<PRE>   % <B>bos listkeys</B> &lt;<VAR>machine&nbsp;name</VAR>>
</PRE> 
<P>If you are not using the Update Server, try to complete Step <A HREF="#LIWQ366">4</A> within five minutes.
<A NAME="IDX7291"></A>
<A NAME="IDX7292"></A>
<P><LI><A NAME="LIWQ367"></A>Issue the <B>kas setpassword</B> command to enter the same
key in the <B>afs</B> entry in the Authentication Database. 
<P>The Authentication Server performs its own authentication rather than
accepting your existing AFS token. By default, it authenticates your
local (UNIX) identity, which possibly does not correspond to an AFS-privileged
administrator. Include the <B>-admin</B> argument to name an
identity that has the <TT>ADMIN</TT> flag on its Authentication Database
entry. To verify that an entry has the flag, issue the <B>kas
examine</B> command as described in <A HREF="auagd021.htm#HDRWQ590">To check if the ADMIN flag is set</A>. 
<PRE>   % <B>kas setpassword -name afs -kvno</B> &lt;<VAR>kvno</VAR>>  \
                     <B>-admin</B>  &lt;<VAR>admin&nbsp;principal&nbsp;to&nbsp;use&nbsp;for&nbsp;authentication</VAR>>  
   Administrator's (<VAR>admin_user</VAR>) password: <VAR>admin_password</VAR> 
   new_password: <VAR>afs_password</VAR>
   Verifying, please re-enter new_password: <VAR>afs_password</VAR>
</PRE> 
<P>where 
<DL>
<P><DT><B><B>sp</B>
</B><DD>Is an acceptable alias for <B>setpassword</B> (<B>setp</B> is the
shortest acceptable abbreviation).
<P><DT><B>-name afs
</B><DD>Creates the new key in the <B>afs</B> entry.
<P><DT><B>-kvno
</B><DD>Specifies the same key version number as in Step <A HREF="#LIWQ366">4</A>.
<P><DT><B>-admin
</B><DD>Names an administrative account with the <TT>ADMIN</TT> flag on its
Authentication Database entry, such as <B>admin</B>. The password
prompt echoes it as <VAR>admin_user</VAR>. Enter the appropriate password
as <VAR>admin_password</VAR>.
<P><DT><B><VAR>afs_password</VAR>
</B><DD>Is the same character string you entered in Step <A HREF="#LIWQ366">4</A>.
</DL>
<P><LI><B>(Optional.)</B> If you want to verify that the keys you just
created in the <B>KeyFile</B> file and the Authentication Database
<B>afs</B> entry are identical and have the same key version number,
follow the instructions in <A HREF="#HDRWQ359">Displaying Server Encryption Keys</A>.
<P><LI>Issue the <B>bos restart</B> command to restart the database server
processes on all database server machines. This forces them to start
using the key in the <B>KeyFile</B> file that currently has the highest
key version number. 
<P>Repeat this command in quick succession for each database server machine,
starting with the machine that has the lowest IP address. 
<PRE>   % <B>bos restart</B>  &lt;<VAR>machine&nbsp;name</VAR>> <B>buserver kaserver ptserver vlserver</B>
</PRE> 
<P>where 
<DL>
<P><DT><B><B>res</B>
</B><DD>Is the shortest acceptable abbreviation of <B>restart</B>.
<P><DT><B><VAR>machine name</VAR>
</B><DD>Names each database server machine in turn.
<P><DT><B>buserver kaserver ptserver vlserver
</B><DD>Designates the Backup Server, Authentication Server, Protection Server,
and Volume Location (VL) Server, respectively.
</DL>
</OL>
<HR><H2><A NAME="HDRWQ368" HREF="auagd002.htm#ToC_419">Removing Server Encryption Keys</A></H2>
<A NAME="IDX7293"></A>
<A NAME="IDX7294"></A>
<A NAME="IDX7295"></A>
<P>You can periodically remove old keys from the
<B>/usr/afs/etc/KeyFile</B> file to keep it to a reasonable size.
To avoid disturbing cell functioning, do not remove an old key until all
tokens sealed with the key and held by users or client processes have
expired. After adding a new key, wait to remove old keys at least as
long as the longest token lifetime you use in your cell. For
Authentication Database user entries created under AFS version 3.1 or
higher, the default token lifetime is 25 hours; for entries created under
AFS version 3.0, it is 100 hours.
<P>There is no command for removing the key from the <B>afs</B> entry in
the Authentication Database, because the key field in that entry must never be
empty. Use the <B>kas setpassword</B> command to replace the
<B>afs</B> key, but only as part of the complete procedure detailed in <A HREF="#HDRWQ363">To add a new server encryption key</A>.
<P>Never remove from the <B>KeyFile</B> file the key that is currently in
the <B>afs</B> entry in the Authentication Database. AFS server
processes become unable to decrypt the tickets that clients present to
them.
<P><H3><A NAME="HDRWQ369" HREF="auagd002.htm#ToC_420">To remove a key from the KeyFile file</A></H3>
<OL TYPE=1>
<P><LI>Verify that you are authenticated as a user listed in the
<B>/usr/afs/etc/UserList</B> file. If necessary, issue the <B>bos
listusers</B> command, which is fully described in <A HREF="auagd021.htm#HDRWQ593">To display the users in the UserList file</A>. 
<PRE>   % <B>bos listusers</B> &lt;<VAR>machine name</VAR>>
</PRE>
<P><LI>Issue the <B>bos listkeys</B> command to display the key version
number of each key you want to remove. The output also reveals whether
it has been at least 25 hours since a new key was placed in the
<B>KeyFile</B> file. For complete instructions for the <B>bos
listkeys</B> command, see <A HREF="#HDRWQ360">To display the KeyFile file</A>. 
<PRE>   % <B>bos listkeys</B> &lt;<VAR>machine&nbsp;name</VAR>>
</PRE>
<P><LI>Issue the <B>kas examine</B> command to verify that the key currently
in the Authentication Database's <B>afs</B> entry does not have the
same key version number as any of the keys you are removing from the
<B>KeyFile</B> file. For detailed instructions for the <B>kas
examine</B> command, see <A HREF="#HDRWQ361">To display the afs key from the Authentication Database</A>. 
<PRE>   % <B>kas examine afs  -admin</B> &lt;<VAR>admin&nbsp;principal&nbsp;to&nbsp;use&nbsp;for&nbsp;authentication</VAR>>  
   Administrator's (<VAR>admin_user</VAR>) password: <VAR>admin_password</VAR> 
</PRE>
<A NAME="IDX7296"></A>
<A NAME="IDX7297"></A>
<P><LI>Issue the <B>bos removekey</B> command to remove one or more server
encryption keys from the <B>KeyFile</B> file. 
<P>If you run the United States edition of AFS and use the Update Server to
distribute the contents of the system control machine's
<B>/usr/afs/etc</B> directory, substitute the system control machine for
the <VAR>machine name</VAR> argument. (If you have forgotten which
machine is the system control machine, see <A HREF="auagd008.htm#HDRWQ96">To locate the system control machine</A>.)
<P>If you run the international edition of AFS or do not use the Update
Server, repeat the <B>bos removekey</B> command, substituting each server
machine in your cell for the <VAR>machine name</VAR> argument in turn. 
<PRE>   % <B>bos removekey</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>key&nbsp;version&nbsp;number</VAR>>
</PRE> 
<P>where 
<DL>
<P><DT><B><B>removek</B>
</B><DD>Is the shortest acceptable abbreviation of <B>removekey</B>.
<P><DT><B><VAR>machine name</VAR>
</B><DD>Names the cell's system control machine if you are using the Update
Server, or each server machine in turn if you are not.
<P><DT><B><VAR>key version number</VAR>
</B><DD>Specifies the key version number of each key to remove.
</DL>
</OL>
<HR><H2><A NAME="HDRWQ370" HREF="auagd002.htm#ToC_421">Handling Server Encryption Key Emergencies</A></H2>
<A NAME="IDX7298"></A>
<A NAME="IDX7299"></A>
<A NAME="IDX7300"></A>
<A NAME="IDX7301"></A>
<A NAME="IDX7302"></A>
<P>In rare circumstances, the AFS server processes can become unable to
decrypt the server tickets that clients or peer server processes are
presenting. Activity in your cell can come to a halt, because the
server processes believe that the tickets are forged or expired, and refuse to
execute any actions. This can happen on one machine or several;
the effect is more serious when more machines are involved.
<P>One common cause of server encryption key problems is that the
client's ticket is encrypted with a key that the server process does not
know. Usually this means that the <B>/usr/afs/etc/KeyFile</B> on
the server machine does not include the key in the <B>afs</B>
Authentication Database entry, which the Authentication Server's Ticket
Granting Service (TGS) module is using to encrypt server tickets.
<P>Another possibility is that the <B>KeyFile</B> files on different
machines do not contain the same keys. In this case, communications
among server processes themselves become impossible. For instance,
AFS's replicated database mechanism (Ubik) breaks down if the instances
of a database server process on the different database server machines are not
using the same key.
<P>The appearance of the following error message when you direct a
<B>bos</B> command to a file server machine in the local cell is one
possible symptom of server encryption key mismatch. (Note, however,
that you can also get this message if you forget to include the
<B>-cell</B> argument when directing the <B>bos</B> command to a file
server machine in a foreign cell.)
<PRE>   bos: failed to contact host's bosserver (security object was passed a bad ticket).
</PRE>
<P>The solution to server encryption key emergencies is to put a new AFS
server encryption key in both the Authentication Database and the
<B>KeyFile</B> file on every server machine, so that the TGS and all
server processes again share the same key.
<P>Handling key emergencies requires some unusual actions. The reasons
for these actions are explained in the following sections; the actual
procedures appear in the subsequent instructions.
<P><H3><A NAME="HDRWQ371" HREF="auagd002.htm#ToC_422">Prevent Mutual Authentication</A></H3>
<P>It is necessary to prevent the server processes from trying
to mutually authenticate with you as you deal with a key emergency, because
they possibly cannot decrypt your token. When you do not mutually
authenticate, the server processes assign you the identity
<B>anonymous</B>. To prevent mutual authentication, use the
<B>unlog</B> command to discard your tokens and include the
<B>-noauth</B> flag on every command where it is available.
<P><H3><A NAME="Header_423" HREF="auagd002.htm#ToC_423">Disable Authorization Checking by Hand</A></H3>
<P>Because the server processes recognize you as the user
<B>anonymous</B> when you do not mutually authenticate, you must turn off
authorization checking. Only with authorization checking disabled do
the server processes allow the <B>anonymous</B> user to perform privileged
actions such as key creation.
<P>In an emergency, disable authorization checking by creating the file
<B>/usr/afs/local/NoAuth</B> by hand. In normal circumstances, use
the <B>bos setauth</B> command instead.
<P><H3><A NAME="Header_424" HREF="auagd002.htm#ToC_424">Work Quickly on Each Machine</A></H3>
<P>Disabling authorization checking is a serious security exposure,
because server processes on the affected machine perform any action for
anyone. Disable authorization checking only for as long as necessary,
completing all steps in an uninterrupted session and as quickly as
possible.
<P><H3><A NAME="Header_425" HREF="auagd002.htm#ToC_425">Work at the Console</A></H3>
<P>Working at the console of each server machine on which you disable
authorization checking ensures that no one else logs onto the console while
you are working there. It does not prevent others from connecting to
the machine remotely (using the <B>telnet</B> program, for example), which
is why it is important to work quickly. The only way to ensure complete
security is to disable network traffic, which is not a viable option in many
environments. You can improve security in general by limiting the
number of people who can connect remotely to your server machines at any time,
as recommended in <A HREF="auagd007.htm#HDRWQ74">Improving Security in Your Cell</A>.
<P><H3><A NAME="HDRWQ372" HREF="auagd002.htm#ToC_426">Change Individual KeyFile Files</A></H3>
<P>If you use the Update Server to distribute the contents of
the <B>/usr/afs/etc</B> directory, an emergency is the only time when it
is appropriate to change the <B>KeyFile</B> file on individual machines
instead. Updating each machine's file is necessary because
mismatched keys can prevent the system control machine's
<B>upserver</B> process from mutually authenticating with
<B>upclientetc</B> processes on other server machines, in which case the
<B>upserver</B> process refuses to distribute its <B>KeyFile</B> file
to them.
<P>Even if it appears that the Update Server is working correctly, the only
way to verify that is to change the key on the system control machine and wait
the standard delay period to see if the <B>upclientetc</B> processes
retrieve the key. During an emergency, it does not usually make sense
to wait the standard delay period. It is more efficient simply to
update the file on each server machine separately. Also, even if the
Update Server can distribute the file correctly, other processes can have
trouble because of mismatched keys. The following instructions add the
new key file on the system control machine first. If the Update Server
is working, then it is distributing the same change as you are making on each
server machine individually.
<P>If your cell does not use the Update Server, or uses the international
edition of AFS, you always change keys on server machines individually.
The following instructions are also appropriate for you.
<P><H3><A NAME="Header_427" HREF="auagd002.htm#ToC_427">Two Component Procedures</A></H3>
<P>There are two subprocedures used frequently in the following
instructions: disabling authorization checking and reenabling it.
For the sake of clarity, the procedures are detailed here; the
instructions refer to them as necessary.
<P><H4><A NAME="HDRWQ373">Disabling Authorization Checking in an Emergency</A></H4>
<OL TYPE=1>
<P><LI>Become the local superuser <B>root</B> on the machine, if you are not
already, by issuing the <B>su</B> command. 
<PRE>   % <B>su root</B>
   Password: <VAR>root_password</VAR>
</PRE>
<A NAME="IDX7303"></A>
<P><LI><A NAME="LIWQ374"></A>Create the file <B>/usr/afs/local/NoAuth</B> to disable
authorization checking. 
<PRE>   # <B>touch /usr/afs/local/NoAuth</B>
</PRE>
<A NAME="IDX7304"></A>
<P><LI>Discard your tokens, in case they were sealed with an incompatible key,
which can prevent some commands from executing. 
<PRE>   # <B>unlog</B>
</PRE>
</OL>
<P><H4><A NAME="HDRWQ375">Reenabling Authorization Checking in an Emergency</A></H4>
<OL TYPE=1>
<P><LI>Become the local superuser <B>root</B> on the machine, if you are not
already, by issuing the <B>su</B> command. 
<PRE>   % <B>su root</B>
   Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Remove the <B>/usr/afs/local/NoAuth</B> file. 
<PRE>   # <B>rm /usr/afs/local/NoAuth</B>
</PRE>
<A NAME="IDX7305"></A>
<P><LI>Authenticate as an administrative identity that belongs to the
<B>system:administrators</B> group and is listed in the
<B>/usr/afs/etc/UserList</B> file. 
<PRE>   # <B>klog</B> &lt;<VAR>admin_user</VAR>>
   Password: &lt;<VAR>admin_password</VAR>>
</PRE>
<P><LI>If appropriate, log out from the console (or close the remote connection
you are using), after issuing the <B>unlog</B> command to destroy your
tokens.
</OL>
<P><H3><A NAME="Header_430" HREF="auagd002.htm#ToC_430">To create a new server encryption key in emergencies</A></H3>
<OL TYPE=1>
<P><LI><A NAME="LIWQ376"></A><B>On the system control machine</B>, disable authorization
checking as instructed in <A HREF="#HDRWQ373">Disabling Authorization Checking in an Emergency</A>.
<P><LI><A NAME="LIWQ377"></A>Issue the <B>bos listkeys</B> command to display the key
version numbers already in use in the <B>KeyFile</B> file, as a first step
in choosing the new key's key version number. 
<PRE>   #<B> bos listkeys</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-noauth</B>
</PRE> 
<P>where 
<DL>
<P><DT><B><B>listk</B>
</B><DD>Is the shortest acceptable abbreviation of <B>listkeys</B>.
<P><DT><B><VAR>machine name</VAR>
</B><DD>Specifies a file server machine.
<P><DT><B><B>-noauth</B>
</B><DD>Bypasses mutual authentication with the BOS Server. Include it in
case the key emergency is preventing successful mutual authentication.
</DL>
<P><LI><A NAME="LIWQ378"></A>Choose a key version number for the new key, based on what you
learned in Step <A HREF="#LIWQ377">2</A> plus the following requirements: 
<UL>
<P><LI>It is best to keep your key version numbers in sequence by choosing a key
version number one greater than the largest existing one.
<P><LI>Key version numbers must be integers between 0 and 255 to comply with
Kerberos standards.
<P><LI>Do not reuse a key version number currently listed in the
<B>KeyFile</B> file.
</UL>
<A NAME="IDX7306"></A>
<P><LI><A NAME="LIWQ379"></A><B>On the system control machine</B>, issue the <B>bos
addkey</B> command to create a new AFS server encryption key in the
<B>KeyFile</B> file. 
<PRE>   # <B>bos addkey</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-kvno</B> &lt;<VAR>key&nbsp;version&nbsp;number</VAR>> <B>-noauth</B>
   input key: <VAR>afs_password</VAR>
   Retype input key: <VAR>afs_password</VAR>
</PRE> 
<P>where 
<DL>
<P><DT><B><B>addk</B>
</B><DD>Is the shortest acceptable abbreviation of <B>addkey</B>.
<P><DT><B><VAR>machine name</VAR>
</B><DD>Names the file server machine on which to define the new key in the
<B>KeyFile</B> file.
<P><DT><B>-kvno
</B><DD>Specifies the key version number you chose in Step <A HREF="#LIWQ378">3</A>, an integer in the range 0 (zero) through 255. You
must specify the same number in Steps <A HREF="#LIWQ382">7</A>, <A HREF="#LIWQ383">8</A>, and <A HREF="#LIWQ386">13</A>.
<P><DT><B><B>-noauth</B>
</B><DD>Bypasses mutual authentication with the BOS Server. Include it in
case the key emergency is preventing successful mutual authentication.
<P><DT><B><VAR>afs_password</VAR>
</B><DD>Is a character string similar to a user password, of any length from one
to about 1,000 characters. To improve security, make the string as long
as is practical, and include nonalphabetic characters. 
<P>Do not type an octal string directly. The BOS Server scrambles the
character string into an octal string appropriate for use as an encryption key
before recording it in the <B>KeyFile</B> file.
<P>Remember the string. You need to use it again in Steps <A HREF="#LIWQ382">7</A>, <A HREF="#LIWQ383">8</A>, and <A HREF="#LIWQ386">13</A>.
</DL>
<P><LI><A NAME="LIWQ380"></A><B>On every database server machine in your cell</B> (other
than the system control machine), disable authorization checking as instructed
in <A HREF="#HDRWQ373">Disabling Authorization Checking in an Emergency</A>. Do not repeat the procedure on the system control
machine, if it is a database server machine, because you already disabled
authorization checking in Step <A HREF="#LIWQ376">1</A>. (If you need to learn which machines are database
server machines, use the <B>bos listhosts</B> command as described in <A HREF="auagd008.htm#HDRWQ95">To locate database server machines</A>.)
<P><LI><A NAME="LIWQ381"></A>Wait at least 90 seconds after finishing Step <A HREF="#LIWQ380">5</A>, to allow each of the database server processes (the
Authentication, Backup, Protection and Volume Location Servers) to finish
electing a new sync site. Then issue the <B>udebug</B> command to
verify that the election worked properly. Issue the following commands,
substituting each database server machine's name for <VAR>server
machine</VAR> in turn. Include the system control machine if it is a
database server machine. 
<PRE>   # <B>udebug</B> &lt;<VAR>server&nbsp;machine</VAR>> <B>buserver</B>
   # <B>udebug</B> &lt;<VAR>server&nbsp;machine</VAR>> <B>kaserver</B>
   # <B>udebug</B> &lt;<VAR>server&nbsp;machine</VAR>> <B>ptserver</B>
   # <B>udebug</B> &lt;<VAR>server&nbsp;machine</VAR>> <B>vlserver</B>
</PRE> 
<P>For each process, the output from all of the database server machines must
agree on which one is the sync site for the process. It is not,
however, necessary that the same machine serves as the sync site for each of
the four processes. For each process, the output from only one machine
must include the following string: 
<PRE>   I am sync site ...
</PRE> 
<P>The output on the other machines instead includes the following line 
<PRE>   I am not sync site
</PRE> 
<P>and a subsequent line that begins with the string <TT>Sync host</TT> and
specifies the IP address of the machine claiming to be the sync site.
<P>If the output does not meet these requirements or seems abnormal in another
way, contact AFS Product Support for assistance.
<P><LI><A NAME="LIWQ382"></A><B>On every database server machine in your cell</B> (other
than the system control machine), issue the <B>bos addkey</B> command
described in Step <A HREF="#LIWQ379">4</A>. Be sure to use the same values for
<VAR>afs_password</VAR> and <VAR>kvno</VAR> as you used in that step.
<A NAME="IDX7307"></A>
<P><LI><A NAME="LIWQ383"></A>Issue the <B>kas setpassword</B> command to define the new
key in the Authentication Database's <B>afs</B> entry. It must
match the key you created in Step <A HREF="#LIWQ379">4</A> and Step <A HREF="#LIWQ382">7</A>. 
<PRE>   # <B>kas setpassword  -name afs</B>  <B>-kvno</B> &lt;<VAR>key&nbsp;version&nbsp;number</VAR>> <B>-noauth</B>
   new_password: <VAR>afs_password</VAR>
   Verifying, please re-enter new_password: <VAR>afs_password</VAR>
</PRE> 
<P>where 
<DL>
<P><DT><B><B>sp</B>
</B><DD>Is an acceptable alias for <B>setpassword</B> (<B>setp</B> is the
shortest acceptable abbreviation).
<P><DT><B>-kvno
</B><DD>Is the same key version number you specified in Step <A HREF="#LIWQ379">4</A>.
<P><DT><B><VAR>afs_password</VAR>
</B><DD>Is the same character string you specified as <VAR>afs_password</VAR> in
Step <A HREF="#LIWQ379">4</A>. It does not echo visibly.
</DL>
<P><LI><A NAME="LIWQ384"></A><B>On every database server machine in your cell</B>
(including the system control machine if it is a database server machine),
reenable authorization checking as instructed in <A HREF="#HDRWQ375">Reenabling Authorization Checking in an Emergency</A>. If the system control machine is not a database
server machine, do not perform this procedure until Step <A HREF="#LIWQ385">11</A>.
<P><LI>Repeat Step <A HREF="#LIWQ381">6</A> to verify that each database server process has properly
elected a sync site after being restarted in Step <A HREF="#LIWQ384">9</A>.
<P><LI><A NAME="LIWQ385"></A><B>On the system control machine</B> (if it is not a
database server machine), reenable authorization checking as instructed in <A HREF="#HDRWQ375">Reenabling Authorization Checking in an Emergency</A>. If it is a database server machine, you already
performed the procedure in Step <A HREF="#LIWQ384">9</A>.
<P><LI><B>On all remaining (simple) file server machines</B>, disable
authorization checking as instructed in <A HREF="#HDRWQ373">Disabling Authorization Checking in an Emergency</A>.
<P><LI><A NAME="LIWQ386"></A><B>On all remaining (simple) file server machines</B>,
issue the <B>bos addkey</B> command described in Step <A HREF="#LIWQ379">4</A>. Be sure to use the same values for
<VAR>afs_password</VAR> and <VAR>kvno</VAR> as you used in that step.
<P><LI><B>On all remaining (simple) file server machines</B>, reenable
authorization checking as instructed in <A HREF="#HDRWQ375">Reenabling Authorization Checking in an Emergency</A>.
</OL>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auagd002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auagd013.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auagd015.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auagd026.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<!-- Begin Footer Records  ========================================== -->
<P><HR><B> 
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A>  All Rights Reserved 
</B> 
<!-- End Footer Records  ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>