viced-multiple-ports-per-client-20051208

[openafs.git] / doc / man-pages / pod / bos_setauth.pod

=head1 NAME

bos setauth - Sets authorization checking requirements for all server processes

=head1 SYNOPSIS

bos setauth B<-server> I<machine name>
B<-authrequired> I<on or off: authentication required for admin requests>
[B<-cell> I<cell name>]  [B<-noauth>]  [B<-localauth>]  [B<-help>]

bos seta B<-s> I<machine name>
B<-a> I<on or off: authentication required for admin requests>
[B<-c> I<cell name>]  [B<-n>]  [B<-l>]  [B<-h>]

=head1 DESCRIPTION

The C<bos setauth> command enables or disables authorization checking on
the server machine named by the B<-server> argument. When authorization
checking is enabled (the normal case), the AFS server processes
running on the machine verify that the issuer of a command meets its
privilege requirements. When authorization checking is disabled,
server processes perform any action for anyone, including the
unprivileged user B<anonymous>; this security exposure precludes
disabling of authorization checking except during installation or
emergencies.

To indicate to the server processes that authorization checking is
disabled, the BOS Server creates the zero-length file
B</usr/afs/local/NoAuth> on its local disk. All AFS server processes
constantly monitor for the B<NoAuth> file's presence and do not check for
authorization when it is present. The BOS Server removes the file when
this command is used to reenable authorization checking.

=head1 OPTIONS

=over 4

=item B<-server> I<machine name>

Indicates the server machine on which to enable or disable
authorization checking. Identify the machine by IP address or
its host name (either fully-qualified or abbreviated
unambiguously). For details, see the introductory reference
page for the C<bos> command suite.

=item B<-authrequired> I<on or off: authentication required for admin requests>

Enables authorization checking if the value is C<on>, or disables
it if the value is C<off>.

=item B<-cell> I<cell name>

Names the cell in which to run the command. Do not combine this
argument with the B<-localauth> flag. For more details, see the
introductory L<bos(1)> reference page.

=item B<-noauth>

Assigns the unprivileged identity B<anonymous> to the issuer. Do
not combine this flag with the B<-localauth> flag. For more
details, see the introductory L<bos(1)> reference page.

=item B<-localauth>

Constructs a server ticket using a key from the local
B</usr/afs/etc/KeyFile> file. The C<bos> command interpreter presents
the ticket to the BOS Server during mutual authentication. Do
not combine this flag with the B<-cell> or B<-noauth> options. For
more details, see the introductory L<bos(1)> reference page.

=item B<-help>

Prints the online help for this command. All other valid
options are ignored.

=back

=head1 EXAMPLES

The following example disables authorization checking on the machine
B<fs7.abc.com>:

    bos setauth -server fs7.abc.com -authrequired off

=head1 PRIVILEGE REQUIRED

The issuer must be listed in the B</usr/afs/etc/UserList> file on the
machine named by the B<-server> argument, or must be logged onto a server
machine as the local superuser B<root> if the B<-localauth> flag is
included.

=head1 CAVEATS

Do not create the B<NoAuth> file directly, except when directed by
instructions for dealing with emergencies (doing so requires being
logged in as the local superuser B<root>). Use this command instead.

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

Converted from html to pod by Alf Wachsmann <alfw@slac.stanford.edu>, 2003,
and Elizabeth Cassell <e_a_c@mailsnare.net>, 2004,
Stanford Linear Accelerator Center, a department of Stanford University.

=head1 SEE ALSO

L<KeyFile(1)>,
L<NoAuth(1)>,
L<UserList(1)>,
L<bos(1)>,
L<bos_restart(1)>

=cut