1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Managing Server Encryption Keys</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="AFS Administration Guide"
11 HREF="book1.html"><LINK
13 TITLE="Managing File Server Machines"
14 HREF="p3023.html"><LINK
16 TITLE="Monitoring and Auditing AFS Performance"
17 HREF="c18360.html"><LINK
19 TITLE="Managing Client Machines"
20 HREF="p21471.html"></HEAD
31 SUMMARY="Header navigation table"
40 >AFS Administration Guide: Version 3.6</TH
77 >Chapter 9. Managing Server Encryption Keys</H1
79 >This chapter explains how to maintain your cell's server encryption keys, which are vital for secure communications in
87 >Summary of Instructions</A
90 >This chapter explains how to perform the following tasks by using the indicated commands:</P
105 >Add a new server encryption key</TD
123 >Inspect key checksums in the Authentication Database</TD
135 >Inspect key checksums in the <SPAN
153 >Remove an old server encryption key</TD
173 >About Server Encryption Keys</A
176 >An encryption key is a string of octal numbers used to encrypt and decrypt packets of information. In AFS, a server
177 encryption key is the key used to protect information being transferred between AFS server processes and between them and their
178 clients. A server encryption key is essentially a password for a server process and like a user password is stored in the
179 Authentication Database.</P
181 >Maintaining your cell's server encryption keys properly is the most basic way to protect the information in your AFS
182 filespace from access by unauthorized users.</P
189 >Keys and Mutual Authentication: A Review</A
192 >Server encryption keys play a central role in the mutual authentication between client and server processes in AFS. For
193 a more detailed description of mutual authentication, see <A
194 HREF="c667.html#HDRWQ75"
195 >A More Detailed Look at Mutual
199 >When a client wants to contact an AFS server, it first contacts the Ticket Granting Service (TGS) module of the
200 Authentication Server. After verifying the client's identity (based indirectly on the password of the human user whom the
201 client represents), the TGS gives the client a server ticket. This ticket is encrypted with the server's encryption key. (The
202 TGS also invents a second encryption key, called the session key, to be used only for a single episode of communication
203 between server and client. The server ticket and session key, together with other pieces of information, are collectively
204 referred to as a token.)</P
206 >The client cannot read the server ticket or token because it does not know the server encryption key. However, the
207 client sends it to the AFS server along with service requests, because the ticket proves to the AFS server processes that it
208 has already authenticated with the TGS. AFS servers trust the TGS to grant tickets only to valid clients. The fact that the
209 client possesses a ticket encrypted with the server's encryption key proves to the server that the client is valid. On the
210 other hand, the client assumes that only a genuine AFS server knows the server encryption key needed to decrypt the ticket.
211 The server's ability to decrypt the ticket and understand its contents proves to the client that the server is
220 >Maintaining AFS Server Encryption Keys</A
223 >As you maintain your cell's server encryption keys, keep the following in mind. <UL
226 >Change the key frequently to enhance your cell's security. Changing the key at least once a month is strongly
231 >The AFS server encryption key currently in use is stored in two places. When you add a new key, you must make
232 changes in both places and make them in the correct order, as instructed in <A
233 HREF="c20494.html#HDRWQ362"
236 >. Failure to follow the instructions can seriously impair cell functioning, as clients and servers
237 become unable to communicate. The two storage sites for the current server encryption key are the following:
246 >/usr/afs/etc/KeyFile</B
248 > on the local disk of every file server
249 machine. The file can list more than one key, each with an associated numerical identifier, the key version number
250 or kvno. A client token records the key version number of the key used to seal it, and the server process
251 retrieves the appropriate key from this file when the client presents the token.</P
261 > entry in the Authentication Database. The current server encryption
262 key is in the entry's password field, just like an individual user's scrambled password. The Authentication
263 Server's Ticket Granting Service (TGS) uses this key to encrypt the tokens it gives to clients. There is only a
264 single key in the entry, because the TGS never needs to read existing tokens, but only to generate new ones by
265 using the current key.</P
270 >For instructions on creating the initial <SPAN
282 > files as you install your cell's first server machine, see the IBM AFS Quick
287 >At any specific time, the tokens that the Authentication Server's Ticket Granting Service gives to clients are
288 sealed with only one of the server encryption keys, namely the one stored in the <SPAN
295 entry in the Authentication Database.</P
299 >When you add a new server encryption key, you cannot immediately remove the former key from the <SPAN
303 >/usr/afs/etc/KeyFile</B
305 > file on the local disk of every AFS server machine. Any time that you add a
306 new key, it is likely that some clients still have valid, unexpired tokens sealed with the previous key. The more
307 frequently you change the server encryption key, the more such tickets there are likely to be. To be able to grant
308 service appropriately to clients with such tokens, an AFS server process must still be able to access the server
309 encryption key used to seal it.</P
311 >You can safely delete an old server encryption key only when it is certain that no clients have tokens sealed with
312 that key. In general, wait a period of time at least as long as the maximum token lifetime in your cell. By default, the
313 maximum token lifetime for users is 25 hours (except for users whose Authentication Database entries were created by
314 using the 3.0 version of AFS, for whom the default is 100 hours). You can use the <SPAN
320 > argument to the <SPAN
326 > command to change this
329 >Instructions for removing obsolete keys appear in <A
330 HREF="c20494.html#HDRWQ368"
331 >Removing Server Encryption
337 >You create a new AFS server encryption key in much the same way regular users change their passwords, by providing
338 a character string that is converted into an encryption key automatically. See <A
339 HREF="c20494.html#HDRWQ362"
346 >In addition to using server encryption keys when communicating with clients, the server processes use them to
347 protect communications with other server processes. Therefore, all server machines in your cell must have the same
354 > file. The easiest way to maintain consistency (if you run the
355 United States edition of AFS) is to use the Update Server to distribute the contents of the system control machine's
362 > directory to all of the other server machines. There are two implications:
366 >You must run the <SPAN
372 > process on the system control machine and an
379 > process on all other server machines that references the system
380 control machine. The IBM AFS Quick Beginnings explains how to install both processes. For instructions on
381 verifying that the Update Server processes are running, see <A
382 HREF="c6449.html#HDRWQ158"
383 >Displaying Process Status and
384 Information from the BosConfig File</A
395 > file only on the system control machine (except in the
396 types of emergencies discussed in <A
397 HREF="c20494.html#HDRWQ370"
398 >Handling Server Encryption Key Emergencies</A
400 changes you make on other server machines are overwritten the next time the <SPAN
406 > process retrieves the contents of the system control machine's <SPAN
412 > directory. By default, this happens every five minutes.</P
417 >If you run the international edition of AFS, do not use the Update Server to distribute the contents of the
424 > directory, particularly the <SPAN
431 The data in the file is too sensitive for transfer in unencrypted form, and because of United States government exports
432 regulations the international edition of AFS does not include the necessary encryption routines in a form that the
433 Update Server can use. You must instead modify the file on each server machine individually, taking care to enter the
434 same key on every server machine.</P
438 >Never edit the <SPAN
444 > directly with a text editor. Instead, always use the
451 > commands as instructed in <A
452 HREF="c20494.html#HDRWQ362"
456 HREF="c20494.html#HDRWQ368"
457 >Removing Server Encryption Keys</A
470 >Displaying Server Encryption Keys</A
473 >To display the server encryption keys in the <SPAN
477 >/usr/afs/etc/KeyFile</B
479 > file on any file server
480 machine, use the <SPAN
486 > command. Use the <SPAN
493 command to display the key in the Authentication Database's <SPAN
501 >By default the commands do not display the actual string of octal digits that constitute a key, but rather a checksum, a
502 decimal number derived by encrypting a constant with the key. This prevents unauthorized users from easily accessing the actual
503 key, which they can then use to falsify or eavesdrop on protected communications. The <SPAN
516 > commands generate the same checksum for a given key, so
517 displaying checksums rather than actual keys is generally sufficient. If you suspect that the keys differ in a way that the
518 checksums are not revealing, then you are probably experiencing authentication problems throughout your cell. The easiest
519 solution is to create a new server encryption key following the instructions in <A
520 HREF="c20494.html#HDRWQ362"
524 HREF="c20494.html#HDRWQ370"
525 >Handling Server Encryption Key Emergencies</A
526 >. Another common reason to
533 > command is to display the key version numbers currently in use, in
534 preparation for choosing the next one; here, the checksum is sufficient because the key itself is irrelevant.</P
536 >If it is important to display the actual octal digits, include the <SPAN
562 >To display the KeyFile file</A
568 >Verify that you are authenticated as a user listed in the <SPAN
572 >/usr/afs/etc/UserList</B
575 file. If necessary, issue the <SPAN
581 > command, which is fully described in <A
582 HREF="c32432.html#HDRWQ593"
583 >To display the users in the UserList file</A
585 CLASS="programlisting"
607 > command to display the contents of one machine's <SPAN
611 >/usr/afs/etc/KeyFile</B
614 CLASS="programlisting"
647 >Is the shortest acceptable abbreviation of <SPAN
665 >Names a file server machine. In the normal case, it is acceptable to name any machine, because correct cell
666 functioning requires that the <SPAN
672 > file be the same on all of them.</P
684 >Displays the octal digits that constitute each key.</P
692 >In the following example, the output displays a checksum for each server encryption key rather than the actual octal
693 digits. The penultimate line indicates when an administrator last changed the file, and the final line confirms that the
694 output is complete.</P
696 CLASS="programlisting"
701 >bos listkeys fs1.abc.com</B
704 key 0 has cksum 972037177
705 key 1 has cksum 2825165022
706 Keys last changed on Wed Jan 13 11:20:29 1999.
716 >To display the afs key from the Authentication Database</A
728 > command to display the <SPAN
735 entry in the Authentication Database.</P
737 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
738 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
745 > argument to name an identity that has the
747 CLASS="computeroutput"
749 > flag on its Authentication Database entry. To verify that an entry has the flag,
756 > command as described in <A
757 HREF="c32432.html#HDRWQ590"
762 CLASS="programlisting"
784 >admin principal to use for authentication</VAR
786 Administrator's (admin_user) password: <<VAR
805 >Is the shortest acceptable abbreviation of <SPAN
823 >Designates the <SPAN
841 >Displays the octal digits that constitute the key.</P
853 >Names an administrative account with the <SAMP
854 CLASS="computeroutput"
856 > flag on its Authentication
857 Database entry, such as <SPAN
863 >. The password prompt echoes it as admin_user. Enter
864 the appropriate password as admin_password.</P
872 >In the following example, the <SPAN
878 > user displays the <SPAN
884 > entry without using the <SPAN
890 > flag. The second line shows the
891 key version number in parentheses and the key's checksum. The line that begins with the string <SAMP
892 CLASS="computeroutput"
895 > reports the date on which the indicated administrator changed the key. There is no necessary relationship
896 between this date and the date reported by the <SPAN
902 > command, because the latter date
903 changes for any type of change to the <SPAN
909 > file, not just a key addition. For a
910 description of the other lines in the output from the <SPAN
916 > command, see its reference
917 page in the IBM AFS Administration Reference.</P
919 CLASS="programlisting"
924 >kas examine afs -admin admin</B
927 Administrator's (admin) password: <<VAR
932 key (1) cksum is 2825165022, last cpw: no date
933 password will never expire.
934 An unlimited number of unsuccessful authentications is permitted.
935 entry expires on never. Max ticket lifetime 100.00 hours.
936 last mod on Wed Jan 13 11:21:36 1999 by admin
937 permit password reuse
947 >Adding Server Encryption Keys</A
950 >As noted, AFS records server encryption keys in two separate places: <OL
958 >/usr/afs/etc/KeyFile</B
960 > on the local disk of each server machine, for use
961 by the AFS server processes running on the machine</P
971 > entry in the Authentication Database, for use by the Ticket Granting
972 Service (TGS) when creating tokens</P
977 >To ensure that server processes and the TGS share the same AFS server encryption key, execute all the steps in this
978 section without interruption.</P
980 >The following instructions include a step in which you restart the database server processes (the Authentication, Backup,
981 Protection, and Volume Location Server processes) on all database server machines. As a database server process starts, it reads
982 in the server encryption key that has the highest key version number in the <SPAN
989 uses it to protect the messages that it sends for synchronizing the database and maintaining quorum. It uses the same key
990 throughout its lifetime, which can be for an extended period, even if you remove the key from the <SPAN
996 > file. However, if one of the peer database server processes restarts and the others do not,
997 quorum and database synchronization break down because the processes are no longer using the same key: the restarted process is
998 using the key that currently has the highest key version number, and the other processes are still using the key they read in
999 when they originally started. To avoid this problem, it is safest to restart all of the database server processes when adding a
1002 >After adding a new key, you can remove obsolete keys from the <SPAN
1008 > file to prevent it
1009 from becoming cluttered. However, you must take care not to remove keys that client or server processes are still using. For
1010 discussion and instructions, see <A
1011 HREF="c20494.html#HDRWQ368"
1012 >Removing Server Encryption Keys</A
1020 >To add a new server encryption key</A
1026 >Verify that you are authenticated as a user listed in the <SPAN
1030 >/usr/afs/etc/UserList</B
1033 file. If necessary, issue the <SPAN
1039 > command, which is fully described in <A
1040 HREF="c32432.html#HDRWQ593"
1041 >To display the users in the UserList file</A
1043 CLASS="programlisting"
1068 > command to display the key version
1069 numbers that are already in use, as a first step in choosing the key version number for the new key. <PRE
1070 CLASS="programlisting"
1085 CLASS="variablelist"
1097 >Is the shortest acceptable abbreviation of <SPAN
1115 >Names any file server machine.</P
1126 >Choose a key version number for the new key, based on the output from Step <A
1127 HREF="c20494.html#LIWQ364"
1129 > and the following requirements: <UL
1132 >A key version number must be an integer between 0 (zero) and 255 to comply with Kerberos standards. It is
1133 simplest if you keep your key version numbers in sequence by choosing a key version number one greater than the
1134 largest existing one.</P
1138 >Do not reuse a key version number currently found in the <SPAN
1145 particularly if it is also the one in the Authentication Database <SPAN
1152 processes possibly still have tickets sealed with the key that originally had that key version number, but the
1153 server processes start using the new key marked with that key version number. Because the keys do not match, the
1154 server processes refuse requests from clients who hold legitimate tokens.</P
1170 > command to create a new AFS server
1171 encryption key in the <SPAN
1179 >If you run the United States edition of AFS and use the Update Server to distribute the contents of the system
1180 control machine's <SPAN
1186 > directory, substitute the system control machine for the
1187 machine name argument. (If you have forgotten which machine is the system control machine, see <A
1188 HREF="c3025.html#HDRWQ96"
1190 locate the system control machine</A
1193 >If you run the international edition of AFS or do not use the Update Server, repeat the <SPAN
1200 > command, substituting each server machine in your cell for the machine name argument in turn.</P
1202 >To avoid visible echoing of the string that corresponds to the new key, omit the <SPAN
1208 > argument from the command line; instead enter the string at the prompts that appear when you
1209 omit it, as shown in the following syntax specification.</P
1211 CLASS="programlisting"
1216 >bos addkey -server</B
1229 >key version number</VAR
1231 input key: <<VAR
1235 Retype input key: <<VAR
1242 CLASS="variablelist"
1254 >Is the shortest acceptable abbreviation of <SPAN
1272 >Names the cell's system control machine if you are using the Update Server, or each server machine in turn
1285 >Specifies the new key's key version number as an integer from the range 0 (zero) through 255.</P
1287 >Remember the number. You need to use it again in Step <A
1288 HREF="c20494.html#LIWQ367"
1290 >. If you are using the
1291 international edition of AFS, be sure to type the same number each time you issue this command.</P
1303 >Is a character string similar to a user password, of any length from one to about 1,000 characters. To
1304 improve security, include nonalphabetic characters and make the string as long as is practical (you need to type
1305 it only in this step and in Step <A
1306 HREF="c20494.html#LIWQ367"
1308 >). If you are using the international edition of
1309 AFS, be sure to type the same string each time you issue this command.</P
1311 >Do not enter an octal string directly. The BOS Server scrambles the character string into an octal string
1312 appropriate for use as an encryption key before recording it in the <SPAN
1327 >If you are using the Update Server, wait for a few minutes while the Update Server distributes the new <SPAN
1333 > file to all server machines. The maximum necessary waiting period is the largest value
1334 provided for the <SPAN
1340 > argument to the <SPAN
1347 process's initialization command used on any of the server machines; the default time is five minutes.</P
1349 >To be certain that all machines have the same <SPAN
1355 > file, issue the <SPAN
1361 > command for every file server machine and verify that the checksum for the new key is
1362 the same on all machines.</P
1364 CLASS="programlisting"
1377 >If you are not using the Update Server, try to complete Step <A
1378 HREF="c20494.html#LIWQ366"
1394 > command to enter the same key in
1401 > entry in the Authentication Database.</P
1403 >The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default,
1404 it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator.
1411 > argument to name an identity that has the
1413 CLASS="computeroutput"
1415 > flag on its Authentication Database entry. To verify that an entry has the flag,
1422 > command as described in <A
1423 HREF="c32432.html#HDRWQ590"
1425 ADMIN flag is set</A
1428 CLASS="programlisting"
1433 >kas setpassword -name afs -kvno</B
1447 >admin principal to use for authentication</VAR
1449 Administrator's (admin_user) password: <<VAR
1451 >admin_password</VAR
1453 new_password: afs_password
1454 Verifying, please re-enter new_password: <<VAR
1456 >admin_password</VAR
1461 CLASS="variablelist"
1473 >Is an acceptable alias for <SPAN
1485 > is the shortest acceptable abbreviation).</P
1497 >Creates the new key in the <SPAN
1515 >Specifies the same key version number as in Step <A
1516 HREF="c20494.html#LIWQ366"
1530 >Names an administrative account with the <SAMP
1531 CLASS="computeroutput"
1533 > flag on its Authentication
1534 Database entry, such as <SPAN
1540 >. The password prompt echoes it as admin_user. Enter
1541 the appropriate password as admin_password.</P
1553 >Is the same character string you entered in Step <A
1554 HREF="c20494.html#LIWQ366"
1570 > If you want to verify that the keys you just created in the <SPAN
1576 > file and the Authentication Database <SPAN
1583 identical and have the same key version number, follow the instructions in <A
1584 HREF="c20494.html#HDRWQ359"
1597 > command to restart the database server processes on all
1598 database server machines. This forces them to start using the key in the <SPAN
1605 that currently has the highest key version number.</P
1607 >Repeat this command in quick succession for each database server machine, starting with the machine that has the
1608 lowest IP address.</P
1610 CLASS="programlisting"
1624 >buserver kaserver ptserver vlserver</B
1630 CLASS="variablelist"
1642 >Is the shortest acceptable abbreviation of <SPAN
1660 >Names each database server machine in turn.</P
1667 >buserver kaserver ptserver vlserver</B
1672 >Designates the Backup Server, Authentication Server, Protection Server, and Volume Location (VL) Server,
1688 >Removing Server Encryption Keys</A
1691 >You can periodically remove old keys from the <SPAN
1695 >/usr/afs/etc/KeyFile</B
1697 > file to keep it to a
1698 reasonable size. To avoid disturbing cell functioning, do not remove an old key until all tokens sealed with the key and held by
1699 users or client processes have expired. After adding a new key, wait to remove old keys at least as long as the longest token
1700 lifetime you use in your cell. For Authentication Database user entries created under AFS version 3.1 or higher, the default
1701 token lifetime is 25 hours; for entries created under AFS version 3.0, it is 100 hours.</P
1703 >There is no command for removing the key from the <SPAN
1709 > entry in the Authentication
1710 Database, because the key field in that entry must never be empty. Use the <SPAN
1717 command to replace the <SPAN
1723 > key, but only as part of the complete procedure detailed in <A
1724 HREF="c20494.html#HDRWQ363"
1725 >To add a new server encryption key</A
1728 >Never remove from the <SPAN
1734 > file the key that is currently in the <SPAN
1740 > entry in the Authentication Database. AFS server processes become unable to decrypt the tickets that
1741 clients present to them.</P
1748 >To remove a key from the KeyFile file</A
1754 >Verify that you are authenticated as a user listed in the <SPAN
1758 >/usr/afs/etc/UserList</B
1761 file. If necessary, issue the <SPAN
1767 > command, which is fully described in <A
1768 HREF="c32432.html#HDRWQ593"
1769 >To display the users in the UserList file</A
1771 CLASS="programlisting"
1793 > command to display the key version number of each key you
1794 want to remove. The output also reveals whether it has been at least 25 hours since a new key was placed in the <SPAN
1800 > file. For complete instructions for the <SPAN
1808 HREF="c20494.html#HDRWQ360"
1809 >To display the KeyFile file</A
1811 CLASS="programlisting"
1833 > command to verify that the key currently in the
1834 Authentication Database's <SPAN
1840 > entry does not have the same key version number as any of
1841 the keys you are removing from the <SPAN
1847 > file. For detailed instructions for the
1855 HREF="c20494.html#HDRWQ361"
1856 >To display the afs key from the
1857 Authentication Database</A
1859 CLASS="programlisting"
1864 >kas examine afs -admin</B
1868 >admin principal to use for authentication</VAR
1870 Administrator's (admin_user) password: <<VAR
1872 >admin_password</VAR
1885 > command to remove one or more server encryption keys from
1894 >If you run the United States edition of AFS and use the Update Server to distribute the contents of the system
1895 control machine's <SPAN
1901 > directory, substitute the system control machine for the
1902 machine name argument. (If you have forgotten which machine is the system control machine, see <A
1903 HREF="c3025.html#HDRWQ96"
1905 locate the system control machine</A
1908 >If you run the international edition of AFS or do not use the Update Server, repeat the <SPAN
1915 > command, substituting each server machine in your cell for the machine name argument in turn.</P
1917 CLASS="programlisting"
1929 >key version number</VAR
1934 CLASS="variablelist"
1946 >Is the shortest acceptable abbreviation of <SPAN
1964 >Names the cell's system control machine if you are using the Update Server, or each server machine in turn
1972 >key version number</B
1977 >Specifies the key version number of each key to remove.</P
1992 >Handling Server Encryption Key Emergencies</A
1995 >In rare circumstances, the AFS server processes can become unable to decrypt the server tickets that clients or peer
1996 server processes are presenting. Activity in your cell can come to a halt, because the server processes believe that the tickets
1997 are forged or expired, and refuse to execute any actions. This can happen on one machine or several; the effect is more serious
1998 when more machines are involved.</P
2000 >One common cause of server encryption key problems is that the client's ticket is encrypted with a key that the server
2001 process does not know. Usually this means that the <SPAN
2005 >/usr/afs/etc/KeyFile</B
2007 > on the server machine
2008 does not include the key in the <SPAN
2014 > Authentication Database entry, which the Authentication
2015 Server's Ticket Granting Service (TGS) module is using to encrypt server tickets.</P
2017 >Another possibility is that the <SPAN
2023 > files on different machines do not contain the
2024 same keys. In this case, communications among server processes themselves become impossible. For instance, AFS's replicated
2025 database mechanism (Ubik) breaks down if the instances of a database server process on the different database server machines
2026 are not using the same key.</P
2028 >The appearance of the following error message when you direct a <SPAN
2035 server machine in the local cell is one possible symptom of server encryption key mismatch. (Note, however, that you can also
2036 get this message if you forget to include the <SPAN
2042 > argument when directing the <SPAN
2048 > command to a file server machine in a foreign cell.)</P
2050 CLASS="programlisting"
2051 > bos: failed to contact host's bosserver (security object was passed a bad ticket).
2054 >The solution to server encryption key emergencies is to put a new AFS server encryption key in both the Authentication
2055 Database and the <SPAN
2061 > file on every server machine, so that the TGS and all server processes
2062 again share the same key.</P
2064 >Handling key emergencies requires some unusual actions. The reasons for these actions are explained in the following
2065 sections; the actual procedures appear in the subsequent instructions.</P
2072 >Prevent Mutual Authentication</A
2075 >It is necessary to prevent the server processes from trying to mutually authenticate with you as you deal with a key
2076 emergency, because they possibly cannot decrypt your token. When you do not mutually authenticate, the server processes assign
2077 you the identity <SPAN
2083 >. To prevent mutual authentication, use the <SPAN
2089 > command to discard your tokens and include the <SPAN
2096 every command where it is available.</P
2104 >Disable Authorization Checking by Hand</A
2107 >Because the server processes recognize you as the user <SPAN
2114 mutually authenticate, you must turn off authorization checking. Only with authorization checking disabled do the server
2115 processes allow the <SPAN
2121 > user to perform privileged actions such as key creation.</P
2123 >In an emergency, disable authorization checking by creating the file <SPAN
2127 >/usr/afs/local/NoAuth</B
2129 > by hand. In normal circumstances, use the <SPAN
2136 > command instead.</P
2144 >Work Quickly on Each Machine</A
2147 >Disabling authorization checking is a serious security exposure, because server processes on the affected machine
2148 perform any action for anyone. Disable authorization checking only for as long as necessary, completing all steps in an
2149 uninterrupted session and as quickly as possible.</P
2157 >Work at the Console</A
2160 >Working at the console of each server machine on which you disable authorization checking ensures that no one else logs
2161 onto the console while you are working there. It does not prevent others from connecting to the machine remotely (using the
2168 > program, for example), which is why it is important to work quickly. The only way to
2169 ensure complete security is to disable network traffic, which is not a viable option in many environments. You can improve
2170 security in general by limiting the number of people who can connect remotely to your server machines at any time, as
2172 HREF="c667.html#HDRWQ74"
2173 >Improving Security in Your Cell</A
2182 >Change Individual KeyFile Files</A
2185 >If you use the Update Server to distribute the contents of the <SPAN
2192 an emergency is the only time when it is appropriate to change the <SPAN
2198 > file on individual
2199 machines instead. Updating each machine's file is necessary because mismatched keys can prevent the system control machine's
2206 > process from mutually authenticating with <SPAN
2212 > processes on other server machines, in which case the <SPAN
2218 > process refuses to distribute its <SPAN
2227 >Even if it appears that the Update Server is working correctly, the only way to verify that is to change the key on the
2228 system control machine and wait the standard delay period to see if the <SPAN
2235 retrieve the key. During an emergency, it does not usually make sense to wait the standard delay period. It is more efficient
2236 simply to update the file on each server machine separately. Also, even if the Update Server can distribute the file
2237 correctly, other processes can have trouble because of mismatched keys. The following instructions add the new key file on the
2238 system control machine first. If the Update Server is working, then it is distributing the same change as you are making on
2239 each server machine individually.</P
2241 >If your cell does not use the Update Server, or uses the international edition of AFS, you always change keys on server
2242 machines individually. The following instructions are also appropriate for you.</P
2250 >Two Component Procedures</A
2253 >There are two subprocedures used frequently in the following instructions: disabling authorization checking and
2254 reenabling it. For the sake of clarity, the procedures are detailed here; the instructions refer to them as necessary.</P
2261 >Disabling Authorization Checking in an Emergency</A
2267 >Become the local superuser <SPAN
2273 > on the machine, if you are not already, by
2281 CLASS="programlisting"
2301 >Create the file <SPAN
2305 >/usr/afs/local/NoAuth</B
2308 authorization checking. <PRE
2309 CLASS="programlisting"
2314 >touch /usr/afs/local/NoAuth</B
2322 >Discard your tokens, in case they were sealed with an incompatible key, which can prevent some commands from
2324 CLASS="programlisting"
2343 >Reenabling Authorization Checking in an Emergency</A
2349 >Become the local superuser <SPAN
2355 > on the machine, if you are not already, by
2363 CLASS="programlisting"
2384 >/usr/afs/local/NoAuth</B
2387 CLASS="programlisting"
2392 >rm /usr/afs/local/NoAuth</B
2400 >Authenticate as an administrative identity that belongs to the <SPAN
2404 >system:administrators</B
2406 > group and is listed in the <SPAN
2410 >/usr/afs/etc/UserList</B
2413 CLASS="programlisting"
2426 >admin_password</VAR
2433 >If appropriate, log out from the console (or close the remote connection you are using), after issuing the
2440 > command to destroy your tokens.</P
2451 >To create a new server encryption key in emergencies</A
2464 >On the system control machine</B
2466 >, disable authorization
2467 checking as instructed in <A
2468 HREF="c20494.html#HDRWQ373"
2469 >Disabling Authorization Checking in an Emergency</A
2483 > command to display the key version
2484 numbers already in use in the <SPAN
2490 > file, as a first step in choosing the new key's key
2491 version number. <PRE
2492 CLASS="programlisting"
2513 CLASS="variablelist"
2525 >Is the shortest acceptable abbreviation of <SPAN
2543 >Specifies a file server machine.</P
2555 >Bypasses mutual authentication with the BOS Server. Include it in case the key emergency is preventing
2556 successful mutual authentication.</P
2567 >Choose a key version number for the new key, based on what you learned in Step <A
2568 HREF="c20494.html#LIWQ377"
2570 > plus the following requirements: <UL
2573 >It is best to keep your key version numbers in sequence by choosing a key version number one greater than the
2574 largest existing one.</P
2578 >Key version numbers must be integers between 0 and 255 to comply with Kerberos standards.</P
2582 >Do not reuse a key version number currently listed in the <SPAN
2603 >On the system control machine</B
2611 > command to create a new AFS server encryption key in the <SPAN
2618 CLASS="programlisting"
2636 >key version number</VAR
2644 input key: <<VAR
2648 Retype input key: <<VAR
2656 CLASS="variablelist"
2668 >Is the shortest acceptable abbreviation of <SPAN
2686 >Names the file server machine on which to define the new key in the <SPAN
2705 >Specifies the key version number you chose in Step <A
2706 HREF="c20494.html#LIWQ378"
2708 >, an integer in the range
2709 0 (zero) through 255. You must specify the same number in Steps <A
2710 HREF="c20494.html#LIWQ382"
2713 HREF="c20494.html#LIWQ383"
2716 HREF="c20494.html#LIWQ386"
2730 >Bypasses mutual authentication with the BOS Server. Include it in case the key emergency is preventing
2731 successful mutual authentication.</P
2743 >Is a character string similar to a user password, of any length from one to about 1,000 characters. To
2744 improve security, make the string as long as is practical, and include nonalphabetic characters.</P
2746 >Do not type an octal string directly. The BOS Server scrambles the character string into an octal string
2747 appropriate for use as an encryption key before recording it in the <SPAN
2756 >Remember the string. You need to use it again in Steps <A
2757 HREF="c20494.html#LIWQ382"
2760 HREF="c20494.html#LIWQ383"
2763 HREF="c20494.html#LIWQ386"
2780 >On every database server machine in your cell</B
2783 the system control machine), disable authorization checking as instructed in <A
2784 HREF="c20494.html#HDRWQ373"
2786 Authorization Checking in an Emergency</A
2787 >. Do not repeat the procedure on the system control machine, if it is a
2788 database server machine, because you already disabled authorization checking in Step <A
2789 HREF="c20494.html#LIWQ376"
2792 you need to learn which machines are database server machines, use the <SPAN
2799 command as described in <A
2800 HREF="c3025.html#HDRWQ95"
2801 >To locate database server machines</A
2809 >Wait at least 90 seconds after finishing Step <A
2810 HREF="c20494.html#LIWQ380"
2813 of the database server processes (the Authentication, Backup, Protection and Volume Location Servers) to finish electing a
2814 new sync site. Then issue the <SPAN
2820 > command to verify that the election worked properly.
2821 Issue the following commands, substituting each database server machine's name for server machine in turn. Include the
2822 system control machine if it is a database server machine. <PRE
2823 CLASS="programlisting"
2832 >server machine</VAR
2848 >server machine</VAR
2864 >server machine</VAR
2880 >server machine</VAR
2891 >For each process, the output from all of the database server machines must agree on which one is the sync site for
2892 the process. It is not, however, necessary that the same machine serves as the sync site for each of the four processes.
2893 For each process, the output from only one machine must include the following string:</P
2895 CLASS="programlisting"
2896 > I am sync site ...
2899 >The output on the other machines instead includes the following line</P
2901 CLASS="programlisting"
2902 > I am not sync site
2905 >and a subsequent line that begins with the string <SAMP
2906 CLASS="computeroutput"
2908 > and specifies the IP
2909 address of the machine claiming to be the sync site.</P
2911 >If the output does not meet these requirements or seems abnormal in another way, contact AFS Product Support for
2923 >On every database server machine in your cell</B
2926 the system control machine), issue the <SPAN
2932 > command described in Step <A
2933 HREF="c20494.html#LIWQ379"
2935 >. Be sure to use the same values for afs_password and kvno as you used in that step.</P
2948 > command to define the new key in
2949 the Authentication Database's <SPAN
2955 > entry. It must match the key you created in Step <A
2956 HREF="c20494.html#LIWQ379"
2959 HREF="c20494.html#LIWQ382"
2962 CLASS="programlisting"
2967 >kas setpassword -name afs</B
2977 >key version number</VAR
2985 new_password: <<VAR
2989 Verifying, please re-enter new_password: <<VAR
2997 CLASS="variablelist"
3009 >Is an acceptable alias for <SPAN
3021 > is the shortest acceptable abbreviation).</P
3033 >Is the same key version number you specified in Step <A
3034 HREF="c20494.html#LIWQ379"
3048 >Is the same character string you specified as afs_password in Step <A
3049 HREF="c20494.html#LIWQ379"
3052 not echo visibly.</P
3067 >On every database server machine in your cell</B
3070 system control machine if it is a database server machine), reenable authorization checking as instructed in <A
3071 HREF="c20494.html#HDRWQ375"
3072 >Reenabling Authorization Checking in an Emergency</A
3073 >. If the system control machine is not a
3074 database server machine, do not perform this procedure until Step <A
3075 HREF="c20494.html#LIWQ385"
3082 HREF="c20494.html#LIWQ381"
3084 > to verify that each database server process has properly elected a sync
3085 site after being restarted in Step <A
3086 HREF="c20494.html#LIWQ384"
3099 >On the system control machine</B
3101 > (if it is not a database
3102 server machine), reenable authorization checking as instructed in <A
3103 HREF="c20494.html#HDRWQ375"
3104 >Reenabling Authorization
3105 Checking in an Emergency</A
3106 >. If it is a database server machine, you already performed the procedure in Step <A
3107 HREF="c20494.html#LIWQ384"
3117 >On all remaining (simple) file server machines</B
3119 >, disable authorization checking as
3121 HREF="c20494.html#HDRWQ373"
3122 >Disabling Authorization Checking in an Emergency</A
3134 >On all remaining (simple) file server machines</B
3143 > command described in Step <A
3144 HREF="c20494.html#LIWQ379"
3146 >. Be sure to use the
3147 same values for afs_password and kvno as you used in that step.</P
3155 >On all remaining (simple) file server machines</B
3157 >, reenable authorization checking as
3159 HREF="c20494.html#HDRWQ375"
3160 >Reenabling Authorization Checking in an Emergency</A
3172 SUMMARY="Footer navigation table"
3211 >Monitoring and Auditing AFS Performance</TD
3225 >Managing Client Machines</TD
git://git.openafs.org / openafs.git / blob