Administration Reference


[Return to Library] [Contents] [Previous Topic] [Bottom of Topic] [Next Topic] [Index]

bos listkeys

Purpose

Displays the server encryption keys from the /usr/afs/etc/KeyFile file

Synopsis

bos listkeys -server <machine name>  [-showkey]  [-cell <cell name>]  
             [-noauth]  [-localauth]  [-help]
   
bos listk -se <machine name>  [-sh]  [-c <cell name>]  [-n]  [-l]  [-h]

Description

The bos listkeys command formats and displays the list of server encryption keys from the /usr/afs/etc/KeyFile file on the server machine named by the -server argument.

To edit the list of keys, use the bos addkey and bos removekey commands.

Cautions

Displaying actual keys on the standard output stream (by including the -showkey flag) is a security exposure. Displaying a checksum is sufficient for most purposes.

Options

-server
Indicates the server machine from which to display the KeyFile file. Identify the machine by IP address or its host name (either fully-qualified or abbreviated unambiguously). For details, see the introductory reference page for the bos command suite.

For consistent performance in the cell, the output must be the same on every server machine. The bos addkey reference page explains how to keep the machines synchronized.

-showkey
Displays the octal digits that constitute each key.

-cell
Names the cell in which to run the command. Do not combine this argument with the -localauth flag. For more details, see the introductory bos reference page.

-noauth
Assigns the unprivileged identity anonymous to the issuer. Do not combine this flag with the -localauth flag. For more details, see the introductory bos reference page.

-localauth
Constructs a server ticket using a key from the local /usr/afs/etc/KeyFile file. The bos command interpreter presents the ticket to the BOS Server during mutual authentication. Do not combine this flag with the -cell or -noauth options. For more details, see the introductory bos reference page.

-help
Prints the online help for this command. All other valid options are ignored.

Output

The output includes one line for each server encryption key listed in the KeyFile file, identified by its key version number.

If the -showkey flag is included, the output displays the actual string of eight octal numbers that constitute the key. Each octal number is a backslash and three decimal digits.

If the -showkey flag is not included, the output represents each key as a checksum, which is a decimal number derived by encrypting a constant with the key.

Following the list of keys or checksums, the string Keys last changed indicates when a key was last added to the KeyFile file. The words All done indicate the end of the output.

For mutual authentication to work properly, the output from the command kas examine afs must match the key or checksum with the same key version number in the output from this command.

Examples

The following example shows the checksums for the keys stored in the KeyFile file on the machine fs3.abc.com.

   % bos listkeys fs3.abc.com
   key 1 has cksum 972037177
   key 3 has cksum 2825175022
   key 4 has cksum 260617746
   key 6 has cksum 4178774593
   Keys last changed on Mon Apr 12 11:24:46 1999.
   All done.
    

The following example shows the actual keys from the KeyFile file on the machine fs6.abc.com.

   % bos listkeys fs6.abc.com -showkey
   key 0 is '\040\205\211\241\345\002\023\211'
   key 1 is '\343\315\307\227\255\320\135\244'
   key 2 is '\310\310\255\253\326\236\261\211'
   Keys last changed on Wed Mar 31 11:24:46 1999.
   All done.
   

Privilege Required

The issuer must be listed in the /usr/afs/etc/UserList file on the machine named by the -server argument, or must be logged onto a server machine as the local superuser root if the -localauth flag is included.

Related Information

KeyFile

UserList

bos addkey

bos removekey

bos setauth

kas examine


[Return to Library] [Contents] [Previous Topic] [Top of Topic] [Next Topic] [Index]



© IBM Corporation 2000. All Rights Reserved