harvey/sys/man/8/auth

.TH AUTH 8
.SH NAME
changeuser, wrkey, convkeys, convkeys2, printnetkey, status, authsrv, guard.srv, login, disable, enable \- maintain authentication databases
.SH SYNOPSIS
.B auth/changeuser
.RB [ -np ]
.I user
.PP
.B auth/wrkey
.PP
.B auth/convkeys
.RB [ -p ]
.I keyfile
.PP
.B auth/convkeys
.RB [ -p ]
.I keyfile
.PP
.B auth/printnetkey
.I user
.PP
.B auth/status
.I user
.PP
.B auth/enable
.I user
.PP
.B auth/disable
.I user
.PP
.B auth/authsrv
.PP
.B auth/guard.srv
.PP
.B auth/login
.I user
.SH DESCRIPTION
These administrative commands run only on the authentication server.
.IR Changeuser
manipulates an authentication database file system served by
.IR keyfs (4)
and used by file servers.
There are two authentication databases,
one holding information about Plan 9 accounts
and one holding SecureNet keys.
A
.I user
need not be installed in both databases
but must be installed in the Plan 9 database to connect to a Plan 9 service.
.PP
.I Changeuser
installs or changes
.I user
in an authentication database.
It does not install a user on a Plan 9 file server; see
.IR fs (8)
for that.
.PP
Option
.B -p
installs
.I user
in the Plan 9 database.
.I Changeuser
asks twice for a password for the new
.IR user .
If the responses do not match
or the password is too easy to guess
the
.I user
is not installed.
.I Changeuser
also asks for an APOP secret.
This secret is used in the APOP (RFC1939),
CRAM (RFC2195), and
Microsoft challenge/response protocols used for
POP3, IMAP, and VPN access.
.PP
Option
.B -n
installs
.I user
in the SecureNet database and prints out a key for the SecureNet box.
The key is chosen by
.IR changeuser .
.PP
If neither option
.B -p
or option
.B -n
is given,
.I changeuser
installs the
.I user
in the Plan 9 database.
.PP
.I Changeuser
prompts for
biographical information such as email address,
user name, sponsor and department number and
appends it to the file
.B /adm/netkeys.who
or
.BR /adm/keys.who .
.PP
.I Wrkey
prompts for a machine key, host owner, and host domain and stores them in
local non-volatile RAM.
.PP
.I Convkeys
re-encrypts the key file
.IR keyfile .
Re-encryption is performed in place.
Without the
.B -p
option
.I convkeys
uses the key stored in
.B /dev/keys
to decrypt the file, and encrypts it using the new key.
By default, 
.I convkeys
prompts twice for the new password.
The
.B -p
forces
.I convkeys
to also prompt for the old password.
The format of
.I keyfile
is described in
.IR keyfs (4).
.PP
The format of the key file changed between Release 2
and 3 of Plan 9.
.I Convkeys2
is like
.IR convkeys .
However, in addition to rekeying, it converts from
the previous format to the Release 3 format.
.PP
.I Printnetkey
displays the network key as it should be entered into the
hand-held Securenet box.
.PP
.I Status
is a shell script that prints out everything known about
a user and the user's key status.
.PP
.I Enable/disable
are shell scripts that enable/disable both the Plan 9 and
Netkey keys for individual users.
.PP
.I Authsrv
is the program, run only on the authentication server, that handles ticket requests
on IL port 566.
It is started
by an incoming call to the server
requesting a conversation ticket; its standard input and output
are the network connection.
.I Authsrv
executes the authentication server's end of the appropriate protocol as
described in
.IR authsrv (6).
.PP
.I Guard.srv
is similar.  It is called whenever a foreign (e.g. Unix) system wants
to do a SecureNet challenge/response authentication.
.PP
.I Login
allows a user to change his authenticated id to
.IR user .
.I Login
sets up a new namespace from
.B /lib/namespace
and exec's
.IR rc (1)
under the new id.
.SH FILES
.TF /sys/lib/httppasswords
.TP
.B /lib/ndb/auth
Speaksfor relationships and mappings for
rasius server id's.
.TP
.B /adm/keys.who
List of users in the Plan 9 database.
.TP
.B /adm/netkeys.who
List of users in  the SecureNet database.
.TP
.B /sys/lib/httppasswords
List of realms and passwords for HTTP access.
.SH SOURCE
.B /sys/src/cmd/auth
.SH "SEE ALSO"
.IR keyfs (4),
.IR securenet (8)