auth 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207
  1. .TH AUTH 8
  2. .SH NAME
  3. changeuser, wrkey, convkeys, convkeys2, printnetkey, status, authsrv, guard.srv, login, disable, enable \- maintain authentication databases
  4. .SH SYNOPSIS
  5. .B auth/changeuser
  6. .RB [ -np ]
  7. .I user
  8. .PP
  9. .B auth/wrkey
  10. .PP
  11. .B auth/convkeys
  12. .RB [ -p ]
  13. .I keyfile
  14. .PP
  15. .B auth/convkeys2
  16. .RB [ -p ]
  17. .I keyfile
  18. .PP
  19. .B auth/printnetkey
  20. .I user
  21. .PP
  22. .B auth/status
  23. .I user
  24. .PP
  25. .B auth/enable
  26. .I user
  27. .PP
  28. .B auth/disable
  29. .I user
  30. .PP
  31. .B auth/authsrv
  32. .PP
  33. .B auth/guard.srv
  34. .PP
  35. .B auth/login
  36. .I user
  37. .PP
  38. .B auth/none
  39. .SH DESCRIPTION
  40. These administrative commands run only on the authentication server.
  41. .IR Changeuser
  42. manipulates an authentication database file system served by
  43. .IR keyfs (4)
  44. and used by file servers.
  45. There are two authentication databases,
  46. one holding information about Plan 9 accounts
  47. and one holding SecureNet keys.
  48. A
  49. .I user
  50. need not be installed in both databases
  51. but must be installed in the Plan 9 database to connect to a Plan 9 service.
  52. .PP
  53. .I Changeuser
  54. installs or changes
  55. .I user
  56. in an authentication database.
  57. It does not install a user on a Plan 9 file server; see
  58. .IR fs (8)
  59. for that.
  60. .PP
  61. Option
  62. .B -p
  63. installs
  64. .I user
  65. in the Plan 9 database.
  66. .I Changeuser
  67. asks twice for a password for the new
  68. .IR user .
  69. If the responses do not match
  70. or the password is too easy to guess
  71. the
  72. .I user
  73. is not installed.
  74. .I Changeuser
  75. also asks for an APOP secret.
  76. This secret is used in the APOP (RFC1939),
  77. CRAM (RFC2195), and
  78. Microsoft challenge/response protocols used for
  79. POP3, IMAP, and VPN access.
  80. .PP
  81. Option
  82. .B -n
  83. installs
  84. .I user
  85. in the SecureNet database and prints out a key for the SecureNet box.
  86. The key is chosen by
  87. .IR changeuser .
  88. .PP
  89. If neither option
  90. .B -p
  91. or option
  92. .B -n
  93. is given,
  94. .I changeuser
  95. installs the
  96. .I user
  97. in the Plan 9 database.
  98. .PP
  99. .I Changeuser
  100. prompts for
  101. biographical information such as email address,
  102. user name, sponsor and department number and
  103. appends it to the file
  104. .B /adm/netkeys.who
  105. or
  106. .BR /adm/keys.who .
  107. .PP
  108. .I Wrkey
  109. prompts for a machine key, host owner, and host domain and stores them in
  110. local non-volatile RAM.
  111. .PP
  112. .I Convkeys
  113. re-encrypts the key file
  114. .IR keyfile .
  115. Re-encryption is performed in place.
  116. Without the
  117. .B -p
  118. option
  119. .I convkeys
  120. uses the key stored in
  121. .B /dev/keys
  122. to decrypt the file, and encrypts it using the new key.
  123. By default,
  124. .I convkeys
  125. prompts twice for the new password.
  126. The
  127. .B -p
  128. forces
  129. .I convkeys
  130. to also prompt for the old password.
  131. The format of
  132. .I keyfile
  133. is described in
  134. .IR keyfs (4).
  135. .PP
  136. The format of the key file changed between Release 2
  137. and 3 of Plan 9.
  138. .I Convkeys2
  139. is like
  140. .IR convkeys .
  141. However, in addition to rekeying, it converts from
  142. the previous format to the Release 3 format.
  143. .PP
  144. .I Printnetkey
  145. displays the network key as it should be entered into the
  146. hand-held Securenet box.
  147. .PP
  148. .I Status
  149. is a shell script that prints out everything known about
  150. a user and the user's key status.
  151. .PP
  152. .I Enable/disable
  153. are shell scripts that enable/disable both the Plan 9 and
  154. Netkey keys for individual users.
  155. .PP
  156. .I Authsrv
  157. is the program, run only on the authentication server, that handles ticket requests
  158. on TCP port 567.
  159. It is started
  160. by an incoming call to the server
  161. requesting a conversation ticket; its standard input and output
  162. are the network connection.
  163. .I Authsrv
  164. executes the authentication server's end of the appropriate protocol as
  165. described in
  166. .IR authsrv (6).
  167. .PP
  168. .I Guard.srv
  169. is similar. It is called whenever a foreign (e.g. Unix) system wants
  170. to do a SecureNet challenge/response authentication.
  171. .PP
  172. .I Login
  173. allows a user to change his authenticated id to
  174. .IR user .
  175. .I Login
  176. sets up a new namespace from
  177. .B /lib/namespace
  178. and exec's
  179. .IR rc (1)
  180. under the new id.
  181. .PP
  182. .I None
  183. sets up a new namespace from
  184. .B /lib/namespace
  185. and exec's its arguments
  186. under the new id. It's
  187. an easy way to run a command as none.
  188. .SH FILES
  189. .TF /sys/lib/httppasswords
  190. .TP
  191. .B /lib/ndb/auth
  192. Speaksfor relationships and mappings for
  193. RADIUS server id's.
  194. .TP
  195. .B /adm/keys.who
  196. List of users in the Plan 9 database.
  197. .TP
  198. .B /adm/netkeys.who
  199. List of users in the SecureNet database.
  200. .TP
  201. .B /sys/lib/httppasswords
  202. List of realms and passwords for HTTP access.
  203. .SH SOURCE
  204. .B /sys/src/cmd/auth
  205. .SH "SEE ALSO"
  206. .IR keyfs (4),
  207. .IR securenet (8)