| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207 |
- .TH AUTH 8
- .SH NAME
- changeuser, wrkey, convkeys, convkeys2, printnetkey, status, authsrv, guard.srv, login, disable, enable \- maintain authentication databases
- .SH SYNOPSIS
- .B auth/changeuser
- .RB [ -np ]
- .I user
- .PP
- .B auth/wrkey
- .PP
- .B auth/convkeys
- .RB [ -p ]
- .I keyfile
- .PP
- .B auth/convkeys2
- .RB [ -p ]
- .I keyfile
- .PP
- .B auth/printnetkey
- .I user
- .PP
- .B auth/status
- .I user
- .PP
- .B auth/enable
- .I user
- .PP
- .B auth/disable
- .I user
- .PP
- .B auth/authsrv
- .PP
- .B auth/guard.srv
- .PP
- .B auth/login
- .I user
- .PP
- .B auth/none
- .SH DESCRIPTION
- These administrative commands run only on the authentication server.
- .IR Changeuser
- manipulates an authentication database file system served by
- .IR keyfs (4)
- and used by file servers.
- There are two authentication databases,
- one holding information about Plan 9 accounts
- and one holding SecureNet keys.
- A
- .I user
- need not be installed in both databases
- but must be installed in the Plan 9 database to connect to a Plan 9 service.
- .PP
- .I Changeuser
- installs or changes
- .I user
- in an authentication database.
- It does not install a user on a Plan 9 file server; see
- .IR fs (8)
- for that.
- .PP
- Option
- .B -p
- installs
- .I user
- in the Plan 9 database.
- .I Changeuser
- asks twice for a password for the new
- .IR user .
- If the responses do not match
- or the password is too easy to guess
- the
- .I user
- is not installed.
- .I Changeuser
- also asks for an APOP secret.
- This secret is used in the APOP (RFC1939),
- CRAM (RFC2195), and
- Microsoft challenge/response protocols used for
- POP3, IMAP, and VPN access.
- .PP
- Option
- .B -n
- installs
- .I user
- in the SecureNet database and prints out a key for the SecureNet box.
- The key is chosen by
- .IR changeuser .
- .PP
- If neither option
- .B -p
- or option
- .B -n
- is given,
- .I changeuser
- installs the
- .I user
- in the Plan 9 database.
- .PP
- .I Changeuser
- prompts for
- biographical information such as email address,
- user name, sponsor and department number and
- appends it to the file
- .B /adm/netkeys.who
- or
- .BR /adm/keys.who .
- .PP
- .I Wrkey
- prompts for a machine key, host owner, and host domain and stores them in
- local non-volatile RAM.
- .PP
- .I Convkeys
- re-encrypts the key file
- .IR keyfile .
- Re-encryption is performed in place.
- Without the
- .B -p
- option
- .I convkeys
- uses the key stored in
- .B /dev/keys
- to decrypt the file, and encrypts it using the new key.
- By default,
- .I convkeys
- prompts twice for the new password.
- The
- .B -p
- forces
- .I convkeys
- to also prompt for the old password.
- The format of
- .I keyfile
- is described in
- .IR keyfs (4).
- .PP
- The format of the key file changed between Release 2
- and 3 of Plan 9.
- .I Convkeys2
- is like
- .IR convkeys .
- However, in addition to rekeying, it converts from
- the previous format to the Release 3 format.
- .PP
- .I Printnetkey
- displays the network key as it should be entered into the
- hand-held Securenet box.
- .PP
- .I Status
- is a shell script that prints out everything known about
- a user and the user's key status.
- .PP
- .I Enable/disable
- are shell scripts that enable/disable both the Plan 9 and
- Netkey keys for individual users.
- .PP
- .I Authsrv
- is the program, run only on the authentication server, that handles ticket requests
- on TCP port 567.
- It is started
- by an incoming call to the server
- requesting a conversation ticket; its standard input and output
- are the network connection.
- .I Authsrv
- executes the authentication server's end of the appropriate protocol as
- described in
- .IR authsrv (6).
- .PP
- .I Guard.srv
- is similar. It is called whenever a foreign (e.g. Unix) system wants
- to do a SecureNet challenge/response authentication.
- .PP
- .I Login
- allows a user to change his authenticated id to
- .IR user .
- .I Login
- sets up a new namespace from
- .B /lib/namespace
- and exec's
- .IR rc (1)
- under the new id.
- .PP
- .I None
- sets up a new namespace from
- .B /lib/namespace
- and exec's its arguments
- under the new id. It's
- an easy way to run a command as none.
- .SH FILES
- .TF /sys/lib/httppasswords
- .TP
- .B /lib/ndb/auth
- Speaksfor relationships and mappings for
- RADIUS server id's.
- .TP
- .B /adm/keys.who
- List of users in the Plan 9 database.
- .TP
- .B /adm/netkeys.who
- List of users in the SecureNet database.
- .TP
- .B /sys/lib/httppasswords
- List of realms and passwords for HTTP access.
- .SH SOURCE
- .B /sys/src/cmd/auth
- .SH "SEE ALSO"
- .IR keyfs (4),
- .IR securenet (8)
|
