auth 4.9 KB

.TH AUTH 8
.SH NAME
changeuser, convkeys, convkeys2, printnetkey, status, enable, disable, authsrv, guard.srv, wrkey, login, newns, none \- maintain or query authentication databases
.SH SYNOPSIS
.B auth/changeuser
.RB [ -np ]
.I user
.PP
.B auth/convkeys
.RB [ -p ]
.I keyfile
.PP
.B auth/convkeys2
.RB [ -p ]
.I keyfile
.PP
.B auth/printnetkey
.I user
.PP
.B auth/status
.I user
.PP
.B auth/enable
.I user
.PP
.B auth/disable
.I user
.PP
.B auth/authsrv
.PP
.B auth/guard.srv
.PP
.B auth/wrkey
.PP
.B auth/login
.I user
.PP
.B auth/newns
[
.B -ad
] [
.B -n
.I namespace
]
.I command
.I arg
\&...
.PP
.B auth/none
[
.B -n
.I namespace
]
.I command
.I arg
\&...
.SH DESCRIPTION
These administrative commands run only on the authentication server.
.IR Changeuser
manipulates an authentication database file system served by
.IR keyfs (4)
and used by file servers.
There are two authentication databases,
one holding information about Plan 9 accounts
and one holding SecureNet keys.
A
.I user
need not be installed in both databases
but must be installed in the Plan 9 database to connect to a Plan 9 service.
.PP
.I Changeuser
installs or changes
.I user
in an authentication database.
It does not install a user on a Plan 9 file server; see
.IR fs (8)
for that.
.PP
Option
.B -p
installs
.I user
in the Plan 9 database.
.I Changeuser
asks twice for a password for the new
.IR user .
If the responses do not match
or the password is too easy to guess
the
.I user
is not installed.
.I Changeuser
also asks for an APOP secret.
This secret is used in the APOP (RFC1939),
CRAM (RFC2195), and
Microsoft challenge/response protocols used for
POP3, IMAP, and VPN access.
.PP
Option
.B -n
installs
.I user
in the SecureNet database and prints out a key for the SecureNet box.
The key is chosen by
.IR changeuser .
.PP
If neither option
.B -p
nor option
.B -n
is given,
.I changeuser
installs the
.I user
in the Plan 9 database.
.PP
.I Changeuser
prompts for
biographical information such as email address,
user name, sponsor and department number and
appends it to the file
.B /adm/netkeys.who
or
.BR /adm/keys.who .
.PP
.I Convkeys
re-encrypts the key file
.IR keyfile .
Re-encryption is performed in place.
Without the
.B -p
option
.I convkeys
uses the key stored in NVRAM
to decrypt the file, and encrypts it using the new key.
By default,
.I convkeys
prompts twice for the new password.
The
.B -p
forces
.I convkeys
to also prompt for the old password.
The format of
.I keyfile
is described in
.IR keyfs (4).
.PP
The format of the key file changed between Release 2
and 3 of Plan 9.
.I Convkeys2
is like
.IR convkeys .
However, in addition to rekeying, it converts from
the previous format to the Release 3 format.
.PP
.I Printnetkey
displays the network key as it should be entered into the
hand-held SecureNet box.
.PP
.I Status
is a shell script that prints out everything known about
a user and the user's key status.
.PP
.I Enable/disable
are shell scripts that enable/disable both the Plan 9 and
Netkey keys for individual users.
.PP
.I Authsrv
is the program, run only on the authentication server, that handles ticket requests
on TCP port 567.
It is started
by an incoming call to the server
requesting a conversation ticket; its standard input and output
are the network connection.
.I Authsrv
executes the authentication server's end of the appropriate protocol as
described in
.IR authsrv (6).
.PP
.I Guard.srv
is similar. It is called whenever a foreign (e.g. Unix) system wants
to do a SecureNet challenge/response authentication.
.PP
The remaining commands need not be run on an authentication server.
.PP
.I Wrkey
prompts for a machine key, host owner, and host domain and stores them in
local non-volatile RAM.
.PP
.I Login
allows a user to change his authenticated id to
.IR user .
.I Login
sets up a new namespace from
.BR /lib/namespace ,
starts a
.IR factotum (4)
under the new id and
.IR exec s
.IR rc (1)
under the new id.
.PP
.I Newns
sets up a new namespace from
.I namespace
(default
.BR /lib/namespace )
and
.IR exec s
its arguments.
If there are no arguments, it
.IR exec s
.BR /bin/rc .
Under
.BR -a ,
.I newns
adds to the current namespace instead of constructing a new one.
The
.BR -d
option enables debugging output.
.PP
.I None
sets up a new namespace from
.I namespace
(default
.BR /lib/namespace )
as the user
.I none
and
.IR exec s
its arguments under the new id.
If there are no arguments, it
.IR exec s
.BR /bin/rc .
It's an easy way to run a command as
.IR none .
.SH FILES
.TF /sys/lib/httppasswords
.TP
.B /lib/ndb/auth
Speaksfor relationships and mappings for
RADIUS server id's.
.TP
.B /adm/keys.who
List of users in the Plan 9 database.
.TP
.B /adm/netkeys.who
List of users in the SecureNet database.
.TP
.B /sys/lib/httppasswords
List of realms and passwords for HTTP access.
.SH SOURCE
.B /sys/src/cmd/auth
.SH "SEE ALSO"
.IR passwd (1),
.I readnvram
in
.IR authsrv (2),
.IR keyfs (4),
.IR securenet (8)
.SH BUGS
Only CPU kernels permit changing userid.
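
Added example (not part of the manual page or the Plan 9 sources): how an APOP secret such as the one changeuser installs is used in the APOP (RFC 1939) and CRAM-MD5 (RFC 2195) exchanges mentioned in the DESCRIPTION; the Microsoft challenge/response protocol is not covered. Function names are illustrative, and the inputs are the example values published in the two RFCs. Both protocols require the verifier to hold the secret in recoverable form, so the secret is password-equivalent and deserves the same protection as the key file.

```python
import base64
import hashlib
import hmac


def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939: hex MD5 over the greeting timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


def cram_md5_response(user: str, secret: str, b64_challenge: bytes) -> bytes:
    """RFC 2195: base64 of 'user ' + hex HMAC-MD5(key=secret, msg=challenge)."""
    challenge = base64.b64decode(b64_challenge)
    mac = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {mac}".encode())


def server_verify_apop(timestamp: str, stored_secret: str, claimed: str) -> bool:
    """Verifier side: recompute from the stored secret, compare in constant time."""
    expected = apop_digest(timestamp, stored_secret).encode()
    return hmac.compare_digest(expected, claimed.strip().lower().encode())


# Example values from RFC 1939 (APOP) and RFC 2195 (CRAM-MD5).
APOP_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
APOP_SECRET = "tanstaaf"
CRAM_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>")
CRAM_SECRET = "tanstaaftanstaaf"

if __name__ == "__main__":
    digest = apop_digest(APOP_TIMESTAMP, APOP_SECRET)
    print("C: APOP mrose", digest)
    print("server accepts:", server_verify_apop(APOP_TIMESTAMP, APOP_SECRET, digest))
    print("S: +", CRAM_CHALLENGE.decode())
    print("C:", cram_md5_response("tim", CRAM_SECRET, CRAM_CHALLENGE).decode())
```

The challenge is fresh per connection, so a captured response cannot be replayed, but anyone who can read the stored secret can answer every future challenge.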