auth 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292
  1. .TH AUTH 8
  2. .SH NAME
  3. changeuser, convkeys, convkeys2, printnetkey, status, enable, disable, authsrv, guard.srv, debug, wrkey, login, newns, none, as \- maintain or query authentication databases
  4. .SH SYNOPSIS
  5. .B auth/changeuser
  6. .RB [ -np ]
  7. .I user
  8. .PP
  9. .B auth/convkeys
  10. .RB [ -p ]
  11. .I keyfile
  12. .PP
  13. .B auth/convkeys2
  14. .RB [ -p ]
  15. .I keyfile
  16. .PP
  17. .B auth/printnetkey
  18. .I user
  19. .PP
  20. .B auth/status
  21. .I user
  22. .PP
  23. .B auth/enable
  24. .I user
  25. .PP
  26. .B auth/disable
  27. .I user
  28. .PP
  29. .B auth/authsrv
  30. .PP
  31. .B auth/guard.srv
  32. .PP
  33. .B auth/debug
  34. .PP
  35. .B auth/wrkey
  36. .PP
  37. .B auth/login
  38. .I user
  39. .PP
  40. .B auth/newns
  41. [
  42. .B -ad
  43. ] [
  44. .B -n
  45. .I namespace
  46. ]
  47. .I command
  48. .I arg
  49. \&...
  50. .PP
  51. .B auth/none
  52. [
  53. .B -n
  54. .I namespace
  55. ]
  56. .I command
  57. .I arg
  58. \&...
  59. .PP
  60. .B auth/as
  61. .I user
  62. .I command
  63. .SH DESCRIPTION
  64. These administrative commands run only on the authentication server.
  65. .IR Changeuser
  66. manipulates an authentication database file system served by
  67. .IR keyfs (4)
  68. and used by file servers.
  69. There are two authentication databases,
  70. one holding information about Plan 9 accounts
  71. and one holding SecureNet keys.
  72. A
  73. .I user
  74. need not be installed in both databases
  75. but must be installed in the Plan 9 database to connect to a Plan 9 service.
  76. .PP
  77. .I Changeuser
  78. installs or changes
  79. .I user
  80. in an authentication database.
  81. It does not install a user on a Plan 9 file server; see
  82. .IR fs (8)
  83. for that.
  84. .PP
  85. Option
  86. .B -p
  87. installs
  88. .I user
  89. in the Plan 9 database.
  90. .I Changeuser
  91. asks twice for a password for the new
  92. .IR user .
  93. If the responses do not match
  94. or the password is too easy to guess
  95. the
  96. .I user
  97. is not installed.
  98. .I Changeuser
  99. also asks for an APOP secret.
  100. This secret is used in the APOP (RFC1939),
  101. CRAM (RFC2195), and
  102. Microsoft challenge/response protocols used for
  103. POP3, IMAP, and VPN access.
  104. .PP
  105. Option
  106. .B -n
  107. installs
  108. .I user
  109. in the SecureNet database and prints out a key for the SecureNet box.
  110. The key is chosen by
  111. .IR changeuser .
  112. .PP
  113. If neither option
  114. .B -p
  115. or option
  116. .B -n
  117. is given,
  118. .I changeuser
  119. installs the
  120. .I user
  121. in the Plan 9 database.
  122. .PP
  123. .I Changeuser
  124. prompts for
  125. biographical information such as email address,
  126. user name, sponsor and department number and
  127. appends it to the file
  128. .B /adm/netkeys.who
  129. or
  130. .BR /adm/keys.who .
  131. .PP
  132. .I Convkeys
  133. re-encrypts the key file
  134. .IR keyfile .
  135. Re-encryption is performed in place.
  136. Without the
  137. .B -p
  138. option
  139. .I convkeys
  140. uses the key stored in NVRAM
  141. to decrypt the file, and encrypts it using the new key.
  142. By default,
  143. .I convkeys
  144. prompts twice for the new password.
  145. The
  146. .B -p
  147. forces
  148. .I convkeys
  149. to also prompt for the old password.
  150. The format of
  151. .I keyfile
  152. is described in
  153. .IR keyfs (4).
  154. .PP
  155. The format of the key file changed between Release 2
  156. and 3 of Plan 9.
  157. .I Convkeys2
  158. is like
  159. .IR convkeys .
  160. However, in addition to rekeying, it converts from
  161. the previous format to the Release 3 format.
  162. .PP
  163. .I Printnetkey
  164. displays the network key as it should be entered into the
  165. hand-held Securenet box.
  166. .PP
  167. .I Status
  168. is a shell script that prints out everything known about
  169. a user and the user's key status.
  170. .PP
  171. .I Enable/disable
  172. are shell scripts that enable/disable both the Plan 9 and
  173. Netkey keys for individual users.
  174. .PP
  175. .I Authsrv
  176. is the program, run only on the authentication server, that handles ticket requests
  177. on TCP port 567.
  178. It is started
  179. by an incoming call to the server
  180. requesting a conversation ticket; its standard input and output
  181. are the network connection.
  182. .I Authsrv
  183. executes the authentication server's end of the appropriate protocol as
  184. described in
  185. .IR authsrv (6).
  186. .PP
  187. .I Guard.srv
  188. is similar. It is called whenever a foreign (e.g. Unix) system wants
  189. to do a SecureNet challenge/response authentication.
  190. .SS Anywhere commands
  191. .PP
  192. The remaining commands need not be run on an authentication server.
  193. .PP
  194. .I Debug
  195. attempts to authenticate using each
  196. .B p9sk1
  197. key found in
  198. .I factotum
  199. and prints progress reports.
  200. .PP
  201. .I Wrkey
  202. prompts for a machine key, host owner, and host domain and stores them in
  203. local non-volatile RAM.
  204. .PP
  205. .I Login
  206. allows a user to change his authenticated id to
  207. .IR user .
  208. .I Login
  209. sets up a new namespace from
  210. .BR /lib/namespace ,
  211. starts a
  212. .IR factotum (4)
  213. under the new id and
  214. .IR exec s
  215. .IR rc (1)
  216. under the new id.
  217. .PP
  218. .I Newns
  219. sets up a new namespace from
  220. .I namespace
  221. (default
  222. .BR /lib/namespace )
  223. and
  224. .IR exec s
  225. its arguments.
  226. If there are no arguments, it
  227. .IR exec s
  228. .BR /bin/rc .
  229. Under
  230. .BR -a ,
  231. .I newns
  232. adds to the current namespace instead of constructing a new one.
  233. The
  234. .BR -d
  235. option enables debugging output.
  236. .PP
  237. .I None
  238. sets up a new namespace from
  239. .I namespace
  240. (default
  241. .BR /lib/namespace )
  242. as the user
  243. .I none
  244. and
  245. .IR exec s
  246. its arguments under the new id.
  247. If there are no arguments, it
  248. .IR exec s
  249. .BR /bin/rc .
  250. It's an easy way to run a command as
  251. .IR none .
  252. .PP
  253. .I As
  254. executes
  255. .I command
  256. as
  257. .IR user .
  258. .I Command
  259. is a single argument to
  260. .IR rc ,
  261. containing an arbitrary
  262. .I rc
  263. command.
  264. This only works for the hostowner and only if
  265. .L #¤/caphash
  266. still exists.
  267. .SH FILES
  268. .TF /sys/lib/httppasswords
  269. .TP
  270. .B /lib/ndb/auth
  271. Speaksfor relationships and mappings for
  272. RADIUS server id's.
  273. .TP
  274. .B /adm/keys.who
  275. List of users in the Plan 9 database.
  276. .TP
  277. .B /adm/netkeys.who
  278. List of users in the SecureNet database.
  279. .TP
  280. .B /sys/lib/httppasswords
  281. List of realms and passwords for HTTP access.
  282. .SH SOURCE
  283. .B /sys/src/cmd/auth
  284. .SH "SEE ALSO"
  285. .IR passwd (1),
  286. .I readnvram
  287. in
  288. .IR authsrv (2),
  289. .IR keyfs (4),
  290. .IR securenet (8)
  291. .SH BUGS
  292. Only CPU kernels permit changing userid.