Provided by: openafs-client_1.8.13.2-1ubuntu1_amd64 bug

NAME
       bos_listkeys - Displays the server encryption keys from the KeyFile file


SYNOPSIS
       bos listkeys -server <machine name> [-showkey]
           [-cell <cell name>] [-noauth] [-localauth] [-help]

       bos listk -se <machine name> [-sh] [-c <cell name>]
           [-n] [-l] [-h]


DESCRIPTION
       The bos listkeys command formats and displays the list of server encryption keys from the
       /etc/openafs/server/KeyFile file on the server machine named by the -server argument.  It is equivalent
       to asetkey list, but can be run remotely.

       To edit the list of keys, use the asetkey command; see asetkey(8) for more information.  You can also
       remove keys remotely using the bos removekey command.  If you are using the Authentication Server
       (kaserver) rather than a Kerberos v5 KDC, use the bos addkey command instead of asetkey to add a new key.


CAUTIONS
       Displaying actual keys on the standard output stream (by including the -showkey flag) is a security
       exposure. Displaying a checksum is sufficient for most purposes.

       This command will only list keys in the KeyFile; it cannot display keys from a KeyFileExt.  A server
       running a modern, secure installation using only keys for the rxkad-k5 extension will yield no keys in
       the output of this command.


OPTIONS
       -server <machine name>
           Indicates  the  server  machine  from  which  to display the KeyFile file. Identify the machine by IP
           address or its host name (either fully-qualified or  abbreviated  unambiguously).  For  details,  see
           bos(8).

           For  consistent  performance  in  the  cell,  the  output  must  be the same on every server machine.
           asetkey(8) explains how to keep the machines synchronized.

       -showkey
           Displays the octal digits that constitute each key.  Anyone who has access to  the  resulting  output
           will have complete access to the AFS cell and will be able to impersonate the AFS cell to any client,
           so be very careful when using this option.

       -cell <cell name>
           Names  the  cell  in which to run the command. Do not combine this argument with the -localauth flag.
           For more details, see bos(8).

       -noauth
           Assigns the unprivileged identity "anonymous" to the issuer.  Do  not  combine  this  flag  with  the
           -localauth flag. For more details, see bos(8).

       -localauth
           Constructs   a   server   ticket   using   a   key  from  the  local  /etc/openafs/server/KeyFile  or
           /etc/openafs/server/KeyFileExt file.  The bos command interpreter presents  the  ticket  to  the  BOS
           Server  during mutual authentication. Do not combine this flag with the -cell or -noauth options. For
           more details, see bos(8).

       -help
           Prints the online help for this command. All other valid options are ignored.


OUTPUT
       The output includes one line for each server encryption key listed in the KeyFile file, identified by its
       key version number.

       If the -showkey flag is included, the output displays the actual  string  of  eight  octal  numbers  that
       constitute the key. Each octal number is a backslash and three decimal digits.

       If  the  -showkey  flag is not included, the output represents each key as a checksum, which is a decimal
       number derived by encrypting a constant with the key.

       Following the list of keys or checksums, the string "Keys last changed" indicates when  a  key  was  last
       added to the KeyFile file. The words "All done" indicate the end of the output.

       For  mutual authentication to work properly, the output from the command "kas examine afs" must match the
       key or checksum with the same key version number in the output from this command.


EXAMPLES
       The following example shows the checksums for the  keys  stored  in  the  KeyFile  file  on  the  machine
       "fs3.example.com".

          % bos listkeys fs3.example.com
          key 1 has cksum 972037177
          key 3 has cksum 2825175022
          key 4 has cksum 260617746
          key 6 has cksum 4178774593
          Keys last changed on Mon Apr 12 11:24:46 1999.
          All done.

       The following example shows the actual keys from the KeyFile file on the machine "fs6.example.com".

          % bos listkeys fs6.example.com -showkey
          key 0 is '\040\205\211\241\345\002\023\211'
          key 1 is '\343\315\307\227\255\320\135\244'
          key 2 is '\310\310\255\253\326\236\261\211'
          Keys last changed on Wed Mar 31 11:24:46 1999.
          All done.


PRIVILEGE REQUIRED
       The  issuer  must  be listed in the /etc/openafs/server/UserList file on the machine named by the -server
       argument, or must be logged onto a server machine as the local superuser "root" if the -localauth flag is
       included.


SEE ALSO
       KeyFile(5), KeyFileExt(5),  UserList(5),  asetkey(8),  bos_addkey(8),  bos_removekey(8),  bos_setauth(8),
       kas_examine(8)


COPYRIGHT
       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This  documentation  is covered by the IBM Public License Version 1.0.  It was converted from HTML to POD
       by software written by Chas Williams and Russ Allbery, based on  work  by  Alf  Wachsmann  and  Elizabeth
       Cassell.

OpenAFS                                            2025-03-21                                    BOS_LISTKEYS(8)