AUTH(8)AUTH(8)
NAME
changeuser, convkeys, printnetkey, status, enable, disable, authsrv, guard.srv, debug, wrkey, login, newns, none, as – maintain or query authentication databases
SYNOPSIS
auth/changeuser
[-np]
user
auth/convkeys
[-pa]
keyfile
auth/printnetkey
user
auth/status
user
auth/enable
user
auth/disable
user
auth/authsrv
[-N]
auth/guard.srv
auth/debug
auth/wrkey
auth/login
[
-a
authdom
]
user
auth/newns
[
-ad
] [
-n
namespace
]
command
arg
...
auth/none
[
-d
] [
-n
namespace
]
command
arg
...
auth/as
[
-d
] [
-n
namespace
]
user
command
arg
...
DESCRIPTION
These administrative commands run only on the authentication server.
Changeuser
manipulates an authentication database file system served by
keyfs(4)
and used by file servers.
There are two authentication databases,
one holding information about Plan 9 accounts
and one holding SecureNet keys.
A
user
need not be installed in both databases
but must be installed in the Plan 9 database to connect to a Plan 9 service.
Changeuser
installs or changes
user
in an authentication database.
It does not install a user on a Plan 9 file server; see
fs(8)
for that.
Option
-p
installs
user
in the Plan 9 database.
Changeuser
asks twice for a password for the new
user.
If the responses do not match
or the password is too easy to guess
the
user
is not installed.
Changeuser
also asks for an APOP secret.
This secret is used in the APOP (RFC1939),
CRAM (RFC2195), and
Microsoft challenge/response protocols used for
POP3, IMAP, and VPN access.
Option
-n
installs
user
in the SecureNet database and prints out a key for the SecureNet box.
The key is chosen by
changeuser.
If neither option
-p
or option
-n
is given,
changeuser
installs the
user
in the Plan 9 database.
Changeuser
prompts for
biographical information such as email address,
user name, sponsor and department number and
appends it to the file
/adm/netkeys.who
or
/adm/keys.who.
Convkeys
re-encrypts the key file
keyfile.
Re-encryption is performed in place.
Without the
-p
option
convkeys
uses the key stored in NVRAM
to decrypt the file, and encrypts it using the new key.
By default,
convkeys
prompts twice for the new password.
The
-p
forces
convkeys
to also prompt for the old password.
The
-a
option converts the file into AES format.
The format of
keyfile
is described in
keyfs(4).
Printnetkey
displays the network key as it should be entered into the
hand-held Securenet box.
Status
is a shell script that prints out everything known about
a user and the user’s key status.
Enable/disable
are shell scripts that enable/disable both the Plan 9 and
Netkey keys for individual users.
Authsrv
is the program, run only on the authentication server, that handles ticket requests
on TCP port 567.
It is started by an incoming call to the server
requesting a conversation ticket; its standard input and output
are the network connection.
Authsrv
executes the authentication server’s end of the appropriate protocol as
described in
authsrv(6).
The
-N
flag disables legacy bruteforceable DES-encrypted tickes as used by the
p9sk1
protocol, forcing the use of new
dp9ik
password authenticated key exchange.
Guard.srv
is similar. It is called whenever a foreign (e.g. Unix) system wants
to do a SecureNet challenge/response authentication.
Anywhere commands
The remaining commands need not be run on an authentication server.
Debug
attempts to authenticate using each
dp9ik
and
p9sk1
key found in
factotum
and prints progress reports.
Wrkey
prompts for a machine key, host owner, and host domain and stores them in
local non-volatile RAM.
Login
allows a user to change his authenticated id to
user.
Login
sets up a new namespace from
/lib/namespace,
starts a
factotum(4)
under the new id and
execs
rc(1)
under the new id.
Newns
sets up a new namespace from
namespace
(default
/lib/namespace)
and
execs
its arguments.
If there are no arguments, it
execs
/bin/rc.
Under
-a,
newns
adds to the current namespace instead of constructing a new one.
The
-d
option enables debugging output.
None
sets up a new namespace from
namespace
(default
/lib/namespace)
as the user
none
and
execs
its arguments under the new id.
If there are no arguments, it
execs
/bin/rc.
It’s an easy way to run a command as
none.
As
executes
command
as
user.
Command
is a single argument to
rc,
containing an arbitrary
rc
command.
This only works for the hostowner and only if
# /caphash
still exists.
FILES
/lib/ndb/auth
Speaksfor relationships and mappings for
RADIUS server id’s.
/adm/keys.who
List of users in the Plan 9 database.
/adm/netkeys.who
List of users in the SecureNet database.
SOURCE
/sys/src/cmd/auth
SEE ALSO
passwd(1),
readnvram
in
authsrv(2),
keyfs(4),
securenet(8)
BUGS
Only CPU kernels permit changing userid.