AUTH(8)                                                   AUTH(8)

     NAME
          changeuser, convkeys, convkeys2, printnetkey, status,
          enable, disable, authsrv, guard.srv, debug, wrkey, login,
          newns, none, as - maintain or query authentication databases

     SYNOPSIS
          auth/changeuser [-np] user

          auth/convkeys [-p] keyfile

          auth/convkeys2 [-p] keyfile

          auth/printnetkey user

          auth/status user

          auth/enable user

          auth/disable user

          auth/authsrv

          auth/guard.srv

          auth/debug

          auth/wrkey

          auth/login user

          auth/newns [ -ad ] [ -n namespace ] command arg ...

          auth/none [ -n namespace ] command arg ...

          auth/as user command

     DESCRIPTION
          These administrative commands run only on the authentication
          server.  Changeuser manipulates an authentication database
          file system served by keyfs(4) and used by file servers.
          There are two authentication databases, one holding informa-
          tion about Plan 9 accounts and one holding SecureNet keys.
          A user need not be installed in both databases but must be
          installed in the Plan 9 database to connect to a Plan 9 ser-
          vice.

          Changeuser installs or changes user in an authentication
          database.  It does not install a user on a Plan 9 file
          server; see fs(8) for that.

     Page 1                       Plan 9            (printed 12/22/24)

     AUTH(8)                                                   AUTH(8)

          Option -p installs user in the Plan 9 database.  Changeuser
          asks twice for a password for the new user. If the responses
          do not match or the password is too easy to guess the user
          is not installed.  Changeuser also asks for an APOP secret.
          This secret is used in the APOP (RFC1939), CRAM (RFC2195),
          and Microsoft challenge/response protocols used for POP3,
          IMAP, and VPN access.

          Option -n installs user in the SecureNet database and prints
          out a key for the SecureNet box.  The key is chosen by
          changeuser.

          If neither option -p or option -n is given, changeuser
          installs the user in the Plan 9 database.

          Changeuser prompts for biographical information such as
          email address, user name, sponsor and department number and
          appends it to the file /adm/netkeys.who or /adm/keys.who.

          Convkeys re-encrypts the key file keyfile. Re-encryption is
          performed in place.  Without the -p option convkeys uses the
          key stored in NVRAM to decrypt the file, and encrypts it
          using the new key.  By default, convkeys prompts twice for
          the new password.  The -p forces convkeys to also prompt for
          the old password.  The format of keyfile is described in
          keyfs(4).

          The format of the key file changed between Release 2 and 3
          of Plan 9.  Convkeys2 is like convkeys. However, in addition
          to rekeying, it converts from the previous format to the
          Release 3 format.

          Printnetkey displays the network key as it should be entered
          into the hand-held Securenet box.

          Status is a shell script that prints out everything known
          about a user and the user's key status.

          Enable/disable are shell scripts that enable/disable both
          the Plan 9 and Netkey keys for individual users.

          Authsrv is the program, run only on the authentication
          server, that handles ticket requests on TCP port 567.  It is
          started by an incoming call to the server requesting a con-
          versation ticket; its standard input and output are the net-
          work connection.  Authsrv executes the authentication
          server's end of the appropriate protocol as described in
          authsrv(6).

          Guard.srv is similar.  It is called whenever a foreign (e.g.
          Unix) system wants to do a SecureNet challenge/response
          authentication.

     Page 2                       Plan 9            (printed 12/22/24)

     AUTH(8)                                                   AUTH(8)

        Anywhere commands
          The remaining commands need not be run on an authentication
          server.

          Debug attempts to authenticate using each p9sk1 key found in
          factotum and prints progress reports.

          Wrkey prompts for a machine key, host owner, and host domain
          and stores them in local non-volatile RAM.

          Login allows a user to change his authenticated id to user.
          Login sets up a new namespace from /lib/namespace, starts a
          factotum(4) under the new id and execs rc(1) under the new
          id.

          Newns sets up a new namespace from namespace (default
          /lib/namespace) and execs its arguments.  If there are no
          arguments, it execs /bin/rc.  Under -a, newns adds to the
          current namespace instead of constructing a new one.  The -d
          option enables debugging output.

          None sets up a new namespace from namespace (default
          /lib/namespace) as the user none and execs its arguments
          under the new id.  If there are no arguments, it execs
          /bin/rc.  It's an easy way to run a command as none.

          As executes command as user. Command is a single argument to
          rc, containing an arbitrary rc command.  This only works for
          the hostowner and only if `#ยค/caphash' still exists.

     FILES
          /lib/ndb/auth           Speaksfor relationships and mappings
                                  for RADIUS server id's.
          /adm/keys.who           List of users in the Plan 9 data-
                                  base.
          /adm/netkeys.who        List of users in the SecureNet data-
                                  base.
          /sys/lib/httppasswords  List of realms and passwords for
                                  HTTP access.

     SOURCE
          /sys/src/cmd/auth

     SEE ALSO
          passwd(1), readnvram in authsrv(2), keyfs(4), securenet(8)

     BUGS
          Only CPU kernels permit changing userid.

     Page 3                       Plan 9            (printed 12/22/24)