AUTH(8) AUTH(8)
NAME
changeuser, convkeys, printnetkey, status, enable, disable,
authsrv, guard.srv, debug, wrkey, login, newns, none, box,
as - maintain or query authentication databases
SYNOPSIS
auth/changeuser [-np] user
auth/convkeys [-pa] keyfile
auth/printnetkey user
auth/status user
auth/enable user
auth/disable user
auth/authsrv [-N]
auth/guard.srv
auth/debug
auth/wrkey
auth/login [ -a authdom ] user
auth/newns [ -ad ] [ -n namespace ] command arg ...
auth/none [ -d ] [ -n namespace ] command arg ...
auth/box [ -s ] [ -rc file ] [ -e devs ] command arg ...
auth/as [ -d ] [ -n namespace ] user command arg ...
DESCRIPTION
These administrative commands run only on the authentication
server. Changeuser manipulates an authentication database
file system served by keyfs(4) and used by file servers.
There are two authentication databases, one holding informa-
tion about Plan 9 accounts and one holding SecureNet keys.
A user need not be installed in both databases but must be
installed in the Plan 9 database to connect to a Plan 9 ser-
vice.
Changeuser installs or changes user in an authentication
database. It does not install a user on a Plan 9 file
server; see fs(8) for that.
Page 1 Plan 9 (printed 11/18/24)
AUTH(8) AUTH(8)
Option -p installs user in the Plan 9 database. Changeuser
asks twice for a password for the new user. If the responses
do not match or the password is too easy to guess the user
is not installed. Changeuser also asks for an APOP secret.
This secret is used in the APOP (RFC1939), CRAM (RFC2195),
and Microsoft challenge/response protocols used for POP3,
IMAP, and VPN access.
Option -n installs user in the SecureNet database and prints
out a key for the SecureNet box. The key is chosen by
changeuser.
If neither option -p or option -n is given, changeuser
installs the user in the Plan 9 database.
Changeuser prompts for biographical information such as
email address, user name, sponsor and department number and
appends it to the file /adm/netkeys.who or /adm/keys.who.
Convkeys re-encrypts the key file keyfile. Re-encryption is
performed in place. Without the -p option convkeys uses the
key stored in NVRAM to decrypt the file, and encrypts it
using the new key. By default, convkeys prompts twice for
the new password. The -p forces convkeys to also prompt for
the old password. The -a option converts the file into AES
format. The format of keyfile is described in keyfs(4).
Printnetkey displays the network key as it should be entered
into the hand-held Securenet box.
Status is a shell script that prints out everything known
about a user and the user's key status.
Enable/disable are shell scripts that enable/disable both
the Plan 9 and Netkey keys for individual users.
Authsrv is the program, run only on the authentication
server, that handles ticket requests on TCP port 567. It is
started by an incoming call to the server requesting a con-
versation ticket; its standard input and output are the net-
work connection. Authsrv executes the authentication
server's end of the appropriate protocol as described in
authsrv(6). The -N flag disables legacy bruteforceable DES-
encrypted tickes as used by the p9sk1 protocol, forcing the
use of new dp9ik password authenticated key exchange.
Guard.srv is similar. It is called whenever a foreign (e.g.
Unix) system wants to do a SecureNet challenge/response
authentication.
Anywhere commands
The remaining commands need not be run on an authentication
Page 2 Plan 9 (printed 11/18/24)
AUTH(8) AUTH(8)
server.
Debug attempts to authenticate using each dp9ik and p9sk1
key found in factotum and prints progress reports.
Wrkey prompts for a machine key, host owner, and host domain
and stores them in local non-volatile RAM.
Login allows a user to change his authenticated id to user.
Login sets up a new namespace from /lib/namespace, starts a
factotum(4) under the new id and execs rc(1) under the new
id.
Newns sets up a new namespace from namespace (default
/lib/namespace) and execs its arguments. If there are no
arguments, it execs /bin/rc. Under -a, newns adds to the
current namespace instead of constructing a new one. The -d
option enables debugging output.
None sets up a new namespace from namespace (default
/lib/namespace) as the user none and execs its arguments
under the new id. If there are no arguments, it execs
/bin/rc. It's an easy way to run a command as none.
Box executes its arguments in a minimal namespace. This
namespace is derived by binding in the specified program to
the same name within a new hierarchy. The same is done with
the paths provided as arguments. Paths provided with the -r
flag are bound with MREPL, and those provided with the -c
flag are bound with MCREATE. Box removes access to all ker-
nel drivers from the child namespace; the -e flag specifies
a string of driver characters to keep. The -s flag initial-
izes the namespace to an environment which includes /bin,
/srv, /env, /rc, adds the |d devices, and execs /bin/rc,
passing all arguments as though rc was invoked directly.
As executes command as user. Command is a single argument to
rc, containing an arbitrary rc command. This only works for
the hostowner and only if `#ยค/caphash' still exists.
FILES
/lib/ndb/auth Speaksfor relationships and mappings for
RADIUS server id's.
/adm/keys.who List of users in the Plan 9 database.
/adm/netkeys.who List of users in the SecureNet database.
SOURCE
/sys/src/cmd/auth
SEE ALSO
passwd(1), readnvram in authsrv(2), keyfs(4), securenet(8)
Page 3 Plan 9 (printed 11/18/24)