KEYSRV(4)                                               KEYSRV(4)

     NAME
          keysrv - secret key server

     SYNOPSIS
          auth/keysrv

     DESCRIPTION
          Keysrv is a file service run on a connection to an authenti-
          cation server.  It allows a remote user to change a secret
          stored on the server by keyfs(4), which must have been
          started before keysrv, in a name space with the authentica-
          tion data available under /mnt/keys.

          Keysrv serves a single file, secret, on a connection
          accessed through file descriptor 0 (ie, the standard
          `input').  When invoked, it first authenticates the connec-
          tion using security-auth(2), requiring the client to use
          sha1 and rc4_256.  If authentication succeeds, keysrv
          exports a name space containing a file secret.  The authen-
          tication ensures that only a user that possesses a valid
          certificate can connect to the service.

          If the authenticated user (ie, the user name in the verified
          certificate) has an entry in /mnt/keys, as served by
          keyfs(4), and that user has a non-empty secret, then the
          file secret will accept reads and writes.  (Otherwise, every
          read or write returns an appropriate error.)  Every success-
          ful read returns 0 bytes; thus a read can be used to check
          that the user is known and has a secret key.  Each write
          contains data of the following form:

               oldhash [ newsecret ]

          Oldhash is the SHA1 hash (see keyring-sha1(2)) of the user's
          existing secret, as 20 hexadecimal digits.  If the value of
          oldhash does not match that of the stored secret, the write
          returns an error and suitable diagnostic.  Oldhash is
          optionally followed by a newsecret, in clear text as a
          sequence of bytes (typically the secret as utf(6)), sepa-
          rated from oldhash by a single space.  If the oldhash
          matches that of the secret currently stored, newsecret
          replaces it.  The write returns an error if oldhash does not
          match the stored value, or if something else goes wrong.

          Keysrv can be invoked via listen(1):

               listen -t -A 'tcp!*!infkey' {auth/keysrv}

          Normally that is done automatically when starting an authen-
          tication service using svc/auth (see svc(8)).

     Page 1                       Plan 9            (printed 12/21/24)

     KEYSRV(4)                                               KEYSRV(4)

          Passwd(1) dials the service, authenticates, and mounts the
          resulting connection on /mnt/keysrv, where it accesses the
          secret file to change the secret.

     FILES
          /mnt/keys    mount point for keyfs(4)
          /mnt/keysrv  exported mount point for keysrv

     SOURCE
          /appl/cmd/auth/keysrv.b

     SEE ALSO
          listen(1), passwd(1), keyfs(4), logind(8)

     Page 2                       Plan 9            (printed 12/21/24)