AUTH(8) AUTH(8)
NAME
adduser, changeuser, printnetkey, renameuser, removeuser,
enable, disable, expire, status, convkeys, wrkey - maintain
authentication databases
SYNOPSIS
auth/adduser [-hnp] user
auth/changeuser [-hnp] user
auth/printnetkey user
auth/renameuser [-np] user newname
auth/removeuser [-np] user
auth/enable [-np] user
auth/disable [-np] user
auth/expire [-np] user date
auth/status user
auth/convkeys [-k key] keyfile
auth/wrkey [-k key]
DESCRIPTION
These administrative commands run only on the authentication
server. Adduser, changeuser, renameuser, removeuser,
enable, disable, expire, and status manipulate an authenti-
cation database file system served by keyfs(4) and used by
file servers. There are two authentication databases, one
holding information about Plan 9 accounts and one holding
SecureNet keys. A user need not be installed in both data-
bases but must be installed in the Plan 9 database to con-
nect to a Plan 9 service.
Adduser installs user in an authentication database. User
must not already exist in the database. It does not install
a user on a Plan 9 file server.
Option -p installs user in the Plan 9 database. Adduser
asks twice for a password for the new user. If the responses
do not match or the password is too easy to guess the user
is not installed.
Option -n installs user in the SecureNet database and prints
out a key for the SecureNet box. The key is chosen by
Page 1 Plan 9 (printed 10/27/25)
AUTH(8) AUTH(8)
adduser.
If neither option -p or option -n is given, adduser installs
the user in the Plan 9 database.
Option -h makes user a host able to receive authenticated
incoming network calls. All Plan 9 CPU servers must be
installed as users with host permission in the Plan 9
authentication database. This option is significant only in
the Plan 9 database.
Changeuser modifies information for users already installed.
Its syntax is the same as adduser's.
Printnetkey prints user's SecureNet key without changing it.
Renameuser changes user's name to newname in both of the
authentication databases. If newname is already known in
either database, renameuser reports an error and makes no
change. The options are the same as for adduser, except
that if neither option -p nor option -n is given, the user
is renamed in both databases.
Removeuser deletes user from both of the authentication
databases. The options are the same as for renameuser.
Enable and disable change the status of user's accounts.
The options are the same as for renameuser.
Expire changes the expiration date for user to date, which
is either the string `never' or a date in the form yyyymmdd,
where yyyy is the year, mm is the month, and dd is the day
the account should expire.
Both enable and expire attempt to change both the Plan 9 and
SecureNet databases. The options are the same as for
renameuser.
Status prints the status and expiration date of user's Plan
9 and SecureNet accounts.
Convkeys re-encrypts the key file keyfile. Re-encryption is
performed in place. Any file or authentication server using
the key file must simultaneously have its key modified or it
will be unable to decrypt keyfile. Convkeys uses the key
stored in non-volatile RAM to decrypt the file, and encrypts
it using the new key. By default, convkeys prompts twice
for the new password. Option -k instead takes key, which
must be DESKEYLEN bytes long. Note that a key is not a
password. The format of keyfile is described in keyfs(4).
Wrkey sets the key used by the authentication server to
Page 2 Plan 9 (printed 10/27/25)
AUTH(8) AUTH(8)
decrypt key files. By default, it prompts twice for the
password. Option -k is as in convkeys. Once the key is set,
keyfs should be restarted so it serves the correct keys.
FILES
The non-
volatile RAM on the server, which stores the key used
to decrypt key files.
SEE ALSO
keyfs(4), securenet(8)
BUGS
After changing authentication information, it is necessary
to issue the auth command on file servers that are doing
their own authentication. See fs(8).
Page 3 Plan 9 (printed 10/27/25)