AUTH(8)                                                   AUTH(8)

     NAME
          adduser, changeuser, printnetkey, renameuser, removeuser,
          enable, disable, expire, status, convkeys, wrkey - maintain
          authentication databases

     SYNOPSIS
          auth/adduser [-hnp] user

          auth/changeuser [-hnp] user

          auth/printnetkey user

          auth/renameuser [-np] user newname

          auth/removeuser [-np] user

          auth/enable [-np] user

          auth/disable [-np] user

          auth/expire [-np] user date

          auth/status user

          auth/convkeys [-k key] keyfile

          auth/wrkey [-k key]

     DESCRIPTION
          These administrative commands run only on the authentication
          server.  Adduser, changeuser, renameuser, removeuser,
          enable, disable, expire, and status manipulate an authenti-
          cation database file system served by keyfs(4) and used by
          file servers.  There are two authentication databases, one
          holding information about Plan 9 accounts and one holding
          SecureNet keys.  A user need not be installed in both data-
          bases but must be installed in the Plan 9 database to con-
          nect to a Plan 9 service.

          Adduser installs user in an authentication database.  User
          must not already exist in the database.  It does not install
          a user on a Plan 9 file server.

          Option -p installs user in the Plan 9 database.  Adduser
          asks twice for a password for the new user. If the responses
          do not match or the password is too easy to guess the user
          is not installed.

          Option -n installs user in the SecureNet database and prints
          out a key for the SecureNet box.  The key is chosen by

     Page 1                       Plan 9            (printed 12/22/24)

     AUTH(8)                                                   AUTH(8)

          adduser.

          If neither option -p or option -n is given, adduser installs
          the user in the Plan 9 database.

          Option -h makes user a host able to receive authenticated
          incoming network calls.  All Plan 9 CPU servers must be
          installed as users with host permission in the Plan 9
          authentication database.  This option is significant only in
          the Plan 9 database.

          Changeuser modifies information for users already installed.
          Its syntax is the same as adduser's.

          Printnetkey prints user's SecureNet key without changing it.

          Renameuser changes user's name to newname in both of the
          authentication databases.  If newname is already known in
          either database, renameuser reports an error and makes no
          change.  The options are the same as for adduser, except
          that if neither option -p nor option -n is given, the user
          is renamed in both databases.

          Removeuser deletes user from both of the authentication
          databases.  The options are the same as for renameuser.

          Enable and disable change the status of user's accounts.
          The options are the same as for renameuser.

          Expire changes the expiration date for user to date, which
          is either the string `never' or a date in the form yyyymmdd,
          where yyyy is the year, mm is the month, and dd is the day
          the account should expire.

          Both enable and expire attempt to change both the Plan 9 and
          SecureNet databases.  The options are the same as for
          renameuser.

          Status prints the status and expiration date of user's Plan
          9 and SecureNet accounts.

          Convkeys re-encrypts the key file keyfile. Re-encryption is
          performed in place.  Any file or authentication server using
          the key file must simultaneously have its key modified or it
          will be unable to decrypt keyfile. Convkeys uses the key
          stored in non-volatile RAM to decrypt the file, and encrypts
          it using the new key.  By default, convkeys prompts twice
          for the new password.  Option -k instead takes key, which
          must be DESKEYLEN bytes long.  Note that a key is not a
          password.  The format of keyfile is described in keyfs(4).

          Wrkey sets the key used by the authentication server to

     Page 2                       Plan 9            (printed 12/22/24)

     AUTH(8)                                                   AUTH(8)

          decrypt key files.  By default, it prompts twice for the
          password.  Option -k is as in convkeys. Once the key is set,
          keyfs should be restarted so it serves the correct keys.

     FILES
          The non-
               volatile RAM on the server, which stores the key used
               to decrypt key files.

     SEE ALSO
          keyfs(4), securenet(8)

     BUGS
          After changing authentication information, it is necessary
          to issue the auth command on file servers that are doing
          their own authentication.  See fs(8).

     Page 3                       Plan 9            (printed 12/22/24)