Converts a string into a server encryption key and adds it to a keytab file
Synopsis
bos addkey -server machine -kvno +_or_version_number -password string
[-principal name] [-localonly]
[{-noauth | -localauth}] [-help]
Options
-server machine
Names the server machine whose keytab file is to have a new key added to it. The BOS Server on this machine executes the command. To run this command using a privileged identity, specify the full DCE path name of the machine. To run this command using the unprivileged identity nobody (the equivalent of running the command with the -noauth option), specify the machine's host name or IP address.
-kvno +_or_version_number
Defines the key version number of the new key. The version number must be one of the following:
· An integer in the range 1 to 255. The command uses the specified integer as the version number of the new key. The integer must be unique for the principal indicated by -principal in the keytab file on the server machine specified by -server.
· + or 0 (zero). The command chooses an integer to serve as the version number of the new key. The integer it chooses is unique for the principal indicated by -principal in the Registry Database. However, it may not be unique for the indicated principal in the keytab file on the specified machine, in which case it replaces the key currently associated with the principal/version number pair in the keytab file.
Unless the -localonly option is used, the new key and its version number replace the key and version number currently stored in the Registry Database for the indicated principal.
-password string
Defines a character string to be converted into an octal string for use as the key. The string serves as a password for the indicated principal. It can include any characters; it can also include spaces if the entire string is enclosed in " " (double quotes).
-principal name
Provides the principal name with which the key is to be associated. The default is the DFS principal name of the machine specified by -server.
-localonly
Specifies that the key is to be added to the keytab file on the machine indicated by -server, but that the Registry Database is not to be updated. The default is to add the key to the local keytab file and update the Registry Database accordingly.
-noauth
Directs bos to use the unprivileged identity nobody as the identity of the issuer of the command. The command fails if you use this option and DFS authorization checking is not disabled on the machine specified by -server. If you use this option, do not use the -localauth option.
-localauth
Directs bos to use the DFS server principal name of the machine on which the command is issued as the identity of the issuer. Use this option only if the command is issued from a DFS server machine (a machine that has a DFS server principal in the local Registry Database). You must be logged into the server machine as root for this option to work. If you use this option, do not use the -noauth option.
-help
Prints the online help for this command. All other valid options specified with this option are ignored.
Description
The bos addkey command associates a new server encryption key with the principal name indicated by -principal in the /krb5/v5srvtab keytab file on the server machine specified by -server and, by default, in the Registry Database. The key is derived from the string specified by -password and is given the version number specified by -kvno. The issuer can either specify a version number or have the command choose one that is unique for the indicated principal in the Registry Database. If the -localonly option is omitted, the server encryption key and version number for the indicated principal are automatically updated both in the keytab file on the specified server machine and in the Registry Database; if the -localonly option is specified, the keytab file is updated, but the Registry Database is not.
The bos genkey command is a more secure way of adding a key to a keytab file because it generates a random key. It also always updates the Registry Database. The keytab file must already exist before the bos addkey or bos genkey command can be used to add a key to it. (Keytab files are created with the dcecp keytab create command.)
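The -kvno rules above (explicit integer in 1 to 255 that must be unique in the local keytab; + or 0 meaning "pick a number unique for the principal in the Registry Database, replacing any same-numbered local keytab entry") and the -localonly behaviour from the Description are easy to misread. The following Python model is an added example, not part of this man page or of DFS: it keeps a keytab and a Registry Database as in-memory tables (the real v5srvtab file format is not described on the page), uses a labelled stand-in for the unspecified string-to-key conversion, and the principal name hosts/fs1/dfs-server is constructed.

```python
"""Added example: models bos addkey's -kvno and -localonly rules.
Not DFS code; keytab, Registry Database and key derivation are stand-ins."""
import hashlib

KVNO_MIN, KVNO_MAX = 1, 255


def string_to_key(password: str) -> bytes:
    """Stand-in for the string-to-key conversion the page does not specify.
    Assumption: any deterministic 8-byte value is enough to model the flow."""
    return hashlib.sha256(password.encode("utf-8")).digest()[:8]


class Keytab:
    """Constructed model of the local keytab: (principal, kvno) -> key."""

    def __init__(self):
        self.entries = {}

    def has(self, principal, kvno):
        return (principal, kvno) in self.entries

    def put(self, principal, kvno, key):
        # Returns True when an existing principal/kvno pair was overwritten,
        # which is what the page says happens for "+"/0 on a stale local entry.
        replaced = self.has(principal, kvno)
        self.entries[(principal, kvno)] = key
        return replaced


class Registry:
    """Constructed model of the Registry Database: every kvno ever issued
    per principal, plus the current one."""

    def __init__(self):
        self.keys = {}      # principal -> {kvno: key}
        self.current = {}   # principal -> current kvno

    def kvnos(self, principal):
        return set(self.keys.get(principal, {}))

    def set_current(self, principal, kvno, key):
        self.keys.setdefault(principal, {})[kvno] = key
        self.current[principal] = kvno


def addkey(keytab, registry, principal, kvno, password, localonly=False):
    """Apply the page's rules. Returns (kvno used, local entry replaced?,
    registry updated?)."""
    key = string_to_key(password)
    if kvno in ("+", 0):
        # Choose a version number unique for the principal in the Registry
        # Database; it may still collide with a local keytab entry.
        used = registry.kvnos(principal)
        free = [n for n in range(KVNO_MIN, KVNO_MAX + 1) if n not in used]
        if not free:
            raise RuntimeError(f"no free key version number for {principal}")
        kvno = free[0]
    else:
        if not isinstance(kvno, int) or not KVNO_MIN <= kvno <= KVNO_MAX:
            raise ValueError("kvno must be an integer in 1..255, '+' or 0")
        # An explicit integer must be unique in the keytab on the server.
        if keytab.has(principal, kvno):
            raise ValueError(
                f"kvno {kvno} already exists for {principal} in the local keytab")
    replaced = keytab.put(principal, kvno, key)
    updated = False
    if not localonly:
        # Without -localonly the Registry Database takes the new key/kvno too.
        registry.set_current(principal, kvno, key)
        updated = True
    return kvno, replaced, updated


if __name__ == "__main__":
    kt, rg = Keytab(), Registry()
    p = "hosts/fs1/dfs-server"   # constructed principal name
    print(addkey(kt, rg, p, 14, "fourteenth new key", localonly=True))
    rg.set_current(p, 1, b"old")
    print(addkey(kt, rg, p, "+", "rotated key"))
```

Running the script shows the first call landing only in the keytab (registry untouched), while the second picks the lowest kvno the registry has not issued and writes it to both tables.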
Privilege Required
You must be listed in the admin.bos file on the machine specified by -server, and, unless the -localonly option is used, the DFS server principal of the machine specified by -server must have the permissions necessary to alter entries in the Registry Database.
Output
If the packet privacy protection level is not available to you, the command displays the following message reporting that the BOS Server is using the packet integrity protection level instead:
Data encryption unsupported by RPC. Continuing without it.
Examples
The following command adds a new server encryption key with key version number 14 to the keytab file on fs1 without updating the Registry Database. Because -principal is omitted, the key is associated with the DFS principal name of fs1 (the machine specified with -server). The password string "fourteenth new key" is converted into an octal key before being placed in the keytab file.
$ bos addk /.../abc.com/hosts/fs1 14 "fourteenth new key" -localonly
Related Information
Commands: bos gckeys(8dfs)
keytab(8dce) (See OSF DCE Command Reference.)
Files: v5srvtab(5sec) (See OSF DCE Command Reference.)