Removes obsolete server encryption keys from a keytab file
Synopsis
bos gckeys -server machine [-principal name] [{-noauth | -localauth}] [-help]
Options
-server machine
Names the server machine whose keytab file is to have obsolete keys removed from it. The BOS Server on this machine executes the command. To run this
command using a privileged identity, specify the full DCE path name of the machine. To run this command using the unprivileged identity nobody (the equivalent of running the command with
the -noauth option), specify the machine's host name or IP address.
-principal name
Provides the principal name for which obsolete keys are to be removed from the keytab file. The default is the DFS principal name of the machine
specified by -server.
-noauth
Directs bos to use the unprivileged identity nobody as the identity of the issuer of the command. The command fails if you use this option and DFS
authorization checking is not disabled on the machine specified by -server. If you use this option, do not use the -localauth option.
-localauth
Directs bos to use the DFS server principal name of the machine on which the command is issued as the identity of the issuer. Use this option only if the
command is issued from a DFS server machine (a machine that has a DFS server principal in the local Registry Database). You must be logged into the server machine as root for this option to
work. If you use this option, do not use the -noauth option.
-help
Prints the online help for this command. All other valid options specified with this option are ignored.
Description
The bos gckeys command removes obsolete server encryption keys from the /krb5/v5srvtab keytab file on the server machine specified by
-server. Obsolete keys associated only with the principal name specified by -principal are removed from the keytab file; the DFS principal name of the server machine specified with
-server is used by default.
Keys are removed based on age and lack of use. The removal process, referred to as garbage collection, affects only the keytab file stored on the local disk of the machine indicated by -server; it has no effect on the Registry Database.
Privilege Required
You must be listed in the admin.bos file on the machine specified by -server.
Output
If the packet privacy protection level is not available to you, the command displays the following message reporting that the BOS Server is using the packet integrity
protection level instead:
Data encryption unsupported by RPC. Continuing without it.
Examples
The following command removes obsolete keys associated with the principal hosts/fs1/dfs-server from the keytab file on the server machine named
/.../abc.com/hosts/fs3. Note that the keys being removed are associated with the principal name of a machine different from the one whose BOS Server is executing the command.
$ bos gckeys /.../abc.com/hosts/fs3 hosts/fs1/dfs-server
Related Information
Commands: bos addkey(8dfs)
keytab(8dce) (See OSF DCE Command Reference.)
Files: v5srvtab(5sec) (See OSF DCE Command Reference.)