Generates a random key and adds it to a keytab file
Synopsis
bos genkey -server machine -kvno +_or_version_number [-principal name]
[{-noauth | -localauth}] [-help]
Options
-server machine
Names the server machine whose keytab file is to have a new key added to it. The BOS Server on this machine executes the command. To run this command
using a privileged identity, specify the full DCE path name of the machine. To run this command using the unprivileged identity nobody (the equivalent of running the command with the
-noauth option), specify the machine's host name or IP address.
-kvno +_or_version_number
Defines the key version number of the new key. The version number must be one of the following:
· An integer in the range 1 to 255. The command uses the specified integer as the version number of the new key. The integer must be unique for the principal indicated by -principal in the keytab file on the server machine specified by -server.
· + or 0 (zero). The command chooses an integer to serve as the version number of the new key. The integer it chooses is unique for the principal indicated by -principal in the Registry Database. However, it may not be unique for the indicated principal in the keytab file on the specified machine, in which case it replaces the key currently associated with the principal/version number pair in the keytab file.
The new key and its version number always replace the key and version number currently stored in the Registry Database for the indicated principal.
-principal name
Provides the principal name with which the key is to be associated. The default is the DFS principal name of the machine specified by -server.
-noauth
Directs bos to use the unprivileged identity nobody as the identity of the issuer of the command. The command fails if you use this option and DFS
authorization checking is not disabled on the machine specified by -server. If you use this option, do not use the -localauth option.
-localauth
Directs bos to use the DFS server principal name of the machine on which the command is issued as the identity of the issuer. Use this option only if the
command is issued from a DFS server machine (a machine that has a DFS server principal in the local Registry Database). You must be logged into the server machine as root for this option to
work. If you use this option, do not use the -noauth option.
-help
Prints the online help for this command. All other valid options specified with this option are ignored.
Description
The bos genkey command associates a new server encryption key with the principal name indicated by -principal in the /krb5/v5srvtab keytab
file on the server machine specified by -server and in the Registry Database. The command generates a random key and assigns it the version number indicated by -kvno. The issuer
can either specify a version number or have the command choose one that is unique for the indicated principal in the Registry Database. The server encryption key and version number for the specified
principal are automatically updated both in the keytab file on the specified server machine and in the Registry Database.
The bos addkey command can also be used to add a key to a keytab file with or without updating the Registry Database. However, it is less secure because the issuer must specify a string to be converted into the server encryption key. The keytab file must already exist before the bos genkey or bos addkey command can be used to add a key to it. (Keytab files are created with the dcecp keytab create command.)
Privilege Required
You must be listed in the admin.bos file on the machine specified by -server, and the DFS server principal of the machine specified by
-server must have the permissions necessary to alter entries in the Registry Database.
Output
If the packet privacy protection level is not available to you, the command displays the following message reporting that the BOS Server is using the packet integrity
protection level instead:
Data encryption unsupported by RPC. Continuing without it.
Examples
The following command generates a new server encryption key with key version number 14 and adds it to the keytab file on fs1. Because
-principal is omitted, the key is associated with the DFS principal name of fs1 (the machine specified with -server). The Registry Database is updated automatically.
$ bos genkey /.../abc.com/hosts/fs1 14
Related Information
Commands: bos addkey(8dfs)
keytab(8dce) (See OSF DCE Command Reference.)
Files: v5srvtab(5sec) (See OSF DCE Command Reference.)