bos lskeys(8dfs)

Displays server encryption key information from a keytab file

Synopsis

bos lskeys -server machine [-principal name] [{-noauth | -localauth}] [-help]

Options

-server machine
Names the server machine whose keytab file is to have keys listed. The BOS Server on this machine executes the command. To run this command using a privileged identity, specify the full DCE path name of the machine. To run this command using the unprivileged identity nobody (the equivalent of running the command with the -noauth option), specify the machine's host name or IP address.

-principal name
Provides the principal name for which associated keys are to be listed. The default is the DFS principal name of the machine specified by -server.

-noauth
Directs bos to use the unprivileged identity nobody as the identity of the issuer of the command. The command fails if you use this option and DFS authorization checking is not disabled on the machine specified by -server. If you use this option, do not use the -localauth option.

-localauth
Directs bos to use the DFS server principal name of the machine on which the command is issued as the identity of the issuer. Use this option only if the command is issued from a DFS server machine (a machine that has a DFS server principal in the local Registry Database). You must be logged into the server machine as root for this option to work. If you use this option, do not use the -noauth option.

-help
Prints the online help for this command. All other valid options specified with this option are ignored.

Description
The bos lskeys command formats and displays information about server encryption keys kept in the /krb5/v5srvtab keytab file on the server machine specified by -server. It displays information for keys associated with the principal name indicated by -principal; the DFS principal name of the server machine specified with -server is used by default.

DFS authorization checking must be disabled on the machine specified with -server to display the string of octal numbers that compose the key (use the bos setauth command to disable DFS authorization checking). Disabling DFS authorization checking is required for two reasons. First, it implies that only someone authorized to issue the bos setauth command or someone with root access to -server's local disk (presumably a system administrator) is able to see actual encryption keys. Second, it makes it clear that the system is in a compromised state of security while server encryption keys are being examined (both turning off DFS authorization checking and displaying keys on a screen are serious security risks).

If DFS authorization checking is enabled on -server (the normal case), a checksum appears in place of the octal numbers. A checksum is a decimal number derived by encrypting a constant with each key.

Privilege Required
If DFS authorization checking is enabled, you must be listed in the admin.bos file on the machine specified by -server; checksums are displayed instead of the actual keys. Because DFS authorization checking must be disabled with the bos setauth command before the actual keys (rather than just checksums) can be displayed, no privilege is required to see the keys. However, you must be listed in the admin.bos file on a machine to use the bos setauth command to disable DFS authorization checking on it.

Output
The bos lskeys command displays one line for each server encryption key associated with -principal in the keytab file on the machine specified by -server. Each key is identified by its key version number. If DFS authorization checking is enabled on the machine, a checksum is displayed with each version number; if checking is disabled, the octal numbers that comprise the key are displayed.

A line specifying when the key in the Registry Database (at the Registry Server) was last changed follows the list of keys or checksums. The words All done indicate the end of the output.

If the packet privacy protection level is not available to you, the command displays the following message reporting that the BOS Server is using the packet integrity protection level instead:

Data encryption unsupported by RPC. Continuing without it.

Examples
The following command shows the checksums for the keys associated with the principal name of fs3 in the keytab file on that machine. The checksums appear instead of the actual keys because DFS authorization checking is not disabled.

    $ bos lsk /.../abc.com/hosts/fs3
    key 1 has cksum 972037177
    key 3 has cksum 282517022
    key 4 has cksum 260617746
    Keys last changed (at the registry server) on Thu Jun 6 11:24:46 1991.
    All done.

The following command lists the keys associated with fs3 after DFS authorization checking is disabled with the bos setauth command:

    $ bos setauth /.../abc.com/hosts/fs3 off
    $ bos lsk /.../abc.com/hosts/fs3
    key 1 is `\040\205\211\241\345\002\023\211'
    key 2 is `\343\315\307\227\255\320\135\244'
    key 3 is `\310\310\255\253\265\236\261\211'
    Keys last changed (at the registry server) on Thu Jun 6 11:24:46 1991.
    All done.
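As an added example (not part of the original reference page), the following Python parser reads both output forms described above, using the two listings on this page as constructed input. It decodes the octal-escaped key form into raw bytes and sets keys_exposed, the audit signal that DFS authorization checking was off on that server when the listing was taken:

```python
import re
from datetime import datetime

# Constructed samples: the two listings on this page, as the BOS Server prints them.
SAMPLE_CHECKSUMS = """
key 1 has cksum 972037177
key 3 has cksum 282517022
key 4 has cksum 260617746
Keys last changed (at the registry server) on Thu Jun 6 11:24:46 1991.
All done.
"""
SAMPLE_EXPOSED = r"""
key 1 is `\040\205\211\241\345\002\023\211'
key 2 is `\343\315\307\227\255\320\135\244'
key 3 is `\310\310\255\253\265\236\261\211'
Keys last changed (at the registry server) on Thu Jun 6 11:24:46 1991.
All done.
"""

CKSUM_RE = re.compile(r"^key (\d+) has cksum (\d+)$")
RAW_RE = re.compile(r"^key (\d+) is `((?:\\[0-7]{3})+)'$")
CHANGED_RE = re.compile(r"^Keys last changed \(at the registry server\) on (.+)\.$")

def decode_octal_key(escaped):
    """Turn the quoted `\\ooo\\ooo...' form into raw key bytes, one octet per escape."""
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", escaped))

def parse_lskeys(text):
    """Parse one listing. keys_exposed=True means raw keys (not checksums) were
    printed, i.e. DFS authorization checking is off on that server: an audit finding."""
    keys, changed, done, exposed = {}, None, False, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Data encryption unsupported by RPC"):
            continue  # blank line, or the packet-integrity fallback notice
        if m := CKSUM_RE.match(line):
            keys[int(m.group(1))] = {"cksum": int(m.group(2))}
        elif m := RAW_RE.match(line):
            keys[int(m.group(1))] = {"key": decode_octal_key(m.group(2))}
            exposed = True
        elif m := CHANGED_RE.match(line):
            changed = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        elif line == "All done.":
            done = True
        else:
            raise ValueError(f"unrecognised lskeys line: {line!r}")
    if not done:
        raise ValueError("truncated listing: no 'All done.' marker")
    return {"keys": keys, "last_changed": changed, "keys_exposed": exposed}
```

A listing that parses with keys_exposed set is a reminder to re-enable checking with bos setauth once the keys have been examined.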

Related Information
Commands: bos addkey(8dfs)
          bos gckeys(8dfs)
          bos genkey(8dfs)
          bos rmkey(8dfs)
          bos setauth(8dfs)
          keytab(8dce) (See OSF DCE Command Reference.)

Files: v5srvtab(5sec) (See OSF DCE Command Reference.)