bos rmkey(8dfs)

Removes server encryption keys from a keytab file

Synopsis

bos rmkey -server machine -kvno version_number... [-principal name]
[{-noauth | -localauth}] [-help]

Options

-server machine
Names the server machine whose keytab file is to have keys removed from it. The BOS Server on this machine executes the command. To run this command using a privileged identity, specify the full DCE path name of the machine. To run this command using the unprivileged identity nobody (the equivalent of running the command with the -noauth option), specify the machine's host name or IP address.

-kvno version_number
Specifies the key version number of each key to be removed from the keytab file. The command removes each key that is associated with a specified key version number and the principal indicated by -principal. Each version number must be an integer in the range 1 to 255.

-principal name
Provides the principal name associated with the keys to be removed from the keytab file. The default is the DFS principal name of the machine specified by -server.

-noauth
Directs bos to use the unprivileged identity nobody as the identity of the issuer of the command. The command fails if you use this option and DFS authorization checking is not disabled on the machine specified by -server. If you use this option, do not use the -localauth option.

-localauth
Directs bos to use the DFS server principal name of the machine on which the command is issued as the identity of the issuer. Use this option only if the command is issued from a DFS server machine (a machine that has a DFS server principal in the local Registry Database). You must be logged into the server machine as root for this option to work. If you use this option, do not use the -noauth option.

-help
Prints the online help for this command. All other valid options specified with this option are ignored.

Description
The bos rmkey command removes server encryption keys from the /krb5/v5srvtab keytab file on the server machine specified by -server. It removes each key associated with a key version number indicated by -kvno and the principal indicated by -principal. The command has no effect on the Registry Database. Once a key is removed from the keytab file, it can no longer be used to establish communication between clients and the server to which it applied.

Privilege Required
The issuer must be listed in the admin.bos file on the machine specified by -server.

Output
If the packet privacy protection level is not available to you, the command displays the following message reporting that the BOS Server is using the packet integrity protection level instead:

Data encryption unsupported by RPC. Continuing without it.

Examples
The following command removes two keys from the keytab file on fs1: the keys with key version numbers 5 and 6 that are associated with the DFS principal name of fs1.

$ bos rmk /.../abc.com/hosts/fs1 -kvno 5 6
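
The constraints described above (key version numbers from 1 to 255, -noauth and -localauth not used together, and a host name or IP address for -server selecting the unprivileged identity nobody) can be checked before the command is issued. The following shell function is an added example, not part of the DFS distribution; rmkey_preflight is a hypothetical name, and the test for a full DCE path name (a leading /.../ or /.:/) and the refusal of a bare host name without an explicit identity option are assumptions of this example.

```shell
# Added example: validates a bos rmkey argument list and prints the command line.
# It never runs bos. Usage: rmkey_preflight <arguments you would give to bos rmkey>
rmkey_preflight() {
    server="" principal="" auth="" kvnos="" mode=server
    while [ $# -gt 0 ]; do
        case "$1" in
            -server)    mode=server ;;
            -kvno)      mode=kvno ;;
            -principal) mode=principal ;;
            -noauth|-localauth)
                # The page says not to combine the two identity options.
                [ -z "$auth" ] || { echo "use only one of -noauth, -localauth" >&2; return 2; }
                auth=$1 mode="" ;;
            -*) echo "unknown option: $1" >&2; return 2 ;;
            *)
                case "$mode" in
                    server)    server=$1 mode="" ;;
                    principal) principal=$1 mode="" ;;
                    kvno)
                        # Each key version number must be an integer from 1 to 255.
                        case "$1" in ''|*[!0-9]*) echo "bad kvno: $1" >&2; return 3 ;; esac
                        [ "$1" -ge 1 ] && [ "$1" -le 255 ] ||
                            { echo "kvno out of range: $1" >&2; return 3; }
                        kvnos="$kvnos $1" ;;
                    *) echo "unexpected argument: $1" >&2; return 2 ;;
                esac ;;
        esac
        shift
    done
    [ -n "$server" ] && [ -n "$kvnos" ] ||
        { echo "-server and -kvno are required" >&2; return 2; }
    # Assumption: a full DCE path name begins with /.../ or /.:/. Any other form
    # (host name, IP address) makes bos act as nobody, so require an explicit
    # identity option before accepting it (wrapper policy, not bos behaviour).
    case "$server" in
        /.../*|/.:/*) ;;
        *) [ -n "$auth" ] ||
               { echo "'$server' is not a DCE path name: would run as nobody" >&2; return 4; } ;;
    esac
    echo "bos rmkey -server $server -kvno$kvnos${principal:+ -principal $principal}${auth:+ $auth}"
}
```

The function returns 0 and prints the command line when the arguments pass, 2 for a usage error, 3 for an invalid key version number, and 4 when a host name would silently select the identity nobody.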

Related Information
Commands: bos addkey(8dfs), bos gckeys(8dfs), bos genkey(8dfs), bos lskeys(8dfs), keytab(8dce) (See OSF DCE Command Reference.)

Files: v5srvtab(5sec) (See OSF DCE Command Reference.)