glenda.party
term% ls -F
term% pwd
$home/manuals/9front/8/auth
term% cat index.txt
AUTH(8)                     System Manager's Manual                    AUTH(8)



NAME
       changeuser,  convkeys, convkeys2, printnetkey, status, enable, disable,
       authsrv, guard.srv, debug, wrkey, login, newns, none, as - maintain  or
       query authentication databases

SYNOPSIS
       auth/changeuser [-np] user

       auth/convkeys [-p] keyfile

       auth/convkeys2 [-p] keyfile

       auth/printnetkey user

       auth/status user

       auth/enable user

       auth/disable user

       auth/authsrv

       auth/guard.srv

       auth/debug

       auth/wrkey

       auth/login [ -a authdom ] user

       auth/newns [ -ad ] [ -n namespace ] command arg ...

       auth/none [ -n namespace ] command arg ...

       auth/as user command

DESCRIPTION
       These  administrative  commands  run only on the authentication server.
       Changeuser manipulates an authentication database file system served by
       keyfs(4)  and used by file servers.  There are two authentication data‐
       bases, one holding information about Plan 9 accounts  and  one  holding
       SecureNet  keys.   A  user  need not be installed in both databases but
       must be installed in the Plan 9 database to connect to a  Plan  9  ser‐
       vice.

       Changeuser  installs or changes user in an authentication database.  It
       does not install a user on a Plan 9 file server; see fs(8) for that.

       Option -p installs user in the Plan 9 database.  Changeuser asks  twice
       for  a password for the new user.  If the responses do not match or the
       password is too easy to guess the user is  not  installed.   Changeuser
       also  asks  for  an  APOP  secret.   This  secret  is  used in the APOP
       (RFC1939), CRAM (RFC2195), and Microsoft  challenge/response  protocols
       used for POP3, IMAP, and VPN access.

       Option  -n installs user in the SecureNet database and prints out a key
       for the SecureNet box.  The key is chosen by changeuser.

       If neither option -p or option -n is  given,  changeuser  installs  the
       user in the Plan 9 database.

       Changeuser  prompts for biographical information such as email address,
       user name, sponsor and department number and appends  it  to  the  file
       /adm/netkeys.who or /adm/keys.who.

       Convkeys  re-encrypts the key file keyfile.  Re-encryption is performed
       in place.  Without the -p option convkeys uses the key stored in  NVRAM
       to  decrypt  the  file, and encrypts it using the new key.  By default,
       convkeys prompts twice for the new password.  The -p forces convkeys to
       also  prompt  for the old password.  The format of keyfile is described
       in keyfs(4).

       The format of the key file changed between Release 2 and 3 of  Plan  9.
       Convkeys2  is like convkeys.  However, in addition to rekeying, it con‐
       verts from the previous format to the Release 3 format.

       Printnetkey displays the network key as it should be entered  into  the
       hand-held Securenet box.

       Status  is a shell script that prints out everything known about a user
       and the user's key status.

       Enable/disable are shell scripts that enable/disable both  the  Plan  9
       and Netkey keys for individual users.

       Authsrv  is  the  program,  run only on the authentication server, that
       handles ticket requests on TCP port 567.  It is started by an  incoming
       call to the server requesting a conversation ticket; its standard input
       and output are the network connection.  Authsrv executes the  authenti‐
       cation  server's  end of the appropriate protocol as described in auth‐
       srv(6).

       Guard.srv is similar.  It is called whenever a foreign (e.g. Unix) sys‐
       tem wants to do a SecureNet challenge/response authentication.

   Anywhere commands
       The remaining commands need not be run on an authentication server.

       Debug  attempts  to authenticate using each p9sk1 key found in factotum
       and prints progress reports.

       Wrkey prompts for a machine key, host owner, and host domain and stores
       them in local non-volatile RAM.

       Login allows a user to change his authenticated id to user.  Login sets
       up a new namespace from /lib/namespace, starts a factotum(4) under  the
       new id and execs rc(1) under the new id.

       Newns  sets  up a new namespace from namespace (default /lib/namespace)
       and execs its arguments.  If there are no arguments, it execs  /bin/rc.
       Under -a, newns adds to the current namespace instead of constructing a
       new one.  The -d option enables debugging output.

       None sets up a new namespace from namespace (default /lib/namespace) as
       the  user  none and execs its arguments under the new id.  If there are
       no arguments, it execs /bin/rc.  It's an easy way to run a  command  as
       none.

       As  executes command as user.  Command is a single argument to rc, con‐
       taining an arbitrary rc command.  This only works for the hostowner and
       only if still exists.

FILES
       /lib/ndb/auth
              Speaksfor relationships and mappings for RADIUS server id's.

       /adm/keys.who
              List of users in the Plan 9 database.

       /adm/netkeys.who
              List of users in the SecureNet database.

       /sys/lib/httppasswords
              List of realms and passwords for HTTP access.

SOURCE
       /sys/src/cmd/auth

SEE ALSO
       passwd(1), readnvram in authsrv(2), keyfs(4), securenet(8)

BUGS
       Only CPU kernels permit changing userid.



                                                                       AUTH(8)