glenda.party
term% ls -F
term% cat index.txt
AUTH(8)                     System Manager's Manual                    AUTH(8)



NAME
       changeuser,  convkeys, convkeys2, printnetkey, status, enable, disable,
       authsrv, guard.srv, debug, wrkey, login, newns, none, as - maintain  or
       query authentication databases

SYNOPSIS
       auth/changeuser [-np] user

       auth/convkeys [-p] keyfile

       auth/convkeys2 [-p] keyfile

       auth/printnetkey user

       auth/status user

       auth/enable user

       auth/disable user

       auth/authsrv

       auth/guard.srv

       auth/debug

       auth/wrkey

       auth/login user

       auth/newns [ -ad ] [ -n namespace ] command arg ...

       auth/none [ -n namespace ] command arg ...

       auth/as user command

DESCRIPTION
       These  administrative  commands  run only on the authentication server.
       Changeuser manipulates an authentication database file system served by
       keyfs(4)  and used by file servers.  There are two authentication data‐
       bases, one holding information about Plan 9 accounts  and  one  holding
       SecureNet  keys.   A  user  need not be installed in both databases but
       must be installed in the Plan 9 database to connect to a  Plan  9  ser‐
       vice.

       Changeuser  installs or changes user in an authentication database.  It
       does not install a user on a Plan 9 file server; see fossilcons(8)  for
       that.

       Option  -p installs user in the Plan 9 database.  Changeuser asks twice
       for a password for the new user.  If the responses do not match or  the
       password  is  too  easy to guess the user is not installed.  Changeuser
       also asks for an  APOP  secret.   This  secret  is  used  in  the  APOP
       (RFC1939),  CRAM  (RFC2195), and Microsoft challenge/response protocols
       used for POP3, IMAP, and VPN access.

       Option -n installs user in the SecureNet database and prints out a  key
       for the SecureNet box.  The key is chosen by changeuser.

       If  neither  option  -p  or option -n is given, changeuser installs the
       user in the Plan 9 database.

       Changeuser prompts for biographical information such as email  address,
       user  name,  sponsor  and  department number and appends it to the file
       /adm/netkeys.who or /adm/keys.who.

       Convkeys re-encrypts the key file keyfile.  Re-encryption is  performed
       in  place.  Without the -p option convkeys uses the key stored in NVRAM
       to decrypt the file, and encrypts it using the new  key.   By  default,
       convkeys prompts twice for the new password.  The -p forces convkeys to
       also prompt for the old password.  The format of keyfile  is  described
       in keyfs(4).

       The  format  of the key file changed between Release 2 and 3 of Plan 9.
       Convkeys2 is like convkeys.  However, in addition to rekeying, it  con‐
       verts from the previous format to the Release 3 format.

       Printnetkey  displays  the network key as it should be entered into the
       hand-held Securenet box.

       Status is a shell script that prints out everything known about a  user
       and the user's key status.

       Enable/disable  are  shell  scripts that enable/disable both the Plan 9
       and Netkey keys for individual users.

       Authsrv is the program, run only on  the  authentication  server,  that
       handles  ticket requests on TCP port 567.  It is started by an incoming
       call to the server requesting a conversation ticket; its standard input
       and  output are the network connection.  Authsrv executes the authenti‐
       cation server's end of the appropriate protocol as described  in  auth‐
       srv(6).

       Guard.srv is similar.  It is called whenever a foreign (e.g. Unix) sys‐
       tem wants to do a SecureNet challenge/response authentication.

   Anywhere commands
       The remaining commands need not be run on an authentication server.

       Debug attempts to authenticate using each p9sk1 key found  in  factotum
       and prints progress reports.

       Wrkey prompts for a machine key, host owner, and host domain and stores
       them in local non-volatile RAM.

       Login allows a user to change his authenticated id to user.  Login sets
       up  a new namespace from /lib/namespace, starts a factotum(4) under the
       new id and execs rc(1) under the new id.

       Newns sets up a new namespace from namespace  (default  /lib/namespace)
       and  execs its arguments.  If there are no arguments, it execs /bin/rc.
       Under -a, newns adds to the current namespace instead of constructing a
       new one.  The -d option enables debugging output.

       None sets up a new namespace from namespace (default /lib/namespace) as
       the user none and execs its arguments under the new id.  If  there  are
       no  arguments,  it execs /bin/rc.  It's an easy way to run a command as
       none.

       As executes command as user.  Command is a single argument to rc,  con‐
       taining an arbitrary rc command.  This only works for the hostowner and
       only if still exists.

FILES
       /lib/ndb/auth
              Speaksfor relationships and mappings for RADIUS server id's.

       /adm/keys.who
              List of users in the Plan 9 database.

       /adm/netkeys.who
              List of users in the SecureNet database.

       /sys/lib/httppasswords
              List of realms and passwords for HTTP access.

SOURCE
       /sys/src/cmd/auth

SEE ALSO
       passwd(1), readnvram in authsrv(2), keyfs(4), securenet(8)

BUGS
       Only CPU kernels permit changing userid.

       Ensure that keyfs is not running when you run convkeys or convkeys2.

       Login has the string embedded in it.  You'll want  to  change  that  to
       your local domain (or fix login).



                                                                       AUTH(8)