Displaying Server Encryption Keys

To display the server encryption keys in the /usr/afs/etc/KeyFile file on any file server machine, use the bos listkeys command. Use the kas examine command to display the key in the Authentication Database's afs entry.

By default the commands do not display the actual string of octal digits that constitute a key, but rather a checksum, a decimal number derived by encrypting a constant with the key. This prevents unauthorized users from easily accessing the actual key, which they can then use to falsify or eavesdrop on protected communications. The bos listkeys and kas examine commands generate the same checksum for a given key, so displaying checksums rather than actual keys is generally sufficient. If you suspect that the keys differ in a way that the checksums are not revealing, then you are probably experiencing authentication problems throughout your cell. The easiest solution is to create a new server encryption key following the instructions in Adding Server Encryption Keys or Handling Server Encryption Key Emergencies. Another common reason to issue the bos listkeys command is to display the key version numbers currently in use, in preparation for choosing the next one; here, the checksum is sufficient because the key itself is irrelevant.

If it is important to display the actual octal digits, include the -showkey argument with the bos listkeys or kas examine command.

To display the KeyFile file

  1. Verify that you are authenticated as a user listed in the /usr/afs/etc/UserList file. If necessary, issue the bos listusers command, which is fully described in To display the users in the UserList file.

       % bos listusers <machine name>

  2. Issue the bos listkeys command to display the contents of one machine's /usr/afs/etc/KeyFile file.

       % bos listkeys <machine name> [-showkey]

    where

    listk

    Is the shortest acceptable abbreviation of listkeys.

    machine name

    Names a file server machine. In the normal case, it is acceptable to name any machine, because correct cell functioning requires that the KeyFile file be the same on all of them.

    -showkey

    Displays the octal digits that constitute each key.

In the following example, the output displays a checksum for each server encryption key rather than the actual octal digits. The penultimate line indicates when an administrator last changed the file, and the final line confirms that the output is complete.

   % bos listkeys fs1.example.com
   key 0 has cksum 972037177
   key 1 has cksum 2825165022
   Keys last changed on Wed Jan 13 11:20:29 1999.
   All done.

To display the afs key from the Authentication Database

  1. Issue the kas examine command to display the afs entry in the Authentication Database.

    The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which may not correspond to an AFS-privileged administrator. Include the -admin argument to name an identity that has the ADMIN flag on its Authentication Database entry. To verify that an entry has the flag, issue the kas examine command as described in To check if the ADMIN flag is set.

       % kas examine afs [-showkey] \
                     -admin <admin principal to use for authentication>
       Administrator's (admin_user) password: <admin_password>


    where

    e

    Is the shortest acceptable abbreviation of examine.

    afs

    Designates the afs entry.

    -showkey

    Displays the octal digits that constitute the key.

    -admin

    Names an administrative account with the ADMIN flag on its Authentication Database entry, such as admin. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.

In the following example, the admin user displays the afs entry without using the -showkey flag. The second line shows the key version number in parentheses and the key's checksum. The line that begins with the string last mod reports the date on which the indicated administrator changed the key. There is no necessary relationship between this date and the date reported by the bos listkeys command, because the latter date changes for any type of change to the KeyFile file, not just a key addition. For a description of the other lines in the output from the kas examine command, see its reference page in the OpenAFS Administration Reference.

   % kas examine afs  -admin admin
   Administrator's (admin) password: <admin_password>
   User data for afs
    key (1) cksum is 2825165022, last cpw: no date
    password will never expire.
    An unlimited number of unsuccessful authentications is permitted.
    entry expires on never. Max ticket lifetime 100.00 hours.
    last mod on Wed Jan 13 11:21:36 1999 by admin
    permit password reuse
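The two procedures above produce checksums that are meant to agree for a given key version number. The following added example (not part of the OpenAFS documentation or distribution) parses bos listkeys output captured from several file servers and the kas examine output for the afs entry, and reports any server whose KeyFile does not carry the Authentication Database's key version number with the same checksum. The server names and checksum values are constructed for the example; the fs2 value is deliberately different to show a mismatch.

```python
import re

# Constructed sample output in the formats shown above for two file servers
# and for the Authentication Database afs entry (values invented for the example).
BOS_OUTPUT = {
    "fs1.example.com": """key 0 has cksum 972037177
key 1 has cksum 2825165022
Keys last changed on Wed Jan 13 11:20:29 1999.
All done.
""",
    "fs2.example.com": """key 0 has cksum 972037177
key 1 has cksum 1111111111
All done.
""",
}
KAS_OUTPUT = """User data for afs
 key (1) cksum is 2825165022, last cpw: no date
 password will never expire.
"""

BOS_KEY = re.compile(r"^key (\d+) has cksum (\d+)$")
KAS_KEY = re.compile(r"^\s*key \((\d+)\) cksum is (\d+),")

def parse_bos_listkeys(text):
    """Return {kvno: checksum} from 'bos listkeys' output (without -showkey)."""
    keys = {}
    for line in text.splitlines():
        m = BOS_KEY.match(line.strip())
        if m:
            keys[int(m.group(1))] = int(m.group(2))
    return keys

def parse_kas_examine(text):
    """Return (kvno, checksum) for the afs entry from 'kas examine' output."""
    for line in text.splitlines():
        m = KAS_KEY.match(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError("no key line found in kas examine output")

def find_mismatches(bos_outputs, kas_output):
    """List servers whose KeyFile lacks the Authentication Database's key
    version number or holds a different checksum under that number."""
    kvno, cksum = parse_kas_examine(kas_output)
    bad = []
    for server, out in bos_outputs.items():
        if parse_bos_listkeys(out).get(kvno) != cksum:
            bad.append(server)
    return sorted(bad)
```

A non-empty result is the symptom the text describes as cell-wide authentication problems, and the remedy is to add a new key as described in Adding Server Encryption Keys.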