The KeyFile file defines the server encryption keys that the AFS server
processes running on the machine use to decrypt the tickets presented by
clients during the mutual authentication process. AFS server processes
perform privileged actions only for clients that possess a ticket
encrypted with one of the keys from the file. The file must reside in the
/etc/openafs/server directory on every server machine. For more detailed
information on mutual authentication and server encryption keys, see the
IBMAFS Administration Guide.
Each key has a corresponding a key version number that distinguishes it
from the other keys. The tickets that clients present are also marked with
a key version number to tell the server process which key to use to
decrypt it. The KeyFile file must always include a key with the same
key version number and contents as the key currently listed for the "afs"
entry in the Authentication Database.
The KeyFile file is in binary format, so always use the appropriate
commands from the bos command suite to administer it:
The bos addkey command to define a new key.
The bos listkeys command to display the keys.
The bos removekey command to remove a key from the file.
In cells that use the Update Server to distribute the contents of the
/etc/openafs/server directory, it is customary to edit only the copy of the
file stored on the system control machine. Otherwise, edit the file on
each server machine individually.
This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.