[hcoop/debian/openafs.git] / doc / man-pages / pod8 / bos_removekey.pod

=head1 NAME

bos_removekey - Removes a server encryption key from the KeyFile file

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<bos removekey> S<<< B<-server> <I<machine name>> >>>
    S<<< B<-kvno> <I<key version number>>+ >>> S<<< [B<-cell> <I<cell name>>] >>>
    [B<-noauth>] [B<-localauth>] [B<-help>]

B<bos removek> S<<< B<-s> <I<machine name>> >>> S<<< B<-k> <I<key version number>>+ >>>
    S<<< [B<-c> <I<cell name>>] >>> [B<-n>] [B<-l>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<bos removekey> command removes each specified encryption key from
the F</usr/afs/etc/KeyFile> file on the machine named by the B<-server>
argument. Use the B<-kvno> argument to identify each key by its key
version number; use the B<bos listkeys> command to display the key version
numbers.

=head1 CAUTIONS

Before removing a obsolete key, verify that the cell's maximum ticket
lifetime has passed since the current key was defined using the B<kas
setpassword> and B<bos addkey> commands. This ensures that no clients
still possess tickets encrypted with the obsolete key.

This command can only remove keys from the F</usr/afs/etc/KeyFile> file;
the F</usr/afs/etc/KeyFileExt> cannot be modified by this command.

=head1 OPTIONS

=over 4

=item B<-server> <I<machine name>>

Indicates the server machine on which to change the
F</usr/afs/etc/KeyFile> file. Identify the machine by IP address or its
host name (either fully-qualified or abbreviated unambiguously). For
details, see L<bos(8)>.

In cells that use the Update Server to distribute the contents of the
F</usr/afs/etc> directory, it is conventional to specify only the system
control machine as a value for the B<-server> argument. Otherwise, repeat
the command for each file server machine. For further discussion, see
L<bos(8)>.

=item B<-kvno> <I<key version number>>+

Specifies the key version number of each key to remove.

=item B<-cell> <I<cell name>>

Names the cell in which to run the command. Do not combine this argument
with the B<-localauth> flag. For more details, see L<bos(8)>.

=item B<-noauth>

Assigns the unprivileged identity C<anonymous> to the issuer. Do not
combine this flag with the B<-localauth> flag. For more details, see
L<bos(8)>.

=item B<-localauth>

Constructs a server ticket using a key from the local
F</usr/afs/etc/KeyFile> or F</usr/afs/etc/KeyFileExt> file.
The B<bos> command interpreter presents the
ticket to the BOS Server during mutual authentication. Do not combine this
flag with the B<-cell> or B<-noauth> options. For more details, see
L<bos(8)>.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 EXAMPLES

The following command removes the keys with key version numbers 5 and 6
from the F<KeyFile> file on the system control machine C<fs1.example.com>.

   % bos removekey -server fs1.example.com -kvno 5 6

=head1 PRIVILEGE REQUIRED

The issuer must be listed in the F</usr/afs/etc/UserList> file on the
machine named by the B<-server> argument, or must be logged onto a server
machine as the local superuser C<root> if the B<-localauth> flag is
included.

=head1 SEE ALSO

L<KeyFile(5)>,
L<KeyFileExt(5)>,
L<UserList(5)>,
L<bos(8)>,
L<bos_addkey(8)>,
L<bos_listkeys(8)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0.  It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
Commit	Line	Data
805e021f CE	1	=head1 NAME
	2
	3	bos_removekey - Removes a server encryption key from the KeyFile file
	4
	5	=head1 SYNOPSIS
	6
	7	=for html
	8	<div class="synopsis">
	9
	10	B<bos removekey> S<<< B<-server> <I<machine name>> >>>
	11	S<<< B<-kvno> <I<key version number>>+ >>> S<<< [B<-cell> <I<cell name>>] >>>
	12	[B<-noauth>] [B<-localauth>] [B<-help>]
	13
	14	B<bos removek> S<<< B<-s> <I<machine name>> >>> S<<< B<-k> <I<key version number>>+ >>>
	15	S<<< [B<-c> <I<cell name>>] >>> [B<-n>] [B<-l>] [B<-h>]
	16
	17	=for html
	18	</div>
	19
	20	=head1 DESCRIPTION
	21
	22	The B<bos removekey> command removes each specified encryption key from
	23	the F</usr/afs/etc/KeyFile> file on the machine named by the B<-server>
	24	argument. Use the B<-kvno> argument to identify each key by its key
	25	version number; use the B<bos listkeys> command to display the key version
	26	numbers.
	27
	28	=head1 CAUTIONS
	29
	30	Before removing a obsolete key, verify that the cell's maximum ticket
	31	lifetime has passed since the current key was defined using the B<kas
	32	setpassword> and B<bos addkey> commands. This ensures that no clients
	33	still possess tickets encrypted with the obsolete key.
	34
	35	This command can only remove keys from the F</usr/afs/etc/KeyFile> file;
	36	the F</usr/afs/etc/KeyFileExt> cannot be modified by this command.
	37
	38	=head1 OPTIONS
	39
	40	=over 4
	41
	42	=item B<-server> <I<machine name>>
	43
	44	Indicates the server machine on which to change the
	45	F</usr/afs/etc/KeyFile> file. Identify the machine by IP address or its
	46	host name (either fully-qualified or abbreviated unambiguously). For
	47	details, see L<bos(8)>.
	48
	49	In cells that use the Update Server to distribute the contents of the
	50	F</usr/afs/etc> directory, it is conventional to specify only the system
	51	control machine as a value for the B<-server> argument. Otherwise, repeat
	52	the command for each file server machine. For further discussion, see
	53	L<bos(8)>.
	54
	55	=item B<-kvno> <I<key version number>>+
	56
	57	Specifies the key version number of each key to remove.
	58
	59	=item B<-cell> <I<cell name>>
	60
	61	Names the cell in which to run the command. Do not combine this argument
	62	with the B<-localauth> flag. For more details, see L<bos(8)>.
	63
	64	=item B<-noauth>
65
66	Assigns the unprivileged identity C<anonymous> to the issuer. Do not
67	combine this flag with the B<-localauth> flag. For more details, see
68	L<bos(8)>.
69
70	=item B<-localauth>
71
72	Constructs a server ticket using a key from the local
73	F</usr/afs/etc/KeyFile> or F</usr/afs/etc/KeyFileExt> file.
74	The B<bos> command interpreter presents the
75	ticket to the BOS Server during mutual authentication. Do not combine this
76	flag with the B<-cell> or B<-noauth> options. For more details, see
77	L<bos(8)>.
78
79	=item B<-help>
80
81	Prints the online help for this command. All other valid options are
82	ignored.
83
84	=back
85
86	=head1 EXAMPLES
87
88	The following command removes the keys with key version numbers 5 and 6
89	from the F<KeyFile> file on the system control machine C<fs1.example.com>.
90
91	% bos removekey -server fs1.example.com -kvno 5 6
92
93	=head1 PRIVILEGE REQUIRED
94
95	The issuer must be listed in the F</usr/afs/etc/UserList> file on the
96	machine named by the B<-server> argument, or must be logged onto a server
97	machine as the local superuser C<root> if the B<-localauth> flag is
98	included.
99
100	=head1 SEE ALSO
101
102	L<KeyFile(5)>,
103	L<KeyFileExt(5)>,
104	L<UserList(5)>,
105	L<bos(8)>,
106	L<bos_addkey(8)>,
107	L<bos_listkeys(8)>
108
109	=head1 COPYRIGHT
110
111	IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
112
113	This documentation is covered by the IBM Public License Version 1.0. It was
114	converted from HTML to POD by software written by Chas Williams and Russ
115	Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.