bos_removekey - Removes a server encryption key from the KeyFile file
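bos removekey -server <machine name> -kvno <key version number>+ [-cell <cell name>] [-noauth] [-localauth] [-help]
bos removek -s <machine name> -k <key version number>+ [-c <cell name>] [-n] [-l] [-h]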
The bos removekey command removes each specified encryption key from the
/etc/openafs/server/KeyFile file on the machine named by the -server
argument. Use the -kvno argument to identify each key by its key version
number; use the bos listkeys command to display the key
Before removing an obsolete key, verify that the cell's maximum ticket lifetime
has passed since the current key was defined using the kas and bos addkey
commands. This ensures that no clients still possess tickets encrypted with
the obsolete key.
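A pre-flight check for the caution above, as an added example that is not part of the OpenAFS documentation or code. The `bos listkeys` line layout it parses, the sample output, the 25-hour lifetime and the function names are assumptions; it also assumes the highest key version number is the current key and that the last KeyFile change was the addition of that key.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the line layout is an assumption about `bos listkeys` output.
SAMPLE_LISTKEYS = """\
key 5 has cksum 972037177
key 6 has cksum 2825165022
key 7 has cksum 1329104533
Keys last changed on Wed Jan 13 11:20:29 1999.
All done.
"""


def parse_listkeys(text):
    """Return (sorted key version numbers, time the KeyFile last changed)."""
    kvnos = sorted(int(n) for n in re.findall(r"^key (\d+) has cksum", text, re.M))
    stamp = re.search(r"^Keys last changed on (.+?)\.$", text, re.M)
    if not kvnos or stamp is None:
        raise ValueError("unrecognised bos listkeys output")
    return kvnos, datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S %Y")


def removal_problems(text, remove, max_ticket_hours, now):
    """List the reasons not to remove the kvnos in `remove`; empty means go ahead."""
    kvnos, changed = parse_listkeys(text)
    problems = [f"kvno {k} is not in the KeyFile" for k in remove if k not in kvnos]
    # Assumption: the highest kvno is the current key and must stay.
    if max(kvnos) in remove:
        problems.append(f"kvno {max(kvnos)} is the current key")
    # Assumption: the last KeyFile change is when the current key was added.
    safe_after = changed + timedelta(hours=max_ticket_hours)
    if now < safe_after:
        problems.append(f"tickets under old keys may be valid until {safe_after}")
    return problems


if __name__ == "__main__":
    # 25 hours is a constructed value; use the cell's real maximum ticket lifetime.
    for when in (datetime(1999, 1, 13, 20, 0), datetime(1999, 1, 15, 0, 0)):
        print(when, removal_problems(SAMPLE_LISTKEYS, [5, 6], 25, when) or "ok to remove")
```

Compare `now` in the same time zone as the server that printed the timestamp, since the parsed value carries no zone.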
- -server <machine name>
- Indicates the server machine on which to change the
/etc/openafs/server/KeyFile file. Identify the machine by IP
address or its host name (either fully-qualified or abbreviated
unambiguously). For details, see bos(8).
In cells that use the Update Server to distribute the contents of the
/etc/openafs/server directory, it is conventional to specify only
the system control machine as a value for the -server argument.
Otherwise, repeat the command for each file server machine. For further
discussion, see bos(8).
- -kvno <key version number>+
- Specifies the key version number of each key to
- -cell <cell name>
- Names the cell in which to run the command. Do not combine
this argument with the -localauth flag. For more details, see
- -noauth
- Assigns the unprivileged identity "anonymous" to
the issuer. Do not combine this flag with the -localauth flag. For
more details, see bos(8).
- -localauth
- Constructs a server ticket using a key from the local
/etc/openafs/server/KeyFile file. The bos command
interpreter presents the ticket to the BOS Server during mutual
authentication. Do not combine this flag with the -cell or
-noauth options. For more details, see bos(8).
- -help
- Prints the online help for this command. All other valid
options are ignored.
The following command removes the keys with key version numbers 5 and 6 from the
/etc/openafs/server/KeyFile file on the system control machine "fs1.abc.com".
% bos removekey -server fs1.abc.com -kvno 5 6
The issuer must be listed in the /etc/openafs/server/UserList file on the
machine named by the -server argument, or must be logged onto a server
machine as the local superuser "root" if the -localauth
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.