bos_listkeys - Displays the server encryption keys from the KeyFile file


bos listkeys -server <machine name> [-showkey] [-cell <cell name>] [-noauth] [-localauth] [-principal <authentication principal> [-encrypt [<yes|no>]] [-config <configuration file>] [-help]


The bos listkeys command formats and displays the list of server encryption keys from the /etc/yfs/server/KeyFileExt file on the server machine named by the -server argument. It is equivalent to asetkey list, but can be run remotely.

To edit the list of keys, use the asetkey command; see asetkey(8) for more information. You can also remove keys remotely using the bos removekey command.


Displaying actual keys on the standard output stream (by including the -showkey flag) is a security exposure. Displaying a checksum is sufficient for most purposes.


-server <machine name>

Indicates the server machine from which to display the KeyFileExt file. Identify the machine by IP address or its host name (either fully-qualified or abbreviated unambiguously). For details, see bos(8).

For consistent performance in the cell, the output must be the same on every server machine. asetkey(8) explains how to keep the machines synchronized.


Displays the octal digits that constitute each key. Anyone who has access to the resulting output will have complete access to the AFS cell and will be able to impersonate the AFS cell to any client, so be very careful when using this option.

-cell <cell name>

Names the cell in which to run the command. Do not combine this argument with the -localauth flag. For more details, see bos(8).


Assigns the unprivileged identity anonymous to the issuer. Do not combine this flag with the -localauth flag. For more details, see bos(8).


Constructs a server ticket using a key from the local /etc/yfs/server/KeyFileExt file. The bos command interpreter presents the ticket to the BOS Server during mutual authentication. Do not combine this flag with the -cell or -noauth options. For more details, see bos(8).

-principal <authentication principal>

Indicates the principal to be used for authentication. This option can be useful when several credentials caches are available for different principals.

-encrypt [<yes|no>]

Enables or disables encryption for the command so that the operation's results are not transmitted across the network in clear text.


Produces on the standard output stream a detailed trace of the command's execution. If this argument is omitted, only warnings and error messages appear.

-config <configuration file>

Sets the location of the configuration file to be used. The default file is /etc/yfs/yfs-client.conf.


Prints the online help for this command. All other valid options are ignored.


The output includes one line for each server encryption key listed in the KeyFileExt file, identified by its key version number.

If the -showkey flag is included, the output displays the actual string of eight octal numbers that constitute the key. Each octal number is a backslash and three decimal digits.

If the -showkey flag is not included, the output represents each key as a checksum, which is a decimal number derived by encrypting a constant with the key.

Following the list of keys or checksums, the string Keys last changed indicates when a key was last added to the KeyFileExt file. The words All done indicate the end of the output.


The following example shows the checksums for the keys stored in the KeyFileExt file on the machine

   % bos listkeys
   key 1 has cksum 972037177
   key 3 has cksum 2825175022
   key 4 has cksum 260617746
   key 6 has cksum 4178774593
   Keys last changed on Mon Apr 12 11:24:46 1999.
   All done.

The following example shows the actual keys from the KeyFileExt file on the machine

   % bos listkeys -showkey
   key 0 is '\040\205\211\241\345\002\023\211'
   key 1 is '\343\315\307\227\255\320\135\244'
   key 2 is '\310\310\255\253\326\236\261\211'
   Keys last changed on Wed Mar 31 11:24:46 1999.
   All done.


The issuer must be listed in the /etc/yfs/server/UserListExt file on the machine named by the -server argument, or must be logged onto a server with an account capable of reading the /etc/yfs/server/KeyFileExt file if the -localauth flag is included.


KeyFileExt(5), UserListExt(5), asetkey(8), bos_addkey(8), bos_removekey(8), bos_setauth(8),


IBM Corporation 2000. <> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.


"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.