changeuser, convkeys, convkeys2, printnetkey, status, enable, disable,
authsrv, guard.srv, debug, wrkey, login, newns, none, as - maintain or
query authentication databases
auth/changeuser [-np] user
auth/convkeys [-p] keyfile
auth/convkeys2 [-p] keyfile
auth/newns [ -ad ] [ -n namespace ] command arg ...
auth/none [ -n namespace ] command arg ...
auth/as user command
These administrative commands run only on the authentication server.
Changeuser manipulates an authentication database file system served by
keyfs(4) and used by file servers. There are two authentication data‐
bases, one holding information about Plan 9 accounts and one holding
SecureNet keys. A user need not be installed in both databases but
must be installed in the Plan 9 database to connect to a Plan 9 ser‐
Changeuser installs or changes user in an authentication database. It
does not install a user on a Plan 9 file server; see fossilcons(8) for
Option -p installs user in the Plan 9 database. Changeuser asks twice
for a password for the new user. If the responses do not match or the
password is too easy to guess the user is not installed. Changeuser
also asks for an APOP secret. This secret is used in the APOP
(RFC1939), CRAM (RFC2195), and Microsoft challenge/response protocols
used for POP3, IMAP, and VPN access.
Option -n installs user in the SecureNet database and prints out a key
for the SecureNet box. The key is chosen by changeuser.
If neither option -p or option -n is given, changeuser installs the
user in the Plan 9 database.
Changeuser prompts for biographical information such as email address,
user name, sponsor and department number and appends it to the file
/adm/netkeys.who or /adm/keys.who.
Convkeys re-encrypts the key file keyfile. Re-encryption is performed
in place. Without the -p option convkeys uses the key stored in NVRAM
to decrypt the file, and encrypts it using the new key. By default,
convkeys prompts twice for the new password. The -p forces convkeys to
also prompt for the old password. The format of keyfile is described
The format of the key file changed between Release 2 and 3 of Plan 9.
Convkeys2 is like convkeys. However, in addition to rekeying, it con‐
verts from the previous format to the Release 3 format.
Printnetkey displays the network key as it should be entered into the
hand-held Securenet box.
Status is a shell script that prints out everything known about a user
and the user's key status.
Enable/disable are shell scripts that enable/disable both the Plan 9
and Netkey keys for individual users.
Authsrv is the program, run only on the authentication server, that
handles ticket requests on TCP port 567. It is started by an incoming
call to the server requesting a conversation ticket; its standard input
and output are the network connection. Authsrv executes the authenti‐
cation server's end of the appropriate protocol as described in auth‐
Guard.srv is similar. It is called whenever a foreign (e.g. Unix) sys‐
tem wants to do a SecureNet challenge/response authentication.
The remaining commands need not be run on an authentication server.
Debug attempts to authenticate using each p9sk1 key found in factotum
and prints progress reports.
Wrkey prompts for a machine key, host owner, and host domain and stores
them in local non-volatile RAM.
Login allows a user to change his authenticated id to user. Login sets
up a new namespace from /lib/namespace, starts a factotum(4) under the
new id and execs rc(1) under the new id.
Newns sets up a new namespace from namespace (default /lib/namespace)
and execs its arguments. If there are no arguments, it execs /bin/rc.
Under -a, newns adds to the current namespace instead of constructing a
new one. The -d option enables debugging output.
None sets up a new namespace from namespace (default /lib/namespace) as
the user none and execs its arguments under the new id. If there are
no arguments, it execs /bin/rc. It's an easy way to run a command as
As executes command as user. Command is a single argument to rc, con‐
taining an arbitrary rc command. This only works for the hostowner and
only if still exists.
Speaksfor relationships and mappings for RADIUS server id's.
List of users in the Plan 9 database.
List of users in the SecureNet database.
List of realms and passwords for HTTP access.
SEE ALSOpasswd(1), readnvram in authsrv(2), keyfs(4), securenet(8)BUGS
Only CPU kernels permit changing userid.