keyfs man page on Inferno

KEYFS(4)							      KEYFS(4)

NAME
       keyfs - encrypted key storage

SYNOPSIS
       auth/keyfs [ -D ] [ -m mountpoint ] [ -n nvram ] [ keyfile ]

DESCRIPTION
       Keyfs serves a two-level name space for storing authentication data,
       specifically the status and secrets of each user to whom logind(8) can
       issue a certificate.  The data is stored in keyfile (default:
       /keydb/keys), encrypted by a master key using AES (see
       keyring-crypt(2)).  Keyfs should be started only on the machine acting
       as authentication server (signer), before a listener is started for
       signer(8).  Note that signer and keyfs must share the name space.
       Furthermore, no other application except the console should see that
       name space.

       Keyfs prompts for the master key, reads and decrypts keyfile, and
       serves files representing the contents at mountpoint in the name space
       (default: /mnt/keys).

       Each user in keyfile is represented by a directory mountpoint/user.
       Each such directory has the following files:

       log    A count of the number of failed authentications.  Writing bad to
              the file increments the count; writing good resets it to 0.
              When the count reaches some implementation-defined limit, the
              account status is set to disabled (see the status file below).

       expire The time in seconds since the epoch when the account will
              expire, or the text never if it has no expiration time.  The
              string never or a number can be written to the file to set a new
              expiry time.

       secret The secret (supposedly) known only to the user and the
              authentication service.  A secret is any sequence of bytes
              between 0 and 255 bytes long; it is initially empty.  The length
              of the file returned by sys-stat(2) is the length of the secret.
              If the account has expired or is disabled, an attempt to read
              the file will give an error.

       status The current status of the user's account, either ok or disabled.
              Either string can be written to the file to change the state
              accordingly.

       To add a new account, make a directory with that name in mountpoint.
       It must not already exist.  To remove an account, remove the
       corresponding directory; to rename an account, rename the directory.

       All changes made via file system operations in mountpoint result in
       appropriate changes to keyfile.
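       As an added illustration (not from the keyfs man page or the Inferno
       source), the following Python script audits a keyfs-style tree from the
       console side, reporting disabled, expired, unprovisioned and lockout-prone
       accounts using only status, expire, log and the stat length of secret, so
       no secret bytes are ever read.  It assumes the mountpoint is visible as
       ordinary files, builds a constructed sample tree for the demonstration,
       and uses a hypothetical FAILURE_WARN threshold, since the page only says
       the lockout limit is implementation-defined.

```python
import os
import tempfile
import time

FAILURE_WARN = 3  # hypothetical review threshold; the real keyfs lockout limit is implementation-defined


def _read(userdir, name):
    with open(os.path.join(userdir, name)) as f:
        return f.read().strip()


def audit_keyfs(mountpoint, now=None):
    """Report issues per account from the files keyfs serves; secrets are
    never read, only their length via stat, as keyfs(4) defines."""
    now = time.time() if now is None else now
    findings = {}
    for user in sorted(os.listdir(mountpoint)):
        userdir = os.path.join(mountpoint, user)
        if not os.path.isdir(userdir):
            continue
        issues = []
        if _read(userdir, "status") != "ok":
            issues.append("disabled")
        expire = _read(userdir, "expire")
        if expire != "never" and int(expire) <= now:
            issues.append("expired")
        if os.stat(os.path.join(userdir, "secret")).st_size == 0:
            issues.append("empty-secret")  # account exists but was never given a secret
        failures = int(_read(userdir, "log") or "0")
        if failures >= FAILURE_WARN:
            issues.append("failures=%d" % failures)
        findings[user] = issues
    return findings


def build_sample_tree(root=None):
    """Constructed sample in the layout mountpoint/user/{status,expire,log,secret}."""
    root = root or tempfile.mkdtemp(prefix="keyfs-sample-")
    sample = {  # user: (status, expire, log, secret) as the four files' contents
        "alice": (b"ok", b"never", b"0", b"correct horse"),
        "bob": (b"disabled", b"never", b"5", b"pw"),
        "carol": (b"ok", b"1000", b"0", b"x"),  # expires at epoch + 1000 s
        "dave": (b"ok", b"never", b"1", b""),   # secret still empty
    }
    for user, (status, expire, log, secret) in sample.items():
        userdir = os.path.join(root, user)
        os.mkdir(userdir)
        for name, data in (("status", status), ("expire", expire), ("log", log), ("secret", secret)):
            with open(os.path.join(userdir, name), "wb") as f:
                f.write(data)
    return root
```

       Run audit_keyfs("/mnt/keys") against a live mount; the sample tree only
       stands in for it here.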

       If the -n option is given, instead of prompting for the master key,
       keyfs will read it from the file nvram.  Obviously that file should be
       well-protected from ordinary observers.

       The -D option enables tracing of the file service protocol, for
       debugging.

SOURCE
       /appl/cmd/auth/keyfs.b

SEE ALSO
       changelogin(8), logind(8), signer(8)
