Man Linux: Main Page and Category List


       bos_util - Manipulate the AFS server Keyfile


       bos_util add <kvno>

       bos_util adddes <kvno>

       bos_util delete <kvno>

       bos_util list


       The bos_util command manipulates the AFS server Keyfile. It can take a
       password from standard input, convert it to a key, and add it to the
       KeyFile; list the keys in the KeyFile; or remove a key from thet
       KeyFile. It is very similar in function to asetkey, but asetkey works
       with keytab files wheras bos_util works with passwords directly.

       bos_util expects one of the following subcommands:

       add <kvno>
           Add a key with key version <kvno> to the KeyFile using a password
           from standard input. This command uses the normal AFS password salt
           algorithm to generate the key (equivalent to the des-cbc-crc:afs3
           enctype in Kerberos v5). This command is basically equivalent to
           bos addkey.

       adddes <kvno>
           Add a key with key version <kvno> to the KeyFile using a password
           from standard input.  This command does not salt the password when
           generating the key (equivalent to the des-cbc-crc:v4 enctype in
           Kerberos v5).

           Since this command applies no salt to the password, it can be used
           as a last resort for generating a DES key with a salt algorithm
           that other utilities don’t know how to use by giving this command
           the pre-salted password. This can be useful when, for example,
           using Microsoft Active Directory as the Kerberos KDC, since Active
           Directory uses a different salt algorithm for service principals
           than most Unix Kerberos implementations. The best approach,
           however, is to find a way to generate a keytab and then use

       delete <kvno>
           Delete the key with the specified key version from the KeyFile.
           This command is equivalent to asetkey delete or bos removekey.

           List the keys in the KeyFile. This command is equivalent to asetkey
           list or bos listkeys.

       The bos_util command does not use the normal AFS option parsing library
       and its subcommands cannot be abbreviated.


       bos_util is intended for use with a Kerberos v4 environment and
       therefore is mostly obsolete. Normally, rather than using this command,
       you will want to use ktutil to create a keytab (perhaps with its
       add_entry command) and then use asetkey as normal. bos_util only
       supports the AFS password salt algorithm and no password salt algorithm
       and therefore may not produce the same key from a given password as
       Kerberos v5 utilities unless one is careful to use that same salt
       algorithm when creating the key in the KDC.

       Creating an AFS key with a known password and then using bos_util or
       bos addkey to add that key to the KeyFile is not recommended.  Human-
       created passwords are usually not as strong as a random key generated
       using a good entropy source, such as with the -randkey option to the
       MIT Kerberos v5 kadmin ktadd command or the equivalent in other
       Kerberos v5 implementations. The security of AFS depends on the
       strength of the AFS service key; it should therefore be as random as

       It is imperative that the key version number (kvno) given matches the
       kvno on the Kerberos server. If it doesn’t, users won’t be able to
       authenticate. The key generated by bos_util must also match the
       internal representation on the Kerberos server including the salt.


       bos_util takes no options.


       The issuer must be logged onto a file server machine as the local
       superuser "root".


       asetkey(8), bos_addkey(8), bos_listkeys(8), bos_removekey(8),
       kadmin(8), ktutil(8)


       Copyright 2007 Jason Edgecombe <>

       This documentation is covered by the BSD License as written in the
       doc/LICENSE file. This man page was written by Jason Edgecombe for