xref: /illumos-gate/usr/src/man/man8/keyserv.8 (revision 6446bd46ed1b4e9f69da153665f82181ccaedad5)
te
Copyright 1989 AT&T
Copyright (C) 2005, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
KEYSERV 8 "Feb 25, 2017"
NAME
keyserv - server for storing private encryption keys
SYNOPSIS

keyserv [-c] [-d | -e] [-D] [-n] [-s sizespec]
DESCRIPTION

keyserv is a daemon that is used for storing the private encryption keys of each user logged into the system. These encryption keys are used for accessing secure network services such as secure NFS.

Normally, root's key is read from the file /etc/.rootkey when the daemon is started. This is useful during power-fail reboots when no one is around to type a password.

keyserv does not start up if the system does not have a secure rpc domain configured. Set up the domain name by using the /usr/bin/domainname command. Usually the svc:/system/identity:domain service reads the domain from /etc/defaultdomain. Invoking the domainname command without arguments tells you if you have a domain set up.

The /etc/default/keyserv file contains the following default parameter settings. See . ENABLE_NOBODY_KEYS

Specifies whether default keys for nobody are used. ENABLE_NOBODY_KEYS=NO is equivalent to the -d command-line option. The default value for ENABLE_NOBODY_KEYS is YES.

OPTIONS

The following options are supported: -c

Do not use disk caches. This option overrides any -s option.

-D

Run in debugging mode and log all requests to keyserv.

-d

Disable the use of default keys for nobody. See .

-e

Enable the use of default keys for nobody. This is the default behavior. See .

-n

Root's secret key is not read from /etc/.rootkey. Instead, keyserv prompts the user for the password to decrypt root's key stored in the publickey database and then stores the decrypted key in /etc/.rootkey for future use. This option is useful if the /etc/.rootkey file ever gets out of date or corrupted.

-s sizespec

Specify the size of the extended Diffie-Hellman common key disk caches. The sizespec can be one of the following forms: mechtype=size

size is an integer specifying the maximum number of entries in the cache, or an integer immediately followed by the letter M, denoting the maximum size in MB.

size

This form of sizespec applies to all caches.

FILES
/etc/.rootkey

/etc/default/keyserv

Contains default settings. You can use command-line options to override these settings.

SEE ALSO

keylogin (1), keylogout (1), svcs (1), publickey (5), attributes (7), smf (7), svcadm (8)

NOTES

The keyserv service is managed by the service management facility, smf(7), under the service identifier:

svc:/network/rpc/keyserv:default

Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(8). The service's status can be queried using the svcs(1) command.