KEYS(6)KEYS(6)NAMEkeys - secrets shared with signer
DESCRIPTION
The file /keydb/keys exists only on a host acting as a `signer'
(authentication server, Certifying Authority). It holds a password
entry for each user registered with an Inferno server. Each entry con‐
tains a user name, a password, the time at which the entry expires, and
the entry's status. The password is the secret shared between the user
and signer (authentication server), allowing the signer to sign a cer‐
tificate to authenticate a user's public key to others, using the
secret to check the user's identity. The actual secret is not stored,
but rather its SHA-1 hash.
The file is encrypted with a secret provided by the signer's adminis‐
trator; normally that secret is entered once when authentication ser‐
vices are started by svc/auth on the host acting as signer (see
svc(8)). The file should also be readable and writable only by the
user identity that runs the signing service (ie, mode 600, see
chmod(1)). Entries are usually accessed only through the name space
provided by keyfs(4), which decrypts the file into internal data struc‐
tures given the administrative key, and makes each entry visible as a
separate directory. Using that name space, entries are added and
updated by an administrator using changelogin(8), a user can change a
secret using passwd(1) via keysrv(4), and it is accessed for signing by
logind(8) to obtain the secret used to verify the identity of a client
requesting a certificate (typically via security-login(2)).
FILES
/keydb/keys
KEYS(6)