Keysrv serves a single file, secret, on a connection accessed through file descriptor 0 (ie, the standard `input'). When invoked, it first authenticates the connection using security-auth(2), requiring the client to use sha1 and rc4_256. If authentication succeeds, keysrv exports a name space containing a file secret. The authentication ensures that only a user that possesses a valid certificate can connect to the service.
If the authenticated user (ie, the user name in the verified certificate) has an entry in /mnt/keys, as served by keyfs(4), and that user has a non-empty secret, then the file secret will accept reads and writes. (Otherwise, every read or write returns an appropriate error.) Every successful read returns 0 bytes; thus a read can be used to check that the user is known and has a secret key. Each write contains data of the following form:
oldhash [ newsecret ]
Oldhash is the SHA1 hash (see keyring-sha1(2)) of the user's existing secret, as 20 hexadecimal digits. If the value of oldhash does not match that of the stored secret, the write returns an error and suitable diagnostic. Oldhash is optionally followed by a newsecret, in clear text as a sequence of bytes (typically the secret as utf(6)), separated from oldhash by a single space. If the oldhash matches that of the secret currently stored, newsecret replaces it. The write returns an error if oldhash does not match the stored value, or if something else goes wrong.
Keysrv can be invoked via listen(1):
listen -t -A 'tcp!*!infkey' {auth/keysrv}
Normally that is done automatically when starting an authentication service using svc/auth (see svc(8)).
Passwd(1) dials the service, authenticates, and mounts the resulting connection on /mnt/keysrv, where it accesses the secret file to change the secret.
| KEYSRV(4 ) | Rev: Tue Mar 31 02:42:39 GMT 2015 |