.. _k5srvutil(1):

k5srvutil
=========

SYNOPSIS
--------

**k5srvutil** *operation*
[**-i**]
[**-f** *filename*]
[**-e** *keysalts*]

DESCRIPTION
-----------

k5srvutil allows an administrator to list keys currently in
a keytab, to obtain new keys for a principal currently in a keytab,
or to delete non-current keys from a keytab.

*operation* must be one of the following:

**list**
    Lists the keys in a keytab, showing version number and principal
    name.

**change**
    Uses the kadmin protocol to update the keys in the Kerberos
    database to new randomly-generated keys, and updates the keys in
    the keytab to match.  If a key's version number doesn't match the
    version number stored in the Kerberos server's database, then the
    operation will fail.  If the **-i** flag is given, k5srvutil will
    prompt for confirmation before changing each key.  If the **-k**
    option is given, the old and new keys will be displayed.
    Ordinarily, keys will be generated with the default encryption
    types and key salts.  This can be overridden with the **-e**
    option.  Old keys are retained in the keytab so that existing
    tickets continue to work, but **delold** should be used after
    such tickets expire, to prevent attacks against the old keys.

**delold**
    Deletes keys that are not the most recent version from the keytab.
    This operation should be used some time after a change operation
    to remove old keys, after existing tickets issued for the service
    have expired.  If the **-i** flag is given, then k5srvutil will
    prompt for confirmation for each principal.

**delete**
    Deletes particular keys in the keytab, interactively prompting for
    each key.

In all cases, the default keytab is used unless this is overridden by
the **-f** option.

k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in
place.


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)`
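
The **change** and **delold** descriptions above imply a check worth running after a rotation: does the keytab still hold superseded key versions? The shell function below is an added example, not part of k5srvutil or of the original page; it assumes the listing consists of ``<kvno> <principal>`` rows as printed by ``klist -k``, and the names ``stale_keys`` and ``sample_listing`` are hypothetical.

```shell
#!/bin/sh
# Added example: report principals whose keytab still holds non-current keys.
# Assumption: listing rows look like "<kvno> <principal>" (klist -k style).

# stale_keys: read a key listing on stdin and print
# "principal old_kvno current_kvno" for every key whose version is lower
# than the highest version seen for the same principal.
stale_keys() {
    awk '
        # Data rows only: numeric first field, second field contains "@".
        # Header and separator lines are skipped by this pattern.
        $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
            n++; kvno[n] = $1 + 0; princ[n] = $2
            if (!($2 in max) || kvno[n] > max[$2]) max[$2] = kvno[n]
        }
        END {
            # Several rows with the same kvno (one per enctype) are current.
            for (i = 1; i <= n; i++)
                if (kvno[i] < max[princ[i]])
                    print princ[i], kvno[i], max[princ[i]]
        }'
}

# Constructed sample listing (not captured from a real system).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/app1.example.com@EXAMPLE.COM
   4 host/app1.example.com@EXAMPLE.COM
   4 host/app1.example.com@EXAMPLE.COM
   2 HTTP/app1.example.com@EXAMPLE.COM
EOF
}

# Against a real keytab: k5srvutil list -f /path/to/keytab | stale_keys
# Output that is still non-empty once tickets issued under the old keys
# have expired means delold has not been run for that principal.
sample_listing | stale_keys
# prints: host/app1.example.com@EXAMPLE.COM 3 4
```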