.\" $Id: ksrvutil.8,v 1.3 1996/06/12 21:29:27 bg Exp $
.\" $FreeBSD$
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
.\"
.Dd May 4, 1996
.Dt KSRVUTIL 8
.Os KTH-KRB
.Sh NAME
.Nm ksrvutil
.Nd "host kerberos keyfile (srvtab) manipulation utility"
.Sh SYNOPSIS
.Nm
.Op Fl f Pa keyfile
.Op Fl i
.Op Fl k
.Op Fl p Ar principal
.Op Fl r Ar realm
.Ar operation
.Sh DESCRIPTION
.Nm
allows a system manager to list or change keys currently in his
keyfile or to add new keys to the keyfile.
.Pp
Operation must be one of the following:
.Bl -tag -width indent
.It list
lists the keys in a keyfile showing version number and principal name.
If the
.Fl k
option is given, keys will also be shown.
.It change
changes all the keys in the keyfile by using the regular admin
protocol. If the
.Fl i
flag is given,
.Nm ksrvutil
will prompt for yes or no before changing each key. If the
.Fl k
option is used, the old and new keys will be displayed.
.It add
allows the user to add a key.
add
prompts for name, instance, realm, and key version number, asks
for confirmation, and then asks for a password.
.Nm
then converts the password to a key and appends the new information
to the keyfile. If the
.Fl k
option is used, the key is displayed.
.It get
gets a service from the Kerberos server, possibly creating the
principal. Names, instances and realms for the service keys to get are
prompted for. The default principal used in the kadmin transaction is
your root instance. This can be changed with the
.Fl p
option.
.El
.Pp
In all cases, the default file used is KEY_FILE as defined in krb.h
unless this is overridden by the
.Fl f
option.
.Pp
A good use for
.Nm
would be for adding keys to a keyfile. A system manager could
ask a kerberos administrator to create a new service key with
.Xr kadmin 8
and could supply an initial password. Then, he could use
.Nm
to add the key to the keyfile and then to change the key so that it
will be random and unknown to either the system manager or the
kerberos administrator.
.Pp
.Nm
always makes a backup copy of the keyfile before making any changes.
.Sh DIAGNOSTICS
If
.Nm
should exit on an error condition at any time during a change or add,
a copy of the original keyfile can be found in
.Pa filename Ns .old
where
.Pa filename
is the name of the keyfile, and a copy of the file with all new
keys changed or added so far can be found in
.Pa filename Ns .work .
The original keyfile is left unmodified until the program exits, at
which point it is removed and replaced with the workfile.
Appending the workfile to the backup copy and replacing the keyfile
with the result should always give a usable keyfile, although the
resulting keyfile will have some out of date keys in it.
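.Pp
The recovery described above can be scripted. The following is an added example, not part of the original manual or of ksrvutil itself; the function name recover_keyfile is hypothetical and the keyfile path is supplied by the caller.

```shell
#!/bin/sh
# Added example: rebuild a keyfile from the .old and .work files that
# ksrvutil leaves behind after a failed change or add.
# recover_keyfile is a hypothetical helper name, not part of ksrvutil.
recover_keyfile() {
    keyfile=$1
    backup="$keyfile.old"    # copy of the original keyfile
    work="$keyfile.work"     # keys changed or added before the failure

    # Both leftovers must exist; otherwise there is nothing to merge.
    [ -f "$backup" ] || { echo "missing $backup" >&2; return 1; }
    [ -f "$work" ]   || { echo "missing $work" >&2; return 1; }

    # Service keys are secrets: keep the merged file unreadable by others.
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$keyfile.recover.XXXXXX") || { umask "$old_umask"; return 1; }

    # Backup copy first, workfile appended after it, as the manual describes.
    if cat "$backup" "$work" > "$tmp"; then
        # Rename within the same directory, so readers of the keyfile
        # never observe a half-written file.
        mv -f "$tmp" "$keyfile"
        status=$?
    else
        status=1
    fi

    # On failure, do not leave a stray copy of the keys behind.
    [ "$status" -eq 0 ] || rm -f "$tmp"
    umask "$old_umask"
    return "$status"
}
```

Call it with the same keyfile path that ksrvutil was operating on. The .old and .work files are left in place and still contain key material.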
.Sh SEE ALSO
.Xr kadmin 8 ,
.Xr ksrvtgt 1
.Sh AUTHOR
Emanuel Jay Berkenbilt, MIT Project Athena