412 lines
9.6 KiB
Groff
412 lines
9.6 KiB
Groff
.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
|
|
.\" (Royal Institute of Technology, Stockholm, Sweden).
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\"
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\"
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" 3. Neither the name of the Institute nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $Id: krb5_keytab.3,v 1.9 2003/04/16 13:58:16 lha Exp $
|
|
.\"
|
|
.Dd February 5, 2001
|
|
.Dt KRB5_KEYTAB 3
|
|
.Os HEIMDAL
|
|
.Sh NAME
|
|
.Nm krb5_kt_ops ,
|
|
.Nm krb5_keytab_entry ,
|
|
.Nm krb5_kt_cursor ,
|
|
.Nm krb5_kt_add_entry ,
|
|
.Nm krb5_kt_close ,
|
|
.Nm krb5_kt_compare ,
|
|
.Nm krb5_kt_copy_entry_contents ,
|
|
.Nm krb5_kt_default ,
|
|
.Nm krb5_kt_default_name ,
|
|
.Nm krb5_kt_end_seq_get ,
|
|
.Nm krb5_kt_free_entry ,
|
|
.Nm krb5_kt_get_entry ,
|
|
.Nm krb5_kt_get_name ,
|
|
.Nm krb5_kt_get_type ,
|
|
.Nm krb5_kt_next_entry ,
|
|
.Nm krb5_kt_read_service_key ,
|
|
.Nm krb5_kt_register ,
|
|
.Nm krb5_kt_remove_entry ,
|
|
.Nm krb5_kt_resolve ,
|
|
.Nm krb5_kt_start_seq_get
|
|
.Nd manage keytab (key storage) files
|
|
.Sh LIBRARY
|
|
Kerberos 5 Library (libkrb5, -lkrb5)
|
|
.Sh SYNOPSIS
|
|
.In krb5.h
|
|
.Pp
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_add_entry
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab id"
|
|
.Fa "krb5_keytab_entry *entry"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_close
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab id"
|
|
.Fc
|
|
.Ft krb5_boolean
|
|
.Fo krb5_kt_compare
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab_entry *entry"
|
|
.Fa "krb5_const_principal principal"
|
|
.Fa "krb5_kvno vno"
|
|
.Fa "krb5_enctype enctype"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_copy_entry_contents
|
|
.Fa "krb5_context context"
|
|
.Fa "const krb5_keytab_entry *in"
|
|
.Fa "krb5_keytab_entry *out"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_default
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab *id"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_default_name
|
|
.Fa "krb5_context context"
|
|
.Fa "char *name"
|
|
.Fa "size_t namesize"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_end_seq_get
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab id"
|
|
.Fa "krb5_kt_cursor *cursor"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_free_entry
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab_entry *entry"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_get_entry
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab id"
|
|
.Fa "krb5_const_principal principal"
|
|
.Fa "krb5_kvno kvno"
|
|
.Fa "krb5_enctype enctype"
|
|
.Fa "krb5_keytab_entry *entry"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_get_name
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab keytab"
|
|
.Fa "char *name"
|
|
.Fa "size_t namesize"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_get_type
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab keytab"
|
|
.Fa "char *prefix"
|
|
.Fa "size_t prefixsize"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_next_entry
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab id"
|
|
.Fa "krb5_keytab_entry *entry"
|
|
.Fa "krb5_kt_cursor *cursor"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_read_service_key
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_pointer keyprocarg"
|
|
.Fa "krb5_principal principal"
|
|
.Fa "krb5_kvno vno"
|
|
.Fa "krb5_enctype enctype"
|
|
.Fa "krb5_keyblock **key"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_register
|
|
.Fa "krb5_context context"
|
|
.Fa "const krb5_kt_ops *ops"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_remove_entry
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab id"
|
|
.Fa "krb5_keytab_entry *entry"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_resolve
|
|
.Fa "krb5_context context"
|
|
.Fa "const char *name"
|
|
.Fa "krb5_keytab *id"
|
|
.Fc
|
|
.Ft krb5_error_code
|
|
.Fo krb5_kt_start_seq_get
|
|
.Fa "krb5_context context"
|
|
.Fa "krb5_keytab id"
|
|
.Fa "krb5_kt_cursor *cursor"
|
|
.Fc
|
|
.Sh DESCRIPTION
|
|
A keytab name is on the form
|
|
.Li type:residual .
|
|
The
|
|
.Li residual
|
|
part is specific to each keytab-type.
|
|
.Pp
|
|
When a keytab-name is resolved, the type is matched with an internal
|
|
list of keytab types. If there is no matching keytab type,
|
|
the default keytab is used. The current default type is
|
|
.Nm file .
|
|
The default value can be changed in the configuration file
|
|
.Pa /etc/krb5.conf
|
|
by setting the variable
|
|
.Li [defaults]default_keytab_name .
|
|
.Pp
|
|
The keytab types that are implemented in Heimdal
|
|
are:
|
|
.Bl -tag -width Ds
|
|
.It Nm file
|
|
store the keytab in a file, the type's name is
|
|
.Li KEYFILE .
|
|
The residual part is a filename.
|
|
.It Nm keyfile
|
|
store the keytab in a
|
|
.Li AFS
|
|
keyfile (usually
|
|
.Pa /usr/afs/etc/KeyFile ) ,
|
|
the type's name is
|
|
.Li AFSKEYFILE .
|
|
The residual part is a filename.
|
|
.It Nm krb4
|
|
the keytab is a Kerberos 4
|
|
.Pa srvtab
|
|
that is on-the-fly converted to a keytab. The type's name is
|
|
.Li krb4 .
|
|
The residual part is a filename.
|
|
.It Nm memory
|
|
The keytab is stored in a memory segment. This allows sensitive and/or
|
|
temporary data not to be stored on disk. The type's name is
|
|
.Li MEMORY .
|
|
There are no residual part, the only pointer back to the keytab is the
|
|
.Fa id
|
|
returned by
|
|
.Fn krb5_kt_resolve .
|
|
.El
|
|
.Pp
|
|
.Nm krb5_keytab_entry
|
|
holds all data for an entry in a keytab file, like principal name,
|
|
key-type, key, key-version number, etc.
|
|
.Nm krb5_kt_cursor
|
|
holds the current position that is used when iterating through a
|
|
keytab entry with
|
|
.Fn krb5_kt_start_seq_get ,
|
|
.Fn krb5_kt_next_entry ,
|
|
and
|
|
.Fn krb5_kt_end_seq_get .
|
|
.Pp
|
|
.Nm krb5_kt_ops
|
|
contains the different operations that can be done to a keytab. This
|
|
structure is normally only used when doing a new keytab-type
|
|
implementation.
|
|
.Pp
|
|
.Fn krb5_kt_resolve
|
|
is the equivalent of an
|
|
.Xr open 2
|
|
on keytab. Resolve the keytab name in
|
|
.Fa name
|
|
into a keytab in
|
|
.Fa id .
|
|
Returns 0 or an error. The opposite of
|
|
.Fn krb5_kt_resolve
|
|
is
|
|
.Fn krb5_kt_close .
|
|
.Fn krb5_kt_close
|
|
frees all resources allocated to the keytab.
|
|
.Pp
|
|
.Fn krb5_kt_default
|
|
sets the argument
|
|
.Fa id
|
|
to the default keytab.
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_default_name
|
|
copy the name of the default keytab into
|
|
.Fa name .
|
|
Return 0 or KRB5_CONFIG_NOTENUFSPACE if
|
|
.Fa namesize
|
|
is too short.
|
|
.Pp
|
|
.Fn krb5_kt_add_entry
|
|
Add a new
|
|
.Fa entry
|
|
to the keytab
|
|
.Fa id .
|
|
.Li KRB5_KT_NOWRITE
|
|
is returned if the keytab is a readonly keytab.
|
|
.Pp
|
|
.Fn krb5_kt_compare
|
|
compares the passed in
|
|
.Fa entry
|
|
against
|
|
.Fa principal ,
|
|
.Fa vno ,
|
|
and
|
|
.Fa enctype .
|
|
Any of
|
|
.Fa principal ,
|
|
.Fa vno
|
|
or
|
|
.Fa enctype
|
|
might be 0 which acts as a wildcard. Return TRUE if they compare the
|
|
same, FALSE otherwise.
|
|
.Pp
|
|
.Fn krb5_kt_copy_entry_contents
|
|
copies the contents of
|
|
.Fa in
|
|
into
|
|
.Fa out .
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_get_name
|
|
retrieves the name of the keytab
|
|
.Fa keytab
|
|
into
|
|
.Fa name ,
|
|
.Fa namesize .
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_get_type
|
|
retrieves the type of the keytab
|
|
.Fa keytab
|
|
and store the prefix/name for type of the keytab into
|
|
.Fa prefix ,
|
|
.Fa prefixsize .
|
|
The prefix will have the maximum length of
|
|
.Dv KRB5_KT_PREFIX_MAX_LEN
|
|
(including terminating
|
|
.Dv NUL ) .
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_free_entry
|
|
frees the contents of
|
|
.Fa entry .
|
|
.Pp
|
|
.Fn krb5_kt_start_seq_get
|
|
sets
|
|
.Fa cursor
|
|
to point at the beginning of
|
|
.Fa id .
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_next_entry
|
|
gets the next entry from
|
|
.Fa id
|
|
pointed to by
|
|
.Fa cursor
|
|
and advance the
|
|
.Fa cursor .
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_end_seq_get
|
|
releases all resources associated with
|
|
.Fa cursor .
|
|
.Pp
|
|
.Fn krb5_kt_get_entry
|
|
retrieves the keytab entry for
|
|
.Fa principal ,
|
|
.Fa kvno,
|
|
.Fa enctype
|
|
into
|
|
.Fa entry
|
|
from the keytab
|
|
.Fa id .
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_read_service_key
|
|
reads the key identified by
|
|
.Ns ( Fa principal ,
|
|
.Fa vno ,
|
|
.Fa enctype )
|
|
from the keytab in
|
|
.Fa keyprocarg
|
|
(the default if == NULL) into
|
|
.Fa *key .
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_remove_entry
|
|
removes the entry
|
|
.Fa entry
|
|
from the keytab
|
|
.Fa id .
|
|
Returns 0 or an error.
|
|
.Pp
|
|
.Fn krb5_kt_register
|
|
registers a new keytab type
|
|
.Fa ops .
|
|
Returns 0 or an error.
|
|
.Sh EXAMPLE
|
|
This is a minimalistic version of
|
|
.Nm ktutil .
|
|
.Pp
|
|
.Bd -literal
|
|
int
|
|
main (int argc, char **argv)
|
|
{
|
|
krb5_context context;
|
|
krb5_keytab keytab;
|
|
krb5_kt_cursor cursor;
|
|
krb5_keytab_entry entry;
|
|
krb5_error_code ret;
|
|
char *principal;
|
|
|
|
if (krb5_init_context (&context) != 0)
|
|
errx(1, "krb5_context");
|
|
|
|
ret = krb5_kt_default (context, &keytab);
|
|
if (ret)
|
|
krb5_err(context, 1, ret, "krb5_kt_default");
|
|
|
|
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
|
|
if (ret)
|
|
krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
|
|
while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
|
|
krb5_unparse_name_short(context, entry.principal, &principal);
|
|
printf("principal: %s\\n", principal);
|
|
free(principal);
|
|
krb5_kt_free_entry(context, &entry);
|
|
}
|
|
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
|
|
if (ret)
|
|
krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
|
|
krb5_free_context(context);
|
|
return 0;
|
|
}
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr krb5.conf 5 ,
|
|
.Xr kerberos 8
|