System Administration Guide: Security Services

Procedure: How to Temporarily Disable Authentication for a Service on a Host

At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.


Note –

By default, most services are set up to require authentication. If a service is not set up to require authentication, then the service still works, even if you disable authentication for the service.


  1. Become superuser on the host with the keytab file.


    Note –

    Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.


  2. Save the current keytab file to a temporary file.

  3. Start the ktutil command.


    # /usr/bin/ktutil
    
  4. Read the keytab file into the keylist buffer by using the read_kt command.


    ktutil: read_kt keytab
    
  5. Display the keylist buffer by using the list command.


    ktutil: list
    

    The current keylist buffer is displayed. Note the slot number for the service that you want to disable.

  6. To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.


    ktutil: delete_entry slot-number
    

    Where slot-number specifies the slot number of the service principal to be deleted, which is displayed by the list command.

  7. Write the keylist buffer to a new keytab file by using the write_kt command.


    ktutil: write_kt new-keytab
    
  8. Quit the ktutil command.


    ktutil: quit
    
  9. Move the new keytab file.


    # mv new-keytab keytab
    
  10. When you want to re-enable the service, copy the temporary (original) keytab file back to its original location.


Example 25–19 Temporarily Disabling a Service on a Host

In the following example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.


denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
    ktutil:read_kt /etc/krb5/krb5.keytab
    ktutil:list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
    ktutil:delete_entry 2
    ktutil:list
slot KVNO Principal
---- ---- --------------------------------------
   1    8 root/denver@EXAMPLE.COM
    ktutil:write_kt /etc/krb5/new.krb5.keytab
    ktutil: quit
denver # cp /etc/krb5/new.krb5.keytab /etc/krb5/krb5.keytab
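As an added example that is not part of this guide, the following shell script runs steps 2 through 9 of the procedure non-interactively for one service principal, locating the slot numbers in the same list output that Example 25–19 shows. It assumes that /usr/bin/ktutil accepts its commands on standard input and that the keytab is at the default path; both are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example, not from the Solaris guide. Runs the procedure above for one
# service principal. Assumes the Solaris ktutil at /usr/bin/ktutil accepts its
# commands on stdin and the default keytab path; both are assumptions.
KTUTIL=/usr/bin/ktutil

# find_slots PRINCIPAL: read "ktutil: list" output on stdin and print the slot
# number of every entry whose principal matches exactly (a service usually has
# one entry per encryption type). Returns 1 if no entry matches.
find_slots() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $3 == want { print $1; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# ktutil_commands KEYTAB NEW-KEYTAB SLOT...: emit the read_kt, delete_entry,
# write_kt and quit commands of steps 4 to 8 for ktutil's stdin.
ktutil_commands() {
    keytab=$1; newkt=$2; shift 2
    printf 'read_kt %s\n' "$keytab"
    # delete the highest slot first: ktutil renumbers the buffer after each
    # delete_entry, so deleting slot 2 before slot 3 would remove the wrong entry
    for s in $(printf '%s\n' "$@" | sort -rn); do
        printf 'delete_entry %s\n' "$s"
    done
    printf 'write_kt %s\nquit\n' "$newkt"
}

# disable_service PRINCIPAL [KEYTAB]: save the original keytab (step 2), find
# the slots (step 5), write a keytab without them and move it into place
# (steps 6 to 9). Re-enable by copying the .temp file back (step 10).
disable_service() {
    principal=$1
    keytab=${2:-/etc/krb5/krb5.keytab}
    backup=$keytab.temp
    newkt=$(dirname "$keytab")/new.krb5.keytab
    cp "$keytab" "$backup" || return 1
    slots=$(printf 'read_kt %s\nlist\nquit\n' "$keytab" | "$KTUTIL" |
            find_slots "$principal") ||
        { echo "$principal: no entry in $keytab, nothing changed" >&2; return 1; }
    ktutil_commands "$keytab" "$newkt" $slots | "$KTUTIL" || return 1
    mv "$newkt" "$keytab" || return 1
    echo "disabled $principal (slots $(echo $slots)); re-enable with: cp $backup $keytab"
}

# Usage: disable_service host/denver@EXAMPLE.COM
if [ "$#" -ge 1 ]; then disable_service "$@"; fi
```

Because the original keytab is saved before anything is written, a failed lookup or a failed ktutil run leaves the live keytab untouched.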