Sun Enterprise Authentication Mechanism Guide

How to Temporarily Disable Authentication for a Service on a Host

You may find instances when you need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you may want to stop users from logging in to a system while you perform maintenance. The ktutil command enables you to do this by removing the service principal from the server's keytab, without requiring kadmin privileges. To enable authentication again, you copy the original keytab that you saved back to its original location.


Note -

Most services are configured by default to require authentication in order to work. If a service is not configured that way, it continues to work even after you disable authentication for it, so removing its keytab entry does not stop access to that service.


  1. Become superuser on the host with the keytab.


    Note -

    Although you can create keytabs owned by other users, the default location for the keytab requires root ownership.


  2. Save the current keytab to a temporary file.

  3. Start the ktutil command.


    # /usr/krb5/bin/ktutil
    
  4. Read the keytab into the keylist buffer by using the read_kt command.


    ktutil: read_kt keytab
    
  5. Display the keylist buffer by using the list command.


    ktutil: list
    

    The current keylist buffer is displayed. Note the slot number for the service you want to disable.

  6. To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.


    ktutil: delete_entry slot_number
    

    slot_number

    The slot number of the service principal to be deleted, which is displayed by the list command.

  7. Write the keylist buffer to the keytab by using the write_kt command.


    ktutil: write_kt keytab
    
  8. Quit the ktutil command.


    ktutil: quit
    
  9. When you want to enable the service again, copy the temporary (original) keytab back to its original location.

Example--Temporarily Disabling a Service on a Host

The following example temporarily disables the host service on the denver host. To enable the host service back on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.


denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/krb5/bin/ktutil
    ktutil: read_kt /etc/krb5/krb5.keytab
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@ACME.COM
   2    5 host/denver@ACME.COM
    ktutil: delete_entry 2
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@ACME.COM
    ktutil: write_kt /etc/krb5/krb5.keytab
    ktutil: quit
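The following script is an added example, not part of the SEAM guide, that carries out the nine-step procedure above non-interactively for the denver example: it saves the keytab, feeds read_kt, list, delete_entry and write_kt to ktutil on standard input, and looks the slot number up by principal name instead of reading it off the screen. It assumes Sun SEAM's /usr/krb5/bin/ktutil (override with the KTUTIL variable), the list output layout shown above (slot, KVNO and principal columns), and the example path and principal in the usage lines; the function names and the .temp and .new file suffixes are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the SEAM guide): script the keytab procedure above.
# Assumes Sun SEAM's ktutil with the read_kt, list, delete_entry, write_kt and
# quit commands, and the 'list' column layout shown in the guide.

KTUTIL=${KTUTIL:-/usr/krb5/bin/ktutil}

# Parse ktutil 'list' output from stdin and print the slot number(s) that hold
# the given principal, highest slot first. Returns 1 if the principal is absent.
# Highest-first matters because delete_entry renumbers the slots above the one
# removed; deleting from the top keeps every remaining number valid when a
# principal is present at several KVNOs.
slot_for_principal() {
    found=$(awk -v p="$1" '$3 == p { print $1 }' | sort -rn)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Build the ktutil command script: read keytab $1, delete each slot listed on
# stdin (one per line, highest first), write the rest to keytab $2, quit.
ktutil_delete_script() {
    printf 'read_kt %s\n' "$1"
    while read -r slot; do
        printf 'delete_entry %s\n' "$slot"
    done
    printf 'write_kt %s\nquit\n' "$2"
}

# Print the 'list' output of ktutil for keytab $1.
ktutil_list() {
    printf 'read_kt %s\nlist\nquit\n' "$1" | "$KTUTIL"
}

# Remove every entry for principal $2 from keytab $1, keeping a copy at $1.temp
# (steps 1 through 8). The result goes to a fresh file that is moved into place
# only after a second 'list' confirms the principal is gone, rather than being
# written back over the original as in the guide's example, so the outcome does
# not depend on whether write_kt replaces or appends to an existing keytab.
disable_service() {
    keytab=$1; princ=$2; backup=$keytab.temp; new=$keytab.new
    cp -p "$keytab" "$backup" || return 1
    slots=$(ktutil_list "$keytab" | slot_for_principal "$princ") \
        || { echo "$princ not found in $keytab" >&2; return 1; }
    printf '%s\n' "$slots" | ktutil_delete_script "$keytab" "$new" | "$KTUTIL" || return 1
    if ktutil_list "$new" | slot_for_principal "$princ" >/dev/null; then
        echo "$princ still present in $new; leaving $keytab untouched" >&2
        return 1
    fi
    chmod 600 "$new" && mv "$new" "$keytab"
}

# Restore the saved keytab (step 9).
enable_service() {
    cp -p "$1.temp" "$1"
}

# Usage (constructed example matching the guide's denver host):
#   disable_service /etc/krb5/krb5.keytab host/denver@ACME.COM
#   enable_service  /etc/krb5/krb5.keytab
case $# in
    2) disable_service "$1" "$2" ;;
    1) enable_service "$1" ;;
esac
```

Run it as root on the host that owns the keytab, as step 1 requires. Deleting slots from the highest number down is what makes the scripted form safe when a service principal appears at more than one KVNO, a case the guide's single-entry example does not show.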