Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014

How to Temporarily Disable Authentication for a Kerberos Service on a Host

The ktutil command enables a user who does not have kadmin privileges to disable a service on a host. Removing the service principal's key from the host's keytab means the service can no longer decrypt the service tickets that clients present, so Kerberos authentication to that service fails. Nothing is changed on the KDC, so the same user can restore the service by putting the saved keytab back. For more information, see the ktutil(1) man page.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Save the current keytab file to a temporary file.

    You use this temporary file to re-enable authentication in Step 9. The copy contains the host's service keys, so make sure that it is readable only by root (mode 0600); a file created by cp takes its mode from the umask, not from the original keytab.

  2. On the host with the keytab file, start the ktutil command.

    Note -  Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.
    # /usr/bin/ktutil
  3. Read the keytab file into the keylist buffer.
    ktutil: read_kt keytab
  4. Display the keylist buffer.
    ktutil: list

    The current keylist buffer is displayed. Note the slot number for the service that you want to disable. A keytab usually holds one entry per encryption type for a principal, so note every slot number that shows the service principal.

  5. Temporarily disable a host's service by removing the service principal's entries from the keylist buffer.
    ktutil: delete_entry slot-number

    Where slot-number specifies the slot number of the service principal to be deleted in the list output. If the principal has several entries, delete the highest slot number first: the remaining entries are renumbered after each deletion, so deleting in ascending order removes the wrong entries.

  6. Write the keylist buffer to a new keytab file.
    ktutil: write_kt new-keytab

    Write to a new file rather than back to keytab: write_kt adds entries to an existing keytab instead of replacing it, so writing over the original would leave the deleted entries in place.
  7. Quit the ktutil command.
    ktutil: quit
  8. Replace the original keytab with the new keytab file. From this point the service principal has no key on the host, so authentication to it fails.
    # mv new-keytab keytab
  9. (Optional) To re-enable the service, copy the keytab file that you saved in Step 1 back to its original location.
    # cp original-keytab keytab
Example 5-18  Temporarily Disabling a Kerberos Host

In this example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, the administrator copies the saved keytab file to its original location.

denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.save
denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
1    8 root/denver@EXAMPLE.COM
2    5 host/denver@EXAMPLE.COM
ktutil: delete_entry 2
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
1    8 root/denver@EXAMPLE.COM
ktutil: write_kt /etc/krb5/nodenverhost.krb5.keytab
ktutil: quit
denver # cp /etc/krb5/nodenverhost.krb5.keytab /etc/krb5/krb5.keytab

Clients can no longer authenticate to the host service on denver, because the host no longer holds the key that decrypts their service tickets, until the user copies the saved file back to its original location.

denver # cp /etc/krb5/krb5.keytab.save /etc/krb5/krb5.keytab
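The procedure above and Example 5-18, as an added shell script that is not part of the Oracle Solaris documentation. It drives ktutil non-interactively: it takes the slot numbers of every entry for the principal from the list output (a keytab usually holds one entry per encryption type, so there may be several), deletes them highest slot first so that renumbering cannot shift a later deletion onto the wrong entry, writes to a new file rather than appending to the original, and keeps the backup readable only by root. It assumes an MIT-style ktutil at /usr/bin/ktutil and the default keytab path; SAMPLE_LISTING is constructed for illustration, not captured from a real host, and dry_run only prints the ktutil commands that would be sent.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): drive ktutil
# non-interactively to remove every keytab entry for one service principal.
# Assumptions: MIT-style ktutil at /usr/bin/ktutil, keytab at /etc/krb5/krb5.keytab.

KEYTAB=${KEYTAB:-/etc/krb5/krb5.keytab}
KTUTIL=${KTUTIL:-/usr/bin/ktutil}

# Print the slot numbers of every entry for principal $2 found in the ktutil
# "list" output passed as $1, highest slot first, on one space-separated line.
# Entry lines look like "   2    5 host/denver@EXAMPLE.COM"; the header and the
# "ktutil:" prompt are skipped because their first field is not a number.
slots_for_principal() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $3 == p { print $1 }' |
        sort -rn | paste -s -d ' ' -
}

# Emit the ktutil command sequence: read keytab $1, delete the slots given as
# $3.. (already in descending order), write the result to $2.
# Writing to a new file matters: write_kt appends to an existing keytab.
build_ktutil_script() {
    kt=$1; new=$2; shift 2
    printf 'read_kt %s\n' "$kt"
    for s in "$@"; do printf 'delete_entry %s\n' "$s"; done
    printf 'write_kt %s\nquit\n' "$new"
}

# Steps 1-8 of the procedure: back up the keytab, find the slots, rewrite it.
disable_principal() {
    princ=$1
    save="$KEYTAB.save"
    new="$KEYTAB.new.$$"
    cp "$KEYTAB" "$save" && chmod 600 "$save"   # the backup holds the service keys
    listing=$(printf 'read_kt %s\nlist\nquit\n' "$KEYTAB" | "$KTUTIL")
    slots=$(slots_for_principal "$listing" "$princ")
    if [ -z "$slots" ]; then
        echo "no keytab entries for $princ in $KEYTAB" >&2
        return 1
    fi
    build_ktutil_script "$KEYTAB" "$new" $slots | "$KTUTIL"
    chmod 600 "$new" && mv "$new" "$KEYTAB"
}

# Step 9: put the saved keytab back.
enable_principal() {
    cp "$KEYTAB.save" "$KEYTAB"
}

# Constructed sample "list" output (not captured from a real host). It includes
# two entries for the host service and the ktutil prompt glued to the header,
# which is how the output looks when ktutil reads its commands from a pipe.
SAMPLE_LISTING='ktutil:  slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
   3    5 host/denver@EXAMPLE.COM
   4    3 nfs/denver@EXAMPLE.COM'

# Dry run against the sample: print the ktutil commands that would be issued
# for principal $1 without touching any keytab.
dry_run() {
    slots=$(slots_for_principal "$SAMPLE_LISTING" "$1")
    build_ktutil_script /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.new $slots
}
```

Run as root with `disable_principal host/denver@EXAMPLE.COM` to disable the host service and `enable_principal` to restore it; `dry_run host/denver@EXAMPLE.COM` shows that both entries for the principal are deleted, slot 3 before slot 2, and that the result goes to a new file.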