Before You Begin
You must assume the root role. For more information, see "Using Your Assigned Administrative Rights" in Securing Users and Processes in Oracle Solaris 11.2.
This command adds a new randomly generated master key. The -s option requests that the new master key be stored in the default keytab, the stash file.
# kdb5_util add_mkey -s
Creating new master key for master key principal 'K/M@EXAMPLE.COM'
You will be prompted for a new database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: /** Type strong password **/
Re-enter KDC database master key to verify: xxxxxxxx

# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, No activate time set
KNVO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011 *
The asterisk in this output marks the master key that is currently active.
In the following example, the activation date is set two days in the future so that the new master key has time to propagate to all KDCs. Adjust the date to suit your environment.
# date
Fri Jul 11 17:57:00 CDT 2014
# kdb5_util use_mkey 2 'now+2days'
# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014
KNVO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011 *
In the following example, MKey: vno 2 indicates that the principal's key is protected by the newly created master key (2).
# kadmin.local -q 'getprinc tamiko' | egrep 'Principal|MKey'
Authenticating as principal root/admin@EXAMPLE.COM with password.
Principal: tamiko@EXAMPLE.COM
MKey: vno 2
If a pattern argument is appended to the command, only the principals that match the pattern are updated. Add the -n option to the command to identify the principals that would be updated.
# kdb5_util update_princ_encryption -f -v
Principals whose keys WOULD BE re-encrypted to master key vno 2:
updating: host/kdc1.example.com@EXAMPLE.COM
skipping: tamiko@EXAMPLE.COM
updating: kadmin/changepw@EXAMPLE.COM
updating: kadmin/history@EXAMPLE.COM
updating: kdc/admin@EXAMPLE.COM
updating: host/kdc2.example.com@EXAMPLE.COM
6 principals processed: 5 updated, 1 already current
Once a master key no longer protects any principal key, it can be purged from the master key principal. This command does not purge keys that are still in use by principals. Add the -n option to the command to confirm that the correct master keys will be purged.
# kdb5_util purge_mkeys -f -v
Purging the follwing master key(s) from K/M@EXAMPLE.COM:
KNVO: 1
1 key(s) purged.

# kdb5_util list_mkeys
Master keys for Principal: K/M@EXAMPLE.COM
KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014 *

# kdb5_util stash
Using existing stashed keys to update stash file.

# klist -kt /var/krb5/.k5.EXAMPLE.COM
Keytab name: FILE:.k5.EXAMPLE.COM
KVNO Timestamp        Principal
---- ---------------- ---------------------------------------------------------
   2 05/11/2014 18:03 K/M@EXAMPLE.COM
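The step that carries the real risk in this procedure is purge_mkeys: a principal whose key is still wrapped by the old master key becomes unusable once that key is gone, and a stash file that lacks the active KVNO leaves the KDC unable to open its database unattended after a restart. The POSIX shell script below is an added example, not part of the Oracle documentation or the Kerberos tools; it parses the same output formats shown in this procedure (kdb5_util list_mkeys, kadmin.local getprinc, klist -kt) from constructed sample text embedded in the script and reports whether the rotation is complete. The function names and the sample data are this example's own assumptions; on a real KDC you would substitute command substitutions such as "$(kdb5_util list_mkeys)" for the sample variables.

```shell
#!/bin/sh
# Added example, not from the Oracle page: pre-purge checks for a KDC master-key
# rotation. It parses the output formats that kdb5_util list_mkeys,
# kadmin.local getprinc and klist -kt print, using constructed sample text.
# Function names (active_mkey_vno, stale_principals, stash_has_vno,
# rotation_complete) are this example's own.

# Constructed sample of 'kdb5_util list_mkeys' output after use_mkey 2 took effect.
SAMPLE_MKEYS='Master keys for Principal: K/M@EXAMPLE.COM
KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014 *
KNVO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011'

# Constructed sample of "kadmin.local -q 'getprinc NAME' | egrep 'Principal|MKey'"
# concatenated for several principals; one of them still uses master key vno 1.
SAMPLE_PRINCS='Principal: host/kdc1.example.com@EXAMPLE.COM
MKey: vno 2
Principal: tamiko@EXAMPLE.COM
MKey: vno 1
Principal: kadmin/changepw@EXAMPLE.COM
MKey: vno 2'

# Constructed sample of 'klist -kt /var/krb5/.k5.EXAMPLE.COM' output.
SAMPLE_STASH='Keytab name: FILE:.k5.EXAMPLE.COM
KVNO Timestamp        Principal
---- ---------------- ---------------------------------------------------------
   2 05/11/2014 18:03 K/M@EXAMPLE.COM'

# active_mkey_vno LIST_MKEYS_OUTPUT
# Prints the KNVO of the entry marked with the trailing asterisk (the active key).
active_mkey_vno() {
    printf '%s\n' "$1" | awk '/\*[[:space:]]*$/ { sub(/,$/, "", $2); print $2; exit }'
}

# stale_principals ACTIVE_VNO GETPRINC_OUTPUT
# Prints every principal whose "MKey: vno N" differs from the active master key.
# These must be re-encrypted with update_princ_encryption before purge_mkeys,
# otherwise their keys can no longer be decrypted.
stale_principals() {
    printf '%s\n' "$2" | awk -v active="$1" '
        /^Principal:/ { name = $2 }
        /^MKey:/      { if ($3 != active) print name }'
}

# stash_has_vno WANT_VNO KLIST_OUTPUT
# Succeeds when the stash file (a keytab) holds a K/M entry with KVNO WANT_VNO,
# i.e. the KDC can still open the database unattended after the rotation.
stash_has_vno() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == want && $NF ~ /^K\/M@/ { found = 1 }
        END { exit !found }'
}

# rotation_complete LIST_MKEYS_OUTPUT GETPRINC_OUTPUT KLIST_OUTPUT
# Succeeds only when every principal uses the active master key and the stash
# file contains that key. Run this before kdb5_util purge_mkeys.
rotation_complete() {
    rc_active=$(active_mkey_vno "$1")
    [ -n "$rc_active" ] || return 1
    [ -z "$(stale_principals "$rc_active" "$2")" ] || return 1
    stash_has_vno "$rc_active" "$3"
}

# Report on the constructed samples (on a real KDC, pass "$(kdb5_util list_mkeys)" etc.).
active=$(active_mkey_vno "$SAMPLE_MKEYS")
echo "active master key: vno $active"
stale=$(stale_principals "$active" "$SAMPLE_PRINCS")
if [ -n "$stale" ]; then
    echo "still protected by an old master key (run update_princ_encryption first):"
    echo "$stale"
fi
if stash_has_vno "$active" "$SAMPLE_STASH"; then
    echo "stash file holds K/M vno $active"
fi
if rotation_complete "$SAMPLE_MKEYS" "$SAMPLE_PRINCS" "$SAMPLE_STASH"; then
    echo "safe to run: kdb5_util purge_mkeys"
else
    echo "NOT safe to purge old master keys yet"
fi
```

With the constructed samples the script reports tamiko@EXAMPLE.COM as still protected by master key vno 1 and refuses to declare the rotation complete; after update_princ_encryption has re-encrypted every principal under vno 2 (and the stash file has been refreshed with kdb5_util stash), the same checks pass. To gather real input for stale_principals, iterate over the names from kadmin.local -q 'getprincs' and concatenate the getprinc output for each.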