man pages section 1: User Commands

Updated: Wednesday, February 9, 2022

k5srvutil (1)


k5srvutil - host key table (keytab) manipulation utility


k5srvutil operation [-i] [-f filename] [-e keysalts]


K5SRVUTIL(1)                     MIT Kerberos                     K5SRVUTIL(1)

       k5srvutil  allows  an administrator to list keys currently in a keytab,
       to obtain new keys for a principal currently in a keytab, or to  delete
       non-current keys from a keytab.

       operation must be one of the following:

       list   Lists the keys in a keytab, showing version number and principal

       change Uses the kadmin protocol to update  the  keys  in  the  Kerberos
              database to new randomly-generated keys, and updates the keys in
              the keytab to match.  If a key's version  number  doesn't  match
              the  version  number  stored  in the Kerberos server's database,
              then the operation will fail.  If the -i flag is given, k5srvutil
              will prompt for confirmation before changing each key.  If
              the -k option is given, the old and new keys will be  displayed.
              Ordinarily,  keys  will be generated with the default encryption
              types and key salts.  This can be overridden with the -e option.
              Old  keys  are  retained  in the keytab so that existing tickets
              continue to work, but delold should be used after  such  tickets
              expire, to prevent attacks against the old keys.

       delold Deletes  keys  that  are  not  the  most recent version from the
              keytab.  This operation should be used some time after a  change
              operation  to remove old keys, after existing tickets issued for
              the service have expired.  If the -i flag is given, then k5srvutil
              will prompt for confirmation for each principal.

       delete Deletes  particular  keys in the keytab, interactively prompting
              for each key.

       In all cases, the default keytab is used unless this is  overridden  by
       the -f option.

       k5srvutil uses the kadmin(1) program to edit the keytab in place.
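
       Because change retains old keys until delold is run, a keytab can
       be audited for leftover key versions. The script below is an added
       example, not part of the MIT or Oracle documentation. It assumes
       that list prints one "<kvno> <principal>" pair per line; the
       function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report keytab entries that still carry a non-current key
# version, i.e. the entries that "k5srvutil delold" is meant to remove.
# Assumption: the list operation prints "<kvno> <principal>" on each entry
# line; header lines that do not start with an integer are skipped.

# stale_keys: read list output on stdin and print one line per
# (principal, kvno) pair whose kvno is lower than the highest kvno
# seen for that principal.
stale_keys() {
    awk '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            n++; kvno[n] = $1 + 0; princ[n] = $2
            if (!($2 in max) || kvno[n] > max[$2]) max[$2] = kvno[n]
        }
        END {
            # A kvno appears once per encryption type; report it only once.
            for (i = 1; i <= n; i++)
                if (kvno[i] < max[princ[i]] && !seen[princ[i] SUBSEP kvno[i]]++)
                    printf "%s kvno=%d current=%d\n", princ[i], kvno[i], max[princ[i]]
        }'
}

# Constructed sample output (not captured from a real host).
sample_list() {
    cat <<'EOF'
Keytab name: FILE:/path/to/keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/app1.example.com@EXAMPLE.COM
   3 host/app1.example.com@EXAMPLE.COM
   4 host/app1.example.com@EXAMPLE.COM
   4 host/app1.example.com@EXAMPLE.COM
   2 nfs/app1.example.com@EXAMPLE.COM
EOF
}

# On a real host: k5srvutil list -f /path/to/keytab | stale_keys
if [ "${1:-}" = "--demo" ]; then sample_list | stale_keys; fi
```

       Any line it prints names a key version that remains usable from
       the keytab and should be removed with delold once tickets issued
       under it have expired.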

       See kerberos(7) for a description of Kerberos environment variables.

       See attributes(7) for descriptions of the following attributes:

       |Availability   | security/kerberos-5    |
       |Stability      | Pass-through committed |

       See also: kadmin(1), ktutil(1), kerberos(7)


       Copyright 1985-2021, MIT

       Source  code  for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-

       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source      was      downloaded      from       http://web.mit.edu/ker-

       Further information about this software can be found on the open source
       community website at http://web.mit.edu/kerberos/.

1.18.4                                                            K5SRVUTIL(1)