Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Thursday, June 13, 2019
 
 

k5srvutil (1)

Name

k5srvutil - host key table (keytab) manipulation utility

Synopsis

k5srvutil operation [-i] [-f filename] [-e keysalts]

Description

K5SRVUTIL(1)                     MIT Kerberos                     K5SRVUTIL(1)



NAME
       k5srvutil - host key table (keytab) manipulation utility

SYNOPSIS
       k5srvutil operation [-i] [-f filename] [-e keysalts]

DESCRIPTION
       k5srvutil  allows  an administrator to list keys currently in a keytab,
       to obtain new keys for a principal currently in a keytab, or to  delete
       non-current keys from a keytab.

       operation must be one of the following:

       list   Lists the keys in a keytab, showing version number and principal
              name.

       change Uses the kadmin protocol to update  the  keys  in  the  Kerberos
              database to new randomly-generated keys, and updates the keys in
              the keytab to match.  If a key's version  number  doesn't  match
              the  version  number  stored  in the Kerberos server's database,
              then the operation will fail.  If the -i flag is given,  k5srvu-
              til  will  prompt for confirmation before changing each key.  If
              the -k option is given, the old and new keys will be  displayed.
              Ordinarily,  keys  will be generated with the default encryption
              types and key salts.  This can be overridden with the -e option.
              Old  keys  are  retained  in the keytab so that existing tickets
              continue to work, but delold should be used after  such  tickets
              expire, to prevent attacks against the old keys.

       delold Deletes  keys  that  are  not  the  most recent version from the
              keytab.  This operation should be used some time after a  change
              operation  to remove old keys, after existing tickets issued for
              the service have expired.  If the -i flag is given, then k5srvu-
              til will prompt for confirmation for each principal.

       delete Deletes  particular  keys in the keytab, interactively prompting
              for each key.

       In all cases, the default keytab is used unless this is  overridden  by
       the -f option.

       k5srvutil uses the kadmin(1) program to edit the keytab in place.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+------------------------+
       |ATTRIBUTE TYPE |    ATTRIBUTE VALUE     |
       +---------------+------------------------+
       |Availability   | security/kerberos-5    |
       +---------------+------------------------+
       |Stability      | Pass-through committed |
       +---------------+------------------------+
SEE ALSO
       kadmin(1), ktutil(1)

AUTHOR
       MIT

COPYRIGHT
       1985-2018, MIT



NOTES
       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source      was      downloaded      from      https://web.mit.edu/ker-
       beros/dist/krb5/1.16/krb5-1.16.1.tar.gz

       Further information about this software can be found on the open source
       community website at https://web.mit.edu/kerberos/.



1.16.1                                                            K5SRVUTIL(1)