- .\" Man page generated from reStructuredText.
- .
- .TH "K5SRVUTIL" "1" " " "1.20.1" "MIT Kerberos"
- .SH NAME
- k5srvutil \- host key table (keytab) manipulation utility
- .
- .nr rst2man-indent-level 0
- .
- .de1 rstReportMargin
- \\$1 \\n[an-margin]
- level \\n[rst2man-indent-level]
- level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
- -
- \\n[rst2man-indent0]
- \\n[rst2man-indent1]
- \\n[rst2man-indent2]
- ..
- .de1 INDENT
- .\" .rstReportMargin pre:
- . RS \\$1
- . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
- . nr rst2man-indent-level +1
- .\" .rstReportMargin post:
- ..
- .de UNINDENT
- . RE
- .\" indent \\n[an-margin]
- .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
- .nr rst2man-indent-level -1
- .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
- .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
- ..
- .SH SYNOPSIS
- .sp
- \fBk5srvutil\fP \fIoperation\fP
- [\fB\-i\fP]
- [\fB\-f\fP \fIfilename\fP]
- [\fB\-e\fP \fIkeysalts\fP]
- .SH DESCRIPTION
- .sp
- k5srvutil allows an administrator to list keys currently in
- a keytab, to obtain new keys for a principal currently in a keytab,
- or to delete non\-current keys from a keytab.
- .sp
- \fIoperation\fP must be one of the following:
- .INDENT 0.0
- .TP
- \fBlist\fP
- Lists the keys in a keytab, showing version number and principal
- name.
- .TP
- \fBchange\fP
- Uses the kadmin protocol to update the keys in the Kerberos
- database to new randomly\-generated keys, and updates the keys in
- the keytab to match. If a key\(aqs version number doesn\(aqt match the
- version number stored in the Kerberos server\(aqs database, then the
- operation will fail. If the \fB\-i\fP flag is given, k5srvutil will
- prompt for confirmation before changing each key. If the \fB\-k\fP
- option is given, the old and new keys will be displayed.
- Ordinarily, keys will be generated with the default encryption
- types and key salts. This can be overridden with the \fB\-e\fP
- option. Old keys are retained in the keytab so that existing
- tickets continue to work, but \fBdelold\fP should be used after
- such tickets expire, to prevent attacks against the old keys.
- .TP
- \fBdelold\fP
- Deletes keys that are not the most recent version from the keytab.
- This operation should be used some time after a change operation
- to remove old keys, after existing tickets issued for the service
- have expired. If the \fB\-i\fP flag is given, then k5srvutil will
- prompt for confirmation for each principal.
- .TP
- \fBdelete\fP
- Deletes particular keys in the keytab, interactively prompting for
- each key.
- .UNINDENT
- .sp
- In all cases, the default keytab is used unless this is overridden by
- the \fB\-f\fP option.
- .sp
- k5srvutil uses the kadmin(1) program to edit the keytab in
- place.
- .SH ENVIRONMENT
- .sp
- See kerberos(7) for a description of Kerberos environment
- variables.
- .SH SEE ALSO
- .sp
- kadmin(1), ktutil(1), kerberos(7)
- .SH AUTHOR
- MIT
- .SH COPYRIGHT
- 1985-2022, MIT
- .\" Generated by docutils manpage writer.
- .
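The change and delold operations described above leave a window in which old key versions are still present in the keytab. As an added example (not part of the man page or of MIT Kerberos), the following shell function reports keytab entries whose key version number is lower than the newest one for the same principal. It assumes the listing has a "KVNO Principal" column layout with header lines; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: report keytab entries older than the newest key version
# (kvno) of their principal, i.e. the entries "delold" is meant to remove.
# Assumption: input is a "KVNO Principal" listing; any line whose first
# field is not an integer (headers, separators) is skipped.

stale_keys() {
    awk '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            n++; kvno[n] = $1 + 0; princ[n] = $2
            # Track the highest kvno seen for each principal.
            if (!($2 in max) || kvno[n] > max[$2]) max[$2] = kvno[n]
        }
        END {
            # One output line per stale entry (one per encryption type).
            for (i = 1; i <= n; i++)
                if (kvno[i] < max[princ[i]])
                    printf "%s kvno=%d current=%d\n", princ[i], kvno[i], max[princ[i]]
        }'
}

# Constructed sample listing (not real output from any host):
# one principal rotated from kvno 3 to 4 with two enctypes each,
# one principal that has never been rotated.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/app1.example.com@EXAMPLE.COM
   3 host/app1.example.com@EXAMPLE.COM
   4 host/app1.example.com@EXAMPLE.COM
   4 host/app1.example.com@EXAMPLE.COM
   2 HTTP/app1.example.com@EXAMPLE.COM
EOF
}

sample_listing | stale_keys
```

On a real host, the output of the list operation can be piped into stale_keys in place of the sample; any output once existing tickets have expired means delold has not yet been run.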