k5srvutil − host key table (keytab) manipulation utility
k5srvutil operation [−i] [−f filename] [−e keysalts]
k5srvutil allows an administrator to list keys currently in a keytab, to obtain new keys for a principal currently in a keytab, or to delete non−current keys from a keytab.
operation must be one of the following:
list |
Lists the keys in a keytab, showing version number and principal name. | ||
change |
Uses the kadmin protocol to update the keys in the Kerberos database to new randomly−generated keys, and updates the keys in the keytab to match. If a key's version number doesn't match the version number stored in the Kerberos server's database, then the operation will fail. If the −i flag is given, k5srvutil will prompt for confirmation before changing each key. If the −k option is given, the old and new keys will be displayed. Ordinarily, keys will be generated with the default encryption types and key salts. This can be overridden with the −e option. Old keys are retained in the keytab so that existing tickets continue to work, but delold should be used after such tickets expire, to prevent attacks against the old keys. | ||
delold |
Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the −i flag is given, then k5srvutil will prompt for confirmation for each principal. | ||
delete |
Deletes particular keys in the keytab, interactively prompting for each key. |
In all cases, the default keytab is used unless this is overridden by the −f option.
k5srvutil uses the kadmin(1) program to edit the keytab in place.
See kerberos(7) for a description of Kerberos environment variables.
kadmin(1), ktutil(1), kerberos(7)
MIT
1985-2023, MIT