.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
.\"
.TH KSRVUTIL 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
ksrvutil \- host Kerberos keyfile (srvtab) manipulation utility
.SH SYNOPSIS
ksrvutil
.B operation
[
.B \-k
] [
.B \-i
] [
.B \-f filename
]
.SH DESCRIPTION
.I ksrvutil
allows a system manager to list or change keys currently in his
keyfile or to add new keys to the keyfile.
.PP

Operation must be one of the following:
.TP 10n
.I list
lists the keys in a keyfile showing version number and principal
name. If the \-k option is given, keys will also be shown.
.TP 10n
.I change
changes all the keys in the keyfile to new randomly-generated keys,
updating the keys in the Kerberos server's database to match by using the
kadmin protocol. If a key's version number doesn't match the
version number stored in the Kerberos server's database, it will ask
whether to correct the version number in the keyfile to match (they
must match for Kerberos to work properly).
If the \-i flag is given,
.I ksrvutil
will prompt for yes or no before changing each key. If the \-k
option is used, the old and new keys will be displayed.
.TP 10n
.I add
allows the user to add a key.
.I add
prompts for name, instance, realm, and key version number, asks
for confirmation, and then asks for a password.
.I ksrvutil
then converts the password to a key and appends the new
information to the keyfile. If the \-k option is used, the key is
displayed.
.TP 10n
.I delete
deletes particular keys in the keyfile, interactively prompting for
each key.

.PP
In all cases, the default file used is KEYFILE as defined in
krb.h unless this is overridden by the \-f option.

.PP
A good use for
.I ksrvutil
would be for adding keys to a keyfile. A system manager could
ask a Kerberos administrator to create a new service key with
.IR kadmin (8)
and could supply an initial password. Then, he could use
.I ksrvutil
to add the key to the keyfile and then to change the key so that
it will be random and unknown to either the system manager or
the Kerberos administrator.

.I ksrvutil
always makes a backup copy of the keyfile before making any
changes.

.SH DIAGNOSTICS
If
.I ksrvutil
should exit on an error condition at any time during a change or
add, a copy of the
original keyfile can be found in
.IR filename .old
where
.I filename
is the name of the keyfile, and a copy of the file with all new
keys changed or added so far can be found in
.IR filename .work.
The original keyfile is left unmodified until the program exits,
at which point it is removed and replaced with the workfile.
Appending the workfile to the backup copy and replacing the
keyfile with the result should always give a usable keyfile,
although the resulting keyfile will have some out of date keys
in it.

.SH SEE ALSO
kadmin(8), ksrvtgt(1)

.SH AUTHOR
Emanuel Jay Berkenbilt, MIT Project Athena
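
The recovery described under DIAGNOSTICS, written out as an added shell example that is not part of the original man page or of the Kerberos distribution. The function name recover_srvtab, the ".recover.XXXXXX" temporary suffix and the 0600 mode are assumptions of this example; filename.old and filename.work are the names the page gives.

```shell
# Added example: rebuild a keyfile after ksrvutil exits on an error.
# usage: recover_srvtab KEYFILE   (expects KEYFILE.old and KEYFILE.work)
recover_srvtab() {
    keyfile=$1
    if [ -z "$keyfile" ]; then
        echo "usage: recover_srvtab keyfile" >&2
        return 2
    fi
    old="$keyfile.old"     # backup copy of the original keyfile
    work="$keyfile.work"   # keys changed or added before the failure

    for f in "$old" "$work"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "recover_srvtab: missing or unreadable: $f" >&2
            return 1
        fi
    done

    # Build the result next to the keyfile so the final mv is a rename
    # on the same filesystem. mktemp creates the file owner-only.
    tmp=$(mktemp "$keyfile.recover.XXXXXX") || return 1

    # Backup first, workfile appended after it, as DIAGNOSTICS describes.
    if ! cat "$old" "$work" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # The result must be exactly the two inputs back to back.
    want=$(( $(wc -c < "$old") + $(wc -c < "$work") ))
    got=$(( $(wc -c < "$tmp") ))
    if [ "$got" -ne "$want" ]; then
        echo "recover_srvtab: short write, keyfile left untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # The keyfile holds long-term service keys: owner read/write only.
    chmod 600 "$tmp" && mv -f "$tmp" "$keyfile" && return 0
    rm -f "$tmp"
    return 1
}
```

The function leaves filename.old and filename.work in place, and, as the page notes, the rebuilt keyfile still contains some out of date keys.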