1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
.\"
.\" This source code is no longer held under any constraint of USA
.\" `cryptographic laws' since it was exported legally. The cryptographic
.\" functions were removed from the code and a "Bones" distribution was
.\" made. A Commodity Jurisdiction Request #012-94 was filed with the
.\" USA State Department, who handed it to the Commerce department. The
.\" code was determined to fall under General License GTDA under ECCN 5D96G,
.\" and hence exportable. The cryptographic interfaces were re-added by Eric
.\" Young, and then KTH proceeded to maintain the code in the free world.
.\"
.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
.\"
.\"Export of this software from the United States of America is assumed
.\"to require a specific license from the United States Government.
.\"It is the responsibility of any person or organization contemplating
.\"export to obtain such a license before exporting.
.\"
.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
.\"distribute this software and its documentation for any purpose and
.\"without fee is hereby granted, provided that the above copyright
.\"notice appear in all copies and that both that copyright notice and
.\"this permission notice appear in supporting documentation, and that
.\"the name of M.I.T. not be used in advertising or publicity pertaining
.\"to distribution of the software without specific, written prior
.\"permission. M.I.T. makes no representations about the suitability of
.\"this software for any purpose. It is provided "as is" without express
.\"or implied warranty.
.\"
.\" $OpenBSD: ksrvutil.8,v 1.5 1998/02/25 15:51:51 art Exp $
.TH KSRVUTIL 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
ksrvutil \- host kerberos keyfile (srvtab) manipulation utility
.SH SYNOPSIS
ksrvutil
.B operation
[
.B \-k
] [
.B \-i
] [
.B \-a
] [
.B \-f filename
]
.SH DESCRIPTION
.I ksrvutil
allows a system manager to list or change keys currently in his
keyfile or to add new keys to the keyfile.
.PP
Operation must be one of the following:
.TP 10n
.I list
lists the keys in a keyfile showing version number and principal
name. If the \-k option is given, keys will also be shown.
.TP 10n
.I change
changes all the keys in the keyfile by using the regular admin
protocol. If the \-i flag is given,
.I ksrvutil
will prompt for yes or no before changing each key. If the \-k
option is used, the old and new keys will be displayed.
.TP 10n
.I add
allows the user to add a key.
.I add
prompts for name, instance, realm, and key version number, asks
for confirmation, and then asks for a password.
.I ksrvutil
then converts the password to a key and appends the keyfile with
the new information. If the \-k option is used, the key is
displayed.
.PP
In all cases, the default file used is KEY_FILE as defined in
krb.h unless this is overridden by the \-f option.
.PP
A good use for
.I ksrvutil
would be for adding keys to a keyfile. A system manager could
ask a kerberos administrator to create a new service key with
.IR kadmin (8)
and could supply an initial password. Then, he could use
.I ksrvutil
to add the key to the keyfile and then to change the key so that
it will be random and unknown to either the system manager or
the kerberos administrator.
.PP
If the \-a option is given,
.I ksrvutil
uses the AFS string-to-key function. Use this if you are running
an AFS kaserver.
.PP
.I ksrvutil
always makes a backup copy of the keyfile before making any
changes.
.SH DIAGNOSTICS
If
.I ksrvutil
should exit on an error condition at any time during a change or
add, a copy of the
original keyfile can be found in
.IR filename .old
where
.I filename
is the name of the keyfile, and a copy of the file with all new
keys changed or added so far can be found in
.IR filename .work.
The original keyfile is left unmodified until the program exits
at which point it is removed and replaced it with the workfile.
Appending the workfile to the backup copy and replacing the
keyfile with the result should always give a usable keyfile,
although the resulting keyfile will have some out of date keys
in it.
.SH SEE ALSO
kadmin(8), ksrvtgt(1)
.SH AUTHOR
Emanuel Jay Berkenbilt, MIT Project Athena
|
