NAME

ktutil - Manages entries in service key table file

SYNOPSIS

/krb5/sbin/ktutil [-D] [-l] [-t [TYPE:] keytable] [-d | -p -X -x] [-c keytable] [principal]

OPTIONS

-c keytable
  Appends the specified service key table file to the service
  key table file specified by the -t option.

-D
  Destroys the entire service key table file by first zeroing
  out each entry and then deleting the file.

-d
  Prints each entry in the service key table file and prompts
  you to delete or retain the entry. Type yes to delete an
  entry. The default is no, so pressing the return key retains
  the entry and advances to the next entry. To stop at any
  time, type quit, exit, or done. All answers can be
  abbreviated to as few as one character.

  Use the optional principal argument to identify a specific
  principal ID, which indicates that only entries for that
  principal should be deleted from the service key table file.
  The command deletes the entries without prompting you.

-l
  Lists the contents of a service key table file. This is the
  default action if you execute ktutil with no options other
  than the -t option.

  You must specify the file type WFILE for all options other
  than the -l option. That is, ktutil requires WFILE if the
  service key table file must be modified or destroyed.

-p
  Purges older entries from the service key table file, which
  means that all entries but the most recent entry for each
  principal are deleted. The relative age of the entries is
  determined by comparing the entry key version numbers.

  Use the optional principal argument to identify a specific
  principal ID, which indicates that only the older keys for
  that principal should be deleted from the key table file.

-t [TYPE:] keytable
  Specifies the name of a service key table file other than
  the default /krb5/v5srvtab, unless the CSFC5KTNAME
  environment variable is set to an alternate key table type
  or file name.

  The supported types are FILE and WFILE (writable file). The
  default key table type is FILE. You can specify both the
  type and service key table file name, or you can accept the
  default type and only specify the service key table name.

  You must specify the file type WFILE for all options other
  than the -l option. That is, ktutil requires WFILE if the
  service key table file must be modified or destroyed.

-x
  Extracts from the security server a key for the host service
  principal (the account for the computer where the
  administrator is logged in) and adds the key to the service
  key table file designated by the -t option. Use the optional
  principal argument to identify a specific principal ID,
  which indicates that the key for that principal should be
  extracted from the security server and added to the service
  key table file.

  Use the -x and -p options together to first add the
  extracted key and then purge all older entries for the
  designated principal from the service key table file.

  If the principal argument is not used with the -x -p
  combination, the older keys for only the host principal are
  purged from the file after the new key is added.

-X
  Requests that the security server generate a new random key
  for the host service principal (the account for the computer
  where the administrator is logged in). The command then
  extracts that key from the security server and adds it to
  the service key table file designated by the -t option.

  Use the optional principal argument to identify a specific
  principal ID, which indicates that the key for that
  principal should be regenerated and extracted from the
  security server and added to the service key table file.

  Use the -X and -p options together to first add the
  extracted key and then purge all older entries for the
  designated principal from the service key table file.

  If the [principal] argument is not used with the -X -p
  combination, the older keys for only the host principal are
  purged from the file after the new key is added.

DESCRIPTION

The ktutil command manages entries in service key table
files. Note that the service key table file is owned by
root, so you must log on as root to access it.

All options other than the -l option attempt to modify the
service key table file. Therefore, when you execute those
commands, you must include the -t TYPE:WFILE option to
specify that the service key table file is a writable
file. To specify that the service key table file should
not be modified, use the default -t TYPE:FILE option
instead.

Before you can extract a key from the service key table
file using the -x or -X options, you must authenticate
yourself to the Kerberos server and have the appropriate
permissions.

EXAMPLES

To view all entries in the default service key table file,
enter:

  # ktutil

or

  # ktutil -t keytable -l

To destroy the service key table file called /krb5/mytable,
enter:

  # ktutil -D -t WFILE:/krb5/mytable

To add all the entries in a service key table called
/krb5/srvtable to the default service key table file, enter:

  # ktutil -c /krb5/srvtable -t WFILE:/krb5/v5srvtab

If the -t option is not used to specify the WFILE type, this
operation fails; the type must be defined as WFILE rather
than the default FILE for this operation to succeed.

To add a new entry to the default service key table file for
the principal host/[email protected] and then purge all
older entries from the service key table file, enter:

  # ktutil -t WFILE:/krb5/v5srvtab -x -p host/[email protected]
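
The WFILE rule (every option other than -l needs -t WFILE:keytable, otherwise the operation fails) is easy to miss in scripted key rotation. The following POSIX shell function is an added example, not part of the original manual page or of ktutil; it checks an argument list against that rule before ktutil is run. The name ktutil_preflight is hypothetical, and the check looks only at the -t option, not at CSFC5KTNAME.

```shell
#!/bin/sh
# Added example: check a ktutil argument list against the manual's WFILE rule.
# ktutil_preflight is a hypothetical helper name, not part of ktutil.
# Returns 0 if the call is read-only or names a WFILE key table, 1 otherwise.
ktutil_preflight() {
    _kt_mod=no       # becomes yes when an option other than -l is present
    _kt_type=FILE    # the manual gives FILE as the default key table type
    while [ $# -gt 0 ]; do
        case "$1" in
            -D|-d|-p|-x|-X)
                _kt_mod=yes ;;
            -c)
                _kt_mod=yes
                shift ;;                        # skip the source key table name
            -t)
                shift
                case "${1:-}" in
                    WFILE:*) _kt_type=WFILE ;;
                    *)       _kt_type=FILE ;;   # FILE:name or a bare name
                esac ;;
            *)
                : ;;                            # -l or the principal argument
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if [ "$_kt_mod" = yes ] && [ "$_kt_type" != WFILE ]; then
        echo "ktutil_preflight: modifying option without -t WFILE:keytable" >&2
        return 1
    fi
    return 0
}

# Usage in a script:
#   ktutil_preflight "$@" && /krb5/sbin/ktutil "$@"
```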

ENVIRONMENT VARIABLES

CSFC5KTNAME
  Controls the service key table file.

FILES

/krb5/v5srvtab
  Default service key table file.

SEE ALSO

Commands: kdestroy(1), kinit(1), klist(1)

ktutil(1)