Diffstat (limited to 'crypto/heimdal/kadmin/kadmin.8')
 crypto/heimdal/kadmin/kadmin.8 | 252 (mode -rw-r--r--)
 1 file changed, 190 insertions, 62 deletions
diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8 index cf7ebe8..06fe3d0 100644 --- a/crypto/heimdal/kadmin/kadmin.8 +++ b/crypto/heimdal/kadmin/kadmin.8 
@@ -1,37 +1,37 @@ -.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: kadmin.8,v 1.10 2003/03/31 10:42:32 lha Exp $ +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.Dd September 10, 2000 +.\" $Id: kadmin.8 21739 2007-07-31 15:55:32Z lha $ +.\" +.Dd Feb 22, 2007 .Dt KADMIN 8 .Os HEIMDAL .Sh NAME @@ -39,6 +39,7 @@ .Nd Kerberos administration utility .Sh SYNOPSIS .Nm +.Bk -words .Oo Fl p Ar string \*(Ba Xo .Fl -principal= Ns Ar string .Xc 
@@ -71,6 +72,7 @@ .Op Fl h | Fl -help .Op Fl v | Fl -version .Op Ar command +.Ek .Sh DESCRIPTION The .Nm @@ -128,7 +130,18 @@ If no .Ar command is given on the command line, .Nm -will prompt for commands to process. Commands include: +will prompt for commands to process. Some of the commands that take +one or more principals as argument +.Ns ( Nm delete , +.Nm ext_keytab , +.Nm get , +.Nm modify , +and +.Nm passwd ) +will accept a glob style wildcard, and perform the operation on all +matching principals. +.Pp +Commands include: .\" not using a list here, since groff apparently gets confused .\" with nested Xo/Xc .Bd -ragged -offset indent @@ -148,36 +161,33 @@ will prompt for commands to process. Commands include: .Ar principal... .Pp .Bd -ragged -offset indent -creates a new principal +Adds a new principal to the database. The options not passed on the +command line will be promped for. .Ed .Pp -.Nm passwd +.Nm add_enctype .Op Fl r | Fl -random-key -.Op Fl -random-password -.Oo Fl p Ar string \*(Ba Xo -.Fl -password= Ns Ar string -.Xc -.Oc -.Op Fl -key= Ns Ar string -.Ar principal... +.Ar principal enctypes... .Pp .Bd -ragged -offset indent -changes the password of an existing principal +Adds a new encryption type to the principal, only random key are +supported. .Ed .Pp .Nm delete .Ar principal... .Pp .Bd -ragged -offset indent -removes a principal +Removes a principal. .Ed .Pp .Nm del_enctype .Ar principal enctypes... .Pp .Bd -ragged -offset indent -removes some enctypes from a principal. This can be useful the service -belonging to the principal is known to not handle certain enctypes +Removes some enctypes from a principal; this can be useful if the +service belonging to the principal is known to not handle certain +enctypes. .Ed .Pp .Nm ext_keytab 
@@ -188,26 +198,49 @@ belonging to the principal is known to not handle certain enctypes .Ar principal... .Pp .Bd -ragged -offset indent -creates a keytab with the keys of the specified principals +Creates a keytab with the keys of the specified principals. .Ed .Pp .Nm get .Op Fl l | Fl -long .Op Fl s | Fl -short .Op Fl t | Fl -terse -.Ar expression... +.Op Fl o Ar string | Fl -column-info= Ns Ar string +.Ar principal... .Pp .Bd -ragged -offset indent -lists the principals that match the expressions (which are shell glob -like), long format gives more information, and terse just prints the -names -.Ed +Lists the matching principals, short prints the result as a table, +while long format produces a more verbose output. Which columns to +print can be selected with the +.Fl o +option. The argument is a comma separated list of column names +optionally appended with an equal sign +.Pq Sq = +and a column header. Which columns are printed by default differ +slightly between short and long output. .Pp -.Nm rename -.Ar from to +The default terse output format is similar to +.Fl s o Ar principal= , +just printing the names of matched principals. .Pp -.Bd -ragged -offset indent -renames a principal +Possible column names include: +.Li principal , +.Li princ_expire_time , +.Li pw_expiration , +.Li last_pwd_change , +.Li max_life , +.Li max_rlife , +.Li mod_time , +.Li mod_name , +.Li attributes , +.Li kvno , +.Li mkvno , +.Li last_success , +.Li last_failed , +.Li fail_auth_count , +.Li policy , +and +.Li keytypes . .Ed .Pp .Nm modify 
@@ -220,16 +253,91 @@ renames a principal .Op Fl -expiration-time= Ns Ar time .Op Fl -pw-expiration-time= Ns Ar time .Op Fl -kvno= Ns Ar number +.Ar principal... +.Pp +.Bd -ragged -offset indent +Modifies certain attributes of a principal. If run without command +line options, you will be prompted. With command line options, it will +only change the ones specified. +.Pp +Possible attributes are: +.Li new-princ , +.Li support-desmd5 , +.Li pwchange-service , +.Li disallow-svr , +.Li requires-pw-change , +.Li requires-hw-auth , +.Li requires-pre-auth , +.Li disallow-all-tix , +.Li disallow-dup-skey , +.Li disallow-proxiable , +.Li disallow-renewable , +.Li disallow-tgt-based , +.Li disallow-forwardable , +.Li disallow-postdated +.Pp +Attributes may be negated with a "-", e.g., +.Pp +kadmin -l modify -a -disallow-proxiable user +.Ed +.Pp +.Nm passwd +.Op Fl r | Fl -random-key +.Op Fl -random-password +.Oo Fl p Ar string \*(Ba Xo +.Fl -password= Ns Ar string +.Xc +.Oc +.Op Fl -key= Ns Ar string +.Ar principal... +.Pp +.Bd -ragged -offset indent +Changes the password of an existing principal. +.Ed +.Pp +.Nm password-quality .Ar principal +.Ar password .Pp .Bd -ragged -offset indent -modifies certain attributes of a principal +Run the password quality check function locally. +You can run this on the host that is configured to run the kadmind +process to verify that your configuration file is correct. +The verification is done locally, if kadmin is run in remote mode, +no rpc call is done to the server. .Ed .Pp .Nm privileges .Pp .Bd -ragged -offset indent -lists the operations you are allowed to perform +Lists the operations you are allowed to perform. These include +.Li add , +.Li add_enctype , +.Li change-password , +.Li delete , +.Li del_enctype , +.Li get , +.Li list , +and +.Li modify . +.Ed +.Pp +.Nm rename +.Ar from to +.Pp +.Bd -ragged -offset indent +Renames a principal. 
This is normally transparent, but since keys are +salted with the principal name, they will have a non-standard salt, +and clients which are unable to cope with this will fail. Kerberos 4 +suffers from this. +.Ed +.Pp +.Nm check +.Op Ar realm +.Pp +.Bd -ragged -offset indent +Check database for strange configurations on important principals. If +no realm is given, the default realm is used. .Ed .Pp .Ed @@ -241,9 +349,12 @@ When running in local mode, the following commands can also be used: .Op Ar dump-file .Pp .Bd -ragged -offset indent -writes the database in +Writes the database in .Dq human readable -form to the specified file, or standard out +form to the specified file, or standard out. If the database is +encrypted, the dump will also have encrypted keys, unless +.Fl -decrypt +is used. .Ed .Pp .Nm init @@ -252,24 +363,41 @@ form to the specified file, or standard out .Ar realm .Pp .Bd -ragged -offset indent -initializes the Kerberos database with entries for a new realm. It's -possible to have more than one realm served by one server +Initializes the Kerberos database with entries for a new realm. It's +possible to have more than one realm served by one server. .Ed .Pp .Nm load .Ar file .Pp .Bd -ragged -offset indent -reads a previously dumped database, and re-creates that database from scratch +Reads a previously dumped database, and re-creates that database from +scratch. .Ed .Pp .Nm merge .Ar file .Pp .Bd -ragged -offset indent -similar to -.Nm list -but just modifies the database with the entries in the dump file +Similar to +.Nm load +but just modifies the database with the entries in the dump file. +.Ed +.Pp +.Nm stash +.Oo Fl e Ar enctype \*(Ba Xo +.Fl -enctype= Ns Ar enctype +.Xc +.Oc +.Oo Fl k Ar keyfile \*(Ba Xo +.Fl -key-file= Ns Ar keyfile +.Xc +.Oc +.Op Fl -convert-file +.Op Fl -master-key-fd= Ns Ar fd +.Pp +.Bd -ragged -offset indent +Writes the Kerberos master key to a file used by the KDC. .Ed .Pp .Ed |
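Review bot: in the @@ -1,37 +1,37 @@ hunk the new `.Dd Feb 22, 2007` line has two problems: mdoc expects the month spelled out (`.Dd February 22, 2007`), and the date is five months older than the `$Id$` stamp (2007-07-31) on the line just above it, so the manual's own date does not reflect this revision. The removed and re-added license lines in the same hunk are textually identical, which points to a whitespace-only change (tabs versus spaces or trailing blanks); confirm with `diff -w` and say so in the commit message, so reviewers know the license text itself is unchanged.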
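Review bot: the @@ -128,7 +130,18 @@ hunk says `delete`, `ext_keytab`, `get`, `modify` and `passwd` accept glob-style wildcards, but does not say whether the destructive ones (`delete`, `passwd`) ask for confirmation before acting on every match, and an unquoted `*` typed at a shell prompt is expanded by the shell before kadmin sees it. Suggest adding something like: "Quote the pattern (for example `'host/*'`) so the shell does not expand it; a pattern given to `delete` or `passwd` is applied to all matching principals." and stating explicitly whether `delete` prompts for confirmation.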
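Review bot: two typos in the @@ -148,36 +161,33 @@ hunk: `promped` should be `prompted` in the `add` description, and `only random key are supported` should read `only random keys are supported` under `add_enctype`. With that sentence, the `.Op Fl r | Fl -random-key` option on `add_enctype` reads as contradictory (if random keys are the only choice, why is the flag optional?); either document what the command does when `-r` is not given or explain why the flag is accepted at all.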
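Review bot: the @@ -188,26 +198,49 @@ hunk says the default columns for `get` "differ slightly between short and long output" without listing either set, which is exactly what a reader choosing `-o` columns needs. Suggest spelling out the two default column lists right after that sentence, next to the full list of possible column names that the hunk already provides.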
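Review bot: the @@ -241,9 +349,12 @@ hunk documents `--decrypt` for `dump` but does not say what that means in practice: the resulting file then holds every principal's long-term keys in the clear and must be protected like the master key (restrictive file mode, never left in a world-readable spool or backup location). Suggest a sentence to that effect, and verify that `--decrypt` also appears in the `dump` synopsis, which lies outside this hunk's context lines.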
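Review bot: in the @@ -252,24 +363,41 @@ hunk the new `stash` entry lists `-e`/`--enctype`, `-k`/`--key-file`, `--convert-file` and `--master-key-fd` in its synopsis, but the description is a single sentence, so none of them is explained (in particular what `--convert-file` converts and what is read from `fd`). Since the file written holds the master key in the clear, the description should also say how that file is protected. The `merge` fix from `.Nm list` to `.Nm load` is correct.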