From 4b7517731a0bf1026ff5a9a6eb1cc16b52f6debb Mon Sep 17 00:00:00 2001
From: Alex Dehnert
Date: Fri, 8 Mar 2013 23:48:33 -0500
Subject: Add support for k5srvutil -e keysalts
k5srvutil is a little more convenient to use for rolling keys than kadmin is. When migrating off 1DES, though, it may be desirable to explicitly specify the desired keysalts. This adds an option, -e, to k5srvutil to specify desired keysalts.
[ghudson@mit.edu: style fix; make whitespace in keysalt list work]
ticket: 7589 (new)
---
 doc/admin/admin_commands/k5srvutil.rst | 5 ++++-
 src/kadmin/cli/k5srvutil.sh | 10 ++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/doc/admin/admin_commands/k5srvutil.rst b/doc/admin/admin_commands/k5srvutil.rst
index 493c176531..0e30a8ea2a 100644
--- a/doc/admin/admin_commands/k5srvutil.rst
+++ b/doc/admin/admin_commands/k5srvutil.rst
@@ -9,6 +9,7 @@ SYNOPSIS
 **k5srvutil** *operation* [**-i**] [**-f** *filename*]
+[**-e** *keysalts*]
 DESCRIPTION
 -----------
@@ -31,7 +32,9 @@ a keytab or to add new keys to the keytab.
 existing tickets continue to work. If the **-i** flag is given, k5srvutil will prompt for confirmation before changing each key. If the **-k** option is given, the old and new keys will be
- displayed.
+ displayed. Ordinarily, keys will be generated with the default
+ encryption types and key salts. This can be overridden with the
+ **-e** option.
 **delold**
 Deletes keys that are not the most recent version from the keytab.
diff --git a/src/kadmin/cli/k5srvutil.sh b/src/kadmin/cli/k5srvutil.sh
index e1284e6af4..050fa8776f 100755
--- a/src/kadmin/cli/k5srvutil.sh
+++ b/src/kadmin/cli/k5srvutil.sh
@@ -38,7 +38,7 @@ cmd_error() {
 }
 usage() {
- echo "Usage: $0 [-i] [-f file] list|change|delete|delold"
+ echo "Usage: $0 [-i] [-f file] [-e keysalts] list|change|delete|delold"
 }
@@ -47,7 +47,8 @@ change_key() {
 princs=`list_princs `
 for princ in $princs; do
 if interactive_prompt "Change key " $princ; then
- kadmin -k -t $keytab -p $princ -q "ktadd -k $keytab $princ"
+ kadmin -k -t $keytab -p $princ -q \
+ "ktadd -k $keytab $keysalts $princ"
 fi
 done
 }
@@ -74,6 +75,7 @@ delete_keys() {
 keytab=/etc/krb5.keytab
 interactive=0
+keysalts=""
 while [ $# -gt 0 ] ; do
 opt=$1
@@ -86,6 +88,10 @@ while [ $# -gt 0 ] ; do
 "-i")
 interactive=1
 ;;
+ "-e")
+ keysalts="$keysalts -e \"$1\""
+ shift
+ ;;
 change|delold|delete|list)
 set_command $opt
 ;;
--
cgit
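Review bot: In change_key, `$keysalts` is expanded inside the `-q` string, so the text given after `-e` is parsed by kadmin as part of the ktadd command rather than handed over as a single shell argument. The option loop in the last hunk wraps the value in literal double quotes, but nothing rejects a value that itself contains `"`, which would close the quoted argument early and leave the remainder to be read as further ktadd tokens. That matters where k5srvutil is driven by a wrapper or scheduled job with arguments it did not author. A guard in the `-e` case such as `case $1 in *\"*) usage; exit 1 ;; esac` keeps the value a single keysalt list. change_key starts above this hunk.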
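Review bot: The new `-e` case uses `$1` without checking that an argument follows, so `k5srvutil change -e` puts `-e ""` into the ktadd query and then runs `shift` with no positional parameters left, which some shells treat as fatal and others ignore (the loop's own `shift` and the rest of the case statement are outside the hunk). What kadmin does with an empty keysalt list is not visible here, and when the goal is to move keys off 1DES, a run that quietly proceeds with something other than the requested enctypes is worth preventing. Failing early with `[ $# -gt 0 ] || { usage; exit 1; }` ahead of the assignment would do it. Each repeated `-e` also appends another `-e "..."` pair to the query, which may deserve a sentence in the usage text or man page.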