Diffstat (limited to 'src/kadmin/cli/kadmin.1')
| -rw-r--r-- | src/kadmin/cli/kadmin.1 | 473 |
1 files changed, 473 insertions, 0 deletions
diff --git a/src/kadmin/cli/kadmin.1 b/src/kadmin/cli/kadmin.1 new file mode 100644 index 0000000000..a8db58334a --- /dev/null +++ b/src/kadmin/cli/kadmin.1 
@@ -0,0 +1,473 @@ +KADMIN(8) USER_COMMANDS KADMIN(8) + +NAME + kadmin - a command line interface to the Kerberos KADM5 + administration system + +SYNOPSIS + kadmin [-r realm] [-p principal] [-q query] [clnt|local args] + clnt args: [-p principal] [[-c ccache]|[-k [-t keytab]]] + [-w] [-s admin_server[:port]] + local args: [-d dbname] [-e \"enc:salt ...\"] [-m] + +DESCRIPTION + kadmin is a command-line interface to the Kerberos KADM5 + administration system. It provides for the maintainance of + Kerberos principals, KADM5 policies, and service key tables + (keytabs). It exists as both a remote client, using Kerberos + authentication and an encrypted RPC to operate securely from + anywhere on the network, and as a local client intended to run + directly on the KDC without Kerberos authentication. The + local version provides all of the functionality of the now + obsolete kdb5_edit(8) except for database dump and load, which + is now provided by the kdb5_util(8) utility. + +COMMAND LINE ARGUMENTS + If -r is specified, then kadmin will use the specified realm + as the default database realm rather than the default realm + for the local machine. + + The -q option allows the passing of a request directly to + kadmin, which will then exit. This can be useful for writing + scripts. + + The remote version authenticates to the KADM5 server using the + service kadmin/admin, and therefore needs a client Kerberos + principal name as which to authenticate. The -p, -c, and -k + are designed to work together to specify which principal as + which to authenticate and where the service ticket or + password/key for that principal should be obtained. If given + the -p option, kadmin will use the specified principal to + authenticate. Otherwise, if given -c option then the primary + principal name of the ccache is used. Otherwise, if given the + -k option, the principal name host/<hostname> is used. 
+ Otherwise, kadmin will append "/admin" to the primary + principal name of the default ccache, the value of the USER + environment variable, or the username as obtained with + getpwuid, in order of preference. + + Once kadmin knows the principal name as which to authenticate, + it needs to acquire a Kerberos service ticket for the KADM5 + server. If the -c ccache argument is specified, the ccache + should contain a service ticket for the kadmin/admin service; + it can be acquired with the kinit(1) program. Otherwise, + kadmin requests a new service ticket from the KDC and stores + it in its own temporary ccache. If the -k keytab argument is + specified, the keytab is used to decrypt the KDC response; + otherwise, a password is required. By default, the user is + prompted for the password on the TTY. However, if given the + -w option, kadmin will use the password provided on the + command line instead of prompting for one on the TTY. + WARNING! Placing the password for a Kerberos principal with + administration access into a shell script is EXTREMELY + DANGEROUS and should only be done if you are highly sure that + the script will not fall into the wrong hands. + + If given the -d argument, kadmin will use the specified + database name instead of the default defined in kdc.conf. + Note that specifying a different KDC database name also + specifies a different name for the KADM5 policy database and + lock file. + + If given the -e argument, kadmin will use the specified list + of encryption and salt type tuples instead of the values + specified in kdc.conf. This is useful, for example, if you + want to create a single principal with a particular key/salt + type without affecting any other principals. + + If given the -m argument, kadmin will prompt for the Kerberos + master password on the command line instead of attempting to + use the stash file. 
+ +DATE FORMAT + Various commands in kadmin can take a variety of + date formats, specifying durations or absolute times. + Examples of valid formats are: + + 1 month ago + 2 hours ago + 400000 seconds ago + last year + last Monday + yesterday + a fortnight ago + 3/31/92 10:00:07 PST + January 23, 1987 10:05pm + 22:00 GMT + + Dates which do not have the "ago" specifier default to being + absolute dates, unless they appear in a field where a duration + is expected. In that case the time specifier will be + interpreted as relative. Specifying "ago" on a duration may + result in unexpected behaviour. + +COMMAND DESCRIPTIONS + +add_principal [options] _newprinc_ + creates the principal _newprinc_, prompting twice for a + password. This command requires the "add" privilege. This + command has the aliases "addprinc", "ank". + + OPTIONS + -salt _salttype_ + uses the specified salt instead of the default V5 salt + for generating the key. Valid values for _salttype_ + are: + full_name (aliases "v5_salt", "normal") + name_only + realm_only + no_salt (alias "v4_salt") + + -expire _expdate_ + expiration date of the principal + + -pwexpire _pwexpdate_ + password expiration date + + -maxlife _maxlife_ + maximum ticket life of the principal + + -kvno _kvno_ + explicity set the key version number. This is not + recommended. + + -policy _policy_ + policy used by this principal. If no policy is + supplied, the principal will default to having no + policy, and a warning message will be printed. + + {-|+}allow_tgs_req + "-allow_tgs_req" specifies that a TGS request for a + ticket for a service ticket for this principal is not + permitted. This option is useless for most things. + "+allow_tgs_req" clears this flag. The default is + "+allow_tgs_req". In effect, "-allow_tgs_req" sets + the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal + in the database. + + {-|+}allow_tix + "-allow_tix" forbids the issuance of any tickets for + this principal. "+allow_tix" clears this flag. 
The + default is "+allow_tix". In effect, "-allow_tix" sets + the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in + the database. + + {-|+}needchange + "+needchange" sets a flag in attributes field to force + a password change; "-needchange" clears it. The + default is "-needchange". In effect, "+needchange" + sets the KRB5_KDB_REQUIRES_PWCHANGE flag on the + principal in the database. + + {-|+}password_changing_service + "+password_changing_service" sets a flag in the + attributes field marking this as a password change + service principal (useless for most things). + "-password_changing_service" clears the flag. This + flag intentionally has a long name. The default is + "-password_changing_service". In effect, + "+password_changing_service" sets the + KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the + database. + + -randpass + sets the key of the principal to a random value + + -pw _password_ + sets the key of the principal to the specified string + and does not prompt for a password. This is not + recommended. + + EXAMPLE + kadmin: addprinc tlyu/deity + WARNING: no policy specified for "tlyu/deity@ATHENA.MIT.EDU"; + defaulting to no policy. + Enter password for principal tlyu/deity@ATHENA.MIT.EDU: + Re-enter password for principal tlyu/deity@ATHENA.MIT.EDU: + Principal "tlyu/deity@ATHENA.MIT.EDU" created. + kadmin: + + ERRORS + KADM5_AUTH_ADD (requires "add" privilege) + KADM5_BAD_MASK (shouldn't happen) + KADM5_DUP (principal exists already) + KADM5_UNK_POLICY (policy does not exist) + KADM5_PASS_Q_* (password quality violations) + +delete_principal [-force] _principal_ + deletes the specified principal from the database. This + command prompts for deletion, unless the "-force" option is + given. This command requires the "delete" privilege. Aliased + to "delprinc". + + EXAMPLE + kadmin: delprinc mwm_user + Are you sure you want to delete the principal + "mwm_user@ATHENA.MIT.EDU"? (yes/no): yes + Principal "mwm_user@ATHENA.MIT.EDU" deleted. 
+ Make sure that you have removed this principal from + all ACLs before reusing. + kadmin: + + ERRORS + KADM5_AUTH_DELETE (reequires "delete" privilege) + KADM5_UNK_PRINC (principal does not exist) + +modify_principal [options] _principal_ + modifies the specified principal, changing the fields as + specified. The options are as above for "add_principal", + except that password changing is forbidden by this command. + In addition, the option "-clearpolicy" will remove clear the + current policy of a principal. This command requires the + "modify" privilege. Aliased to "modprinc". + + ERRORS + KADM5_AUTH_MODIFY (requires "modify" privilege) + KADM5_UNK_PRINC (principal does not exist) + KADM5_UNK_POLICY (policy does not exist) + KADM5_BAD_MASK (shouldn't happen) + +rename_principal [-force] _old_ _new_ + rename the principal _old_ to _new_. Prompts for + confirmation, unless the "-force" option is given. Requires + both the "add" and "delete" privileges. Aliased to + "renprinc". + + EXAMPLE + kadmin: renprinc tlyutest test0 + Are you sure you want to rename the principal + "tlyutest@ATHENA.MIT.EDU" to + "test0@ATHENA.MIT.EDU"? (yes/no): yes + Principal "tlyutest@ATHENA.MIT.EDU" renamed to + "test0@ATHENA.MIT.EDU". + Make sure that you have removed "tlyutest@ATHENA.MIT.EDU" from + all ACLs before reusing. + kadmin: + + ERRORS + KADM5_AUTH_ADD (requires "add" privilege) + KADM5_AUTH_DELETE (requires "delete" privilege) + KADM5_UNK_PRINC (source principal does not exist) + KADM5_DUP (target principal already exists) + +change_password [options] _principal_ + changes the password of _principal_. Prompts for a new + password if neither -randpass or -pw is specified. Requires + the "modify" privilege, or that the principal that is running + the program to be the same as the one changed. Aliased to + "cpw". + + OPTIONS + -salt _salttype_ + uses the specified salt instead of the default V5 salt + for generating the key. Options are the same as for + add_principal. 
+ + -randpass + sets the key of the principal to a random value + + -pw _password_ + set the password to the specified string. Not + recommended. + + EXAMPLE + kadmin: cpw systest + Enter password for principal systest@ATHENA.MIT.EDU: + Re-enter password for principal systest@ATHENA.MIT.EDU: + Password for systest@ATHENA.MIT.EDU changed. + kadmin: + + ERRORS + KADM5_AUTH_MODIFY (requires the modify privilege) + KADM5_UNK_PRINC (principal does not exist) + KADM5_PASS_Q_* (password policy violation errors) + KADM5_PADD_REUSE (password is in principal's password istory) + KADM5_PASS_TOOSOON (current password minimum life not xpired) + +get_principal [-terse] _principal_ + gets the attributes of _principal_. Requires the "get" + privilege, or that the principal that is running the the + program to be the same as the one being listed. With the + "-terse" option, outputs fields as a quoted tab-separated + strings. Alias "getprinc". + + EXAMPLES + kadmin: getprinc tlyu/deity + Principal: tlyu/deity@ATHENA.MIT.EDU + Key version: 3 + Maximum life: 1 day 00:00:00 + Maximum renewable life: 7 days 00:00:00 + Master key version: 1 + Expires: Mon Jan 18 22:14:07 EDT 2038 + Password expires: Mon Sep 19 14:40:00 EDT 1994 + Password last changed: Mon Jan 31 02:06:40 EDT 1994 + Last modified: by tlyu/admin@ATHENA.MIT.EDU + on Wed Jul 13 18:27:08 EDT 1994 + Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE, + REQUIRES_HW_AUTH + Salt type: DEFAULT + kadmin: getprinc systest + systest@ATHENA.MIT.EDU 3 86400 604800 1 + 785926535 753241234 785900000 + tlyu/admin@ATHENA.MIT.EDU 786100034 0 + 0 + kadmin: + + ERRORS + KADM5_AUTH_GET (requires the get privilege) + KADM5_UNK_PRINC (principal does not exist) + +get_principals [expression] + Retrieves all or some principal names. _expression_ is a + shell-style glob expression that can contain the wild-card + characters ?, *, and []'s. All principal names matching the + expression are printed. 
If no expression is provided, the + expression "*" is assumed. If the expression does not contain + an "@" character, an "@" character followed by the local realm + is appended to the expression. Requires the "list" priviledge. + Alias "getprincs". + + EXAMPLES + kadmin: getprincs test* + test3@SECURE-TEST.OV.COM + test2@SECURE-TEST.OV.COM + test1@SECURE-TEST.OV.COM + testuser@SECURE-TEST.OV.COM + kadmin: + +add_policy [options] _policy_ + adds the named policy to the policy database. Requires the + "add" privilege. Aliased to "addpol". + + OPTIONS + -maxlife _time_ + sets the maximum lifetime of a password + + -minlife _time_ + sets the minimum lifetime of a password + + -minlength _length_ + sets the minimum length of a password + + -minclasses _number_ + sets the minimum number of character classes allowed + in a password + + -history _number_ + sets the number of past keys kept for a principal + + ERRORS + KADM5_AUTH_ADD (requires the add privilege) + KADM5_DUP (policy already exists) + +delete_policy _policy_ + deletes the named policy. Prompts for confirmation before + deletion. The command will fail if the policy is in use by + any principals. Requires the "delete" privilege. Alias + "delpol". + + EXAMPLE + kadmin: del_policy guests + Are you sure you want to delete the policy "guests"? + (yes/no): yes + Policy "guests" deleted. + kadmin: + + ERRORS + KADM5_AUTH_DELETE (requires the delete privilege) + KADM5_UNK_POLICY (policy does not exist) + KADM5_POLICY_REF (reference count on policy is not zero) + +modify_policy [options] _policy_ + modifies the named policy. Options are as above for + "add_policy". Requires the "modify" privilege". Alias + "modpol". + + ERRORS + KADM5_AUTH_MODIFY (requires the modify privilege) + KADM5_UNK_POLICY (policy does not exist) + +get_policy [-terse] _policy_ + displays the values of the named policy. Requires the "get" + privilege. With the "-terse" flag, outputs the fields as + quoted strings separated by tabs. 
Alias "getpol". + + EXAMPLES + kadmin: get_policy admin + Policy: admin + Maximum password life: 180 days 00:00:00 + Minimum password life: 00:00:00 + Minimum password length: 6 + Minimum number of password character classes: 2 + Number of old keys kept: 5 + Reference count: 17 + kadmin: get_policy -terse admin + admin 15552000 0 6 2 5 17 + kadmin: + + ERRORS + KADM5_AUTH_GET (requires the get privilege) + KADM5_UNK_POLICY (policy does not exist) + +get_policies [expression] + Retrieves all or some policy names. _expression_ is a + shell-style glob expression that can contain the wild-card + characters ?, *, and []'s. All policy names matching the + expression are printed. If no expression is provided, the + expression "*" is assumed. Requires the "list" priviledge. + Alias "getpols". + + EXAMPLES + kadmin: getpols + test-pol + dict-only + once-a-min + test-pol-nopw + kadmin: getpols t* + test-pol + test-pol-nopw + kadmin: + +ktadd [-k keytab] [-q] [principal | -glob princ-exp] [...] + Adds principal or all principals matching princ-exp to a + keytab. princ-exp follows the same rules described for the + get_principals command. An entry for each of the principal's + unique encryption types is added, ignoring multiple keys with + the same encryption type but different salt types. If the -k + argument is not specified, the default keytab /etc/v5srvtab is + used. If the -q option is specified, less verbose status + information is displayed. + + The -glob option requires the "list" privilege. + + EXAMPLES + kadmin% ktadd -k /krb5/kadmind.keytab kadmin/admin kadmin/changepw + kadmin: Entry for principal kadmin/admin@ATHENA.MIT.EDU with + kvno 3, encryption type DES-CBC-CRC added to keytab + WRFILE:/krb5/kadmind.keytab. + kadmin: Entry for principal kadmin/changepw@ATHENA.MIT.EDU + with kvno 3, encryption type DES-CBC-CRC added to keytab + WRFILE:/krb5/kadmind.keytab. 
+ kadmin: + +ktremove [-k keytab] [-q] principal [kvno|"all"|"old"] + Removes entries for the specified principal from a keytab. If + the string "all" is specified, all entries for that principal + are removed; if the string "old" is specified, all entries for + that principal except those with the highest kvno are removed. + Otherwise, the value specified is parsed as an integer, and + all entries whose kvno match that integer are removed. If the + -k argument is not specifeid, the default keytab /etc/v5srvtab + is used. If the -q is specified, less verbose status + information is displayed. + + EXAMPLES + kadmin: ktremove -k /krb5/kadmind.keytab kadmin/admin + kadmin: Entry for principal kadmin/admin with kvno 3 removed + from keytab WRFILE:/krb5/kadmind.keytab. + kadmin: + +SEE ALSO + kerberos(1), kdb5_util(8) + + |
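Review bot: the -w and -pw descriptions (COMMAND LINE ARGUMENTS, add_principal, change_password) should state why they are discouraged rather than only "This is not recommended.": a password passed on the command line is visible to other local users in process listings and is kept in shell history, which is the concrete risk behind the existing WARNING about scripts; suggest adding that sentence to the -w paragraph and pointing the two -pw entries at it. Smaller points in the same hunk: the SYNOPSIS line `local args: [-d dbname] [-e \"enc:salt ...\"] [-m]` carries literal backslashes that will render as-is; "The -p, -c, and -k are designed to work together" is missing "options"; modify_principal reads "will remove clear the current policy" (two verbs) and modify_policy has a stray quote in `Requires the "modify" privilege".`; the change_password ERRORS list has `KADM5_PADD_REUSE`, `istory` and `xpired` where the neighbouring names suggest KADM5_PASS_REUSE, "history" and "expired"; "maintainance", "explicity", "reequires", "priviledge" (twice), "specifeid" and "the the program" are misspelled; and the ktadd example uses a `kadmin%` prompt where every other example uses `kadmin:`.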
