diff options
Diffstat (limited to 'src/kadmin/cli/kadmin.1')
-rw-r--r-- | src/kadmin/cli/kadmin.1 | 453 |
1 files changed, 0 insertions, 453 deletions
diff --git a/src/kadmin/cli/kadmin.1 b/src/kadmin/cli/kadmin.1 deleted file mode 100644 index dbd4d77ff0..0000000000 --- a/src/kadmin/cli/kadmin.1 +++ /dev/null @@ -1,453 +0,0 @@ -KADMIN(8) USER_COMMANDS KADMIN(8) - -NAME - kadmin - a command line interface to the Kerberos KADM5 - administration system - -SYNOPSIS - kadmin [-r realm] [-p principal] [-q query] [clnt|local args] - clnt args: [-p principal] [[-c ccache]|[-k [-t keytab]]] - [-w] [-s admin_server[:port]] - local args: [-d dbname] [-e \"enc:salt ...\"] [-m] - -DESCRIPTION - kadmin is a command-line interface to the Kerberos KADM5 - administration system. It provides for the maintainance of - Kerberos principals, KADM5 policies, and service key tables - (keytabs). It exists as both a remote client, using Kerberos - authentication and an encrypted RPC to operate securely from - anywhere on the network, and as a local client intended to run - directly on the KDC without Kerberos authentication. The - local version provides all of the functionality of the now - obsolete kdb5_edit(8) except for database dump and load, which - is now provided by the kdb5_util(8) utility. - -COMMAND LINE ARGUMENTS - If -r is specified, then kadmin will use the specified realm - as the default database realm rather than the default realm - for the local machine. - - The -q option allows the passing of a request directly to - kadmin, which will then exit. This can be useful for writing - scripts. - - The remote version authenticates to the KADM5 server using the - service kadmin/admin, and therefore needs a client Kerberos - principal name as which to authenticate. The -p, -c, and -k - are designed to work together to specify which principal as - which to authenticate and where the service ticket or - password/key for that principal should be obtained. If given - the -p option, kadmin will use the specified principal to - authenticate. Otherwise, if given -c option then the primary - principal name of the ccache is used. Otherwise, if given the - -k option, the principal name host/<hostname> is used. - Otherwise, kadmin will append "/admin" to the primary - principal name of the default ccache, the value of the USER - environment variable, or the username as obtained with - getpwuid, in order of preference. - - Once kadmin knows the principal name as which to authenticate, - it needs to acquire a Kerberos service ticket for the KADM5 - server. If the -c ccache argument is specified, the ccache - should contain a service ticket for the kadmin/admin service; - it can be acquired with the kinit(1) program. Otherwise, - kadmin requests a new service ticket from the KDC and stores - it in its own temporary ccache. If the -k keytab argument is - specified, the keytab is used to decrypt the KDC response; - otherwise, a password is required. By default, the user is - prompted for the password on the TTY. However, if given the - -w option, kadmin will use the password provided on the - command line instead of prompting for one on the TTY. - WARNING! Placing the password for a Kerberos principal with - administration access into a shell script is EXTREMELY - DANGEROUS and should only be done if you are highly sure that - the script will not fall into the wrong hands. - - If given the -d argument, kadmin will use the specified - database name instead of the default defined in kdc.conf. - Note that specifying a different KDC database name also - specifies a different name for the KADM5 policy database and - lock file. - - If given the -e argument, kadmin will use the specified list - of encryption and salt type tuples instead of the values - specified in kdc.conf. This is useful, for example, if you - want to create a single principal with a particular key/salt - type without affecting any other principals. - - If given the -m argument, kadmin will prompt for the Kerberos - master password on the command line instead of attempting to - use the stash file. - -DATE FORMAT - Various commands in kadmin can take a variety of - date formats, specifying durations or absolute times. - Examples of valid formats are: - - 1 month ago - 2 hours ago - 400000 seconds ago - last year - last Monday - yesterday - a fortnight ago - 3/31/92 10:00:07 PST - January 23, 1987 10:05pm - 22:00 GMT - - Dates which do not have the "ago" specifier default to being - absolute dates, unless they appear in a field where a duration - is expected. In that case the time specifier will be - interpreted as relative. Specifying "ago" on a duration may - result in unexpected behaviour. - -COMMAND DESCRIPTIONS - -add_principal [options] _newprinc_ - creates the principal _newprinc_, prompting twice for a - password. This command requires the "add" privilege. This - command has the aliases "addprinc", "ank". - - OPTIONS - -salt _salttype_ - uses the specified salt instead of the default V5 salt - for generating the key. Valid values for _salttype_ - are: - full_name (aliases "v5_salt", "normal") - name_only - realm_only - no_salt (alias "v4_salt") - - -expire _expdate_ - expiration date of the principal - - -pwexpire _pwexpdate_ - password expiration date - - -maxlife _maxlife_ - maximum ticket life of the principal - - -maxrenewlife _maxrenewlife_ - maximum renewable ticket lifetime of the principal - - -kvno _kvno_ - explicity set the key version number. This is not - recommended. - - -policy _policy_ - policy used by this principal. If no policy is - supplied, the principal will default to having no - policy, and a warning message will be printed. - - {-|+}allow_tgs_req - "-allow_tgs_req" specifies that a TGS request for a - ticket for a service ticket for this principal is not - permitted. This option is useless for most things. - "+allow_tgs_req" clears this flag. The default is - "+allow_tgs_req". In effect, "-allow_tgs_req" sets - the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal - in the database. - - {-|+}allow_tix - "-allow_tix" forbids the issuance of any tickets for - this principal. "+allow_tix" clears this flag. The - default is "+allow_tix". In effect, "-allow_tix" sets - the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in - the database. - - {-|+}needchange - "+needchange" sets a flag in attributes field to force - a password change; "-needchange" clears it. The - default is "-needchange". In effect, "+needchange" - sets the KRB5_KDB_REQUIRES_PWCHANGE flag on the - principal in the database. - - {-|+}password_changing_service - "+password_changing_service" sets a flag in the - attributes field marking this as a password change - service principal (useless for most things). - "-password_changing_service" clears the flag. This - flag intentionally has a long name. The default is - "-password_changing_service". In effect, - "+password_changing_service" sets the - KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the - database. - - -randpass - sets the key of the principal to a random value - - -pw _password_ - sets the key of the principal to the specified string - and does not prompt for a password. This is not - recommended. - - EXAMPLE - kadmin: addprinc tlyu/deity - WARNING: no policy specified for "tlyu/deity@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal tlyu/deity@ATHENA.MIT.EDU: - Re-enter password for principal tlyu/deity@ATHENA.MIT.EDU: - Principal "tlyu/deity@ATHENA.MIT.EDU" created. - kadmin: - - ERRORS - KADM5_AUTH_ADD (requires "add" privilege) - KADM5_BAD_MASK (shouldn't happen) - KADM5_DUP (principal exists already) - KADM5_UNK_POLICY (policy does not exist) - KADM5_PASS_Q_* (password quality violations) - -delete_principal [-force] _principal_ - deletes the specified principal from the database. This - command prompts for deletion, unless the "-force" option is - given. This command requires the "delete" privilege. Aliased - to "delprinc". - - EXAMPLE - kadmin: delprinc mwm_user - Are you sure you want to delete the principal - "mwm_user@ATHENA.MIT.EDU"? (yes/no): yes - Principal "mwm_user@ATHENA.MIT.EDU" deleted. - Make sure that you have removed this principal from - all ACLs before reusing. - kadmin: - - ERRORS - KADM5_AUTH_DELETE (reequires "delete" privilege) - KADM5_UNK_PRINC (principal does not exist) - -modify_principal [options] _principal_ - modifies the specified principal, changing the fields as - specified. The options are as above for "add_principal", - except that password changing is forbidden by this command. - In addition, the option "-clearpolicy" will remove clear the - current policy of a principal. This command requires the - "modify" privilege. Aliased to "modprinc". - - ERRORS - KADM5_AUTH_MODIFY (requires "modify" privilege) - KADM5_UNK_PRINC (principal does not exist) - KADM5_UNK_POLICY (policy does not exist) - KADM5_BAD_MASK (shouldn't happen) - -change_password [options] _principal_ - changes the password of _principal_. Prompts for a new - password if neither -randpass or -pw is specified. Requires - the "modify" privilege, or that the principal that is running - the program to be the same as the one changed. Aliased to - "cpw". - - OPTIONS - -salt _salttype_ - uses the specified salt instead of the default V5 salt - for generating the key. Options are the same as for - add_principal. - - -randpass - sets the key of the principal to a random value - - -pw _password_ - set the password to the specified string. Not - recommended. - - EXAMPLE - kadmin: cpw systest - Enter password for principal systest@ATHENA.MIT.EDU: - Re-enter password for principal systest@ATHENA.MIT.EDU: - Password for systest@ATHENA.MIT.EDU changed. - kadmin: - - ERRORS - KADM5_AUTH_MODIFY (requires the modify privilege) - KADM5_UNK_PRINC (principal does not exist) - KADM5_PASS_Q_* (password policy violation errors) - KADM5_PADD_REUSE (password is in principal's password istory) - KADM5_PASS_TOOSOON (current password minimum life not xpired) - -get_principal [-terse] _principal_ - gets the attributes of _principal_. Requires the "get" - privilege, or that the principal that is running the the - program to be the same as the one being listed. With the - "-terse" option, outputs fields as a quoted tab-separated - strings. Alias "getprinc". - - EXAMPLES - kadmin: getprinc tlyu/deity - Principal: tlyu/deity@ATHENA.MIT.EDU - Key version: 3 - Maximum life: 1 day 00:00:00 - Maximum renewable life: 7 days 00:00:00 - Master key version: 1 - Expires: Mon Jan 18 22:14:07 EDT 2038 - Password expires: Mon Sep 19 14:40:00 EDT 1994 - Password last changed: Mon Jan 31 02:06:40 EDT 1994 - Last modified: by tlyu/admin@ATHENA.MIT.EDU - on Wed Jul 13 18:27:08 EDT 1994 - Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE, - REQUIRES_HW_AUTH - Salt type: DEFAULT - kadmin: getprinc systest - systest@ATHENA.MIT.EDU 3 86400 604800 1 - 785926535 753241234 785900000 - tlyu/admin@ATHENA.MIT.EDU 786100034 0 - 0 - kadmin: - - ERRORS - KADM5_AUTH_GET (requires the get privilege) - KADM5_UNK_PRINC (principal does not exist) - -get_principals [expression] - Retrieves all or some principal names. _expression_ is a - shell-style glob expression that can contain the wild-card - characters ?, *, and []'s. All principal names matching the - expression are printed. If no expression is provided, the - expression "*" is assumed. If the expression does not contain - an "@" character, an "@" character followed by the local realm - is appended to the expression. Requires the "list" priviledge. - Alias "getprincs". - - EXAMPLES - kadmin: getprincs test* - test3@SECURE-TEST.OV.COM - test2@SECURE-TEST.OV.COM - test1@SECURE-TEST.OV.COM - testuser@SECURE-TEST.OV.COM - kadmin: - -add_policy [options] _policy_ - adds the named policy to the policy database. Requires the - "add" privilege. Aliased to "addpol". - - OPTIONS - -maxlife _time_ - sets the maximum lifetime of a password - - -minlife _time_ - sets the minimum lifetime of a password - - -minlength _length_ - sets the minimum length of a password - - -minclasses _number_ - sets the minimum number of character classes allowed - in a password - - -history _number_ - sets the number of past keys kept for a principal - - ERRORS - KADM5_AUTH_ADD (requires the add privilege) - KADM5_DUP (policy already exists) - -delete_policy _policy_ - deletes the named policy. Prompts for confirmation before - deletion. The command will fail if the policy is in use by - any principals. Requires the "delete" privilege. Alias - "delpol". - - EXAMPLE - kadmin: del_policy guests - Are you sure you want to delete the policy "guests"? - (yes/no): yes - Policy "guests" deleted. - kadmin: - - ERRORS - KADM5_AUTH_DELETE (requires the delete privilege) - KADM5_UNK_POLICY (policy does not exist) - KADM5_POLICY_REF (reference count on policy is not zero) - -modify_policy [options] _policy_ - modifies the named policy. Options are as above for - "add_policy". Requires the "modify" privilege". Alias - "modpol". - - ERRORS - KADM5_AUTH_MODIFY (requires the modify privilege) - KADM5_UNK_POLICY (policy does not exist) - -get_policy [-terse] _policy_ - displays the values of the named policy. Requires the "get" - privilege. With the "-terse" flag, outputs the fields as - quoted strings separated by tabs. Alias "getpol". - - EXAMPLES - kadmin: get_policy admin - Policy: admin - Maximum password life: 180 days 00:00:00 - Minimum password life: 00:00:00 - Minimum password length: 6 - Minimum number of password character classes: 2 - Number of old keys kept: 5 - Reference count: 17 - kadmin: get_policy -terse admin - admin 15552000 0 6 2 5 17 - kadmin: - - ERRORS - KADM5_AUTH_GET (requires the get privilege) - KADM5_UNK_POLICY (policy does not exist) - -get_policies [expression] - Retrieves all or some policy names. _expression_ is a - shell-style glob expression that can contain the wild-card - characters ?, *, and []'s. All policy names matching the - expression are printed. If no expression is provided, the - expression "*" is assumed. Requires the "list" priviledge. - Alias "getpols". - - EXAMPLES - kadmin: getpols - test-pol - dict-only - once-a-min - test-pol-nopw - kadmin: getpols t* - test-pol - test-pol-nopw - kadmin: - -ktadd [-k keytab] [-q] [principal | -glob princ-exp] [...] - Adds principal or all principals matching princ-exp to a - keytab. princ-exp follows the same rules described for the - get_principals command. An entry for each of the principal's - unique encryption types is added, ignoring multiple keys with - the same encryption type but different salt types. If the -k - argument is not specified, the default keytab /etc/v5srvtab is - used. If the -q option is specified, less verbose status - information is displayed. - - The -glob option requires the "list" privilege. - - EXAMPLES - kadmin% ktadd -k /krb5/kadmind.keytab kadmin/admin kadmin/changepw - kadmin: Entry for principal kadmin/admin@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:/krb5/kadmind.keytab. - kadmin: Entry for principal kadmin/changepw@ATHENA.MIT.EDU - with kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:/krb5/kadmind.keytab. - kadmin: - -ktremove [-k keytab] [-q] principal [kvno|"all"|"old"] - Removes entries for the specified principal from a keytab. If - the string "all" is specified, all entries for that principal - are removed; if the string "old" is specified, all entries for - that principal except those with the highest kvno are removed. - Otherwise, the value specified is parsed as an integer, and - all entries whose kvno match that integer are removed. If the - -k argument is not specifeid, the default keytab /etc/v5srvtab - is used. If the -q is specified, less verbose status - information is displayed. - - EXAMPLES - kadmin: ktremove -k /krb5/kadmind.keytab kadmin/admin - kadmin: Entry for principal kadmin/admin with kvno 3 removed - from keytab WRFILE:/krb5/kadmind.keytab. - kadmin: - -SEE ALSO - kerberos(1), kdb5_util(8) - - |