author: Russ Allbery <rra@stanford.edu> 2007-04-16 21:35:01 +0000
committer: Russ Allbery <rra@stanford.edu> 2007-04-16 21:35:01 +0000
commit: 4fc0ae1c5a5abdd76e1e75f96b81b37be5595a5e
tree: 071d4d59f3f955acbb5ddfffac2d7459ac987fef /src/kadmin/cli/kadmin.M
parent: 6a8de28f968b5e22f84348a27f566f953c02db7d
Add support for extracting existing keys from the KDC with kadmin.local.
Adds a -norandkey option to the ktadd command only in kadmin.local, and adds a new function to the libkadm5srv library that kadmin.local can call. There is no protocol or network access to this function.

Ticket: 914

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19474 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/cli/kadmin.M')
-rw-r--r-- src/kadmin/cli/kadmin.M | 22
1 files changed, 20 insertions, 2 deletions
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index 20958e88e..7739bbbbe 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -749,11 +749,29 @@ kadmin:
.TP
\fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fB\-e\fP \fIkeysaltlist\fP]
.br
-[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
+[\fB\-norandkey\fP] [[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
.br
Adds a principal or all principals matching
.I princ-exp
-to a keytab, randomizing each principal's key in the process. Requires the
+to a keytab.
+It randomizes each principal's key in the process, to prevent a
+compromised admin account from reading out all of the keys from the
+database. However,
+.B kadmin.local
+has the
+.B \-norandkey
+option, which leaves the keys and their version numbers unchanged,
+similar to the Kerberos V4
+.B ext_srvtab
+command.
+That allows users to continue to use the passwords they know
+to login normally, while simultaneously allowing scripts
+to login to the same account using a keytab.
+There is no significant security risk added since
+.B kadmin.local
+must be run by root on the KDC anyway.
+.sp
+Requires the
.I inquire
and
.I changepw
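Review bot: the new synopsis line `+[\fB\-norandkey\fP] [[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]` opens two brackets before `principal` but closes only one, so the rendered synopsis is unbalanced; dropping the extra inner bracket restores the form of the removed line, i.e. `[\fB\-norandkey\fP] [\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]`. Two smaller points in the same hunk: "to login normally" and "to login to the same account" should read "to log in" (verb form), and since a keytab written with `-norandkey` holds the very key that the user's password derives, the paragraph that says "no significant security risk" would be more accurate if it also said that such a keytab must be protected as carefully as that password, because anyone who reads the keytab can act as the user until the key is changed.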