Diffstat (limited to 'src/kadmin/cli')
| -rw-r--r-- | src/kadmin/cli/kadmin.M | 22 | ||||
| -rw-r--r-- | src/kadmin/cli/keytab.c | 27 |
2 files changed, 47 insertions, 2 deletions
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index 20958e88e..7739bbbbe 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -749,11 +749,29 @@ kadmin:
 .TP
 \fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fB\-e\fP \fIkeysaltlist\fP]
 .br
-[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
+[\fB\-norandkey\fP] [[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
 .br
 Adds a principal or all principals matching
 .I princ-exp
-to a keytab, randomizing each principal's key in the process. Requires the
+to a keytab.
+It randomizes each principal's key in the process, to prevent a
+compromised admin account from reading out all of the keys from the
+database. However,
+.B kadmin.local
+has the
+.B \-norandkey
+option, which leaves the keys and their version numbers unchanged,
+similar to the Kerberos V4
+.B ext_srvtab
+command.
+That allows users to continue to use the passwords they know
+to login normally, while simultaneously allowing scripts
+to login to the same account using a keytab.
+There is no significant security risk added since
+.B kadmin.local
+must be run by root on the KDC anyway.
+.sp
+Requires the
 .I inquire
 and
 .I changepw
diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c
index d0fca77d5..297b7994e 100644
--- a/src/kadmin/cli/keytab.c
+++ b/src/kadmin/cli/keytab.c
@@ -55,9 +55,17 @@ static char *etype_string(krb5_enctype enctype);
 static int quiet;
+#ifdef KADMIN_LOCAL
+static int norandkey;
+#endif
+
 static void add_usage()
 {
+#ifdef KADMIN_LOCAL
+ fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n");
+#else
 fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n");
+#endif
 }
 static void rem_usage()
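Review bot: The new `norandkey` flag is declared under `#ifdef KADMIN_LOCAL`, which forces every later use of it (the reset, the option parse, the conflict check and the key-fetch branch in the following hunks) to be wrapped in its own `#ifdef` as well; this is a style point rather than a defect. Declaring it unconditionally, `static int norandkey; /* kadmin.local only: copy the existing keys instead of randomizing */`, and keeping only the `-norandkey` parse and the `kadm5_get_principal_keys` call under the conditional would remove three of the five blocks, because the flag can never become non-zero in the remote build. The two near-identical usage strings could likewise be folded into one `fprintf` whose only conditional part is the `[-norandkey] ` token, so the two copies cannot drift apart. add_usage is fully visible in the hunk; rem_usage begins on its last line and continues outside it.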
@@ -126,6 +134,9 @@ void kadmin_keytab_add(int argc, char **argv)
 argc--; argv++;
 quiet = 0;
+#ifdef KADMIN_LOCAL
+ norandkey = 0;
+#endif
 while (argc) {
 if (strncmp(*argv, "-k", 2) == 0) {
 argc--; argv++;
@@ -136,6 +147,10 @@ void kadmin_keytab_add(int argc, char **argv)
 keytab_str = *argv;
 } else if (strcmp(*argv, "-q") == 0) {
 quiet++;
+#ifdef KADMIN_LOCAL
+ } else if (strcmp(*argv, "-norandkey") == 0) {
+ norandkey++;
+#endif
 } else if (strcmp(*argv, "-e") == 0) {
 argc--;
 if (argc < 1) {
@@ -160,6 +175,13 @@ void kadmin_keytab_add(int argc, char **argv)
 return;
 }
+#ifdef KADMIN_LOCAL
+ if (norandkey && ks_tuple) {
+ fprintf(stderr, "cannot specify keysaltlist when not changing key\n");
+ return;
+ }
+#endif
+
 if (process_keytab(context, &keytab_str, &keytab))
 return;
@@ -261,6 +283,11 @@ int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
 goto cleanup;
 }
+#ifdef KADMIN_LOCAL
+ if (norandkey)
+ code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys);
+ else
+#endif
 if (keepold || ks_tuple != NULL) {
 code = kadm5_randkey_principal_3(lhandle, princ, keepold, n_ks_tuple, ks_tuple, |
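Review bot: The `norandkey && ks_tuple` check in the third hunk returns after the option loop has already populated `ks_tuple` from `-e`, so if that value is heap-allocated by the `-e` handling earlier in kadmin_keytab_add (outside this hunk) the new early return drops it. The existing `return;` directly above the inserted block has the same shape, so this matches the current style, but it is worth confirming whether the function has a cleanup path that the other exits use; if it does, the new exit should go through it rather than `return;`. The check is also only compiled for kadmin.local, which is consistent with the option itself being unavailable elsewhere. kadmin_keytab_add begins and ends outside the hunk.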
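Review bot: In the last hunk the new branch passes `handle` to `kadm5_get_principal_keys` while the adjacent `kadm5_randkey_principal_3` call uses add_principal's `lhandle` parameter; if those are different objects (`handle` is presumably a file-scope variable, not visible here) the export path ignores the handle the caller chose, and `code = kadm5_get_principal_keys(lhandle, princ, &keys, &nkeys);` would keep the two paths symmetric — confirm against the definition of `handle`. Splitting `if (norandkey) ... else` across `#ifdef`/`#endif` so the `else` attaches to the following `if (keepold || ks_tuple != NULL)` chain is legal but fragile, since a later edit that braces or reorders that chain silently changes what the `else` governs. Wrapping the existing chain in an explicit `{ ... }` inside the conditional, or guarding it with `if (!norandkey)`, would make the binding visible. A short comment above the branch, such as `/* -norandkey (kadmin.local only): export the current keys with their kvno unchanged instead of generating new ones */`, would tie the code to the behaviour the man-page change describes. add_principal's body continues beyond the hunk.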
