summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/kadmin/kadmin.1
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--third_party/heimdal/kadmin/kadmin.1624
1 files changed, 624 insertions, 0 deletions
diff --git a/third_party/heimdal/kadmin/kadmin.1 b/third_party/heimdal/kadmin/kadmin.1
new file mode 100644
index 0000000..b0e8529
--- /dev/null
+++ b/third_party/heimdal/kadmin/kadmin.1
@@ -0,0 +1,624 @@
+.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd Feb 22, 2007
+.Dt KADMIN 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kadmin
+.Nd Kerberos administration utility
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
+.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
+.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
+.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
+.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
+.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
+.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
+.Op Fl l | Fl Fl local
+.Op Fl h | Fl Fl help
+.Op Fl v | Fl Fl version
+.Op Ar command
+.Ek
+.Sh DESCRIPTION
+The
+.Nm
+program is used to make modifications to the Kerberos database, either remotely via the
+.Xr kadmind 8
+daemon, or locally (with the
+.Fl l
+option).
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl p Ar string , Fl Fl principal= Ns Ar string
+principal to authenticate as
+.It Fl K Ar string , Fl Fl keytab= Ns Ar string
+keytab for authentication principal
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
+location of config file
+.It Fl H Ar HDB , Fl Fl hdb= Ns Ar HDB
+location of HDB
+.It Fl k Ar file , Fl Fl key-file= Ns Ar file
+location of master key file
+.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
+realm to use
+.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
+server to contact
+.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
+port to use
+.It Fl l , Fl Fl local
+local admin mode
+.El
+.Pp
+If no
+.Ar command
+is given on the command line,
+.Nm
+will prompt for commands to process. Some of the commands that take
+one or more principals as argument
+.Ns ( Nm delete ,
+.Nm ext_keytab ,
+.Nm get ,
+.Nm modify ,
+and
+.Nm passwd )
+will accept a glob style wildcard, and perform the operation on all
+matching principals.
+.Pp
+Commands include:
+.\" not using a list here, since groff apparently gets confused
+.\" with nested Xo/Xc
+.Pp
+.Nm add
+.Op Fl r | Fl Fl random-key
+.Op Fl Fl enctypes= Ns Ar string
+.Op Fl Fl random-password
+.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
+.Op Fl Fl key= Ns Ar string
+.Op Fl Fl max-ticket-life= Ns Ar lifetime
+.Op Fl Fl max-renewable-life= Ns Ar lifetime
+.Op Fl Fl attributes= Ns Ar attributes
+.Op Fl Fl expiration-time= Ns Ar time
+.Op Fl Fl pw-expiration-time= Ns Ar time
+.Op Fl Fl policy= Ns Ar policy-name
+.Ar principal...
+.Bd -ragged -offset indent
+Adds a new principal to the database. The options not passed on the
+command line will be promped for.
+If enctypes to use are not given, then the
+.Ar [libdefaults] supported_enctypes
+configuration parameter will be used on the client side to select
+enctypes, defaulting to
+.Ar aes128-cts-hmac-sha1-96.
+For compatibility with MIT, the enctypes string is a space- or
+comma-separated list of enctype:salttype.
+If
+.Fl Fl keepold
+is given, then old keys needed to decrypt extant tickets are
+kept, and all other old keys are deleted.
+If
+.Fl Fl keepallold
+is given then all old keys are kept. If
+.Fl Fl pruneall is given then all old keys are removed.
+The
+.Fl Fl keepold
+behavior is the default if none of these are given.
+The only policy supported by Heimdal servers is
+.Ql default .
+.Pp
+This command has the following aliases:
+.Nm ank ,
+.Nm add_new_key .
+.Ed
+.Pp
+.Nm add_alias
+.Ar principal
+.Ar alias...
+.Bd -ragged -offset indent
+Adds one or more aliases to the given principal.
+.Pp
+When a client requests a service ticket for a service principal
+name that is an alias of a principal in a different realm, the
+TGS will return a referral to that realm.
+This compares favorably to using
+.Ar [domain_realm]
+entries in the KDC's
+.Ar krb5.conf ,
+but may be managed via the
+.Nm kadmin
+command and its
+.Nm add_alias
+and
+.Nm del_alias
+sub-commands rather than having to edit the KDC's configuration
+file and having to restart the KDC.
+.Pp
+There are two methods for issuing referrals for entire namespaces
+of hostnames.
+An alias of the form
+.Ar WELLKNOWN/HOSTBASED-NAMESPACE/service/namespace-fqdn@REALM
+(see
+.Nm add_namespace
+below) will cause all requests for host-based principals in the
+given namespace to be referred to the given realm.
+Alternatively, the KDC will issue referrals for all host-based
+service principals whose hostname component matches a
+.Ar [domain_realm]
+entry in the KDC's
+.Ar krb5.conf
+file referring to a different realm.
+.Ed
+.Pp
+.Nm add_namespace
+.Ar Fl Fl key-rotation-epoch= Ns Ar time
+.Ar Fl Fl key-rotation-period= Ns Ar time
+.Op Fl Fl enctypes= Ns Ar string
+.Op Fl Fl max-ticket-life= Ns Ar lifetime
+.Op Fl Fl max-renewable-life= Ns Ar lifetime
+.Op Fl Fl attributes= Ns Ar attributes
+.Ar host-based-principal...
+.Bd -ragged -offset indent
+Adds a new namespace of virtual host-based or domain-based
+principals to the database, whose keys will be automatically
+derived from base keys stored in the namespace record, and which
+keys will be rotated automatically.
+The namespace names are of the same form as host-based principal
+names:
+.Ar service/hostname@REALM
+and these will match all host-based or domain-based service names
+where hostname component of such a principal ends in the labels
+of the hostname in the namespace name.
+.Pp
+The service name component may be a wild-card (underscore,
+.Ar _ ),
+in which case it will match any service.
+.Pp
+For example,
+.Ar bar.baz.example@BAZ.EXAMPLE
+will match
+.Ar host/foo.bar.baz.example@BAZ.EXAMPLE
+but not
+.Ar host/foobar.baz.example@BAZ.EXAMPLE .
+.Pp
+Note well that services are expected to
+.Ar ext_keytab
+or otherwise re-fetch their keytabs at least as often as one
+quarter of the key rotation period, otherwise they risk not
+having keys they need to decrypt tickets with.
+.Pp
+The epoch must be given as either an absolute time,
+.Ar "now",
+or as
+.Ar "+<N>[<unit>]"
+where
+.Ar N
+is a natural and
+.Ar unit
+is one "s", "m", "h", "day", "week", "month", defaulting to
+"month".
+The default key rotation period is
+.Ar 7d .
+The default enctypes is as for the
+.Nm add
+command.
+.Pp
+Note that namespaces are stored as principals whose names are of the form
+.Ar WELLKNOWN/HOSTBASED-NAMESPACE/service/namespace.fqdn@REALM ,
+with the
+.Ar service
+.Pp
+This command has the following alias:
+.Nm add_ns .
+.Ed
+.Pp
+.Nm add_enctype
+.Op Fl r | Fl Fl random-key
+.Ar principal enctypes...
+.Pp
+.Bd -ragged -offset indent
+Adds a new encryption type to the principal, only random key are
+supported.
+.Ed
+.Pp
+.Nm delete
+.Ar principal...
+.Bd -ragged -offset indent
+Removes a principal.
+It is an error to delete an alias.
+To remove a principal's alias or aliases, use the
+.Nm del_alias
+command.
+To remove a principal given an alias, first
+.Nm get
+the principal to get its canonical name and then delete that.
+.Ed
+.Pp
+.Nm del_alias
+.Ar alias...
+.Bd -ragged -offset indent
+Deletes the given aliases, but not their canonical principals.
+.Pp
+This command has the following aliases:
+.Nm del ,
+.Nm del_entry .
+.Ed
+.Pp
+.Nm del_enctype
+.Ar principal enctypes...
+.Bd -ragged -offset indent
+Removes some enctypes from a principal; this can be useful if the
+service belonging to the principal is known to not handle certain
+enctypes.
+.Ed
+.Pp
+.Nm prune
+.Ar principal [kvno]
+.Bd -ragged -offset indent
+Deletes the named principal's keys of the given kvno. If a kvno is
+not given then this deletes all the named principals keys that are
+too old to be needed for decrypting tickets issued using those keys
+(i.e., any such tickets are necessarily expired). The determination
+of "too old" is made using the max-ticket-life attribute of the
+principal; though in practice that max ticket life is also constrained
+by the max-ticket-life of the client principals and the krbtgt
+principals, those are not consulted here.
+.Ed
+.Pp
+.Nm ext_keytab
+.Oo Fl k Ar keytab \*(Ba Xo
+.Op Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall
+.Op Fl Fl enctypes= Ns Ar string
+.Fl Fl keytab= Ns Ar string
+.Xc
+.Oc
+.Ar principal...
+.Bd -ragged -offset indent
+Creates a keytab with the keys of the specified principals. Requires
+get-keys rights, otherwise the principal's keys are changed and saved in
+the keytab.
+If enctypes to use are not given, then the
+.Ar [libdefaults] supported_enctypes
+configuration parameter will be used on the client side to select
+enctypes, defaulting to
+.Ar aes128-cts-hmac-sha1-96.
+For compatibility with MIT, the enctypes string is a space- or
+comma-separated list of enctype:salttype.
+If
+.Fl Fl keepold
+is given, then old keys needed to decrypt extant tickets are
+kept, and all other old keys are deleted.
+If
+.Fl Fl keepallold
+is given then all old keys are kept. If
+.Fl Fl pruneall is given then all old keys are removed.
+The
+.Fl Fl keepold
+behavior is the default if none of these are given.
+.Ed
+.Pp
+.Nm get
+.Op Fl l | Fl Fl long
+.Op Fl s | Fl Fl short
+.Op Fl t | Fl Fl terse
+.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
+.Op Fl C Ar path | Fl Fl krb5-config-file= Ns Ar path
+.Ar principal...
+.Bd -ragged -offset indent
+Lists the matching principals, short prints the result as a table,
+while long format produces a more verbose output. Which columns to
+print can be selected with the
+.Fl o
+option. The argument is a comma separated list of column names
+optionally appended with an equal sign
+.Pq Sq =
+and a column header. Which columns are printed by default differ
+slightly between short and long output.
+.Pp
+The default terse output format is similar to
+.Fl s o Ar principal= ,
+just printing the names of matched principals.
+.Pp
+If
+.Fl C
+or
+.Fl Fl krb5-config-file
+is given and the principal has krb5 config file contents saved
+in its HDB entry, then that will be saved in the given file.
+Note that if multiple principals are requested, then the second,
+third, and so on will have -1, -2, and so on appended to the
+given filename unless the given filename is a device name.
+.Pp
+Possible column names include:
+.Li principal ,
+.Li princ_expire_time ,
+.Li pw_expiration ,
+.Li last_pwd_change ,
+.Li max_life ,
+.Li max_rlife ,
+.Li mod_time ,
+.Li mod_name ,
+.Li attributes ,
+.Li kvno ,
+.Li mkvno ,
+.Li last_success ,
+.Li last_failed ,
+.Li fail_auth_count ,
+.Li policy ,
+and
+.Li keytypes .
+.Ed
+.Pp
+.Nm modify
+.Oo Fl a Ar attributes \*(Ba Xo
+.Fl Fl attributes= Ns Ar attributes
+.Xc
+.Oc
+.Op Fl Fl max-ticket-life= Ns Ar lifetime
+.Op Fl Fl max-renewable-life= Ns Ar lifetime
+.Op Fl Fl expiration-time= Ns Ar time
+.Op Fl Fl pw-expiration-time= Ns Ar time
+.Op Fl Fl kvno= Ns Ar number
+.Op Fl Fl policy= Ns Ar policy-name
+.Op Fl Fl alias= Ns Ar alias-name
+.Op Fl C Ar path | Fl Fl krb5-config-file= Ns Ar path
+.Ar principal...
+.Bd -ragged -offset indent
+Modifies certain attributes of a principal. If run without command
+line options, you will be prompted. With command line options, it will
+only change the ones specified.
+.Pp
+The
+.Fl Fl alias= Ns Ar alias-name
+option may be given multiple times, which will set the complete
+list of aliases for the principal.
+Use the
+.Nm add_alias
+command instead to add an alias without having to list all
+existing aliases to keep.
+.Pp
+The
+.Fl Fl alias=
+option without a value allows the user to set an empty list of
+aliases.
+Use the
+.Nm del_alias
+command to delete one or more aliases.
+.Pp
+The only policy supported by Heimdal is
+.Ql default .
+.Pp
+If a krb5 config file is given, it will be saved in the entry.
+.Pp
+Possible attributes are:
+.Li new-princ ,
+.Li support-desmd5 ,
+.Li pwchange-service ,
+.Li disallow-client ,
+.Li disallow-svr ,
+.Li requires-pw-change ,
+.Li requires-hw-auth ,
+.Li requires-pre-auth ,
+.Li allow-digest ,
+.Li trusted-for-delegation ,
+.Li ok-as-delegate ,
+.Li disallow-all-tix ,
+.Li disallow-dup-skey ,
+.Li disallow-proxiable ,
+.Li disallow-renewable ,
+.Li disallow-tgt-based ,
+.Li disallow-forwardable ,
+.Li disallow-postdated ,
+.Li no-auth-data-reqd
+.Pp
+Attributes may be negated with a "-", e.g.,
+.Pp
+kadmin -l modify -a -disallow-proxiable user
+.Pp
+This command has the following alias:
+.Nm mod .
+.Ed
+.Pp
+.Nm passwd
+.Op Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall
+.Op Fl Fl enctypes= Ns Ar string
+.Op Fl r | Fl Fl random-key
+.Op Fl Fl random-password
+.Oo Fl p Ar string \*(Ba Xo
+.Fl Fl password= Ns Ar string
+.Xc
+.Oc
+.Op Fl Fl key= Ns Ar string
+.Ar principal...
+.Bd -ragged -offset indent
+Changes the password of an existing principal.
+If enctypes to use are not given, then the
+.Ar [libdefaults] supported_enctypes
+configuration parameter will be used on the client side to select
+enctypes, defaulting to
+.Ar aes128-cts-hmac-sha1-96.
+For compatibility with MIT, the enctypes string is a space- or
+comma-separated list of enctype:salttype.
+If
+.Fl Fl keepold
+is given, then old keys needed to decrypt extant tickets are
+kept, and all other old keys are deleted.
+If
+.Fl Fl keepallold
+is given then all old keys are kept. If
+.Fl Fl pruneall is given then all old keys are removed.
+The
+.Fl Fl keepold
+behavior is the default if none of these are given.
+.Pp
+This command has the following aliases:
+.Nm cpw ,
+.Nm change_password .
+.Ed
+.Pp
+.Nm verify-password-quality
+.Ar principal
+.Ar password
+.Bd -ragged -offset indent
+Run the password quality check function locally.
+You can run this on the host that is configured to run the kadmind
+process to verify that your configuration file is correct.
+The verification is done locally, if kadmin is run in remote mode,
+no rpc call is done to the server. NOTE: if the environment has
+verify-password-quality configured to use a back-end that stores
+password history (such as heimdal-history), running
+verify-quality-password will cause an update to the password
+database meaning that merely verifying the quality of the password
+using verify-quality-password invalidates the use of that
+principal/password in the future.
+.Pp
+This command has the following alias:
+.Nm pwq .
+.Ed
+.Pp
+.Nm privileges
+.Bd -ragged -offset indent
+Lists the operations you are allowed to perform. These include
+.Li add ,
+.Li add_enctype ,
+.Li change-password ,
+.Li delete ,
+.Li del_enctype ,
+.Li get ,
+.Li get-keys ,
+.Li list ,
+and
+.Li modify .
+.Pp
+This command has the following alias:
+.Nm privs .
+.Ed
+.Pp
+.Nm rename
+.Ar from to
+.Bd -ragged -offset indent
+Renames a principal. This is normally transparent, but since keys are
+salted with the principal name, they will have a non-standard salt,
+and clients which are unable to cope with this will fail. Kerberos 4
+suffers from this.
+.Ed
+.Pp
+.Nm check
+.Op Ar realm
+.Pp
+.Bd -ragged -offset indent
+Check database for strange configurations on important principals. If
+no realm is given, the default realm is used.
+.Ed
+.Pp
+When running in local mode, the following commands can also be used:
+.Pp
+.Nm dump
+.Op Fl d | Fl Fl decrypt
+.Op Fl f Ns Ar format | Fl Fl format= Ns Ar format
+.Op Ar dump-file
+.Bd -ragged -offset indent
+Writes the database in
+.Dq machine readable text
+form to the specified file, or standard out. If the database is
+encrypted, the dump will also have encrypted keys, unless
+.Fl Fl decrypt
+is used. If
+.Fl Fl format=MIT
+is used then the dump will be in MIT format. Otherwise it will be in
+Heimdal format.
+.Ed
+.Pp
+.Nm init
+.Op Fl Fl realm-max-ticket-life= Ns Ar string
+.Op Fl Fl realm-max-renewable-life= Ns Ar string
+.Ar realm
+.Bd -ragged -offset indent
+Initializes the Kerberos database with entries for a new realm. It's
+possible to have more than one realm served by one server.
+.Ed
+.Pp
+.Nm load
+.Ar file
+.Bd -ragged -offset indent
+Reads a previously dumped database, and re-creates that database from
+scratch.
+.Ed
+.Pp
+.Nm merge
+.Ar file
+.Bd -ragged -offset indent
+Similar to
+.Nm load
+but just modifies the database with the entries in the dump file.
+.Ed
+.Pp
+.Nm stash
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl Fl enctype= Ns Ar enctype
+.Xc
+.Oc
+.Oo Fl k Ar keyfile \*(Ba Xo
+.Fl Fl key-file= Ns Ar keyfile
+.Xc
+.Oc
+.Op Fl Fl convert-file
+.Op Fl Fl master-key-fd= Ns Ar fd
+.Bd -ragged -offset indent
+Writes the Kerberos master key to a file used by the KDC.
+.Pp
+This command has the following alias:
+.Nm kstash .
+.Ed
+.Pp
+.Nm exit
+.Bd -ragged -offset indent
+Exits
+.Nm kadmin .
+.Pp
+This command has the following alias:
+.Nm quit .
+.Ed
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kadmind 8 ,
+.Xr kdc 8
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS