path: root/client/wallet-rekey.pod
author: Russ Allbery <eagle@eyrie.org> 2014-01-06 21:09:00 -0800
committer: Russ Allbery <rra@stanford.edu> 2014-01-06 21:13:33 -0800
commit: 782e71d568957e05233f63fa8dca7cc53ba1afa1 (patch)
tree: d8372803edd356cf7b18d5a9020215215b1b4b2b /client/wallet-rekey.pod
parent: 0cc453bcfb8fc4b5cf7378fa8d6496f7d6f6efc3 (diff)
Fix wallet-rekey on keytabs containing multiple principals
Fix wallet-rekey on keytabs containing multiple principals. Previous versions assumed one could concatenate keytab files together to make a valid keytab file, which doesn't work with some Kerberos libraries. This caused new keys downloaded for principals after the first to be discarded. As a side effect of this fix, wallet-rekey always appends new keys directly to the existing keytab file, and never creates a backup copy of that file.

Change-Id: I5f863239ce4ebba66b35ff09454f2897367bd359
Reviewed-on: https://gerrit.stanford.edu/1369
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'client/wallet-rekey.pod')
-rw-r--r-- client/wallet-rekey.pod | 15
1 files changed, 7 insertions, 8 deletions
diff --git a/client/wallet-rekey.pod b/client/wallet-rekey.pod
index 47413ad..5892244 100644
--- a/client/wallet-rekey.pod
+++ b/client/wallet-rekey.pod
@@ -1,6 +1,6 @@
=for stopwords
wallet-rekey rekey rekeying keytab -hv Heimdal remctl remctld PKINIT kinit
-appdefaults Allbery
+appdefaults Allbery kadmin
=head1 NAME
@@ -21,11 +21,8 @@ from the local default realm, requests new wallet keytab objects for each
principal (removing the realm when naming the keytab), and merges the new
keys into the keytab.
-If an error occurs before any new keys were downloaded, B<wallet-rekey>
-aborts. If some new keys were successfully downloaded, B<wallet-rekey>
-warns about errors but continues to rekey all principals that it can. In
-this case, a copy of the existing keytab prior to the rekeying is saved in
-a file named by appending C<.old> to the file name.
+If an error occurs, B<wallet-rekey> continues to rekey all principals that
+it can, producing error messages for those that it cannot rekey.
If no keytab file name is given on the command line, B<wallet-rekey>
attempts to rekey F</etc/krb5.keytab>, the system default keytab file.
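Review bot: the rewritten paragraph silently drops the C<.old> backup without telling the reader that no backup is kept any more. The commit message says wallet-rekey now appends new keys directly to the existing keytab and never creates a backup copy, so the documentation should say so explicitly, for example "B<wallet-rekey> modifies the keytab in place and does not keep a copy of the previous contents", so that administrators who relied on the C<.old> file know to make their own copy before rekeying. It would also help to state what exit status the command returns when some principals could not be rekeyed, since the new text says errors are reported but processing continues, and a cron job or script needs that to detect a partial failure.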
@@ -43,8 +40,10 @@ or:
ktutil -k <keytab> purge
-for Heimdal. This functionality will eventually be provided by
-B<wallet-rekey> directly.
+for Heimdal. The Heimdal command can be run by any user with access to
+the keytab, but the MIT Kerberos command unfortunately has to be run by a
+someone with direct B<kadmin> access. This functionality will eventually
+be provided by B<wallet-rekey> directly.
=head1 OPTIONS
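Review bot: typo in the added text, "has to be run by a someone with direct B<kadmin> access" has a stray "a"; it should read "has to be run by someone with direct B<kadmin> access". While touching this sentence, it is worth spelling out the consequence for the reader: on MIT Kerberos the old keys stay in the keytab until a kadmin-privileged user purges them, so an unprivileged rekey is not complete by itself.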