Diffstat (limited to 'client/wallet.pod')
-rw-r--r-- | client/wallet.pod | 79 |
1 files changed, 27 insertions, 52 deletions
diff --git a/client/wallet.pod b/client/wallet.pod index 657929b..db93700 100644 --- a/client/wallet.pod +++ b/client/wallet.pod @@ -2,6 +2,11 @@ wallet - Client for retrieving secure data from a central server +=for stopwords +-hv srvtab arg keytabs metadata keytab ACL PTS kinit klist remctl PKINIT +acl timestamp autocreate backend-specific setacl enctypes enctype ktadd +KDC appdefaults remctld Allbery uuencode getacl backend + =head1 SYNOPSIS B<wallet> [B<-hv>] [B<-c> I<command>] [B<-f> I<file>] @@ -44,14 +49,12 @@ entries, each of which is a scheme and an identifier. A scheme specifies a way of checking whether a user is authorized. An identifier is some data specific to the scheme that specifies which users are authorized. For example, for the C<krb5> scheme, the identifier is a principal name -and only that principal is authorized by that ACL entry. For the C<pts> -scheme, the identifier is a PTS group name, and all members of that PTS -group are authorized by that ACL entry. +and only that principal is authorized by that ACL entry. -To run the wallet command-line client, you must already have a Kerberos -ticket. You can obtain a Kerberos ticket with B<kinit> and see your -current Kerberos tickets with B<klist>. The wallet client uses the remctl -protocol to talk to the wallet server. +To run the wallet command-line client, you must either already have a +Kerberos ticket or use the B<-u> option. You can obtain a Kerberos ticket +with B<kinit> and see your current Kerberos tickets with B<klist>. The +wallet client uses the remctl protocol to talk to the wallet server. =head1 OPTIONS 
@@ -84,11 +87,6 @@ ktremove> or an equivalent later to clean up old keys. F<I<output>.new> is still used as a temporary file and any existing file with that name will be deleted. -C<store> does not yet support nul bytes in I<file> (or in any other way of -specifying the data to be stored). To store binary files in the wallet, -you will need to encode them with uuencode, base64, or some similar scheme -and then decode them after retrieval. - =item B<-k> I<principal> The service principal of the wallet server. The default is to use the @@ -114,9 +112,19 @@ C<keytab> object, and must be used in conjunction with the B<-f> flag. After the keytab is saved to the file specified by B<-f>, the DES key for that principal will be extracted and written as a Kerberos v4 srvtab to the file I<srvtab>. Any existing contents of I<srvtab> will be -destroyed. For more information on how the principal is converted to -Kerberos v4, see the description of the B<sync> attribute under -L<ATTRIBUTES>. +destroyed. + +The Kerberos v4 principal name will be generated from the Kerberos v5 +principal name using the krb5_524_conv_principal() function of the +Kerberos libraries. See its documentation for more information, but +briefly (and in the absence of special configuration), the Kerberos v4 +principal name will be the same as the Kerberos v5 principal name except +that the components are separated by C<.> instead of C</>; the second +component is truncated after the first C<.> if the first component is one +of the recognized host-based principals (generally C<host>, C<imap>, +C<pop>, or C<smtp>); and the first component is C<rcmd> if the Kerberos v5 +principal component is C<host>. The principal name must not contain more +than two components. =item B<-s> I<server> 
@@ -191,7 +199,7 @@ Display the history of the ACL <id>. Each change to the ACL (not including changes to the name of the ACL) will be represented by two lines. The first line will have a timestamp of the change followed by a description of the change, and the second line will give the user who made -the change and the host from which the change was mde. +the change and the host from which the change was made. =item acl remove <id> <scheme> <identifier> @@ -336,11 +344,6 @@ retrieval with C<get>. Not all object types support this. If <data> is not specified on the command line, it will be read from the file specified with B<-f> (if given) or from standard input. -Currently, the stored data must not contain nul characters and may -therefore not be binary data. Its length is also limited by the maximum -command line length of the operating system of the wallet server. These -restrictions will be lifted in the future. - If an object with type <type> and name <name> does not already exist when this command is issued (as checked with the check interface), B<wallet> will attempt to automatically create it (using autocreate). @@ -364,9 +367,9 @@ Keytab objects support the following attributes: Restricts the generated keytab to a specific set of encryption types. The values of this attribute must be enctype strings recognized by Kerberos -(strings like C<aes256-cts> or C<des-cbc-crc>). Note that the salt should -not be included; since the salt is irrelevant for keytab keys, it will -always be set to C<normal> by the wallet. +(strings like C<aes256-cts-hmac-sha1-96> or C<des-cbc-crc>). Note that +the salt should not be included; since the salt is irrelevant for keytab +keys, it will always be set to C<normal> by the wallet. If this attribute is set, the specified enctype list will be passed to ktadd when get() is called for that keytab. If it is not set, the default set in 
@@ -377,34 +380,6 @@ Keytabs retrieved with C<unchanging> set will contain all keys present in the KDC for that Kerberos principal and therefore may contain different enctypes than those requested by this attribute. -=item sync - -Sets the external systems to which the key of a given principal is -synchronized. The only supported value for this attribute is C<kaserver>, -which says to synchronize the key with an AFS Kerberos v4 kaserver. - -If this attribute is set on a keytab, whenever the C<get> command is run -for that keytab, the DES key will be extracted from that keytab and set in -the configured AFS kaserver. If the B<-S> option is given to the -B<wallet> client, the srvtab corresponding to the keytab will be written -to the file specified with that option. The Kerberos v4 principal name -will be the same as the Kerberos v5 principal name except that the -components are separated by C<.> instead of C</>; the second component is -truncated after the first C<.> if the first component is one of C<host>, -C<ident>, C<imap>, C<pop>, or C<smtp>; and the first component is C<rcmd> -if the Kerberos v5 principal component is C<host>. The principal name -must not contain more than two components. - -If this attribute is set, calling C<destroy> will also destroy the -principal from the AFS kaserver, with a principal mapping determined as -above. - -The realm of the srvtab defaults to the same realm as the keytab. You can -change this by setting the v4_realm configuration option in the [realms] -section of krb5.conf for the local realm. The keytab must be for a -principal in the default local realm for the B<-S> option to work -correctly. - =back =head1 CONFIGURATION |
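Review bot: In the first hunk (@@ -2,6 +2,11 @@), the rewritten paragraph now tells users they can "use the B<-u> option" instead of holding a Kerberos ticket, but no hunk in this patch adds or touches a B<-u> entry in the OPTIONS section; please confirm that B<-u> is already documented there, since a reader following this sentence would otherwise find no description of what the option does. The same hunk drops the C<pts> scheme example from the ACL description while the new C<=for stopwords> list still carries C<PTS>; if the scheme is still supported by the server, consider keeping a one-line mention rather than removing the only example of a group-based scheme.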
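Review bot: In the B<-S> hunk (@@ -114,9 +112,19 @@), the list of host-based principals is given as "generally C<host>, C<imap>, C<pop>, or C<smtp>", whereas the C<sync> text being removed in the last hunk listed C<host>, C<ident>, C<imap>, C<pop>, and C<smtp>. Either C<ident> was dropped deliberately, in which case the new text is fine, or the two lists should agree; since the behaviour is now attributed to krb5_524_conv_principal(), please check that the hedged list matches what that function actually recognises, because a user will rely on it to predict the srvtab principal name.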
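Review bot: Removing the C<sync> attribute in the last hunk (@@ -377,34 +380,6 @@) also removes the only statement of which realm the srvtab is written for and of the v4_realm override in the [realms] section of krb5.conf, but the B<-S> option that produced the srvtab is kept. If B<-S> still honours v4_realm and still requires the keytab to be in the default local realm, that paragraph should move into the B<-S> description rather than disappear. Relatedly, B<-S> still promises that "the DES key for that principal will be extracted", yet the C<enctypes> attribute documented above it lets an administrator restrict a keytab to a set of enctypes that need not include a DES type; a sentence saying what the client does when the retrieved keytab contains no DES key (error, empty srvtab, or otherwise) would close that gap.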