Diffstat (limited to 'server/keytab-backend')
-rwxr-xr-x | server/keytab-backend | 65
1 files changed, 35 insertions, 30 deletions
diff --git a/server/keytab-backend b/server/keytab-backend index 06fed3d..7b6adb4 100755 --- a/server/keytab-backend +++ b/server/keytab-backend @@ -1,5 +1,4 @@ #!/usr/bin/perl -our $ID = q$Id$; # # keytab-backend -- Extract keytabs from the KDC without changing the key. # @@ -18,7 +17,8 @@ our $ID = q$Id$; # The keytab for the extracted principal will be printed to standard output. # # Written by Russ Allbery <rra@stanford.edu> -# Copyright 2006, 2007, 2008 Board of Trustees, Leland Stanford Jr. University +# Copyright 2006, 2007, 2008, 2010 +# Board of Trustees, Leland Stanford Jr. University # # See LICENSE for licensing terms. @@ -156,6 +156,10 @@ __END__ # Documentation ############################################################################## +=for stopwords +keytab-backend keytabs KDC keytab kadmin.local -norandkey ktadd remctld +auth Allbery rekeying + =head1 NAME keytab-backend - Extract keytabs from the KDC without changing the key 
@@ -166,27 +170,28 @@ B<keytab-backend> retrieve I<principal> =head1 DESCRIPTION -B<keytab-backend> retrieves a keytab for an existing principal from the KDC -database without changing the current key. It allows generation of a keytab -for a service without rekeying that service. It requires a B<kadmin.local> -patched to support the B<-norandkey> option to B<ktadd>. +B<keytab-backend> retrieves a keytab for an existing principal from the +KDC database without changing the current key. It allows generation of a +keytab for a service without rekeying that service. It requires a +B<kadmin.local> patched to support the B<-norandkey> option to B<ktadd>. -This script is intended to run under B<remctld>. On success, it prints the -keytab to standard output, logs a success message to syslog (facility auth, -priority info), and exits with status 0. On failure, it prints out an error -message, logs an error to syslog (facility auth, priority err), and exits -with a non-zero status. +This script is intended to run under B<remctld>. On success, it prints +the keytab to standard output, logs a success message to syslog (facility +auth, priority info), and exits with status 0. On failure, it prints out +an error message, logs an error to syslog (facility auth, priority err), +and exits with a non-zero status. The principal is checked for basic sanity (only accepting alphanumerics, -C<_>, and C<-> with an optional instance and then only alphanumerics, C<_>, -C<->, and C<.> in the realm) and then checked against a configuration file -that lists regexes of principals that can be retrieved. When deploying this -software, limit as tightly as possible which principals can be downloaded in -this fashion. Generally only shared service principals used on multiple -systems should be made available in this way. 
+C<_>, and C<-> with an optional instance and then only alphanumerics, +C<_>, C<->, and C<.> in the realm) and then checked against a +configuration file that lists regexes of principals that can be retrieved. +When deploying this software, limit as tightly as possible which +principals can be downloaded in this fashion. Generally only shared +service principals used on multiple systems should be made available in +this way. -B<keytab-backend> does not do any authorization checks. Those should be done -by B<remctld> before it is called. +B<keytab-backend> does not do any authorization checks. Those should be +done by B<remctld> before it is called. =head1 FILES 
@@ -194,19 +199,19 @@ by B<remctld> before it is called. =item F</etc/krb5kdc/allow-extract> -The configuration file that controls which principals can have their keytabs -retrieved. Blank lines and lines starting with C<#>, as well as anything -after C<#> on a line, are ignored. All other lines should be Perl regular -expressions, one per line, that match principals whose keytabs can be -retrieved by B<keytab-backend>. Any principal that does not match one of -those regular expressions cannot be retrieved. +The configuration file that controls which principals can have their +keytabs retrieved. Blank lines and lines starting with C<#>, as well as +anything after C<#> on a line, are ignored. All other lines should be +Perl regular expressions, one per line, that match principals whose +keytabs can be retrieved by B<keytab-backend>. Any principal that does +not match one of those regular expressions cannot be retrieved. =item F</var/lib/keytabs> The temporary directory used for creating keytabs. B<keytab-backend> will -create the keytab in this directory, make sure that was successful, and then -delete the temporary file after the results have been sent to standard -output. +create the keytab in this directory, make sure that was successful, and +then delete the temporary file after the results have been sent to +standard output. =back @@ -214,8 +219,8 @@ output. kadmin.local(8), remctld(8) -This program is part of the wallet system. The current version is available -from L<http://www.eyrie.org/~eagle/software/wallet/>. +This program is part of the wallet system. The current version is +available from L<http://www.eyrie.org/~eagle/software/wallet/>. =head1 AUTHOR |
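Review bot: The first hunk (@@ -1,5 +1,4 @@) drops `our $ID = q$Id$;` but shows no matching change to any code that read `$ID`; if a usage or version message, or the syslog line described in DESCRIPTION, still interpolates `$ID`, the script will now die under `use strict` (undeclared global) or emit an empty string. Please confirm with a search for `$ID` over the rest of the file that no use remains, and if version reporting is still wanted, set a `$VERSION` at release time instead of relying on the RCS keyword.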
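Review bot: The DESCRIPTION hunk (@@ -166,27 +170,28 @@) is meant to be a pure reflow of the POD paragraphs to a narrower width, so it should be checked with `git diff --word-diff` (or `-w`) that no words changed; a wording change can easily hide inside a rewrap. While this paragraph is being touched, the sentence "B<keytab-backend> does not do any authorization checks. Those should be done by B<remctld> before it is called." would read more clearly if it said plainly that the B<remctld> ACL on this command is the only thing restricting who may call it, whereas F</etc/krb5kdc/allow-extract> only restricts which principals may be retrieved.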
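Review bot: In the F</etc/krb5kdc/allow-extract> item (@@ -194,19 +199,19 @@) the text says the lines are "Perl regular expressions, one per line, that match principals whose keytabs can be retrieved" but does not say whether the script anchors them; an unanchored pattern also matches every principal that merely contains that text, including ones in another instance or realm. Please document whether the script wraps each pattern in `^...$` against the full principal (including the realm) or whether administrators must anchor the patterns themselves, since the paragraph above asks them to "limit as tightly as possible" what can be downloaded. For the F</var/lib/keytabs> item, the text should also state the required ownership and mode of that directory, because the keytab is written there in clear before being sent to standard output, and whether the temporary file is removed as well when the B<ktadd> step fails rather than only "after the results have been sent".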