=for stopwords
    wallet-rekey rekey rekeying keytab -hv Heimdal remctl remctld PKINIT kinit
    appdefaults Allbery kadmin SPDX-License-Identifier FSFAP

=head1 NAME

wallet-rekey - Client for rekeying a Kerberos keytab using wallet

=head1 SYNOPSIS

B<wallet-rekey> [B<-hv>] [B<-c> I<command>] [B<-k> I<principal>]
    [B<-p> I<port>] [B<-s> I<server>] [B<-u> I<principal>] [I<keytab> ...]

=head1 DESCRIPTION

B<wallet-rekey> is a specialized client for the wallet system used to rekey
a Kerberos keytab by downloading new keytab objects from wallet for each
principal found in the keytab.  For each keytab file listed on the command
line, it walks through the principals in that keytab, finds all from the
local default realm, requests new wallet keytab objects for each principal
(removing the realm when naming the keytab), and merges the new keys into
the keytab.  If an error occurs, B<wallet-rekey> continues to rekey all
principals that it can, producing error messages for those that it cannot
rekey.

If no keytab file name is given on the command line, B<wallet-rekey>
attempts to rekey F</etc/krb5.keytab>, the system default keytab file.

The new keys are merged into the existing keytab file, but old keys are not
removed.  This means that, over time, the keytab will grow and accumulate
old keys, which eventually should no longer be honored.  Administrators may
want to run:

    kadmin -q 'ktremove -k <keytab> <principal> old'

for MIT Kerberos, where I<keytab> is the path to the keytab and I<principal>
is a principal in the keytab (repeating the command for each principal), or:

    ktutil -k <keytab> purge

for Heimdal.  The Heimdal command can be run by any user with access to the
keytab, but the MIT Kerberos command unfortunately has to be run by someone
with direct B<kadmin> access.  This functionality will eventually be
provided by B<wallet-rekey> directly.

=head1 OPTIONS

=over 4

=item B<-c> I<command>

The command prefix (remctl type) to use.  Normally this is an internal
implementation detail and the default (C<wallet>) should be fine.  It may
sometimes be useful to use a different prefix for testing a different
version of the wallet code on the server.  This option can also be set in
F<krb5.conf>; see L</CONFIGURATION> below.
=item B<-k> I<principal>

The service principal of the wallet server.  The default is to use the
C<host/E<lt>hostnameE<gt>> principal for the wallet server.  The principal
chosen must match one of the keys in the keytab used by B<remctld> on the
wallet server.  This option can also be set in F<krb5.conf>; see
L</CONFIGURATION> below.

=item B<-h>

Display a brief summary of options and exit.  All other valid options and
commands are ignored.

=item B<-p> I<port>

The port to connect to on the wallet server.  The default is the default
remctl port.  This option can also be set in F<krb5.conf>; see
L</CONFIGURATION> below.

=item B<-s> I<server>

The wallet server to connect to.  The default may be set when compiling the
wallet client.  If it isn't, either B<-s> must be given or the server must
be set in F<krb5.conf>.  See L</CONFIGURATION> below.

=item B<-u> I<principal>

Rather than using the user's existing ticket cache for authentication,
authenticate as I<principal> first and use those credentials for
authentication to the wallet server.  B<wallet-rekey> will prompt for the
password for I<principal>.  Non-password authentication methods such as
PKINIT aren't supported; to use those, run B<kinit> first and use an
existing ticket cache.

=item B<-v>

Display the version of the B<wallet-rekey> client and exit.  All other
valid options and commands are ignored.

=back

=head1 CONFIGURATION

The wallet system, including B<wallet-rekey>, can optionally be configured
in the system F<krb5.conf>.  It will read the default F<krb5.conf> file for
the Kerberos libraries with which it was compiled.  To set an option, put
the option in the [appdefaults] section.  B<wallet-rekey> will look for
options either at the top level of the [appdefaults] section or in a
subsection named C<wallet>.  For example, the following fragment of a
F<krb5.conf> file would set the default port to 4373 and the default server
to C<wallet.example.org>.

    [appdefaults]
        wallet_port = 4373
        wallet = {
            wallet_server = wallet.example.org
        }

The supported options are:

=over 4

=item wallet_principal

The service principal of the wallet server.  The default is to use the
C<host/E<lt>hostnameE<gt>> principal for the wallet server.  The principal
chosen must match one of the keys in the keytab used by B<remctld> on the
wallet server.
The B<-k> command-line option overrides this setting.

=item wallet_port

The port to connect to on the wallet server.  The default is the default
remctl port.  The B<-p> command-line option overrides this setting.

=item wallet_server

The wallet server to connect to.  The B<-s> command-line option overrides
this setting.  The default may be set when compiling the wallet client.  If
it isn't, either B<-s> must be given or this parameter must be present in
F<krb5.conf>.

=item wallet_type

The command prefix (remctl type) to use.  Normally this is an internal
implementation detail and the default (C<wallet>) should be fine.  It may
sometimes be useful to use a different prefix for testing a different
version of the wallet code on the server.  The B<-c> command-line option
overrides this setting.

=back

=head1 AUTHOR

Russ Allbery

=head1 COPYRIGHT AND LICENSE

Copyright 2010, 2013 The Board of Trustees of the Leland Stanford Junior
University

Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved.  This file is offered as-is, without any
warranty.

SPDX-License-Identifier: FSFAP

=head1 SEE ALSO

kadmin(8), kinit(1), krb5.conf(5), remctl(1), remctld(8), wallet(1)

This program is part of the wallet system.  The current version is
available from L<https://www.eyrie.org/~eagle/software/wallet/>.

B<wallet-rekey> uses the remctl protocol.  For more information about
remctl, see L<https://www.eyrie.org/~eagle/software/remctl/>.

=cut
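=head1 EXAMPLE

A helper for the old-key cleanup described under DESCRIPTION, added here as
an example and not part of B<wallet-rekey> or the wallet distribution: it
parses constructed C<klist -k> output, keeps only principals from the local
default realm the way B<wallet-rekey> does, and emits one MIT B<kadmin>
C<ktremove ... old> command per principal.  The keytab path, the realm and
the sample listing are assumed values.

```shell
#!/bin/sh
# Added example, not part of wallet-rekey or the wallet distribution.
# Builds the per-principal MIT "kadmin ktremove ... old" commands that the
# DESCRIPTION says must be repeated for every principal after rekeying.
# Only constructed klist output is parsed; no real keytab or KDC is touched.

KEYTAB=/etc/krb5.keytab     # assumed: the wallet-rekey default keytab path
REALM=EXAMPLE.ORG           # assumed: the local default realm

# Constructed `klist -k` output for a keytab that wallet-rekey has rekeyed
# twice: the local principals carry several key versions, and one entry
# from a foreign realm must be left alone (as wallet-rekey itself does).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/db.example.org@EXAMPLE.ORG
   3 host/db.example.org@EXAMPLE.ORG
   4 host/db.example.org@EXAMPLE.ORG
   3 HTTP/db.example.org@EXAMPLE.ORG
   4 HTTP/db.example.org@EXAMPLE.ORG
   7 nfs/db.example.org@OTHER.REALM'

# Distinct principals from the given realm, in first-seen order.  Only
# lines that start with a numeric KVNO are key entries; the rest is header.
local_principals() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $1 ~ /^[0-9]+$/ && $2 ~ ("@" realm "$") && !seen[$2]++ { print $2 }'
}

# Number of local principals that still hold more than one key version,
# i.e. how many ktremove runs are actually needed.
principals_with_old_keys() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $1 ~ /^[0-9]+$/ && $2 ~ ("@" realm "$") && !seen[$2 SUBSEP $1]++ { n[$2]++ }
        END { c = 0; for (p in n) if (n[p] > 1) c++; print c + 0 }'
}

# One kadmin invocation per principal, using the command form from the text.
mit_purge_commands() {
    local_principals "$1" "$2" | while read -r princ; do
        printf "kadmin -q 'ktremove -k %s %s old'\n" "$3" "$princ"
    done
}

mit_purge_commands "$SAMPLE_KLIST" "$REALM" "$KEYTAB"
```

Pipe the emitted commands to a reviewer before running them: each one still
needs direct B<kadmin> access, exactly as the DESCRIPTION notes.

=cut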