.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{
. if \nF \{
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "WALLET-REKEY 1"
.TH WALLET-REKEY 1 "2014-07-16" "1.1" "wallet"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
wallet\-rekey \- Client for rekeying a Kerberos keytab using wallet
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBwallet-rekey\fR [\fB\-hv\fR] [\fB\-c\fR \fIcommand\fR] [\fB\-k\fR \fIprincipal\fR]
[\fB\-p\fR \fIport\fR] [\fB\-s\fR \fIserver\fR] [\fB\-u\fR \fIprincipal\fR] [\fIkeytab\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBwallet-rekey\fR is a specialized client for the wallet system used to
rekey a Kerberos keytab by downloading new keytab objects from wallet for
each principal found in the keytab. For each keytab file listed on the
command line, it walks through the principals in that keytab, finds all
from the local default realm, requests new wallet keytab objects for each
principal (removing the realm when naming the keytab), and merges the new
keys into the keytab.
.PP
If an error occurs, \fBwallet-rekey\fR continues to rekey all principals that
it can, producing error messages for those that it cannot rekey.
.PP
If no keytab file name is given on the command line, \fBwallet-rekey\fR
attempts to rekey \fI/etc/krb5.keytab\fR, the system default keytab file.
.PP
The new keys are merged into the existing keytab file, but old keys are
not removed. This means that, over time, the keytab will grow and
accumulate old keys that eventually should no longer be honored but that
remain in the file until they are explicitly removed. Administrators may
want to run:
.PP
.Vb 1
\& kadmin \-q \*(Aqktremove \-k <keytab> <principal> old\*(Aq
.Ve
.PP
for \s-1MIT\s0 Kerberos, where <keytab> is the path to the keytab and <principal>
is a principal in the keytab (repeating the command for each principal)
or:
.PP
.Vb 1
\& ktutil \-k <keytab> purge
.Ve
.PP
for Heimdal. The Heimdal command can be run by any user with access to
the keytab, but the \s-1MIT\s0 Kerberos command unfortunately has to be run by
someone with direct \fBkadmin\fR access. This functionality will eventually
be provided by \fBwallet-rekey\fR directly.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-c\fR \fIcommand\fR" 4
.IX Item "-c command"
The command prefix (remctl type) to use. Normally this is an internal
implementation detail and the default (\f(CW\*(C`wallet\*(C'\fR) should be fine. It may
sometimes be useful to use a different prefix for testing a different
version of the wallet code on the server. This option can also be set in
\&\fIkrb5.conf\fR; see \s-1CONFIGURATION\s0 below.
.IP "\fB\-k\fR \fIprincipal\fR" 4
.IX Item "-k principal"
The service principal of the wallet server. The default is to use the
\&\f(CW\*(C`host\*(C'\fR principal for the wallet server. The principal chosen must match
one of the keys in the keytab used by \fBremctld\fR on the wallet server.
This option can also be set in \fIkrb5.conf\fR; see \s-1CONFIGURATION\s0 below.
.IP "\fB\-h\fR" 4
.IX Item "-h"
Display a brief summary of options and exit. All other valid options and
commands are ignored.
.IP "\fB\-p\fR \fIport\fR" 4
.IX Item "-p port"
The port to connect to on the wallet server. The default is the default
remctl port. This option can also be set in \fIkrb5.conf\fR; see
\&\s-1CONFIGURATION\s0 below.
.IP "\fB\-s\fR \fIserver\fR" 4
.IX Item "-s server"
The wallet server to connect to. The default may be set when compiling
the wallet client. If it isn't, either \fB\-s\fR must be given or the server
must be set in \fIkrb5.conf\fR. See \s-1CONFIGURATION\s0 below.
.IP "\fB\-u\fR \fIprincipal\fR" 4
.IX Item "-u principal"
Rather than using the user's existing ticket cache for authentication,
authenticate as \fIprincipal\fR first and use those credentials for
authentication to the wallet server. \fBwallet-rekey\fR will prompt for the
password for \fIprincipal\fR. Non-password authentication methods such as
\&\s-1PKINIT\s0 aren't supported; to use those, run \fBkinit\fR first and use an
existing ticket cache.
.IP "\fB\-v\fR" 4
.IX Item "-v"
Display the version of the \fBwallet\fR client and exit. All other valid
options and commands are ignored.
.SH "CONFIGURATION"
.IX Header "CONFIGURATION"
The wallet system, including \fBwallet-rekey\fR, can optionally be configured
in the system \fIkrb5.conf\fR. It will read the default \fIkrb5.conf\fR file
for the Kerberos libraries with which it was compiled. To set an option,
put the option in the [appdefaults] section. \fBwallet-rekey\fR will look
for options either at the top level of the [appdefaults] section or in a
subsection named \f(CW\*(C`wallet\*(C'\fR. For example, the following fragment of a
\&\fIkrb5.conf\fR file would set the default port to 4373 and the default
server to \f(CW\*(C`wallet.example.org\*(C'\fR.
.PP
.Vb 5
\& [appdefaults]
\& wallet_port = 4373
\& wallet = {
\& wallet_server = wallet.example.org
\& }
.Ve
.PP
The supported options are:
.IP "wallet_principal" 4
.IX Item "wallet_principal"
The service principal of the wallet server. The default is to use the
\&\f(CW\*(C`host\*(C'\fR principal for the wallet server. The principal chosen must match
one of the keys in the keytab used by \fBremctld\fR on the wallet server.
The \fB\-k\fR command-line option overrides this setting.
.IP "wallet_port" 4
.IX Item "wallet_port"
The port to connect to on the wallet server. The default is the default
remctl port. The \fB\-p\fR command-line option overrides this setting.
.IP "wallet_server" 4
.IX Item "wallet_server"
The wallet server to connect to. The \fB\-s\fR command-line option overrides
this setting. The default may be set when compiling the wallet client.
If it isn't, either \fB\-s\fR must be given or this parameter must be present
in \fIkrb5.conf\fR.
.IP "wallet_type" 4
.IX Item "wallet_type"
The command prefix (remctl type) to use. Normally this is an internal
implementation detail and the default (\f(CW\*(C`wallet\*(C'\fR) should be fine. It may
sometimes be useful to use a different prefix for testing a different
version of the wallet code on the server. The \fB\-c\fR command-line option
overrides this setting.
.SH "AUTHOR"
.IX Header "AUTHOR"
Russ Allbery <eagle@eyrie.org>
.SH "COPYRIGHT AND LICENSE"
.IX Header "COPYRIGHT AND LICENSE"
Copyright 2010, 2013 The Board of Trustees of the Leland Stanford Junior
University
.PP
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any
warranty.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIkadmin\fR\|(8), \fIkinit\fR\|(1), \fIkrb5.conf\fR\|(5), \fIremctl\fR\|(1), \fIremctld\fR\|(8), \fIwallet\fR\|(1)
.PP
This program is part of the wallet system. The current version is available
from <http://www.eyrie.org/~eagle/software/wallet/>.
.PP
\&\fBwallet-rekey\fR uses the remctl protocol. For more information about
remctl, see <http://www.eyrie.org/~eagle/software/remctl/>.