+2003-02-06 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in (install): Install k5srvutil
+
2003-01-07 Ken Raeburn <raeburn@mit.edu>
* Makefile.ov: Deleted.
install::
$(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+ $(INSTALL_PROGRAM) $(srcdir)/k5srvutil.sh ${DESTDIR}$(ADMIN_BINDIR)/k5srvutil
+ $(INSTALL_DATA)$(srcdir)/k5srvutil.M ${DESTDIR}$(ADMIN_MANDIR)/k5srvutil.8
$(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8
$(INSTALL_DATA) $(srcdir)/$(PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).local.8
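Review bot: The new man-page install line is missing the space between the command variable and its argument, so `$(INSTALL_DATA)$(srcdir)/k5srvutil.M` expands to something like `install -m 644/…/k5srvutil.M` (or `cp/…/k5srvutil.M`, depending on what INSTALL_DATA holds) and the recipe fails or installs the wrong thing. It should read `$(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(ADMIN_MANDIR)/k5srvutil.8`, matching the two existing man-page lines below it. This is a double-colon `install::` rule, so the error would only surface when the recipe actually runs, not at parse time; a quick `make -n install` would show the malformed command.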
--- /dev/null
+.\" Copyright 1989, 2003 by the Massachusetts Institute of Technology.
+.\"
+.TH K5SRVUTIL 8
+.SH NAME
+k5srvutil \- host key table (keytab) manipulation utility
+.SH SYNOPSIS
+k5srvutil
+.B operation
+[
+.B \-i
+] [
+.B \-f filename
+]
+.SH DESCRIPTION
+.I k5srvutil
+allows a system manager to list or change keys currently in his
+keytab or to add new keys to the keytab.
+.PP
+
+Operation must be one of the following:
+.TP 10n
+.I list
+lists the keys in a keytab showing version number and principal
+name.
+.TP 10n
+.I change
+changes all the keys in the keytab to new randomly-generated keys,
+updating the keys in the Kerberos server's database to match by using the
+kadmin protocol. If a key's version number doesn't match the
+version number stored in the Kerberos server's database, then the operation will fail. The old keys are retained
+so that existing tickets continue to work.
+If the \-i flag is given,
+.I k5srvutil
+will prompt for yes or no before changing each key. If the \-k
+option is used, the old and new keys will be displayed.
+.TP 10n
+.I delold
+Deletes keys that are not the most recent version from the keytab. This operation
+should be used some time after a change operation to remove old keys.
+If the \-i flag is used, then the program prompts the user
+whether the old keys associated with each principal should be removed.
+.TP 10n
+.I delete
+deletes particular keys in the keytab, interactively prompting for
+each key.
+
+.PP
+In all cases, the default file used is /etc/krb5.keytab file
+ unless this is overridden by the \-f option.
+
+
+.I k5srvutil
+uses the kadmin program to edit the keytab in place. However, old keys are retained, so
+they are available in case of failure.
+
+.SH SEE ALSO
+kadmin(8), ktutil(8)
+
--- /dev/null
+#!/bin/sh
+
+# list_princs keytab
+# returns a list of principals in the keytab
+# sorted and uniquified
+list_princs() {
+ klist -k $keytab | tail +4 | awk '{print $2}' | sort | uniq
+}
+
+set_command() {
+ if [ x$command != x ] ; then
+ cmd_error Only one command can be specified
+ usage
+ exit 1
+ fi
+ command=$1
+}
+
+#interactive_prompt prompt princ
+# If in interactive mode return true if the principal should be acted on
+# otherwise return true all the time
+interactive_prompt() {
+ if [ $interactive = 0 ] ; then
+ return 0
+ fi
+ printf "%s for %s? [yn]" "$1" "$2"
+ read ans
+ case $ans in
+ n*|N*)
+ return 1
+ ;;
+ esac
+ return 0
+ }
+
+cmd_error() {
+ echo $@ 2>&1
+ }
+
+usage() {
+ echo "Usage: $0 [-i] [-f file] list|change|delete|delold"
+}
+
+
+
+change_key() {
+ princs=`list_princs `
+ for princ in $princs; do
+ if interactive_prompt "Change key " $princ; then
+ kadmin -k -t $keytab -p $princ -q "ktadd -k $keytab $princ"
+ fi
+ done
+ }
+
+delete_old_keys() {
+ princs=`list_princs `
+ for princ in $princs; do
+ if interactive_prompt "Delete old keys " $princ; then
+ kadmin -k -t $keytab -p $princ -q "ktrem -k $keytab $princ old"
+ fi
+ done
+ }
+
+delete_keys() {
+ interactive=1
+ princs=`list_princs `
+ for princ in $princs; do
+ if interactive_prompt "Delete all keys " $princ; then
+ kadmin -p $princ -k -t $keytab -q "ktrem -k $keytab $princ all"
+ fi
+ done
+ }
+
+
+keytab=/etc/krb5.keytab
+interactive=0
+
+while [ $# -gt 0 ] ; do
+ opt=$1
+ shift
+ case $opt in
+ "-f")
+ keytab=$1
+ shift
+ ;;
+ "-i")
+ interactive=1
+ ;;
+ change|delold|delete|list)
+ set_command $opt
+ ;;
+ *)
+ cmd_error Illegal option: $opt
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+
+case $command in
+ change)
+ change_key
+ ;;
+ delold)
+ delete_old_keys
+ ;;
+ delete)
+ delete_keys
+ ;;
+ list)
+ klist -k $keytab
+ ;;
+ *)
+ usage
+ ;;
+ esac
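Review bot: `cmd_error` sends its message to stdout rather than stderr — `echo $@ 2>&1` redirects stderr into stdout, so usage errors from the option parser end up on the same stream a caller would capture for `list` output; it should be `echo "$@" 1>&2`. The `kadmin` exit status is ignored in all three loops and the script always exits 0, so a `change` run where one `ktadd` fails (e.g. the kvno mismatch the man page describes) silently leaves that principal's keytab and KDC entry out of sync; something like `kadmin -k -t "$keytab" -p "$princ" -q "ktadd -k $keytab $princ" || status=1` with `exit ${status:-0}` at the end would make partial failure visible to scripts. `$keytab` and `$princ` are unquoted throughout, so a keytab path containing whitespace breaks both the command line and the `-q` string, and `-f` given as the last argument sets `keytab` to an empty string without complaint. `tail +4` is the old BSD form; `tail -n +4` is the POSIX spelling. The man page also documents a `\-k` option for `change` that the script's option parser rejects as an illegal option, so one of the two should be corrected.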