From 51eec9fdeb15346114976c320541c4c0927feb76 Mon Sep 17 00:00:00 2001 From: Will Fiveash Date: Wed, 25 Mar 2009 21:12:58 +0000 Subject: [PATCH] Update kdb5_util man page for mkey migration project Updated the kdb5_util command man page to include documentation on new subcommands added as a result of the Master Key Migration project. Ticket: 6432 Version_Reported: 1.7 Target_Version: 1.7 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22114 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/dbutil/kdb5_util.M | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M index 294357fc9..1883ce282 100644 --- a/src/kadmin/dbutil/kdb5_util.M +++ b/src/kadmin/dbutil/kdb5_util.M 
@@ -216,20 +216,31 @@ default. \fBark\fP Adds a random key. .TP -\fBadd_mkey\fP ... -This option needs documentation. +\fBadd_mkey\fP [\fB\-e etype\fP] [\fB\-s\fP] +Adds a new master key to the K/M (master key) principal. Existing master keys will remain. +The +.B \-e etype +option allows specification of the enctype of the new master key. The +.B \-s +option stashes the new master key in a local stash file which will be created if it doesn't already exist. .TP -\fBuse_mkey\fP ... -This option needs documentation. +\fBuse_mkey\fP \fImkeyVNO [\fBtime\fP] +Sets the activation time of the master key specified by +.B mkeyVNO. +Once a master key is active (i.e. its activation time has been reached) it will then be used to encrypt principal keys either when the principal keys change, are newly created or when the update_princ_encryption command is run. If the +.B time +argument is provided then that will be the activation time otherwise the current time is used by default. The format of the optional +.B time +argument is that specified in the Time Formats section of the kadmin man page. .TP \fBlist_mkeys\fP -This option needs documentation. +List all master keys from most recent to earliest in K/M principal. The output will show the KVNO, enctype and salt for each mkey similar to kadmin getprinc output. A * following an mkey denotes the currently active master key. .TP \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP] [\fBprinc\-pattern\fP] Update all principal records (or only those matching the .B princ\-pattern -glob pattern) to re-encrypt the key data using the latest version of -the database master key, if they are encrypted using older versions, +glob pattern) to re-encrypt the key data using the active +database master key, if they are encrypted using older versions, and give a count at the end of the number of principals updated. If the .B \-f -- 2.26.2
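Review bot: The new use_mkey synopsis line leaves the troff fonts unbalanced: `\fBuse_mkey\fP \fImkeyVNO [\fBtime\fP]` opens italic with `\fI` and never closes it, so the `\fP` after `time` returns to italic rather than roman and the closing `]` plus everything that follows renders in italic; write it as `\fBuse_mkey\fP \fImkeyVNO\fP [\fBtime\fP]`, and use `.BR mkeyVNO .` instead of `.B mkeyVNO.` so the sentence's period is not set in bold. Two wording points in the same block: "either when the principal keys change, are newly created or when the update_princ_encryption command is run" puts three cases under "either ... or" (drop "either"), and "If the time argument is provided then that will be the activation time otherwise the current time is used by default" needs a break before "otherwise" (a semicolon or a new sentence). Under list_mkeys, "in K/M principal" should read "in the K/M principal". Finally, since add_mkey -s writes the new master key into the local stash file, the add_mkey text should say which stash file is written (the one selected by kdb5_util's -sf option, or the default when none is given), so an administrator reading this page knows which on-disk file now holds the key and has to be protected accordingly.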