From d3ed0f832618288208ca7b72c7ae0b724865a953 Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Thu, 6 Feb 2003 20:05:41 +0000
Subject: [PATCH] Add k5srvutil

Add a script called k5srvutil that allows easy manipulation of keytabs for common tasks such as changing keys and deleting outdated keys.

ticket: 1191
Tags: enhancement

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15159 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kadmin/cli/ChangeLog    |   4 ++
 src/kadmin/cli/Makefile.in  |   2 +
 src/kadmin/cli/k5srvutil.M  |  58 ++++++++++++++++++
 src/kadmin/cli/k5srvutil.sh | 117 ++++++++++++++++++++++++++++++++++++
 4 files changed, 181 insertions(+)
 create mode 100644 src/kadmin/cli/k5srvutil.M
 create mode 100644 src/kadmin/cli/k5srvutil.sh

diff --git a/src/kadmin/cli/ChangeLog b/src/kadmin/cli/ChangeLog
index 73828c392..849db8c78 100644
--- a/src/kadmin/cli/ChangeLog
+++ b/src/kadmin/cli/ChangeLog
@@ -1,3 +1,7 @@
+2003-02-06 Sam Hartman
+
+	* Makefile.in (install): Install k5srvutil
+
 2003-01-07 Ken Raeburn
 
 	* Makefile.ov: Deleted.
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
index 3213da72a..82af0931d 100644
--- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in
@@ -21,6 +21,8 @@ kadmin_ct.o: kadmin_ct.c
 install::
 	$(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+	$(INSTALL_PROGRAM) $(srcdir)/k5srvutil.sh ${DESTDIR}$(ADMIN_BINDIR)/k5srvutil
+	$(INSTALL_DATA)$(srcdir)/k5srvutil.M ${DESTDIR}$(ADMIN_MANDIR)/k5srvutil.8
 	$(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8
 	$(INSTALL_DATA) $(srcdir)/$(PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).local.8
 
diff --git a/src/kadmin/cli/k5srvutil.M b/src/kadmin/cli/k5srvutil.M
new file mode 100644
index 000000000..b455b7c3c
--- /dev/null
+++ b/src/kadmin/cli/k5srvutil.M
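Review bot: The new manpage install line `$(INSTALL_DATA)$(srcdir)/k5srvutil.M ...` in the Makefile.in hunk is missing the space after `$(INSTALL_DATA)`, so whatever INSTALL_DATA expands to (typically a command ending in a mode argument such as `-m 644`) is glued onto the source path and the install step will fail or install the wrong file. It should read `$(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(ADMIN_MANDIR)/k5srvutil.8`, matching the two `$(INSTALL_DATA) $(srcdir)/$(PROG)...` lines that follow it. The ChangeLog entry only mentions installing k5srvutil; noting the manpage install there as well would keep the record complete.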
@@ -0,0 +1,58 @@
+.\" Copyright 1989, 2003 by the Massachusetts Institute of Technology.
+.\"
+.TH K5SRVUTIL 8
+.SH NAME
+k5srvutil \- host key table (keytab) manipulation utility
+.SH SYNOPSIS
+k5srvutil
+.B operation
+[
+.B \-i
+] [
+.B \-f filename
+]
+.SH DESCRIPTION
+.I k5srvutil
+allows a system manager to list or change keys currently in his
+keytab or to add new keys to the keytab.
+.PP
+
+Operation must be one of the following:
+.TP 10n
+.I list
+lists the keys in a keytab showing version number and principal
+name.
+.TP 10n
+.I change
+changes all the keys in the keytab to new randomly-generated keys,
+updating the keys in the Kerberos server's database to match by using the
+kadmin protocol. If a key's version number doesn't match the
+version number stored in the Kerberos server's database, then the operation will fail. The old keys are retained
+so that existing tickets continue to work.
+If the \-i flag is given,
+.I k5srvutil
+will prompt for yes or no before changing each key. If the \-k
+option is used, the old and new keys will be displayed.
+.TP 10n
+.I delold
+Deletes keys that are not the most recent version from the keytab. This operation
+should be used some time after a change operation to remove old keys.
+If the \-i flag is used, then the program prompts the user
+whether the old keys associated with each principal should be removed.
+.TP 10n
+.I delete
+deletes particular keys in the keytab, interactively prompting for
+each key.
+
+.PP
+In all cases, the default file used is /etc/krb5.keytab file
+ unless this is overridden by the \-f option.
+
+
+.I k5srvutil
+uses the kadmin program to edit the keytab in place. However, old keys are retained, so
+they are available in case of failure.
+
+.SH SEE ALSO
+kadmin(8), ktutil(8)
+
diff --git a/src/kadmin/cli/k5srvutil.sh b/src/kadmin/cli/k5srvutil.sh
new file mode 100644
index 000000000..70b1b8548
--- /dev/null
+++ b/src/kadmin/cli/k5srvutil.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+# list_princs keytab
+# returns a list of principals in the keytab
+# sorted and uniquified
+list_princs() {
+    klist -k $keytab | tail +4 | awk '{print $2}' | sort | uniq
+}
+
+set_command() {
+    if [ x$command != x ] ; then
+        cmd_error Only one command can be specified
+        usage
+        exit 1
+    fi
+    command=$1
+}
+
+#interactive_prompt prompt princ
+# If in interactive mode return true if the principal should be acted on
+# otherwise return true all the time
+interactive_prompt() {
+    if [ $interactive = 0 ] ; then
+        return 0
+    fi
+    printf "%s for %s? [yn]" "$1" "$2"
+    read ans
+    case $ans in
+        n*|N*)
+            return 1
+            ;;
+    esac
+    return 0
+    }
+
+cmd_error() {
+    echo $@ 2>&1
+    }
+
+usage() {
+    echo "Usage: $0 [-i] [-f file] list|change|delete|delold"
+}
+
+
+
+change_key() {
+    princs=`list_princs `
+    for princ in $princs; do
+        if interactive_prompt "Change key " $princ; then
+            kadmin -k -t $keytab -p $princ -q "ktadd -k $keytab $princ"
+        fi
+    done
+    }
+
+delete_old_keys() {
+    princs=`list_princs `
+    for princ in $princs; do
+        if interactive_prompt "Delete old keys " $princ; then
+            kadmin -k -t $keytab -p $princ -q "ktrem -k $keytab $princ old"
+        fi
+    done
+    }
+
+delete_keys() {
+    interactive=1
+    princs=`list_princs `
+    for princ in $princs; do
+        if interactive_prompt "Delete all keys " $princ; then
+            kadmin -p $princ -k -t $keytab -q "ktrem -k $keytab $princ all"
+        fi
+    done
+    }
+
+
+keytab=/etc/krb5.keytab
+interactive=0
+
+while [ $# -gt 0 ] ; do
+    opt=$1
+    shift
+    case $opt in
+        "-f")
+            keytab=$1
+            shift
+            ;;
+        "-i")
+            interactive=1
+            ;;
+        change|delold|delete|list)
+            set_command $opt
+            ;;
+        *)
+            cmd_error Illegal option: $opt
+            usage
+            exit 1
+            ;;
+    esac
+done
+
+
+case $command in
+    change)
+        change_key
+        ;;
+    delold)
+        delete_old_keys
+        ;;
+    delete)
+        delete_keys
+        ;;
+    list)
+        klist -k $keytab
+        ;;
+    *)
+        usage
+        ;;
+    esac
-- 
2.26.2
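Review bot: cmd_error() writes its diagnostics to stdout rather than stderr, because `2>&1` redirects stderr into stdout; the line should be `echo "$@" 1>&2`, and since usage() is printed on the same error paths before `exit 1` it probably belongs on stderr as well. The option loop also never checks that `-f` has a value: a trailing `-f` leaves `$keytab` empty, and because `$keytab` and `$princ` are expanded unquoted everywhere (`klist -k $keytab`, `kadmin -k -t $keytab -p $princ -q "ktadd -k $keytab $princ"`), an empty or space-containing path is silently mis-parsed and kadmin is then likely to take `-p` as the keytab name. Quoting the expansions (`"$keytab"`, `"$princ"`) and rejecting `-f` without an argument, `[ $# -gt 0 ] || { cmd_error -f requires a filename; usage; exit 1; }`, closes both gaps. Separately, `tail +4` in list_princs is the obsolete form; modern GNU tail rejects it as a file name, so `tail -n +4` is the portable spelling.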