From f5ef8e456359097505e5f8ffb460b4ffdae70272 Mon Sep 17 00:00:00 2001 From: Jeff Bigler Date: Thu, 29 Aug 1996 20:36:28 +0000 Subject: [PATCH] man page rewrite from Cygnus. Renamed the file kadmin.M. (kadmin.1 is just wrong, since it's in section 8.) Added kadmin.local.M, which is just a pointer to kadmin.M. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9009 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/cli/ChangeLog | 5 + src/kadmin/cli/Makefile.in | 2 + src/kadmin/cli/kadmin.1 | 453 -------------------- src/kadmin/cli/kadmin.M | 761 ++++++++++++++++++++++++++++++++++ src/kadmin/cli/kadmin.local.M | 1 + 5 files changed, 769 insertions(+), 453 deletions(-) delete mode 100644 src/kadmin/cli/kadmin.1 create mode 100644 src/kadmin/cli/kadmin.M create mode 100644 src/kadmin/cli/kadmin.local.M diff --git a/src/kadmin/cli/ChangeLog b/src/kadmin/cli/ChangeLog index e0dd898ba..5efe2b95d 100644 --- a/src/kadmin/cli/ChangeLog +++ b/src/kadmin/cli/ChangeLog @@ -1,3 +1,8 @@ +Thu Aug 29 16:08:10 1996 Jeff Bigler + + * Makefile.in (install): added man pages for kadmin and + kadmin.local + Fri Aug 23 14:16:18 1996 Sam Hartman * configure.in: Use shared libaries if present. diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in index 5136c450c..b02798510 100644 --- a/src/kadmin/cli/Makefile.in +++ b/src/kadmin/cli/Makefile.in @@ -16,6 +16,8 @@ kadmin_ct.o: kadmin_ct.c install:: $(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) + $(INSTALL_DATA) $(srcdir)/($PROG).M ${DESTDIR}$(ADMIN_MANDIR)/($PROG).8 + $(INSTALL_DATA) $(srcdir)/($PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/($PROG).local.8 clean:: $(RM) $(PROG).local $(PROG) $(OBJS) diff --git a/src/kadmin/cli/kadmin.1 b/src/kadmin/cli/kadmin.1 deleted file mode 100644 index dbd4d77ff..000000000 --- a/src/kadmin/cli/kadmin.1 +++ /dev/null 
@@ -1,453 +0,0 @@ -KADMIN(8) USER_COMMANDS KADMIN(8) - -NAME - kadmin - a command line interface to the Kerberos KADM5 - administration system - -SYNOPSIS - kadmin [-r realm] [-p principal] [-q query] [clnt|local args] - clnt args: [-p principal] [[-c ccache]|[-k [-t keytab]]] - [-w] [-s admin_server[:port]] - local args: [-d dbname] [-e \"enc:salt ...\"] [-m] - -DESCRIPTION - kadmin is a command-line interface to the Kerberos KADM5 - administration system. It provides for the maintainance of - Kerberos principals, KADM5 policies, and service key tables - (keytabs). It exists as both a remote client, using Kerberos - authentication and an encrypted RPC to operate securely from - anywhere on the network, and as a local client intended to run - directly on the KDC without Kerberos authentication. The - local version provides all of the functionality of the now - obsolete kdb5_edit(8) except for database dump and load, which - is now provided by the kdb5_util(8) utility. - -COMMAND LINE ARGUMENTS - If -r is specified, then kadmin will use the specified realm - as the default database realm rather than the default realm - for the local machine. - - The -q option allows the passing of a request directly to - kadmin, which will then exit. This can be useful for writing - scripts. - - The remote version authenticates to the KADM5 server using the - service kadmin/admin, and therefore needs a client Kerberos - principal name as which to authenticate. The -p, -c, and -k - are designed to work together to specify which principal as - which to authenticate and where the service ticket or - password/key for that principal should be obtained. If given - the -p option, kadmin will use the specified principal to - authenticate. Otherwise, if given -c option then the primary - principal name of the ccache is used. Otherwise, if given the - -k option, the principal name host/ is used. 
- Otherwise, kadmin will append "/admin" to the primary - principal name of the default ccache, the value of the USER - environment variable, or the username as obtained with - getpwuid, in order of preference. - - Once kadmin knows the principal name as which to authenticate, - it needs to acquire a Kerberos service ticket for the KADM5 - server. If the -c ccache argument is specified, the ccache - should contain a service ticket for the kadmin/admin service; - it can be acquired with the kinit(1) program. Otherwise, - kadmin requests a new service ticket from the KDC and stores - it in its own temporary ccache. If the -k keytab argument is - specified, the keytab is used to decrypt the KDC response; - otherwise, a password is required. By default, the user is - prompted for the password on the TTY. However, if given the - -w option, kadmin will use the password provided on the - command line instead of prompting for one on the TTY. - WARNING! Placing the password for a Kerberos principal with - administration access into a shell script is EXTREMELY - DANGEROUS and should only be done if you are highly sure that - the script will not fall into the wrong hands. - - If given the -d argument, kadmin will use the specified - database name instead of the default defined in kdc.conf. - Note that specifying a different KDC database name also - specifies a different name for the KADM5 policy database and - lock file. - - If given the -e argument, kadmin will use the specified list - of encryption and salt type tuples instead of the values - specified in kdc.conf. This is useful, for example, if you - want to create a single principal with a particular key/salt - type without affecting any other principals. - - If given the -m argument, kadmin will prompt for the Kerberos - master password on the command line instead of attempting to - use the stash file. 
- -DATE FORMAT - Various commands in kadmin can take a variety of - date formats, specifying durations or absolute times. - Examples of valid formats are: - - 1 month ago - 2 hours ago - 400000 seconds ago - last year - last Monday - yesterday - a fortnight ago - 3/31/92 10:00:07 PST - January 23, 1987 10:05pm - 22:00 GMT - - Dates which do not have the "ago" specifier default to being - absolute dates, unless they appear in a field where a duration - is expected. In that case the time specifier will be - interpreted as relative. Specifying "ago" on a duration may - result in unexpected behaviour. - -COMMAND DESCRIPTIONS - -add_principal [options] _newprinc_ - creates the principal _newprinc_, prompting twice for a - password. This command requires the "add" privilege. This - command has the aliases "addprinc", "ank". - - OPTIONS - -salt _salttype_ - uses the specified salt instead of the default V5 salt - for generating the key. Valid values for _salttype_ - are: - full_name (aliases "v5_salt", "normal") - name_only - realm_only - no_salt (alias "v4_salt") - - -expire _expdate_ - expiration date of the principal - - -pwexpire _pwexpdate_ - password expiration date - - -maxlife _maxlife_ - maximum ticket life of the principal - - -maxrenewlife _maxrenewlife_ - maximum renewable ticket lifetime of the principal - - -kvno _kvno_ - explicity set the key version number. This is not - recommended. - - -policy _policy_ - policy used by this principal. If no policy is - supplied, the principal will default to having no - policy, and a warning message will be printed. - - {-|+}allow_tgs_req - "-allow_tgs_req" specifies that a TGS request for a - ticket for a service ticket for this principal is not - permitted. This option is useless for most things. - "+allow_tgs_req" clears this flag. The default is - "+allow_tgs_req". In effect, "-allow_tgs_req" sets - the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal - in the database. 
- - {-|+}allow_tix - "-allow_tix" forbids the issuance of any tickets for - this principal. "+allow_tix" clears this flag. The - default is "+allow_tix". In effect, "-allow_tix" sets - the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in - the database. - - {-|+}needchange - "+needchange" sets a flag in attributes field to force - a password change; "-needchange" clears it. The - default is "-needchange". In effect, "+needchange" - sets the KRB5_KDB_REQUIRES_PWCHANGE flag on the - principal in the database. - - {-|+}password_changing_service - "+password_changing_service" sets a flag in the - attributes field marking this as a password change - service principal (useless for most things). - "-password_changing_service" clears the flag. This - flag intentionally has a long name. The default is - "-password_changing_service". In effect, - "+password_changing_service" sets the - KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the - database. - - -randpass - sets the key of the principal to a random value - - -pw _password_ - sets the key of the principal to the specified string - and does not prompt for a password. This is not - recommended. - - EXAMPLE - kadmin: addprinc tlyu/deity - WARNING: no policy specified for "tlyu/deity@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal tlyu/deity@ATHENA.MIT.EDU: - Re-enter password for principal tlyu/deity@ATHENA.MIT.EDU: - Principal "tlyu/deity@ATHENA.MIT.EDU" created. - kadmin: - - ERRORS - KADM5_AUTH_ADD (requires "add" privilege) - KADM5_BAD_MASK (shouldn't happen) - KADM5_DUP (principal exists already) - KADM5_UNK_POLICY (policy does not exist) - KADM5_PASS_Q_* (password quality violations) - -delete_principal [-force] _principal_ - deletes the specified principal from the database. This - command prompts for deletion, unless the "-force" option is - given. This command requires the "delete" privilege. Aliased - to "delprinc". 
- - EXAMPLE - kadmin: delprinc mwm_user - Are you sure you want to delete the principal - "mwm_user@ATHENA.MIT.EDU"? (yes/no): yes - Principal "mwm_user@ATHENA.MIT.EDU" deleted. - Make sure that you have removed this principal from - all ACLs before reusing. - kadmin: - - ERRORS - KADM5_AUTH_DELETE (reequires "delete" privilege) - KADM5_UNK_PRINC (principal does not exist) - -modify_principal [options] _principal_ - modifies the specified principal, changing the fields as - specified. The options are as above for "add_principal", - except that password changing is forbidden by this command. - In addition, the option "-clearpolicy" will remove clear the - current policy of a principal. This command requires the - "modify" privilege. Aliased to "modprinc". - - ERRORS - KADM5_AUTH_MODIFY (requires "modify" privilege) - KADM5_UNK_PRINC (principal does not exist) - KADM5_UNK_POLICY (policy does not exist) - KADM5_BAD_MASK (shouldn't happen) - -change_password [options] _principal_ - changes the password of _principal_. Prompts for a new - password if neither -randpass or -pw is specified. Requires - the "modify" privilege, or that the principal that is running - the program to be the same as the one changed. Aliased to - "cpw". - - OPTIONS - -salt _salttype_ - uses the specified salt instead of the default V5 salt - for generating the key. Options are the same as for - add_principal. - - -randpass - sets the key of the principal to a random value - - -pw _password_ - set the password to the specified string. Not - recommended. - - EXAMPLE - kadmin: cpw systest - Enter password for principal systest@ATHENA.MIT.EDU: - Re-enter password for principal systest@ATHENA.MIT.EDU: - Password for systest@ATHENA.MIT.EDU changed. 
- kadmin: - - ERRORS - KADM5_AUTH_MODIFY (requires the modify privilege) - KADM5_UNK_PRINC (principal does not exist) - KADM5_PASS_Q_* (password policy violation errors) - KADM5_PADD_REUSE (password is in principal's password istory) - KADM5_PASS_TOOSOON (current password minimum life not xpired) - -get_principal [-terse] _principal_ - gets the attributes of _principal_. Requires the "get" - privilege, or that the principal that is running the the - program to be the same as the one being listed. With the - "-terse" option, outputs fields as a quoted tab-separated - strings. Alias "getprinc". - - EXAMPLES - kadmin: getprinc tlyu/deity - Principal: tlyu/deity@ATHENA.MIT.EDU - Key version: 3 - Maximum life: 1 day 00:00:00 - Maximum renewable life: 7 days 00:00:00 - Master key version: 1 - Expires: Mon Jan 18 22:14:07 EDT 2038 - Password expires: Mon Sep 19 14:40:00 EDT 1994 - Password last changed: Mon Jan 31 02:06:40 EDT 1994 - Last modified: by tlyu/admin@ATHENA.MIT.EDU - on Wed Jul 13 18:27:08 EDT 1994 - Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE, - REQUIRES_HW_AUTH - Salt type: DEFAULT - kadmin: getprinc systest - systest@ATHENA.MIT.EDU 3 86400 604800 1 - 785926535 753241234 785900000 - tlyu/admin@ATHENA.MIT.EDU 786100034 0 - 0 - kadmin: - - ERRORS - KADM5_AUTH_GET (requires the get privilege) - KADM5_UNK_PRINC (principal does not exist) - -get_principals [expression] - Retrieves all or some principal names. _expression_ is a - shell-style glob expression that can contain the wild-card - characters ?, *, and []'s. All principal names matching the - expression are printed. If no expression is provided, the - expression "*" is assumed. If the expression does not contain - an "@" character, an "@" character followed by the local realm - is appended to the expression. Requires the "list" priviledge. - Alias "getprincs". 
- - EXAMPLES - kadmin: getprincs test* - test3@SECURE-TEST.OV.COM - test2@SECURE-TEST.OV.COM - test1@SECURE-TEST.OV.COM - testuser@SECURE-TEST.OV.COM - kadmin: - -add_policy [options] _policy_ - adds the named policy to the policy database. Requires the - "add" privilege. Aliased to "addpol". - - OPTIONS - -maxlife _time_ - sets the maximum lifetime of a password - - -minlife _time_ - sets the minimum lifetime of a password - - -minlength _length_ - sets the minimum length of a password - - -minclasses _number_ - sets the minimum number of character classes allowed - in a password - - -history _number_ - sets the number of past keys kept for a principal - - ERRORS - KADM5_AUTH_ADD (requires the add privilege) - KADM5_DUP (policy already exists) - -delete_policy _policy_ - deletes the named policy. Prompts for confirmation before - deletion. The command will fail if the policy is in use by - any principals. Requires the "delete" privilege. Alias - "delpol". - - EXAMPLE - kadmin: del_policy guests - Are you sure you want to delete the policy "guests"? - (yes/no): yes - Policy "guests" deleted. - kadmin: - - ERRORS - KADM5_AUTH_DELETE (requires the delete privilege) - KADM5_UNK_POLICY (policy does not exist) - KADM5_POLICY_REF (reference count on policy is not zero) - -modify_policy [options] _policy_ - modifies the named policy. Options are as above for - "add_policy". Requires the "modify" privilege". Alias - "modpol". - - ERRORS - KADM5_AUTH_MODIFY (requires the modify privilege) - KADM5_UNK_POLICY (policy does not exist) - -get_policy [-terse] _policy_ - displays the values of the named policy. Requires the "get" - privilege. With the "-terse" flag, outputs the fields as - quoted strings separated by tabs. Alias "getpol". 
- - EXAMPLES - kadmin: get_policy admin - Policy: admin - Maximum password life: 180 days 00:00:00 - Minimum password life: 00:00:00 - Minimum password length: 6 - Minimum number of password character classes: 2 - Number of old keys kept: 5 - Reference count: 17 - kadmin: get_policy -terse admin - admin 15552000 0 6 2 5 17 - kadmin: - - ERRORS - KADM5_AUTH_GET (requires the get privilege) - KADM5_UNK_POLICY (policy does not exist) - -get_policies [expression] - Retrieves all or some policy names. _expression_ is a - shell-style glob expression that can contain the wild-card - characters ?, *, and []'s. All policy names matching the - expression are printed. If no expression is provided, the - expression "*" is assumed. Requires the "list" priviledge. - Alias "getpols". - - EXAMPLES - kadmin: getpols - test-pol - dict-only - once-a-min - test-pol-nopw - kadmin: getpols t* - test-pol - test-pol-nopw - kadmin: - -ktadd [-k keytab] [-q] [principal | -glob princ-exp] [...] - Adds principal or all principals matching princ-exp to a - keytab. princ-exp follows the same rules described for the - get_principals command. An entry for each of the principal's - unique encryption types is added, ignoring multiple keys with - the same encryption type but different salt types. If the -k - argument is not specified, the default keytab /etc/v5srvtab is - used. If the -q option is specified, less verbose status - information is displayed. - - The -glob option requires the "list" privilege. - - EXAMPLES - kadmin% ktadd -k /krb5/kadmind.keytab kadmin/admin kadmin/changepw - kadmin: Entry for principal kadmin/admin@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:/krb5/kadmind.keytab. - kadmin: Entry for principal kadmin/changepw@ATHENA.MIT.EDU - with kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:/krb5/kadmind.keytab. 
- kadmin: - -ktremove [-k keytab] [-q] principal [kvno|"all"|"old"] - Removes entries for the specified principal from a keytab. If - the string "all" is specified, all entries for that principal - are removed; if the string "old" is specified, all entries for - that principal except those with the highest kvno are removed. - Otherwise, the value specified is parsed as an integer, and - all entries whose kvno match that integer are removed. If the - -k argument is not specifeid, the default keytab /etc/v5srvtab - is used. If the -q is specified, less verbose status - information is displayed. - - EXAMPLES - kadmin: ktremove -k /krb5/kadmind.keytab kadmin/admin - kadmin: Entry for principal kadmin/admin with kvno 3 removed - from keytab WRFILE:/krb5/kadmind.keytab. - kadmin: - -SEE ALSO - kerberos(1), kdb5_util(8) - - diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M new file mode 100644 index 000000000..db298a246 --- /dev/null +++ b/src/kadmin/cli/kadmin.M 
@@ -0,0 +1,761 @@ +.so man1/header.doc +.TH KADMIN 8 \*h +.SH NAME +kadmin \- Kerberos V5 database administration program +.SH SYNOPSYS +.TP +.B kadmin +.ad l +[\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP] +.br +[[\fB-c\fP \fIcache_name\fP] | [\fB-k\fP [\fB-t\fP +\fIkeytab\fP]]] [\fB\-w\fP \fIpassword\fP] [\fB\-s\fP +\fIadmin_server\fP[\fI:port\fP] +.TP "\w'.B kadmin.local\ 'u" +.B kadmin.local +[\fB\-r\fP \fIrealm\fP] [\fB\-p\fP \fIprincipal\fP] [\fB\-q\fP \fIquery\fP] +.br +[\fB\-d\fP \fIdbname\fP] [\fB\-e \fI"enc:salt ..."\fP] [\fB-m\fP] +.ad b +.SH DESCRIPTION +.B kadmin +and +.B kadmin.local +are command-line interfaces to the Kerberos V5 KADM5 administration +system. Both +.B kadmin +and +.B kadmin.local +provide identical functionalities; the difference is that +.B kadmin.local +runs on the master KDC and does not use Kerberos to authenticate to the +database. Except as explicitly noted otherwise, this man page will use +.B kadmin +to refer to both versions. +.B kadmin +provides for the maintenance of Kerberos principals, KADM5 policies, and +service key tables (keytabs). +.PP +The remote version uses Kerberos authentication and an encrypted RPC, to +operate securely from anywhere on the network. It authenticates to the +KADM5 server using the service principal +.IR kadmin/admin . +If the credentials cache contains a ticket for the +.I kadmin/admin +principal, and the +.B \-c +.I credentials_cache +option is specified, that ticket is used to authenticate to KADM5. +Otherwise, the +.B -p +and +.B -k +options are used to specify the client Kerberos principal name used to +authenticate. Once +.B kadmin +has determined the principal name, it requests a +.I kadmin/admin +Kerberos service ticket from the KDC, and uses that service ticket to +authenticate to KADM5. +.PP +The local client +.BR kadmin.local , +is intended to run directly on the master KDC without Kerberos +authentication. 
The local version provides all of the functionality of +the now obsolete +.IR kdb5_edit (8), +except for database dump and load, which is now provided by the +.IR kdb5_util (8) +utility. +.PP +.SH OPTIONS +.TP +\fB\-r\fP \fIrealm\fP +Use +.I realm +as the default database realm. +.TP +\fB\-p\fP \fIprincipal\fP +Use +.I principal +to authenticate. Otherwise, kadmin will append "/admin" to the primary +principal name of the default ccache, the value of the +.SM USER +environment variable, or the username as obtained with getpwuid, in +order of preference. +.TP +\fB\-k\fP \fIkeytab\fP +Use +.I keytab +to decrypt the KDC response instead of prompting for a password on the +TTY. In this case, the default principal will be host/\fIhostname\fP. +.TP +\fB\-c\fP \fIcredentials_cache\fP +Use +.I credentials_cache +as the credentials cache. The +.I credentials_cache +should contain a service ticket for the +.I kadmin/admin +service; it can be acquired with the +.IR kinit (1) +program. If this option is not specified, +.B kadmin +requests a new service ticket from the KDC, and stores it in its own +temporary ccache. +.TP +\fB\-w\fP \fIpassword\fP +Use +.I password +instead of prompting for one on the TTY. Note: placing the password +for a Kerberos principal with administration access into a shell script +can be dangerous if unauthorized users gain read access to the script. +.TP +\fB\-q\fP \fIquery\fP +pass +.I query +directly to +.BR kadmin , +which will perform +.I query +and then exit. This can be useful for writing scripts. +.SH DATE FORMAT +Various commands in kadmin can take a variety of date formats, +specifying durations or absolute times. 
Examples of valid formats are: +.sp +.nf +.RS +1 month ago +2 hours ago +400000 seconds ago +last year +this Monday +next Monday +yesterday +tomorrow +now +second Monday +a fortnight ago +3/31/92 10:00:07 PST +January 23, 1987 10:05pm +22:00 GMT +.RE +.fi +.PP +Dates which do not have the "ago" specifier default to being absolute +dates, unless they appear in a field where a duration is expected. In +that case the time specifier will be interpreted as relative. +Specifying "ago" in a duration may result in unexpected behavior. +.PP +.SH COMMANDS +.TP +\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP +creates the principal +.IR newprinc , +prompting twice for a password. This command requires the +.I add +privilege. This command has the aliases +.B addprinc +and +.BR ank . +The options are: +.RS +.TP +\fB\-expire\fP \fIexpdate\fP +expiration date of the principal +.TP +\fB\-pwexpire\fP \fIpwexpdate\fP +password expiration date +.TP +\fB\-maxlife\fP \fImaxlife\fP +maximum ticket life for the principal +.TP +\fB\-maxrenewlife\fP \fImaxrenewlife\fP +maximum renewable life of tickets for the principal +.TP +\fB\-kvno\fP \fIkvno\fP +explicity set the key version number. +.TP +\fB\-policy\fP \fIpolicy\fP +policy used by this principal. If no policy is supplied, the principal +will default to having no policy, and a warning message will be printed. +.TP +{\fB\-\fP|\fB+\fP}\fBallow_postdated\fP +.B -allow_postdated +prohibits this principal from obtaining postdated tickets. (Sets the +.SM KRB5_KDB_DISALLOW_POSTDATED +flag.) +.B +allow_postdated +clears this flag. +.TP +{\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP +.B -allow_forwardable +prohibits this principal from obtaining forwardable tickets. (Sets the +.SM KRB5_KDB_DISALLOW_FORWARDABLE +flag.) +.B +allow_forwardable +clears this flag. +.TP +{\fB\-\fP|\fB+\fP}\fBallow_renewable\fP +.B -allow_renewable +prohibits this principal from obtaining renewable tickets. (Sets the +.SM KRB5_KDB_DISALLOW_RENEWABLE +flag.) 
+.B +allow_renewable +clears this flag. +.TP +{\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP +.B -allow_proxiable +prohibits this principal from obtaining proxiable tickets. (Sets the +.SM KRB5_KDB_DISALLOW_PROXIABLE +flag.) +.B +allow_proxiable +clears this flag. +.TP +{\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP +.B -allow_dup_skey +Disables user-to-user authentication for this principal by prohibiting +this principal from obtaining a session key for another user. (Sets the +.SM KRB5_KDB_DISALLOW_DUP_SKEY +flag.) +.B +allow_dup_skey +clears this flag. +.TP +{\fB\-\fP|\fB+\fP}\fBrequires_preauth\fP +.B +requires_preauth +requires this principal to preauthenticate before being allowed to +kinit. (Sets the +.SM KRB5_KDB_REQUIRES_PRE_AUTH +flag.) +.B -requires_preauth +clears this flag. +.TP +{\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP +.B +requires_hwauth +requires this principal to preauthenticate using a hardware device +before being allowed to kinit. (Sets the +.SM KRB5_KDB_REQUIRES_HW_AUTH +flag.) +.B -requires_hwauth +clears this flag. +.TP +{\fB\-\fP|\fB+\fP}\fBallow_svr\fP +.B -allow_svr +prohibits the issuance of service tickets for this principal. (Sets the +.SM KRB5_KDB_DISALLOW_SVR +flag.) +.B +allow_svr +clears this flag. +.TP +{\fB\-\fP|\fB+\fP}\fBallow_tgs_req\fP +.B \-allow_tgs_req +specifies that a Ticket-Granting Service (TGS) request for a service +ticket for this principal is not permitted. This option is useless for +most things. +.B +allow_tgs_req +clears this flag. The default is +.BR +allow_tgs_req . +In effect, +.B \-allow_tgs_req +sets the +.SM KRB5_KDB_DISALLOW_TGT_BASED +flag on the principal in the database. +.TP +{\fB\-\fP|\fB+\fP}\fBallow_tix\fP +.B \-allow_tix +forbids the issuance of any tickets for this principal. +.B +allow_tix +clears this flag. The default is +.BR +allow_tix . +In effect, +.B \-allow_tix +sets the +.SM KRB5_KDB_DISALLOW_ALL_TIX +flag on the principal in the database. 
+.TP +{\fB\-\fP|\fB+\fP}\fBneedchange\fP +.B +needchange +sets a flag in attributes field to force a password change; +.B \-needchange +clears it. The default is +.BR \-needchange . +In effect, +.B +needchange +sets the +.SM KRB5_KDB_REQUIRES_PWCHANGE +flag on the principal in the database. +.TP +{\fB\-\fP|\fB+\fP}\fBpassword_changing_service\fP +.B +password_changing_service +sets a flag in the attributes field marking this as a password change +service principal (useless for most things). +.B \-password_changing_service +clears the flag. This flag intentionally has a long name. The default +is +.BR \-password_changing_service . +In effect, +.B +password_changing_service +sets the +.SM KRB5_KDB_PWCHANGE_SERVICE +flag on the principal in the database. +.TP +.B \-randkey +sets the key of the principal to a random value +.TP +\fB\-pw\fP \fIpassword\fP +sets the key of the principal to the specified string and does not +prompt for a password. Note: using this option in a shell script can +be dangerous if unauthorized users gain read access to the script. +.nf +.TP +EXAMPLE: +kadmin: addprinc tlyu/admin +WARNING: no policy specified for "tlyu/admin@BLEEP.COM"; +defaulting to no policy. +Enter password for principal tlyu/admin@BLEEP.COM: +Re-enter password for principal tlyu/admin@BLEEP.COM: +Principal "tlyu/admin@BLEEP.COM" created. +kadmin: +.TP +ERRORS: +KADM5_AUTH_ADD (requires "add" privilege) +KADM5_BAD_MASK (shouldn't happen) +KADM5_DUP (principal exists already) +KADM5_UNK_POLICY (policy does not exist) +KADM5_PASS_Q_* (password quality violations) +.fi +.RE +.TP +\fBdelete_principal\fP [\fB-force\fP] \fIprincipal\fP +deletes the specified principal from the database. This command prompts +for deletion, unless the +.B -force +option is given. This command requires the +.I delete +privilege. Aliased +to +.BR delprinc . +.sp +.nf +.RS +.TP +EXAMPLE: +kadmin: delprinc mwm_user +Are you sure you want to delete the principal +"mwm_user@BLEEP.COM"? 
(yes/no): yes +Principal "mwm_user@BLEEP.COM" deleted. +Make sure that you have removed this principal from +all ACLs before reusing. +kadmin: +.TP +ERRORS: +KADM5_AUTH_DELETE (reequires "delete" privilege) +KADM5_UNK_PRINC (principal does not exist) +.RE +.fi +.TP +\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP +modifies the specified principal, changing the fields as specified. The +options are as above for +.BR add_principal , +except that password changing is forbidden by this command. In +addition, the option +.B \-clearpolicy +will clear the current policy of a principal. This command requires the +.I modify +privilege. Aliased to +.BR modprinc . +.sp +.nf +.RS +.TP +ERRORS: +KADM5_AUTH_MODIFY (requires "modify" privilege) +KADM5_UNK_PRINC (principal does not exist) +KADM5_UNK_POLICY (policy does not exist) +KADM5_BAD_MASK (shouldn't happen) +.RE +.fi +.TP +\fBrename_principal\fP [\fB-force\fP] \fIold new\fP +rename the principal +.I old +to +.IR new . +Prompts for confirmation, unless the +.B \-force +option is given. Requires both the +.I add +and +.I delete +privileges. Aliased to +.BR renprinc . +.sp +.nf +.RS +.TP +EXAMPLE: +kadmin: renprinc tlyutest test0 +Are you sure you want to rename the principal +"tlyutest@BLEEP.COM" to +"test0@BLEEP.COM"? (yes/no): yes +Principal "tlyutest@BLEEP.COM" renamed to +"test0@BLEEP.COM". +Make sure that you have removed "tlyutest@BLEEP.COM" from +all ACLs before reusing. +kadmin: +.TP +ERRORS: +KADM5_AUTH_ADD (requires "add" privilege) +KADM5_AUTH_DELETE (requires "delete" privilege) +KADM5_UNK_PRINC (source principal does not exist) +KADM5_DUP (target principal already exists) +.RE +.fi +.TP +\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP +changes the password of +.IR principal . +Prompts for a new password if neither +.B \-randkey +or +.B \-pw +is specified. Requires the +.I changepw +privilege, or that the principal that is running the program to be the +same as the one changed. Aliased to +.BR cpw . 
+The following options are available: +.RS +.TP +.B \-randkey +sets the key of the principal to a random value +.TP +\fB\-pw\fP \fIpassword\fP +set the password to the specified string. Not recommended. +.nf +.TP +EXAMPLE: +kadmin: cpw systest +Enter password for principal systest@BLEEP.COM: +Re-enter password for principal systest@BLEEP.COM: +Password for systest@BLEEP.COM changed. +kadmin: +.TP +ERRORS: +KADM5_AUTH_MODIFY (requires the modify privilege) +KADM5_UNK_PRINC (principal does not exist) +KADM5_PASS_Q_* (password policy violation errors) +KADM5_PADD_REUSE (password is in principal's password +history) +KADM5_PASS_TOOSOON (current password minimum life not +expired) +.RE +.fi +.TP +\fBget_principal\fP [\fB-terse\fP] \fIprincipal\fP +gets the attributes of +.IR principal . +Requires the +.I inquire +privilege, or that the principal that is running the the program to be +the same as the one being listed. With the +.B \-terse +option, outputs fields as quoted tab-separated strings. Alias +.BR listprincs . +.sp +.nf +.RS +.TP +EXAMPLES: +kadmin: getprinc tlyu/admin +Principal: tlyu/admin@BLEEP.COM +Expiration date: [never] +Last password change: Mon Aug 12 14:16:47 EDT 1996 +Password expiration date: [none] +Maximum ticket life: 0 days 10:00:00 +Maximum renewable life: 7 days 00:00:00 +Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) +Last successful authentication: [never] +Last failed authentication: [never] +Failed password attempts: 0 +Number of keys: 2 +Key: vno 1, DES cbc mode with CRC-32, no salt +Key: vno 1, DES cbc mode with CRC-32, Version 4 +Attributes: +Policy: [none] +kadmin: getprinc -terse systest +systest@BLEEP.COM 3 86400 604800 1 +785926535 753241234 785900000 +tlyu/admin@BLEEP.COM 786100034 0 0 +kadmin: +.TP +ERRORS: +KADM5_AUTH_GET (requires the get (inquire) privilege) +KADM5_UNK_PRINC (principal does not exist) +.RE +.fi +.TP +\fBlist_principals\fP [\fIexpression\fP] +Retrieves all or some principal names. 
+.I Expression +is a shell-style glob expression that can contain the wild-card +characters \&?, *, and []'s. All principal names matching the +expression are printed. If no expression is provided, all principal +names are printed. If the expression does not contain an "@" character, +an "@" character followed by the local realm is appended to the +expression. Requires the +.I list +priviledge. Alias +.BR listprincs . +.nf +.RS +.TP +EXAMPLES: +kadmin: listprincs test* +test3@SECURE-TEST.OV.COM +test2@SECURE-TEST.OV.COM +test1@SECURE-TEST.OV.COM +testuser@SECURE-TEST.OV.COM +kadmin: +.RE +.fi +.TP +\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP +adds the named policy to the policy database. Requires the +.I add +privilege. Aliased to +.BR addpol . +The following options are available: +.RS +.TP +\fB\-maxlife\fP \fItime\fP +sets the maximum lifetime of a password +.TP +\fB\-minlife\fP \fItime\fP +sets the minimum lifetime of a password +.TP +\fB\-minlength\fP \fIlength\fP +sets the minimum length of a password +.TP +\fB\-minclasses\fP \fInumber\fP +sets the minimum number of character classes allowed in a password +.TP +\fB\-history\fP \fInumber\fP +sets the number of past keys kept for a principal +.sp +.nf +.TP +ERRORS: +KADM5_AUTH_ADD (requires the add privilege) +KADM5_DUP (policy already exists) +.fi +.RE +.TP +\fBdelete_policy\fP \fIpolicy\fB +deletes the named policy. Prompts for confirmation before deletion. +The command will fail if the policy is in use by any principals. +Requires the +.I delete +privilege. Alias +.BR delpol . +.sp +.nf +.RS +.TP +EXAMPLE: +kadmin: del_policy guests +Are you sure you want to delete the policy "guests"? +(yes/no): yes +Policy "guests" deleted. +kadmin: +.TP +ERRORS: +KADM5_AUTH_DELETE (requires the delete privilege) +KADM5_UNK_POLICY (policy does not exist) +KADM5_POLICY_REF (reference count on policy is not zero) +.RE +.fi +.TP +\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP +modifies the named policy. 
Options are as above for +.BR add_policy . +Requires the +.I modify +privilege. Alias +.BR modpol . +.sp +.nf +.RS +.TP +ERRORS: +KADM5_AUTH_MODIFY (requires the modify privilege) +KADM5_UNK_POLICY (policy does not exist) +.RE +.fi +.TP +\fBget_policy\fP [\fB\-terse\fP] \fIpolicy\fP +displays the values of the named policy. Requires the +.I inquire +privilege. With the +.B \-terse +flag, outputs the fields as quoted strings separated by tabs. Alias +.BR getpol . +.nf +.RS +.TP +EXAMPLES: +kadmin: get_policy admin +Policy: admin +Maximum password life: 180 days 00:00:00 +Minimum password life: 00:00:00 +Minimum password length: 6 +Minimum number of password character classes: 2 +Number of old keys kept: 5 +Reference count: 17 +kadmin: get_policy -terse admin +admin 15552000 0 6 2 5 17 +kadmin: +.TP +ERRORS: +KADM5_AUTH_GET (requires the get privilege) +KADM5_UNK_POLICY (policy does not exist) +.RE +.fi +.TP +\fBlist_policies\fP [\fIexpression\fP] +Retrieves all or some policy names. +.I Expression +is a shell-style glob expression that can contain the wild-card +characters \&?, *, and []'s. All policy names matching the expression +are printed. If no expression is provided, all existing policy names +are printed. Requires the +.I list +priviledge. Alias +.BR listpols . +.sp +.nf +.RS +.TP +EXAMPLES: +kadmin: listpols +test-pol +dict-only +once-a-min +test-pol-nopw +kadmin: listpols t* +test-pol +test-pol-nopw +kadmin: +.RE +.fi +.TP +\fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP] +Adds a principal or all principals matching +.I princ-exp +to a keytab. Requires the +.I inquire +privilege. An entry for each of the principal's unique encryption types +is added, ignoring multiple keys with the same encryption type but +different salt types. If the +.B \-k +argument is not specified, the default keytab +.I /etc/v5srvtab +is used. 
If the +.B \-q +option is specified, less verbose status information is displayed. +.sp +The +.B -glob +option requires the +.I list +privilege. +.I princ-exp +follows the same rules described for the +.B list_principals +command. +.sp +.nf +.RS +.TP +EXAMPLE: +kadmin: ktadd -k /krb5/kadmind.keytab kadmin/admin kadmin/changepw +Entry for principal kadmin/admin@ATHENA.MIT.EDU with + kvno 3, encryption type DES-CBC-CRC added to keytab + WRFILE:/krb5/kadmind.keytab. +Entry for principal kadmin/changepw@ATHENA.MIT.EDU + with kvno 3, encryption type DES-CBC-CRC added to keytab + WRFILE:/krb5/kadmind.keytab. +kadmin: +.RE +.fi +.TP +\fBktremove\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] \fIprincipal\fP [\fIkvno\fP | \fBall\fP | \fBold\fP] +Removes entries for the specified principal from a keytab. Requires no +permissions, since this does not require database access. If the string +"all" is specified, all entries for that principal are removed; if the +string "old" is specified, all entries for that principal except those +with the highest kvno are removed. Otherwise, the value specified is +parsed as an integer, and all entries whose kvno match that integer are +removed. If the +.B \-k +argument is not specifeid, the default keytab +.I /etc/v5srvtab +is used. If the +.B \-q +option is specified, less verbose status information is displayed. +.sp +.nf +.RS +.TP +EXAMPLE: +kadmin: ktremove -k /krb5/kadmind.keytab kadmin/admin +Entry for principal kadmin/admin with kvno 3 removed + from keytab WRFILE:/krb5/kadmind.keytab. +kadmin: +.RE +.fi +.SH FILES +.TP "\w'.kadm5.lock\ \ 'u" +principal.db +default name for Kerberos principal database +.TP +.kadm5 +KADM5 administrative database. (This would be "principal.kadm5", if you +use the default database name.) Contains policy information. +.TP +.kadm5.lock +lock file for the KADM5 administrative database. This file works +backwards from most other lock files. 
I.e., +.B kadmin +will exit with an error if this file does +.I not +exist. +.TP +kadm5.acl +file containing list of principals and their +.B kadmin +administrative privileges. See +.IR kadmind (8) +for a description. +.TP +kadm5.keytab +keytab file for +.I kadmin/admin +principal. +.TP +kadm5.dict +file containing dictionary of strings explicitly disallowed as +passwords. +.SH HISTORY +The +.B kadmin +prorgam was originally written by Tom Yu at MIT, as an interface to the +OpenVision Kerberos administration program. +.SH SEE ALSO +.IR kerberos (1), +.IR kpasswd (1), +.IR kadmind (8) +.SH BUGS +.PP +Command output needs to be cleaned up. diff --git a/src/kadmin/cli/kadmin.local.M b/src/kadmin/cli/kadmin.local.M new file mode 100644 index 000000000..cf447d7e6 --- /dev/null +++ b/src/kadmin/cli/kadmin.local.M @@ -0,0 +1 @@ +.so man8/kadmin.8 -- 2.26.2
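Review bot: in the kadmin.M hunk the alias given for get_principal is wrong: the entry ends with "Alias .BR listprincs ." but the example immediately below invokes it as "kadmin: getprinc tlyu/admin", and listprincs is already claimed as the alias of list_principals; it should read "Alias .BR getprinc ." In the same hunk, the delete_policy header "\fBdelete_policy\fP \fIpolicy\fB" closes the italic with \fB instead of \fP, which leaves the rest of the entry in bold; and the cpw ERRORS list names KADM5_PADD_REUSE, which looks like a typo for KADM5_PASS_REUSE alongside KADM5_PASS_Q_* and KADM5_PASS_TOOSOON. Spelling to fix: "priviledge" (list_principals and list_policies), "the the program" (get_principal), "not specifeid" (ktremove), "prorgam" (HISTORY). The \-pw option is marked "Not recommended." without saying why; a short reason (the password is given on the kadmin command line, so it is visible in the command history and to anyone watching the terminal) would help the reader choose \-randkey. Finally, the .nf/.RS and .RE/.fi nesting is inconsistent between entries (cpw opens .RS then .nf but closes .RE then .fi; add_policy closes .fi then .RE); picking one order everywhere avoids stray indentation or fill-mode changes in the rendered page.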
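Review bot: the kadmin.local.M hunk is a single ".so man8/kadmin.8" line, so the page resolves only if the kadmin page is installed as man8/kadmin.8 in the same man tree and the formatter is given the tree root as its search path; this dependency on the install layout is not recorded anywhere in the hunk, and a one-line troff comment (for example ".\" kadmin.local shares the kadmin(8) page") would make the intent clear and keep the link from silently breaking if the section or directory name changes.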