Lines Matching +full:non +full:- +full:secure +full:- +full:otp

32 kadmin \- Kerberos V5 database administration program
36 [\fB\-O\fP|\fB\-N\fP]
37 [\fB\-r\fP \fIrealm\fP]
38 [\fB\-p\fP \fIprincipal\fP]
39 [\fB\-q\fP \fIquery\fP]
40 [[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP]
41 [\fB\-w\fP \fIpassword\fP]
42 [\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
46 [\fB\-r\fP \fIrealm\fP]
47 [\fB\-p\fP \fIprincipal\fP]
48 [\fB\-q\fP \fIquery\fP]
49 [\fB\-d\fP \fIdbname\fP]
50 [\fB\-e\fP \fIenc\fP:\fIsalt\fP ...]
51 [\fB\-m\fP]
52 [\fB\-x\fP \fIdb_args\fP]
56 kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
67 (where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
69 principals, and the \fB\-c\fP credentials_cache option is specified, that
70 ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and
71 \fB\-k\fP options are used to specify the client Kerberos principal name
83 \fB\-r\fP \fIrealm\fP
86 \fB\-p\fP \fIprincipal\fP
92 \fB\-k\fP
96 \fB\-t\fP option, then the default keytab will be used.
98 \fB\-t\fP \fIkeytab\fP
100 with the \fB\-k\fP option.
102 \fB\-n\fP
106 krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal
108 at\-sign and a realm name). If permitted by the KDC, an anonymous
110 supported; these realm\-exposed tickets hide the identity of the
112 \-n\fP with a normal principal name. If supported by the KDC, the
117 \fB\-c\fP \fIcredentials_cache\fP
120 \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified
126 \fB\-w\fP \fIpassword\fP
131 \fB\-q\fP \fIquery\fP
134 \fB\-d\fP \fIdbname\fP
138 \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
141 \fB\-m\fP
145 \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
150 \fB\-O\fP
153 \fB\-N\fP
156 \fB\-x\fP \fIdb_args\fP
161 Starting with release 1.14, if any command\-line arguments remain after
173 Confirmation prompts are disabled (as if \fB\-force\fP was given).
176 The exit status will be non\-zero if the query fails.
179 The \fB\-q\fP option does not carry these behavior differences; the query
180 will be processed as if it was entered interactively. The \fB\-q\fP
185 Database options can be used to override database\-specific defaults.
191 \fB\-x dbname=\fP*filename*
194 \fB\-x lockiter\fP
202 \fB\-x unlockiter\fP
215 \fB\-x host=\fP\fIldapuri\fP
218 \fB\-x binddn=\fP\fIbind_dn\fP
221 \fB\-x bindpwd=\fP\fIpassword\fP
228 \fB\-x sasl_mech=\fP\fImechanism\fP
233 \fB\-x sasl_authcid=\fP\fIname\fP
238 \fB\-x sasl_authzid=\fP\fIname\fP
242 \fB\-x sasl_realm=\fP\fIrealm\fP
247 \fB\-x debug=\fP\fIlevel\fP
267 no password policy is specified with the \fB\-policy\fP option, and the
271 assignment can be suppressed with the \fB\-clearpolicy\fP option.
280 \fB\-expire\fP \fIexpdate\fP
283 \fB\-pwexpire\fP \fIpwexpdate\fP
286 \fB\-maxlife\fP \fImaxlife\fP
290 \fB\-maxrenewlife\fP \fImaxrenewlife\fP
294 \fB\-kvno\fP \fIkvno\fP
297 \fB\-policy\fP \fIpolicy\fP
299 policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
302 \fB\-clearpolicy\fP
303 Prevents any policy from being assigned when \fB\-policy\fP is not
306 {\-|+}\fBallow_postdated\fP
307 \fB\-allow_postdated\fP prohibits this principal from obtaining
310 {\-|+}\fBallow_forwardable\fP
311 \fB\-allow_forwardable\fP prohibits this principal from obtaining
314 {\-|+}\fBallow_renewable\fP
315 \fB\-allow_renewable\fP prohibits this principal from obtaining
318 {\-|+}\fBallow_proxiable\fP
319 \fB\-allow_proxiable\fP prohibits this principal from obtaining
322 {\-|+}\fBallow_dup_skey\fP
323 \fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
328 {\-|+}\fBrequires_preauth\fP
330 before being allowed to kinit. \fB\-requires_preauth\fP clears this
336 {\-|+}\fBrequires_hwauth\fP
339 \fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is
344 {\-|+}\fBok_as_delegate\fP
348 authenticating to the service. \fB\-ok_as_delegate\fP clears this
351 {\-|+}\fBallow_svr\fP
352 \fB\-allow_svr\fP prohibits the issuance of service tickets for this
353 principal. In release 1.17 and later, user\-to\-user service
354 tickets are still allowed unless the \fB\-allow_dup_skey\fP flag is
357 {\-|+}\fBallow_tgs_req\fP
358 \fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
362 {\-|+}\fBallow_tix\fP
363 \fB\-allow_tix\fP forbids the issuance of any tickets for this
366 {\-|+}\fBneedchange\fP
368 authentication to this principal. \fB\-needchange\fP clears this
371 {\-|+}\fBpassword_changing_service\fP
375 {\-|+}\fBok_to_auth_as_delegate\fP
380 {\-|+}\fBno_auth_data_required\fP
381 \fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from
384 {\-|+}\fBlockdown_keys\fP
395 \fB\-randkey\fP
398 \fB\-nokey\fP
402 \fB\-pw\fP \fIpassword\fP
408 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
413 \fB\-x\fP \fIdb_princ_args\fP
414 Indicates database\-specific options. The options for the LDAP
418 \fB\-x dn=\fP\fIdn\fP
422 \fB\-x linkdn=\fP\fIdn\fP
426 \fB\-x containerdn=\fP\fIcontainer_dn\fP
430 \fB\-x tktpolicy=\fP\fIpolicy\fP
464 Re\-enter password for principal jennifer@ATHENA.MIT.EDU:
480 for the \fB\-randkey\fP, \fB\-pw\fP, and \fB\-e\fP options. In addition, the
481 option \fB\-clearpolicy\fP will clear the current policy of a principal.
490 \fB\-unlock\fP
498 \fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
503 command prompts for confirmation, unless the \fB\-force\fP option is
512 \fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
517 prompts for deletion, unless the \fB\-force\fP option is given.
530 neither \fB\-randkey\fP or \fB\-pw\fP is specified.
541 \fB\-randkey\fP
544 \fB\-pw\fP \fIpassword\fP
549 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
554 \fB\-keepold\fP
567 Re\-enter password for principal systest@BLEEP.COM:
577 \fBpurgekeys\fP [\fB\-all\fP|\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
582 \-keepold\fP) from \fIprincipal\fP\&. If \fB\-keepkvno\fP is specified, then
584 \fB\-all\fP is specified, then all keys are purged. The \fB\-all\fP option
591 \fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
595 Gets the attributes of principal. With the \fB\-terse\fP option, outputs
596 fields as quoted tab\-separated strings.
621 Key: vno 1, aes256\-cts\-hmac\-sha384\-192
626 kadmin: getprinc \-terse systest
642 Retrieves all or some principal names. \fIexpression\fP is a shell\-style
643 glob expression that can contain the wild\-card characters \fB?\fP,
661 test3@SECURE\-TEST.OV.COM
662 test2@SECURE\-TEST.OV.COM
663 test1@SECURE\-TEST.OV.COM
664 testuser@SECURE\-TEST.OV.COM
690 supply per\-principal configuration to the KDC and some KDC plugin
707 \fBotp\fP
708 Enables One Time Passwords (OTP) preauthentication for a client
724 "aes256\-sha1" on the cross\-realm krbtgt entry for an Active
725 Directory realm when using aes\-sha2 keys on the local krbtgt
739 set_string host/foo.mit.edu session_enctypes aes128\-cts
740 set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
773 \fB\-maxlife\fP \fItime\fP
777 \fB\-minlife\fP \fItime\fP
781 \fB\-minlength\fP \fIlength\fP
784 \fB\-minclasses\fP \fInumber\fP
789 \fB\-history\fP \fInumber\fP
795 \fB\-maxfailure\fP \fImaxnumber\fP
804 \fB\-failurecountinterval\fP \fIfailuretime\fP
813 \fB\-lockoutduration\fP \fIlockouttime\fP
819 with \fBmodprinc \-unlock\fP\&.
821 \fB\-allowedkeysalts\fP
822 Specifies the key/salt tuples supported for long\-term keys when
827 a value of \(aq\-\(aq.
836 kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
858 \fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
887 \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
892 \fB\-terse\fP flag, outputs the fields as quoted strings separated by
914 kadmin: get_policy \-terse admin
932 Retrieves all or some policy names. \fIexpression\fP is a shell\-style
933 glob expression that can contain the wild\-card characters \fB?\fP,
949 test\-pol
950 dict\-only
951 once\-a\-min
952 test\-pol\-nopw
955 test\-pol
956 test\-pol\-nopw
967 \fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP
973 Adds a \fIprincipal\fP, or all principals matching \fIprinc\-exp\fP, to a
975 The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
979 With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
984 \fB\-k[eytab]\fP \fIkeytab\fP
988 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
993 \fB\-q\fP
996 \fB\-norandkey\fP
999 \fB\-e\fP option.
1014 kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
1016 encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab
1017 FILE:/tmp/foo\-new\-keytab
1042 \fB\-k[eytab]\fP \fIkeytab\fP
1046 \fB\-q\fP
1097 1985-2024, MIT