xref: /freebsd/crypto/heimdal/kadmin/kadmin.8 (revision 6a068746777241722b2b32c5d0bc443a2a64d80b)
.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd Feb  22, 2007
.Dt KADMIN 8
.Os HEIMDAL
.Sh NAME
.Nm kadmin
.Nd Kerberos administration utility
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
.Op Fl l | Fl Fl local
.Op Fl h | Fl Fl help
.Op Fl v | Fl Fl version
.Op Ar command
.Ek
.Sh DESCRIPTION
The
.Nm
program is used to make modifications to the Kerberos database, either remotely via the
.Xr kadmind 8
daemon, or locally (with the
.Fl l
option).
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl p Ar string , Fl Fl principal= Ns Ar string
principal to authenticate as
.It Fl K Ar string , Fl Fl keytab= Ns Ar string
keytab for authentication principal
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of master key file
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
realm to use
.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
server to contact
.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
port to use
.It Fl l , Fl Fl local
local admin mode
.El
.Pp
If no
.Ar command
is given on the command line,
.Nm
will prompt for commands to process. Some of the commands that take
one or more principals as argument
.Ns ( Nm delete ,
.Nm ext_keytab ,
.Nm get ,
.Nm modify ,
and
.Nm passwd )
will accept a glob style wildcard, and perform the operation on all
matching principals.
.Pp
Commands include:
.\" not using a list here, since groff apparently gets confused
.\" with nested Xo/Xc
.Pp
.Nm add
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
.Op Fl Fl key= Ns Ar string
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl attributes= Ns Ar attributes
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Ar principal...
.Bd -ragged -offset indent
Adds a new principal to the database. The options not passed on the
command line will be prompted for.
.Ed
.Pp
.Nm add_enctype
.Op Fl r | Fl Fl random-key
.Ar principal enctypes...
.Bd -ragged -offset indent
Adds a new encryption type to the principal; only random keys are
supported.
.Ed
.Pp
.Nm delete
.Ar principal...
.Bd -ragged -offset indent
Removes a principal.
.Ed
.Pp
.Nm del_enctype
.Ar principal enctypes...
.Bd -ragged -offset indent
Removes some enctypes from a principal; this can be useful if the
service belonging to the principal is known to not handle certain
enctypes.
.Ed
.Pp
.Nm ext_keytab
.Oo Fl k Ar string \*(Ba Xo
.Fl Fl keytab= Ns Ar string
.Xc
.Oc
.Ar principal...
.Bd -ragged -offset indent
Creates a keytab with the keys of the specified principals.
.Ed
.Pp
.Nm get
.Op Fl l | Fl Fl long
.Op Fl s | Fl Fl short
.Op Fl t | Fl Fl terse
.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
.Ar principal...
.Bd -ragged -offset indent
Lists the matching principals. The short format prints the result as a
table, while the long format produces more verbose output. Which columns
to print can be selected with the
.Fl o
option. The argument is a comma separated list of column names, each
optionally followed by an equal sign
.Pq Sq =
and a column header. Which columns are printed by default differs
slightly between short and long output.
.Pp
The default terse output format is similar to
.Fl s o Ar principal= ,
just printing the names of matched principals.
.Pp
Possible column names include:
.Li principal ,
.Li princ_expire_time ,
.Li pw_expiration ,
.Li last_pwd_change ,
.Li max_life ,
.Li max_rlife ,
.Li mod_time ,
.Li mod_name ,
.Li attributes ,
.Li kvno ,
.Li mkvno ,
.Li last_success ,
.Li last_failed ,
.Li fail_auth_count ,
.Li policy ,
and
.Li keytypes .
.Ed
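The following is an added example, not code from Heimdal or from this manual page: it parses the column-info argument described above (comma separated column names, each optionally followed by "=" and a header) and validates the names against the list the page gives, so a typo in an audit script is caught before anything is run. The function names, the rule that a missing header defaults to the column name, and the sample principal glob are this example's own assumptions.

```python
"""Parser and validator for the argument of kadmin get -o/--column-info.

Added example, not Heimdal code.  Column names are the ones listed in
the kadmin manual page; everything else here is an assumption made for
illustration.
"""

# Column names the manual page lists for "kadmin get".
KNOWN_COLUMNS = frozenset({
    "principal", "princ_expire_time", "pw_expiration", "last_pwd_change",
    "max_life", "max_rlife", "mod_time", "mod_name", "attributes", "kvno",
    "mkvno", "last_success", "last_failed", "fail_auth_count", "policy",
    "keytypes",
})


def parse_column_info(spec):
    """Return a list of (column, header) pairs from a -o argument.

    "name" yields (name, name); "name=Header" yields (name, "Header");
    "name=" yields (name, "") which is what the terse format resembles.
    Raises ValueError on an empty item, an unknown name or a duplicate.
    """
    columns = []
    seen = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty column entry in %r" % spec)
        name, sep, header = item.partition("=")
        if name not in KNOWN_COLUMNS:
            raise ValueError("unknown column %r" % name)
        if name in seen:
            raise ValueError("column %r given twice" % name)
        seen.add(name)
        # Assumption: without "=" the header defaults to the column name.
        columns.append((name, header if sep else name))
    return columns


def column_info_error(spec):
    """Return the validation error message for spec, or None if valid."""
    try:
        parse_column_info(spec)
    except ValueError as err:
        return str(err)
    return None


def build_get_argv(spec, principals, local=True):
    """Build an argv for "kadmin get -s -o spec principals..." after
    validating spec, so a bad column list never reaches the tool.
    (Hypothetical helper; the -l/-s/-o flags are the manual's.)"""
    parse_column_info(spec)
    argv = ["kadmin"]
    if local:
        argv.append("-l")
    argv += ["get", "-s", "-o", spec]
    argv += list(principals)
    return argv


if __name__ == "__main__":
    # Constructed sample: review kvno and auth-failure counters for all
    # host principals (the manual says "get" accepts glob wildcards).
    spec = "principal,kvno=Version,fail_auth_count=Failures"
    print(build_get_argv(spec, ["host/*"]))
    print(column_info_error("principal,knvo"))
```

The validator rejects unknown names rather than letting kadmin print an empty column, which is the failure mode that makes an automated review silently miss data.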
.Pp
.Nm modify
.Oo Fl a Ar attributes \*(Ba Xo
.Fl Fl attributes= Ns Ar attributes
.Xc
.Oc
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Op Fl Fl kvno= Ns Ar number
.Ar principal...
.Bd -ragged -offset indent
Modifies certain attributes of a principal. If run without command
line options, you will be prompted. With command line options, it will
only change the ones specified.
.Pp
Possible attributes are:
.Li new-princ ,
.Li support-desmd5 ,
.Li pwchange-service ,
.Li disallow-svr ,
.Li requires-pw-change ,
.Li requires-hw-auth ,
.Li requires-pre-auth ,
.Li disallow-all-tix ,
.Li disallow-dup-skey ,
.Li disallow-proxiable ,
.Li disallow-renewable ,
.Li disallow-tgt-based ,
.Li disallow-forwardable ,
.Li disallow-postdated
.Pp
Attributes may be negated with a "-", e.g.,
.Pp
kadmin -l modify -a -disallow-proxiable user
.Ed
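As an added example (not Heimdal's own parser), the block below parses an attribute list in the form the manual page describes, with a leading "-" negating an attribute, and reports which restrictive attributes a change would clear, which is what a change-review script for modify commands needs to flag. The attribute names are the ones listed above; treating the argument as a comma separated list, rejecting an attribute that is both set and cleared in one call, and the "restrictive" classification are this example's assumptions.

```python
"""Parser for the attribute argument of kadmin modify -a/--attributes.

Added example, not Heimdal code.  The attribute names come from the
kadmin manual page; the comma-separated syntax, the conflict check and
the RESTRICTIVE classification are assumptions made for illustration.
"""

# Attribute names the manual page lists for "kadmin modify".
KNOWN_ATTRIBUTES = frozenset({
    "new-princ", "support-desmd5", "pwchange-service", "disallow-svr",
    "requires-pw-change", "requires-hw-auth", "requires-pre-auth",
    "disallow-all-tix", "disallow-dup-skey", "disallow-proxiable",
    "disallow-renewable", "disallow-tgt-based", "disallow-forwardable",
    "disallow-postdated",
})

# Assumption: attributes that limit what a principal (or its tickets)
# may do; clearing one of these widens the principal's capabilities.
RESTRICTIVE = frozenset(
    a for a in KNOWN_ATTRIBUTES if a.startswith(("disallow-", "requires-"))
)


def parse_attributes(spec):
    """Return (to_set, to_clear) as sorted lists.

    "name" sets the attribute, "-name" clears it (the manual's negation).
    Raises ValueError on an empty item, an unknown name, or a name that
    is both set and cleared in the same spec.
    """
    to_set, to_clear = set(), set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty attribute entry in %r" % spec)
        negated = item.startswith("-")
        name = item[1:] if negated else item
        if name not in KNOWN_ATTRIBUTES:
            raise ValueError("unknown attribute %r" % name)
        (to_clear if negated else to_set).add(name)
    conflict = to_set & to_clear
    if conflict:
        raise ValueError("attribute(s) both set and cleared: %s"
                         % ", ".join(sorted(conflict)))
    return sorted(to_set), sorted(to_clear)


def attribute_error(spec):
    """Return the validation error message for spec, or None if valid."""
    try:
        parse_attributes(spec)
    except ValueError as err:
        return str(err)
    return None


def loosened_protections(spec):
    """Restrictive attributes that spec would clear, e.g. the
    "-disallow-proxiable" in the manual page's example command."""
    _, to_clear = parse_attributes(spec)
    return sorted(a for a in to_clear if a in RESTRICTIVE)


if __name__ == "__main__":
    # Constructed sample mirroring the manual's example plus one more change.
    sample = "-disallow-proxiable,requires-pre-auth"
    print(parse_attributes(sample))
    print("would loosen:", loosened_protections(sample))
```

A review hook that runs loosened_protections over proposed modify commands can require a second approval when the list is non-empty, while changes that only add restrictions pass through.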
.Pp
.Nm passwd
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Oo Fl p Ar string \*(Ba Xo
.Fl Fl password= Ns Ar string
.Xc
.Oc
.Op Fl Fl key= Ns Ar string
.Ar principal...
.Bd -ragged -offset indent
Changes the password of an existing principal.
.Ed
.Pp
.Nm password-quality
.Ar principal
.Ar password
.Bd -ragged -offset indent
Runs the password quality check function locally.
You can run this on the host that is configured to run the kadmind
process to verify that your configuration file is correct.
The verification is always done locally; even if kadmin is run in remote
mode, no RPC call is made to the server.
.Ed
2535e9cd1aeSAssar Westerlund.Pp
254c19800e8SDoug Rabson.Nm privileges
25545524cd7SAssar Westerlund.Bd -ragged -offset indent
256c19800e8SDoug RabsonLists the operations you are allowed to perform. These include
257c19800e8SDoug Rabson.Li add ,
258c19800e8SDoug Rabson.Li add_enctype ,
259c19800e8SDoug Rabson.Li change-password ,
260c19800e8SDoug Rabson.Li delete ,
261c19800e8SDoug Rabson.Li del_enctype ,
262c19800e8SDoug Rabson.Li get ,
263c19800e8SDoug Rabson.Li list ,
264c19800e8SDoug Rabsonand
265c19800e8SDoug Rabson.Li modify .
2665e9cd1aeSAssar Westerlund.Ed
2675e9cd1aeSAssar Westerlund.Pp
2685e9cd1aeSAssar Westerlund.Nm rename
2695e9cd1aeSAssar Westerlund.Ar from to
27045524cd7SAssar Westerlund.Bd -ragged -offset indent
271c19800e8SDoug RabsonRenames a principal. This is normally transparent, but since keys are
272c19800e8SDoug Rabsonsalted with the principal name, they will have a non-standard salt,
273c19800e8SDoug Rabsonand clients which are unable to cope with this will fail. Kerberos 4
274c19800e8SDoug Rabsonsuffers from this.
2755e9cd1aeSAssar Westerlund.Ed
2765e9cd1aeSAssar Westerlund.Pp
277c19800e8SDoug Rabson.Nm check
278c19800e8SDoug Rabson.Op Ar realm
2795e9cd1aeSAssar Westerlund.Pp
28045524cd7SAssar Westerlund.Bd -ragged -offset indent
281c19800e8SDoug RabsonCheck database for strange configurations on important principals. If
282c19800e8SDoug Rabsonno realm is given, the default realm is used.
2835e9cd1aeSAssar Westerlund.Ed
2845e9cd1aeSAssar Westerlund.Pp
When running in local mode, the following commands can also be used:
.Pp
.Nm dump
.Op Fl d | Fl Fl decrypt
.Op Ar dump-file
.Bd -ragged -offset indent
Writes the database in
.Dq human readable
form to the specified file, or to standard output. If the database is
encrypted, the dump will also have encrypted keys, unless
.Fl Fl decrypt
is used.
.Ed
.Pp
.Nm init
.Op Fl Fl realm-max-ticket-life= Ns Ar string
.Op Fl Fl realm-max-renewable-life= Ns Ar string
.Ar realm
.Bd -ragged -offset indent
Initializes the Kerberos database with entries for a new realm. It's
possible to have more than one realm served by one server.
.Ed
.Pp
.Nm load
.Ar file
.Bd -ragged -offset indent
Reads a previously dumped database, and re-creates that database from
scratch.
.Ed
.Pp
.Nm merge
.Ar file
.Bd -ragged -offset indent
Similar to
.Nm load
but just modifies the database with the entries in the dump file.
.Ed
.Pp
.Nm stash
.Oo Fl e Ar enctype \*(Ba Xo
.Fl Fl enctype= Ns Ar enctype
.Xc
.Oc
.Oo Fl k Ar keyfile \*(Ba Xo
.Fl Fl key-file= Ns Ar keyfile
.Xc
.Oc
.Op Fl Fl convert-file
.Op Fl Fl master-key-fd= Ns Ar fd
.Bd -ragged -offset indent
Writes the Kerberos master key to a file used by the KDC.
.Ed
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kadmind 8 ,
.Xr kdc 8
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS