xref: /freebsd/crypto/heimdal/kadmin/kadmin.8 (revision 9a14aa017b21c292740c00ee098195cd46642730)
.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: kadmin.8 21739 2007-07-31 15:55:32Z lha $
.\"
.Dd Feb  22, 2007
.Dt KADMIN 8
.Os HEIMDAL
.Sh NAME
.Nm kadmin
.Nd Kerberos administration utility
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl p Ar string \*(Ba Xo
.Fl -principal= Ns Ar string
.Xc
.Oc
.Oo Fl K Ar string \*(Ba Xo
.Fl -keytab= Ns Ar string
.Xc
.Oc
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Xc
.Oc
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Xc
.Oc
.Oo Fl a Ar host \*(Ba Xo
.Fl -admin-server= Ns Ar host
.Xc
.Oc
.Oo Fl s Ar port number \*(Ba Xo
.Fl -server-port= Ns Ar port number
.Xc
.Oc
.Op Fl l | Fl -local
.Op Fl h | Fl -help
.Op Fl v | Fl -version
.Op Ar command
.Ek
.Sh DESCRIPTION
The
.Nm
program is used to make modifications to the Kerberos database, either remotely via the
.Xr kadmind 8
daemon, or locally (with the
.Fl l
option).
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl p Ar string ,
.Fl -principal= Ns Ar string
.Xc
principal to authenticate as
.It Xo
.Fl K Ar string ,
.Fl -keytab= Ns Ar string
.Xc
keytab for authentication principal
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl a Ar host ,
.Fl -admin-server= Ns Ar host
.Xc
server to contact
.It Xo
.Fl s Ar port number ,
.Fl -server-port= Ns Ar port number
.Xc
port to use
.It Xo
.Fl l ,
.Fl -local
.Xc
local admin mode
.El
.Pp
If no
.Ar command
is given on the command line,
.Nm
will prompt for commands to process. Some of the commands that take
one or more principals as argument
.Ns ( Nm delete ,
.Nm ext_keytab ,
.Nm get ,
.Nm modify ,
and
.Nm passwd )
will accept a glob-style wildcard, and perform the operation on all
matching principals.
.Pp
Commands include:
.\" not using a list here, since groff apparently gets confused
.\" with nested Xo/Xc
.Bd -ragged -offset indent
.Nm add
.Op Fl r | Fl -random-key
.Op Fl -random-password
.Oo Fl p Ar string \*(Ba Xo
.Fl -password= Ns Ar string
.Xc
.Oc
.Op Fl -key= Ns Ar string
.Op Fl -max-ticket-life= Ns Ar lifetime
.Op Fl -max-renewable-life= Ns Ar lifetime
.Op Fl -attributes= Ns Ar attributes
.Op Fl -expiration-time= Ns Ar time
.Op Fl -pw-expiration-time= Ns Ar time
.Ar principal...
.Pp
.Bd -ragged -offset indent
Adds a new principal to the database. The options not passed on the
command line will be prompted for.
.Ed
.Pp
.Nm add_enctype
.Op Fl r | Fl -random-key
.Ar principal enctypes...
.Pp
.Bd -ragged -offset indent
Adds a new encryption type to the principal; only random keys are
supported.
.Ed
.Pp
.Nm delete
.Ar principal...
.Pp
.Bd -ragged -offset indent
Removes a principal.
.Ed
.Pp
.Nm del_enctype
.Ar principal enctypes...
.Pp
.Bd -ragged -offset indent
Removes some enctypes from a principal; this can be useful if the
service belonging to the principal is known to not handle certain
enctypes.
.Ed
.Pp
.Nm ext_keytab
.Oo Fl k Ar string \*(Ba Xo
.Fl -keytab= Ns Ar string
.Xc
.Oc
.Ar principal...
.Pp
.Bd -ragged -offset indent
Creates a keytab with the keys of the specified principals.
.Ed
.Pp
.Nm get
.Op Fl l | Fl -long
.Op Fl s | Fl -short
.Op Fl t | Fl -terse
.Op Fl o Ar string | Fl -column-info= Ns Ar string
.Ar principal...
.Pp
.Bd -ragged -offset indent
Lists the matching principals; the short format prints the result as a
table, while the long format produces more verbose output. Which
columns to print can be selected with the
.Fl o
option. The argument is a comma separated list of column names, each
optionally followed by an equal sign
.Pq Sq =
and a column header. Which columns are printed by default differs
slightly between short and long output.
.Pp
The default terse output format is similar to
.Fl s o Ar principal= ,
just printing the names of matched principals.
.Pp
Possible column names include:
.Li principal ,
.Li princ_expire_time ,
.Li pw_expiration ,
.Li last_pwd_change ,
.Li max_life ,
.Li max_rlife ,
.Li mod_time ,
.Li mod_name ,
.Li attributes ,
.Li kvno ,
.Li mkvno ,
.Li last_success ,
.Li last_failed ,
.Li fail_auth_count ,
.Li policy ,
and
.Li keytypes .
.Ed
.Pp
.Nm modify
.Oo Fl a Ar attributes \*(Ba Xo
.Fl -attributes= Ns Ar attributes
.Xc
.Oc
.Op Fl -max-ticket-life= Ns Ar lifetime
.Op Fl -max-renewable-life= Ns Ar lifetime
.Op Fl -expiration-time= Ns Ar time
.Op Fl -pw-expiration-time= Ns Ar time
.Op Fl -kvno= Ns Ar number
.Ar principal...
.Pp
.Bd -ragged -offset indent
Modifies certain attributes of a principal. If run without command
line options, you will be prompted. With command line options, it will
only change the ones specified.
.Pp
Possible attributes are:
.Li new-princ ,
.Li support-desmd5 ,
.Li pwchange-service ,
.Li disallow-svr ,
.Li requires-pw-change ,
.Li requires-hw-auth ,
.Li requires-pre-auth ,
.Li disallow-all-tix ,
.Li disallow-dup-skey ,
.Li disallow-proxiable ,
.Li disallow-renewable ,
.Li disallow-tgt-based ,
.Li disallow-forwardable ,
.Li disallow-postdated
.Pp
Attributes may be negated with a "-", e.g.,
.Pp
kadmin -l modify -a -disallow-proxiable user
.Ed
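.Pp
The column selection of get and the attribute syntax of modify combine into a simple
attribute audit. The following is an added example, not part of Heimdal or of this
manual page: it parses constructed output of "kadmin -l get -s -o principal=,attributes="
(the exact table layout is an assumption), checks each active principal against a sample
policy, and emits the "kadmin -l modify -a" commands that would fix deviations, using a
bare name to set an attribute and a "-" prefix to negate it; packing several attributes
into one -a argument with commas is also assumed.

```python
"""Audit 'kadmin get' output against an attribute policy and emit the
'modify -a' commands that fix deviating principals. Added example, not
part of Heimdal; the policy and the output layout below are assumed."""
from __future__ import annotations

# Constructed sample of "kadmin -l get -s -o principal=,attributes=":
# one principal per line, then its attributes comma separated (the empty
# column headers suppress the header row).
SAMPLE_OUTPUT = """\
alice@EXAMPLE.ORG  requires-pre-auth
bob@EXAMPLE.ORG
carol@EXAMPLE.ORG  requires-pre-auth, disallow-svr
old@EXAMPLE.ORG  disallow-all-tix
host/kdc.example.org@EXAMPLE.ORG  disallow-svr
"""
# Sample policy: user principals must require pre-authentication and must
# never be issued service tickets; service principals (name part contains
# '/') must not carry disallow-svr, which would make them unusable.
USER_REQUIRED = {"requires-pre-auth", "disallow-svr"}
SERVICE_FORBIDDEN = {"disallow-svr"}

def parse_get_output(text: str) -> dict[str, set[str]]:
    """Map each principal to the set of attribute names listed for it."""
    result: dict[str, set[str]] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:
            rest = parts[1].replace(",", " ") if len(parts) > 1 else ""
            result[parts[0]] = set(rest.split())
    return result

def attribute_changes(current: set[str], required: set[str],
                      forbidden: set[str]) -> list[str]:
    """Values for 'modify -a': a bare name sets, a '-' prefix negates."""
    return sorted(required - current) + ["-" + a for a in sorted(forbidden & current)]

def remediation_commands(text: str) -> list[str]:
    """One 'kadmin -l modify' per principal deviating from policy; principals
    carrying disallow-all-tix are disabled and are left untouched."""
    cmds = []
    for princ, attrs in parse_get_output(text).items():
        if "disallow-all-tix" in attrs:
            continue
        is_service = "/" in princ.split("@", 1)[0]
        changes = attribute_changes(attrs, set() if is_service else USER_REQUIRED,
                                    SERVICE_FORBIDDEN if is_service else set())
        if changes:
            # Several attributes go in one -a argument, comma separated (assumed).
            cmds.append(f"kadmin -l modify -a {','.join(changes)} {princ}")
    return cmds
```

Review the emitted commands before running them; on the sample data they set the missing attributes on alice and bob and clear disallow-svr from the host principal.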
.Pp
.Nm passwd
.Op Fl r | Fl -random-key
.Op Fl -random-password
.Oo Fl p Ar string \*(Ba Xo
.Fl -password= Ns Ar string
.Xc
.Oc
.Op Fl -key= Ns Ar string
.Ar principal...
.Pp
.Bd -ragged -offset indent
Changes the password of an existing principal.
.Ed
.Pp
.Nm password-quality
.Ar principal
.Ar password
.Pp
.Bd -ragged -offset indent
Runs the password quality check function locally.
You can run this on the host that is configured to run the kadmind
process to verify that your configuration file is correct.
The verification is done locally; if kadmin is run in remote mode,
no RPC call is made to the server.
.Ed
.Pp
.Nm privileges
.Pp
.Bd -ragged -offset indent
Lists the operations you are allowed to perform. These include
.Li add ,
.Li add_enctype ,
.Li change-password ,
.Li delete ,
.Li del_enctype ,
.Li get ,
.Li list ,
and
.Li modify .
.Ed
.Pp
.Nm rename
.Ar from to
.Pp
.Bd -ragged -offset indent
Renames a principal. This is normally transparent, but since keys are
salted with the principal name, they will have a non-standard salt,
and clients which are unable to cope with this will fail. Kerberos 4
suffers from this.
.Ed
.Pp
.Nm check
.Op Ar realm
.Pp
.Bd -ragged -offset indent
Checks the database for strange configurations on important principals.
If no realm is given, the default realm is used.
.Ed
.Pp
.Ed
.Pp
When running in local mode, the following commands can also be used:
.Bd -ragged -offset indent
.Nm dump
.Op Fl d | Fl -decrypt
.Op Ar dump-file
.Pp
.Bd -ragged -offset indent
Writes the database in
.Dq human readable
form to the specified file, or standard out. If the database is
encrypted, the dump will also have encrypted keys, unless
.Fl -decrypt
is used.
.Ed
.Pp
.Nm init
.Op Fl -realm-max-ticket-life= Ns Ar string
.Op Fl -realm-max-renewable-life= Ns Ar string
.Ar realm
.Pp
.Bd -ragged -offset indent
Initializes the Kerberos database with entries for a new realm. It is
possible to have more than one realm served by one server.
.Ed
.Pp
.Nm load
.Ar file
.Pp
.Bd -ragged -offset indent
Reads a previously dumped database, and re-creates that database from
scratch.
.Ed
.Pp
.Nm merge
.Ar file
.Pp
.Bd -ragged -offset indent
Similar to
.Nm load
but just modifies the database with the entries in the dump file.
.Ed
.Pp
.Nm stash
.Oo Fl e Ar enctype \*(Ba Xo
.Fl -enctype= Ns Ar enctype
.Xc
.Oc
.Oo Fl k Ar keyfile \*(Ba Xo
.Fl -key-file= Ns Ar keyfile
.Xc
.Oc
.Op Fl -convert-file
.Op Fl -master-key-fd= Ns Ar fd
.Pp
.Bd -ragged -offset indent
Writes the Kerberos master key to a file used by the KDC.
.Ed
.Pp
.Ed
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kadmind 8 ,
.Xr kdc 8
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
415