kasetkey - Manipulate AFS kaserver service principal keys
kasetkey [-dhv] -a admin -i [-p password] -k keyfile
kasetkey [-dhv] -a admin [-k keyfile] -D service
kasetkey [-dhv] -a admin [-k keyfile] [ -c k5srvtab | -r ] -s service -f srvtab
kasetkey manipulates principals in an AFS kaserver, usually service principals. It's primarily designed for automatic generation of srvtabs for keys without regular passwords, but it can be used to do other automated tasks, authenticating from a srvtab.
To start using kasetkey, obtain a srvtab for a principal with the ADMIN flag set in the AFS kaserver. Such a srvtab can be created from the password of that principal using kasetkey with the -i flag. Then, use -s to create a srvtab for a particular principal or -D to delete a principal from the Kerberos database, passing via -k the path to the srvtab containing the key for an ADMIN principal. If you don't use -k, kasetkey will prompt you for the password of the given ADMIN principal.
When generating a srvtab for a particular principal using -s, you have your choice of ways of setting the key for that principal. The default is to prompt you for a password, but usually that's not what you want. Provide the -r flag to set a random key, which is normally what you want to do for a pure Kerberos v4 principal. When synchronizing Kerberos v5 with Kerberos v4, generate a keytab in Kerberos v5, convert it to a srvtab using ktutil, and then provide that srvtab to kasetkey with the -c flag. kasetkey will then set the key in the AFS kaserver to match. The srvtab must contain a DES key, since single DES is the only cipher the kaserver supports.
kasetkey uses a simple, brute-force approach to setting keys in the AFS kaserver. It creates the principal if it doesn't already exist, and if it does already exist, it deletes it and then recreates it. Any srvtab or password previously issued for that principal therefore stops working as soon as kasetkey succeeds.
-a admin
    The user as whom changes should be performed. This user must have the ADMIN flag set in the AFS kaserver.

-c k5srvtab
    When creating a service principal using -s, take the key for that principal from k5srvtab. k5srvtab must contain a DES key and can be created via ktutil from a Kerberos v5 keytab.

-D service
    Delete the principal service from the AFS kaserver.

-d
    Turn on debugging. This prints out more information about the exit status of all of the API calls used.

-f srvtab
    Where to write the srvtab for a newly created (or modified) principal. Used only with -s.

-h
    Display an option summary and a few examples and then exit.

-i
    Initialize a srvtab. Takes the user from -a and either prompts for the password or takes it from the -p flag. Writes out the srvtab to the path given to -k.

-k keyfile
    The srvtab to use to authenticate. The key in the srvtab must be the key for the user given with -a. With -i, this is instead the path to which the new srvtab is written.

-p password
    The password for the user for which a srvtab is being initialized. This is only used with the -i flag. A password given on the command line is visible to other users of the system in the process list, so prefer the interactive prompt unless the script has no other way to supply it.

-r
    When generating a new srvtab with -s, randomize the key for that user.

-s service
    Create a new srvtab for the principal service. If this principal already exists, it's deleted and recreated. Takes the key for the principal from the srvtab specified with -c, randomizes it if -r is given, or prompts for it.

-v
    Prints the version of kasetkey and exits.
To create a srvtab for rcmd.slapshot with a random key and be prompted for the admin password:
kasetkey -a admin -f srvtab.rcmd.slapshot -s rcmd.slapshot -r
To create a srvtab from within a script, you must first stash the admin principal's DES key in a srvtab, protecting that file as carefully as the admin password itself:
kasetkey -a admin -i -k /.adminkey
(which will prompt you for the password) and then create a srvtab for rcmd.slapshot with:
kasetkey -k /.adminkey -a admin -r -f srvtab -s rcmd.slapshot
The error reporting of this program is not great. If an action fails, run it again with the -d flag, which will print out the return status of every AFS operation. You can then pass the failing error code to the translate_et program, installed with AFS, to translate the code into an error message.
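The scripted procedure above (stash the admin key once, then create srvtabs non-interactively) and the -d advice, as an added POSIX sh wrapper. This is example code written for this page, not part of the wallet distribution. It refuses to use a stashed admin srvtab that is group- or world-readable, writes each new srvtab to a temporary file before moving it into place, runs kasetkey with -d every time but shows that output only on failure, and also covers the -c path by turning a Kerberos v5 keytab into a v4 srvtab. The admin principal name `admin` and the key path `/.adminkey` are taken from the examples; the use of MIT ktutil (its `rkt`/`wst` commands, not Heimdal's ktutil) and the assumption that the keytab holds only the single-DES entry for the service are mine.

```shell
#!/bin/sh
# make_srvtab.sh: scripted srvtab generation with kasetkey.
# Added example for this page, not part of the wallet distribution.
# Assumes the admin principal and key path from the EXAMPLES section
# (admin, /.adminkey), kasetkey and translate_et on PATH, and MIT ktutil
# for the -c path.  Override ADMIN/ADMINKEY in the environment if needed.

ADMIN=${ADMIN:-admin}
ADMINKEY=${ADMINKEY:-/.adminkey}

# Given one line of `ls -l` output, succeed only if the group and other
# permission bits are all clear (chars 5-10 of the mode string).
owner_only_mode() {
    case $(printf '%s' "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# The stashed admin srvtab is as powerful as the admin password: refuse to
# use it unless only its owner can read it.
check_adminkey() {
    [ -f "$1" ] || { echo "admin srvtab $1 does not exist" >&2; return 1; }
    if ! owner_only_mode "$(ls -ld "$1")"; then
        echo "admin srvtab $1 is readable by group or other; chmod 600 it" >&2
        return 1
    fi
}

# Run kasetkey with -d, keeping its output in a temp file.  On success the
# file is discarded; on failure it is printed, since it holds the AFS error
# codes that translate_et can turn into messages.
run_kasetkey() {
    log=$(mktemp) || return 1
    if kasetkey -d "$@" >"$log" 2>&1; then
        rm -f "$log"
        return 0
    else
        status=$?
        echo "kasetkey $* failed (exit $status); -d output follows." >&2
        echo "Pass any numeric AFS error code to translate_et." >&2
        cat "$log" >&2
        rm -f "$log"
        return "$status"
    fi
}

# Create (or delete and recreate) SERVICE with a random key and write its
# srvtab to OUT.  The file is written under a temporary name (mode 0600 from
# mktemp) and only renamed into place once kasetkey has succeeded.
make_srvtab() {
    service=$1
    out=$2
    check_adminkey "$ADMINKEY" || return 1
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if run_kasetkey -k "$ADMINKEY" -a "$ADMIN" -r -f "$tmp" -s "$service" \
        && chmod 600 "$tmp" && mv "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# The -c path: make the kaserver key for SERVICE match the DES key already
# held in a Kerberos v5 keytab.  MIT ktutil's rkt/wst commands write a v4
# srvtab from the keytab (assumption: the keytab holds only the single-DES
# entry for SERVICE, since a srvtab cannot carry other enctypes).
sync_from_keytab() {
    service=$1
    keytab=$2
    out=$3
    check_adminkey "$ADMINKEY" || return 1
    k4dir=$(mktemp -d) || return 1          # 0700 directory for the v4 copy
    k4=$k4dir/srvtab
    tmp=$(mktemp "$out.XXXXXX") || { rm -rf "$k4dir"; return 1; }
    if printf 'rkt %s\nwst %s\nquit\n' "$keytab" "$k4" | ktutil \
        && run_kasetkey -k "$ADMINKEY" -a "$ADMIN" -c "$k4" -f "$tmp" -s "$service" \
        && chmod 600 "$tmp" && mv "$tmp" "$out"; then
        rm -rf "$k4dir"
        return 0
    fi
    rm -rf "$k4dir"
    rm -f "$tmp"
    return 1
}

# Usage: make_srvtab.sh SERVICE OUTFILE           (random key, -r)
#        make_srvtab.sh SERVICE OUTFILE KEYTAB    (key from v5 keytab, -c)
case $# in
    2) make_srvtab "$1" "$2" ;;
    3) sync_from_keytab "$1" "$3" "$2" ;;
esac
```

Run it once interactively to create /.adminkey with `kasetkey -a admin -i -k /.adminkey` and `chmod 600` it; after that the wrapper can be called from cron or a provisioning job. Because kasetkey deletes and recreates the principal, schedule the run so the new srvtab is distributed to the service host before its old one is needed again.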
kas(8), kaserver(8), ktutil(8)
This program is part of the wallet system. The current version is available from <http://www.eyrie.org/~eagle/software/wallet/>.
Originally written by Roland Schemers. Revised to use srvtabs rather than simple DES keys and to support principal deletion by Russ Allbery <rra@stanford.edu>, who currently maintains it.