Wallet::Kadmin::MIT

(Wallet Kerberos administration API for MIT)

SYNOPSIS

    my $kadmin = Wallet::Kadmin::MIT->new;
    $kadmin->create ('host/foo.example.com');
    my $data = $kadmin->keytab_rekey ('host/foo.example.com',
                                      'aes256-cts-hmac-sha1-96');
    $data = $kadmin->keytab ('host/foo.example.com');
    my $exists = $kadmin->exists ('host/oldshell.example.com');
    $kadmin->destroy ('host/oldshell.example.com') if $exists;

Wallet::Kadmin::MIT implements the Wallet::Kadmin API for MIT Kerberos, providing an interface to create and delete principals and create keytabs. It provides the API documented in Wallet::Kadmin for an MIT Kerberos KDC.

MIT Kerberos does not provide any method via the kadmin network protocol to retrieve a keytab for a principal without rekeying it, so the keytab() method (as opposed to keytab_rekey(), which rekeys the principal) is implemented using a remctl backend. For that method (used for unchanging keytab objects) to work, the necessary wallet configuration and remctl interface on the KDC must be set up.

To use this class, several configuration parameters must be set. See "KEYTAB OBJECT CONFIGURATION" in Wallet::Config for details.

FILES

KEYTAB_TMP/keytab.<pid>: The keytab is created in this file and then read into memory. KEYTAB_TMP is set in the wallet configuration, and <pid> is the process ID of the current process. The file is unlinked after being read.

LIMITATIONS

Currently, this implementation calls an external kadmin program rather than using a native Perl module and therefore requires kadmin be installed and parses its output. It may miss some error conditions if the output of kadmin ever changes.

AUTHORS

Russ Allbery <eagle@eyrie.org> and Jon Robertson <jonrober@stanford.edu>.

Last spun 2022-12-12 from POD modified 2020-05-18

Wallet::Kadmin::MIT

SYNOPSIS

DESCRIPTION

FILES

LIMITATIONS

SEE ALSO

AUTHORS