Key Management Subcommands

The key management subcommands must be run in command-line mode.

ktadd

Synopsis

kta[dd] -p principal_name [-pw password]
[-a[uto]] [-r[egistry]] [-f keyfile]

Description
Creates a password for a server or machine in the keytab file on the local node.

The -p option specifies the name of the server or machine principal for which you are creating a password.

The -pw option lets you supply the password on the command line. If you do not enter this option or the -auto option, ktadd prompts for the password.

The -a option generates the password randomly. If you use this option, you must also use the -r option. If you do not specify the -auto or the -pw option, you are prompted for a password.

The -r option updates the principal's password in the registry to match the string you enter (or generate) for the password in the keytab file. Use it to ensure that the principal's password in the registry and the keytab file are in sync when you change a principal's password in the keytab file. To use this option, a password for the principal must exist in the default keytab file or the keytab file named by the -f option.

The -f option specifies the name of the server keytab file on the local node to which you are adding the password. If you do not specify a keytab file name, /krb5/v5srvtab is used. Note that you must be root to add entries in the default keytab file.

ktlist

Synopsis

ktl[ist] [-p principal_name] [-f keyfile]

Description
Displays principal names and password version numbers in the local keytab file.

The -p option specifies the name of the server or machine principal for which you are displaying passwords.

The -f option specifies the name of the server keytab file on the local node for which you want to display entries. If you do not specify a keytab file name, /krb5/v5srvtab is used.

ktdelete

Synopsis

ktd[elete] -p principal_name -v version_number
[-f keyfile]

Description
Deletes a server or machine principal's password entry from a keytab file.

The -p option specifies the name of the server or machine principal for which you are deleting a password entry.

The -v option specifies the version number of the password you want to delete. A new version number is assigned to a principal's password whenever that password is changed. This allows any servers or machines still using tickets granted under the old password to run without interruption until the ticket expires naturally.

The -f option specifies the name of the server keytab file on the local node from which you want to delete passwords. If you do not specify a keytab file name, /krb5/v5srvtab is used. Note that you must be root to delete entries in the default keytab file. You must have the appropriate access rights to delete entries in other keytab files.
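The rotation cycle the three subcommands describe (ktadd -a -r to add a new version, ktlist to see what is there, ktdelete to remove an old version only after tickets issued under it have expired) as an added, constructed model in Python. It is not the real v5srvtab format or the key management tool itself; the version-numbering rule, the 8-hour maximum ticket life and the principal name host/srv1 are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# Constructed model of a keytab: one entry per (principal, key version).
# Illustrative only; not the real v5srvtab format or the ktadd/ktlist/ktdelete code.
@dataclass
class KeytabEntry:
    principal: str
    version: int
    key: bytes
    created: datetime

@dataclass
class Keytab:
    path: str = "/krb5/v5srvtab"          # default keytab named on the page
    entries: list = field(default_factory=list)

    def _mine(self, principal):
        return sorted((e for e in self.entries if e.principal == principal),
                      key=lambda e: e.version)

    def ktadd_auto(self, principal: str, now: datetime) -> int:
        """Model of `ktadd -p principal -a -r`: random key, next version number."""
        version = max((e.version for e in self._mine(principal)), default=0) + 1
        self.entries.append(KeytabEntry(principal, version, secrets.token_bytes(16), now))
        return version

    def ktlist(self, principal=None):
        """Model of `ktlist`: the (principal, version) pairs the listing shows."""
        return sorted((e.principal, e.version) for e in self.entries
                      if principal is None or e.principal == principal)

    def ktdelete(self, principal: str, version: int) -> None:
        """Model of `ktdelete -p principal -v version`; refuses to drop the current key."""
        mine = self._mine(principal)
        if version not in {e.version for e in mine}:
            raise KeyError(f"{principal} version {version} not in {self.path}")
        if version == mine[-1].version:
            raise ValueError("current key version: deleting it breaks new tickets")
        self.entries = [e for e in self.entries
                        if not (e.principal == principal and e.version == version)]

    def stale_versions(self, principal, now, max_ticket_life: timedelta):
        """Old versions whose tickets have all expired, i.e. safe ktdelete candidates.
        The last ticket under a version was issued no later than the moment the
        next version replaced it in the registry (ktadd -r)."""
        mine = self._mine(principal)
        return [old.version for old, newer in zip(mine, mine[1:])
                if newer.created + max_ticket_life <= now]

def demo():
    """Constructed scenario: two rotations of host/srv1, 8-hour maximum ticket life."""
    kt, t0 = Keytab(), datetime(2024, 1, 1, 9, 0)
    kt.ktadd_auto("host/srv1", t0)
    kt.ktadd_auto("host/srv1", t0 + timedelta(days=30))   # rotation 1
    kt.ktadd_auto("host/srv1", t0 + timedelta(days=60))   # rotation 2
    now = t0 + timedelta(days=60, hours=1)               # one hour after rotation 2
    stale = kt.stale_versions("host/srv1", now, timedelta(hours=8))
    for v in stale:                                      # version 2 is kept: its tickets may still be live
        kt.ktdelete("host/srv1", v)
    return stale, kt.ktlist("host/srv1")
```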