k5srvutil operation [-i] [-f filename] [-e keysalts]
k5srvutil allows an administrator to list keys currently in a keytab, to obtain new keys for a principal currently in a keytab, or to delete non-current keys from a keytab.
operation must be one of the following:
- Lists the keys in a keytab, showing version number and principal name.
- Uses the kadmin protocol to update the keys in the Kerberos database to new randomly-generated keys, and updates the keys in the keytab to match. If a key’s version number doesn’t match the version number stored in the Kerberos server’s database, then the operation will fail. If the -i flag is given, k5srvutil will prompt for confirmation before changing each key. If the -k option is given, the old and new keys will be displayed. Ordinarily, keys will be generated with the default encryption types and key salts. This can be overridden with the -e option. Old keys are retained in the keytab so that existing tickets continue to work, but delold should be used after such tickets expire, to prevent attacks against the old keys.
- Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the -i flag is given, then k5srvutil will prompt for confirmation for each principal.
- Deletes particular keys in the keytab, interactively prompting for each key.
In all cases, the default keytab is used unless this is overridden by the -f option.
k5srvutil uses the kadmin program to edit the keytab in place.