ktutil(1)

NAME
       ktutil - Manages entries in service key table file

SYNOPSIS
       /krb5/sbin/ktutil [-D] [-l] [-t [TYPE:]keytable] [-d | -p -X -x]
       [-c keytable] [principal]
OPTIONS
       -c keytable
              Appends the specified service key table file to the service
              key table file specified by the -t option.

       -D     Destroys the entire service key table file by first zeroing
              out each entry and then deleting the file.

       -d [principal]
              Prints each entry in the service key table file and prompts
              you to delete or retain the entry. Type yes to delete an
              entry. The default is no, so pressing the return key retains
              the entry and advances to the next entry. To stop at any
              time, type quit, exit, or done. All answers can be
              abbreviated to as few as one character.

              Use the optional principal argument to identify a specific
              principal ID, which indicates that only entries for that
              principal should be deleted from the service key table file.
              In that case the command deletes the entries without
              prompting you.

       -l     Lists the contents of a service key table file. This is the
              default action if you execute ktutil with no options other
              than the -t option.

       -p [principal]
              Purges older entries from the service key table file, which
              means that all entries but the most recent entry for each
              principal are deleted. The relative age of the entries is
              determined by comparing the entry key version numbers.

              Use the optional principal argument to identify a specific
              principal ID, which indicates that only the older keys for
              that principal should be deleted from the key table file.

       -t [TYPE:]keytable
              Specifies the name of a service key table file other than the
              default /krb5/v5srvtab, unless the CSFC5KTNAME environment
              variable is set to an alternate key table type or file name.

              The supported types are FILE and WFILE (writable file). The
              default key table type is FILE. You can specify both the type
              and the service key table file name, or you can accept the
              default type and specify only the service key table name.

              You must specify the file type WFILE for all options other
              than the -l option. That is, ktutil requires WFILE if the
              service key table file must be modified or destroyed.

       -x [principal]
              Extracts from the security server a key for the host service
              principal (the account for the computer where the
              administrator is logged in) and adds the key to the service
              key table file designated by the -t option. Use the optional
              principal argument to identify a specific principal ID, which
              indicates that the key for that principal should be extracted
              from the security server and added to the service key table
              file.

              Use the -x and -p options together to first add the extracted
              key and then purge all older entries for the designated
              principal from the service key table file.

              If the principal argument is not used with the -x -p
              combination, only the older keys for the host principal are
              purged from the file after the new key is added.

       -X [principal]
              Requests that the security server generate a new random key
              for the host service principal (the account for the computer
              where the administrator is logged in). The command then
              extracts that key from the security server and adds it to the
              service key table file designated by the -t option.

              Use the optional principal argument to identify a specific
              principal ID, which indicates that the key for that principal
              should be regenerated and extracted from the security server
              and added to the service key table file.

              Use the -X and -p options together to first add the extracted
              key and then purge all older entries for the designated
              principal from the service key table file.

              If the principal argument is not used with the -X -p
              combination, only the older keys for the host principal are
              purged from the file after the new key is added.
DESCRIPTION
The ktutil command manages entries in service key table files. Note
that the service key table file is owned by root, so you must log on as
root to access it.
All options other than the -l option attempt to modify the service key
table file. Therefore, when you execute those commands, you must
include the -t TYPE:WFILE option to specify that the service key table
file is a writable file. To specify that the service key table file
should not be modified, use the default -t TYPE:FILE option instead.
Before you can extract a key from the service key table file using the
-x or -X options, you must authenticate yourself to the Kerberos server
and have the appropriate permissions.
EXAMPLES
       To view all entries in the default service key table file, enter:

              # ktutil

       or

              # ktutil -t keytable -l

       To destroy the service key table file called /krb5/mytable, enter:

              # ktutil -D -t WFILE:/krb5/mytable

       To add all the entries in a service key table called
       /krb5/srvtable to the default service key table file, enter:

              # ktutil -c /krb5/srvtable -t WFILE:/krb5/v5srvtab

       If the -t option is not used to specify the WFILE type, this
       operation fails; the type must be defined as WFILE rather than the
       default FILE for this operation to succeed.

       To add a new entry to the default service key table file for the
       principal host/ftpd.biz.com@BIZ.COM and then purge all older entries
       from the service key table file, enter:

              # ktutil -t WFILE:/krb5/v5srvtab -x -p host/ftpd.biz.com@BIZ.COM
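       The following POSIX sh wrapper is an added example and is not part
       of this manual page or of ktutil itself: it applies the WFILE rule
       described above before ktutil is invoked, resolves the default key
       table the way the -t option describes, and rotates one principal's
       key with the -X -p combination. KTUTIL_BIN, DRY_RUN and the function
       names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the ktutil man page: a wrapper that applies the
# page's WFILE rule before ktutil is invoked, plus a key-rotation helper.
# KTUTIL_BIN, DRY_RUN and the helper names are this example's own assumptions.
KTUTIL_BIN="${KTUTIL_BIN:-/krb5/sbin/ktutil}"

# keytab_spec [keytab]: normalise to TYPE:path. With no argument, fall back to
# CSFC5KTNAME and then to /krb5/v5srvtab, as the man page describes; a bare
# path gets the default type FILE.
keytab_spec() {
  spec="${1:-${CSFC5KTNAME:-/krb5/v5srvtab}}"
  case "$spec" in
    FILE:*|WFILE:*) printf '%s\n' "$spec" ;;
    *)              printf 'FILE:%s\n' "$spec" ;;
  esac
}

# ktutil_cmd [keytab] option...: print the ktutil command line that would run,
# or fail (status 1) when a modifying option (-c -D -d -p -x -X) is combined
# with a key table that is not WFILE:, the case the man page says fails at run time.
ktutil_cmd() {
  kt=$(keytab_spec "$1"); shift
  modifies=0
  for opt in "$@"; do
    case "$opt" in -c|-D|-d|-p|-x|-X) modifies=1 ;; esac
  done
  if [ "$modifies" -eq 1 ]; then
    case "$kt" in
      WFILE:*) ;;
      *) echo "ktutil_cmd: '$*' needs a WFILE: key table, got $kt" >&2; return 1 ;;
    esac
  fi
  printf '%s -t %s %s\n' "$KTUTIL_BIN" "$kt" "$*"
}

# rotate_key principal path: have the security server generate a new random
# key (-X), add it to the writable key table and purge the older key versions
# for that principal (-p) in one run, then list the key table read-only to
# verify. With DRY_RUN=1 only the command line is printed.
rotate_key() {
  cmd=$(ktutil_cmd "WFILE:$2" -X -p "$1") || return 1
  if [ "${DRY_RUN:-0}" -eq 1 ]; then
    printf '%s\n' "$cmd"
    return 0
  fi
  "$KTUTIL_BIN" -t "WFILE:$2" -X -p "$1" && "$KTUTIL_BIN" -t "FILE:$2" -l
}
```

       Run it as root on the host that owns the key table, for example
       DRY_RUN=1 rotate_key host/ftpd.biz.com@BIZ.COM /krb5/v5srvtab to see
       the command before it is executed.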
ENVIRONMENT VARIABLES
       CSFC5KTNAME
              Controls the service key table file.

FILES
       /krb5/v5srvtab
              Default service key table file.

SEE ALSO
       Commands: kdestroy(1), kinit(1), klist(1), ktutil(1)