KTUTIL(8)
NAME
ktutil -- manage Kerberos keytabs
SYNOPSIS
ktutil [-k keytab | --keytab=keytab] [-v | --verbose] [--version] [-h | --help] command [args]
DESCRIPTION
ktutil is a program for managing keytabs. Supported options:
- -v, --verbose
- Verbose output.
- command can be one of the following:
- add [-p principal] [--principal=principal] [-V kvno] [--kvno=kvno] [-e
- enctype] [--enctype=enctype] [-w password]
[--password=password] [-r] [--random] [-s] [--no-salt] [-H]
[--hex]
Adds a key to the keytab. Options that are not specified will be prompted for. This requires that you know the password or the hex key of the principal to add; if what you really want is to add a new principal to the keytab, you should consider the get command, which talks to the kadmin server. - change [-r realm] [--realm=realm] [--a host] [--admin-server=host] [--s
- port] [--server-port=port] Update one or several keys to new versions. By default, use the admin server for the realm of a keytab entry. Otherwise it will use the values specified by the options.
- If no principals are given, all the ones in the keytab are
updated. - copy keytab-src keytab-dest
- Copies all the entries from keytab-src to keytab-dest.
- get [-p admin principal] [--principal=admin principal] [-e enctype]
- [--enctypes=enctype] [-r realm] [--realm=realm] [-a admin server] [--admin-server=admin server] [-s server port] [--server-port=server port] principal ... For each principal, generate a new key for it (creating it if it doesn't already exist), and put that key in the keytab.
- If no realm is specified, the realm to operate on is taken from the first principal.
- list [--keys] [--timestamp]
- List the keys stored in the keytab.
- remove [-p principal] [--principal=principal] [-V -kvno] [--kvno=kvno]
- [-e -enctype] [--enctype=enctype]
Removes the specified key or keys. Not specifying a kvno
removes keys with any version number. Not specifying an
enctype removes keys of any type. - rename from-principal to-principal
- Renames all entries in the keytab that match the
from-principal to to-principal. - purge [--age=age]
- Removes all old versions of a key for which there is a newer version that is at least age (default one week) old.
- srvconvert
- srv2keytab [-s srvtab] [--srvtab=srvtab]
- Converts the version 4 srvtab in srvtab to a version 5 keytab
and stores it in keytab. Identical to:
ktutil copy krb4:srvtab keytab - srvcreate
- key2srvtab [-s srvtab] [--srvtab=srvtab]
- Converts the version 5 keytab in keytab to a version 4 srvtab
and stores it in srvtab. Identical to:
ktutil copy keytab krb4:srvtab