k5srvutil - host key table (keytab) manipulation utility
] [ -f filename
k5srvutil allows an administrator to list keys currently in a keytab, to obtain
new keys for a principal currently in a keytab, or to delete non-current keys
from a keytab.
must be one of the following:
- Lists the keys in a keytab, showing version number and principal
- Uses the kadmin protocol to update the keys in the Kerberos database to
new randomly-generated keys, and updates the keys in the keytab to match.
If a key's version number doesn't match the version number stored in the
Kerberos server's database, then the operation will fail. If the -i
flag is given, k5srvutil will prompt for confirmation before changing each
key. If the -k option is given, the old and new keys will be
displayed. Ordinarily, keys will be generated with the default encryption
types and key salts. This can be overridden with the -e option. Old
keys are retained in the keytab so that existing tickets continue to work,
but delold should be used after such tickets expire, to prevent
attacks against the old keys.
- Deletes keys that are not the most recent version from the keytab. This
operation should be used some time after a change operation to remove old
keys, after existing tickets issued for the service have expired. If the
-i flag is given, then k5srvutil will prompt for confirmation for
- Deletes particular keys in the keytab, interactively prompting for each
In all cases, the default keytab is used unless this is overridden by the
k5srvutil uses the kadmin(1)
program to edit the keytab in place.
for a description of Kerberos environment variables.