k5srvutil is a little more convenient to use for rolling keys than
kadmin is. When migrating off 1DES, though, it may be desirable to
explicitly specify the desired keysalts. This adds an option, -e, to
k5srvutil to specify desired keysalts.
[ghudson@mit.edu: style fix; make whitespace in keysalt list work]
ticket: 7589 (new)
**k5srvutil** *operation*
[**-i**]
[**-f** *filename*]
+[**-e** *keysalts*]
DESCRIPTION
-----------
existing tickets continue to work. If the **-i** flag is given,
k5srvutil will prompt for confirmation before changing each key.
If the **-k** option is given, the old and new keys will be
- displayed.
+ displayed. Ordinarily, keys will be generated with the default
+ encryption types and key salts. This can be overridden with the
+ **-e** option.
**delold**
Deletes keys that are not the most recent version from the keytab.
}
usage() {
- echo "Usage: $0 [-i] [-f file] list|change|delete|delold"
+ echo "Usage: $0 [-i] [-f file] [-e keysalts] list|change|delete|delold"
}
princs=`list_princs `
for princ in $princs; do
if interactive_prompt "Change key " $princ; then
- kadmin -k -t $keytab -p $princ -q "ktadd -k $keytab $princ"
+ kadmin -k -t $keytab -p $princ -q \
+ "ktadd -k $keytab $keysalts $princ"
fi
done
}
keytab=/etc/krb5.keytab
interactive=0
+keysalts=""
while [ $# -gt 0 ] ; do
opt=$1
"-i")
interactive=1
;;
+ "-e")
+ keysalts="$keysalts -e \"$1\""
+ shift
+ ;;
change|delold|delete|list)
set_command $opt
;;
projects / thirdparty / krb5.git / commitdiff
