Example--Adding a Service Principal to a Keytab File
In the following example, the kadmin/admin and kadmin/changepw principals are added to a master KDC's keytab file. For this example, the keytab file must be the file that is specified in the kdc.conf file.
kdc1 # /usr/sbin/kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit
In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.
denver # /usr/sbin/kadmin
kadmin: ktadd host/denver@example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver@example.com@EXAMPLE.COM with kvno 2, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
How to Remove a Service Principal From a Keytab File
Become superuser on the host with a service principal that must be removed from its keytab file.
Start the kadmin command.
# /usr/sbin/kadmin
(Optional) To display the current list of principals (keys) in the keytab file, use the ktutil command.
See "How to Display the Keylist (Principals) in a Keytab File" for detailed instructions.
Remove a principal from the keytab file by using the ktremove command.
kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old]
-k keytab
Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.
-q
Displays less verbose information.
principal
Specifies the principal to be removed from the keytab file.
kvno
Removes all entries for the specified principal whose key version number matches kvno.
all
Removes all entries for the specified principal.
old
Removes all entries for the specified principal, except the entries with the highest key version number.
Quit the kadmin command.
kadmin: quit
Example--Removing a Service Principal From a Keytab
In the following example, denver's host principal is removed from denver's keytab file.
denver # /usr/sbin/kadmin
kadmin: ktremove host/denver.example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver.example.com@EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
How to Display the Keylist (Principals) in a Keytab File
Become superuser on the host with the keytab file.
Note - Although you can create keytab files that are owned by other users, the default location for the keytab file requires root ownership.
Start the ktutil command.
# /usr/bin/ktutil
Read the keytab file into the keylist buffer by using the read_kt command.
ktutil: read_kt keytab
Display the keylist buffer by using the list command.
ktutil: list
The current keylist buffer is displayed.
Quit the ktutil command.
ktutil: quit
Example--Displaying the Keylist (Principals) in a Keytab File
The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.
denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@EXAMPLE.COM
ktutil: quit
How to Temporarily Disable Authentication for a Service on a Host
At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.
Note - By default, most services are set up to require authentication. If a service is not set up to require authentication, then the service will still work, even if you disable authentication for the service.
Become superuser on the host with the keytab file.
Note - Although you can create keytab files that are owned by other users, the default location for the keytab file requires root ownership.
Save the current keytab file to a temporary file.
Start the ktutil command.
# /usr/bin/ktutil
Read the keytab file into the keylist buffer by using the read_kt command.
ktutil: read_kt keytab
Display the keylist buffer by using the list command.
ktutil: list
The current keylist buffer is displayed. Note the slot number for the service that you want to disable.
To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.
ktutil: delete_entry slot-number
Here, slot-number is the slot number of the service principal to delete, as displayed by the list command.
Write the keylist buffer to the keytab file by using the write_kt command.
ktutil: write_kt keytab
Quit the ktutil command.
ktutil: quit
When you want to re-enable the service, copy the temporary (original) keytab file back to its original location.
Example--Temporarily Disabling a Service on a Host
In the following example, the host service on the denver host is temporarily disabled. To enable the host service back on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.
denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
ktutil: delete_entry 2
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: quit
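The following added example (not part of this guide, and not Solaris or MIT code) shows what the "Display the Keylist" and "Temporarily Disable" procedures above operate on: it parses the binary keytab layout that ktutil reads and writes (assumed here to be the common version-0x0502 format), lists entries the way "ktutil: list" does, and drops one slot as delete_entry followed by write_kt to a fresh file would. The sample keytab, its principals and its keys are constructed to mirror the denver example; the enctype is returned as the raw number (1 is DES-CBC-CRC, as in the ktadd output above), which is what an auditor checks when looking for weak keys.

```python
import struct
def build_keytab(entries):
    """Build a version-0x0502 keytab from (components, realm, kvno, enctype, key)."""
    out = bytearray(b"\x05\x02")
    for comps, realm, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps))            # v2 does not count the realm
        for s in (realm, *comps):                       # counted octet strings
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def list_keytab(blob):
    """Return [(slot, kvno, principal, enctype)] like 'ktutil: list' (1 = DES-CBC-CRC)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, rows = 2, []
    while pos + 4 <= len(blob):
        size = struct.unpack_from(">i", blob, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                  # a negative size marks a deleted (free) slot
            ncomp = struct.unpack_from(">H", blob, pos)[0]
            pos, strs = pos + 2, []
            for _ in range(ncomp + 1):  # realm first, then the name components
                n = struct.unpack_from(">H", blob, pos)[0]
                strs.append(blob[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            vno8 = struct.unpack_from(">IIB", blob, pos)[2]   # name_type, timestamp, vno8
            enctype, klen = struct.unpack_from(">HH", blob, pos + 9)
            pos += 13 + klen                                  # skip over the key bytes
            kvno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
            rows.append((len(rows) + 1, kvno, "/".join(strs[1:]) + "@" + strs[0], enctype))
        pos = end
    return rows

def delete_entry(blob, slot):
    """Drop entry `slot` as numbered by list_keytab (effect of delete_entry + write_kt)."""
    out, pos, n = bytearray(blob[:2]), 2, 0
    while pos + 4 <= len(blob):
        size = struct.unpack_from(">i", blob, pos)[0]
        chunk, pos = blob[pos:pos + 4 + abs(size)], pos + 4 + abs(size)
        n += size > 0                 # free (negative-size) slots are not numbered
        if size <= 0 or n != slot:
            out += chunk
    return bytes(out)

# Constructed sample mirroring the denver keytab shown above; the keys are fake.
SAMPLE = build_keytab([(["root", "denver"], "EXAMPLE.COM", 8, 1, b"\x01" * 8),
                       (["host", "denver"], "EXAMPLE.COM", 5, 1, b"\x02" * 8)])
```

Running list_keytab over a saved copy of /etc/krb5/krb5.keytab gives the same slot numbering as ktutil, so the slot passed to delete_entry here is the one you would pass to ktutil's delete_entry.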