keytab(8dce) — DCE 3.1

keytab(8dce)  —  Maintenance

NAME

keytab  — A dcecp object that manages server passwords on DCE hosts

SYNOPSIS

keytab add keytab_name_list member principal_name_list  {key plain_key version key_version [registry] | random registry [version key_version]}  [ktname residual_keytab_name]  [noprivacy]  [local]

keytab catalog  [host_name_list]  [simplename ]  [noprivacy ]  [local ]

keytab create keytab_name_list  {attribute attribute_list | attribute value }  [ktname residual_keytab_name]  [entry ]  [noprivacy ]  [local ]

keytab delete keytab_name_list  [entry ]  [noprivacy ]  [local ]

keytab help  [operation | verbose  ]

keytab list keytab_name_list  [noprivacy ]  [local ]

keytab operations

keytab remove keytab_name_list member principal_name_list  [version key_version]  [type key_type]  [noprivacy ]  [local ]

keytab show keytab_name_list  [entry  | members  ]  [keys ]  [ktname residual_keytab_name]  [noprivacy ]  [local ]

Arguments

host_name_list
A list of one or more DCE host names specifying hosts for which to catalog key tables.  Host names can be in any of the following forms:

/.:/hosts/hostname
/.../cell_name/hosts/hostname
hosts/hostname

The name can also be a single string binding representing the host with which to communicate.  For example:

{ncacn_ip_tcp 130.105.1.227} 

A string binding is useful when the name service is not operating and cannot translate the other forms of host names. If you supply a single string binding, you must use the ktname  option to specify the object’s residual name. 

keytab_name_list
A list of one or more names of key tables to operate on.  Key table names are similar to other dced  objects with the following form:

/.../cell/hosts/hostname/config/keytab/name 

For the add, create , and show  operations, the name can also be a single string binding representing the key table to operate on.  See hostdata_name_list for more information on string bindings. 

operation
The name of the keytab  operation for which to display help information. 

Description

The keytab  object represents key tables (usually files) that store server keys (and key version numbers) on hosts.  These key tables are manipulated remotely by using dced .  The keys are considered members of the key table container.  The keytab  names are in the form

/.../cell_name/hosts/hostname/config/keytab/name 

A key table has a set of keys.  Each key contains a principal name, type, version, and value.  The value can be created and changed, but is never shown on output.  Removal of a key is based on the name, type, and version number.  The dcecp  syntax of a key is a list of principal_name, type (plain or des), version (a nonnegative integer), and value.  The value of a des key is 64 bits long and can be represented in dcecp as Extended Registry Attributes (ERAs) of type byte (refer to the xattrschema  object attributes for details).  The value is valid on input, but is not displayed on output so that keys are not shown on the screen.  For example:

melman des 1 key1
melman plain 3 key2 

Multiple keys for the same principal are displayed as separate keys.  See the example in the show  operation below. 

Attributes

uuid value
A Universal Unique Identifier (UUID) that is the internal identifier for the key table’s configuration information kept by dced .  If the UUID is not specified when the key table is created, one is generated automatically.  This attribute cannot be modified after it is created. 

annotation string
A human-readable comment field in Portable Character Set (PCS) format.  This attribute cannot be modified after creation. It defaults to a null string (that is, blank).

storage string
The name of the key table (usually a filename).  It is required and may not be modified after creation.

data key_list
The contents of the key table.  Represented as a list of keys.

See the OSF DCE Administration Guide for more information about keytab attributes. 

Errors

A representative list of errors that might be returned is not shown here.  Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages. 

Operations

keytab add

Adds members to a key table.  The syntax is as follows:

keytab add keytab_name_list member principal_name_list
    {key plain_key version key_version [registry] |
     random registry [version key_version]}
    [ktname residual_keytab_name] [noprivacy] [local]

Options

member  principal_name_list
List of principal names to be added to each key table in the argument.

registry
Updates the principal’s key in the registry as well as on the host.  Required if the random  option is used. 

random
Generates a random des key.  Cannot be used with the key option. 

key  plain_key
Specifies a key explicitly.  Cannot be used with the random  option. 

version  key_version
Specifies a version number for the key. Required if the registry  option is not used. 

ktname  residual_keytab_name
Specifies the keytab  object to add members to.  If you use this option, you must specify keytab_name_list as a string binding.  See Arguments for more information about specifying a string binding for keytab_name_list. 

local
Specifies that the add operation operates on local files only. 

noprivacy
Specifies that key tables are sent over the network unencrypted. 

The add operation adds members to key tables.  The argument is a list of names of key tables to which members should be added.  The required member  option lists principal names to be added to each key table in the keytab_name_list argument.  If the principals named do not exist, the command returns an error.  The operation adds each principal name and its key to the key table. 

Use either the random  option to have dcecp  generate a random des key or the key  option to specify a plain key explicitly.  The same key (whether specified or randomly generated) is used for all principals being added to all key tables.  The registry  option updates the principal’s key in the key table and in the registry.  The  registry  option is required if random  is used.  The version  option specifies the version number of the key.  You must specify either registry  or version  or both on any keytab add  command. The ktname  option is used to identify the specific key table to operate on, but only when the argument is a string binding representing a key table, not the fully qualified key table name.  This operation returns an empty string on success. 

Privileges Required

You must have a (auth_info) permission to the keytab  object. 

Examples

dcecp> keytab add /.:/hosts/medusa/config/keytab/radiology \
> -member melman -random -registry
dcecp>
dcecp> keytab add /.:/hosts/medusa/config/keytab/radiology \
> -member melman -key yrrebnesor
dcecp>

keytab catalog

Returns a list of the names of all key tables on the specified host.  The syntax is as follows:

keytab catalog [host_name_list] [simplename ] [noprivacy ] [local ]

Options

simplename
Returns key table names without prepending the cell name.

noprivacy
Specifies that the key tables sent over the network are not encrypted. 

local
Specifies that the catalog  operation operates on local files only. 

The catalog  operation returns a list of the names of all key tables on the host specified in the argument.  The argument can be a list of one or more host names or a single string binding that identifies a host.  If a host name is not specified, the current host is used.  If the argument is a list, the output is concatenated.  The return order is arbitrary. 

Privileges Required

You must have r (read) permission to the keytab  object on the host. 

Examples

dcecp> keytab catalog
/.../pokey/hosts/jimbo/config/keytab/self
dcecp> 

keytab create

Creates a key table.  The syntax is as follows:

keytab create keytab_name_list
{attribute  attribute_list | -attribute value}
 [ktname residual_keytab_name] [entry ] [noprivacy ] [local ]

Options

attribute  attribute_list
Allows you to specify attributes by using an attribute list rather than using the -attribute value option. The format of an attribute list is as follows:

{{attribute value}...{attribute value}}

-attribute value
As an alternative to using the attribute  option with an attribute list, you can change individual attribute options by prepending a hyphen (-) to any attributes listed in Attributes. 

ktname  residual_keytab_name
Specifies the keytab  object to create.  If you use this option, you must specify keytab_name_list as a string binding.  See Arguments for more information about specifying a string binding for keytab_name_list. 

local
Specifies that the create  operation operates on local files only. 

noprivacy
Specifies that key tables are sent over the network unencrypted. 

The create  operation creates a key table.  The argument is a list of names of key tables to be created.  The command takes an attribute  option to specify configuration information for dced .  The ktname  option identifies the specific key table to operate on, but only when the argument is a string binding representing a key table, not the fully qualified key table name.  Use the data attribute to specify the contents of the key tables named in keytab_name_list.  The data attribute is a list of keys with associated principal names, key types, versions, and key values in the form

principal_name key_type version {key_value}

where:

principal_name
Is the required name of the server principal for which the keytab file is being created.

key_type
Is a required code that specifies whether the key is stored in plain text or in DES encrypted format:

   • des indicates DES encryption. 

   • plain indicates plain text. 

version
Is the key’s required version number. 

key_value
If the key type is plain, key value is required.  If the key type is des, key value is optional; if one is not entered, a key value is randomly generated. 

This operation creates the key tables named in keytab_name_list and assigns all of them the values specified by the data attribute.  This operation returns an empty string on success. 
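The key-entry format given here and under Description above, parsed and validated the way a dcecp client must treat it, as an added example in Python that is not part of the DCE manual or of dcecp itself (the function names and the dict layout are this example's own): each entry is a brace-delimited list of principal_name, key_type (des or plain), version (a nonnegative integer) and a key_value that is required only for plain keys. The members view masks key values as keytab show -members does, and remove_matching models the remove operation's matching on principal name, type and version (where version may be a list).

```python
def split_braced_list(text):
    """Split a dcecp (Tcl-style) list into top-level items, unwrapping {...} items."""
    items, buf, depth = [], [], 0
    for ch in text:
        if ch == "{":
            depth += 1
            if depth > 1:                      # nested brace: keep it literally
                buf.append(ch)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in list")
            if depth:
                buf.append(ch)
            else:                              # closing brace of a top-level item
                items.append("".join(buf)); buf = []
        elif ch.isspace() and not depth:       # whitespace separates bare items
            if buf:
                items.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    if depth:
        raise ValueError("unbalanced braces in list")
    if buf:
        items.append("".join(buf))
    return items

def parse_key(entry):
    """Validate one `principal_name key_type version {key_value}` entry."""
    f = split_braced_list(entry)
    if len(f) not in (3, 4):
        raise ValueError(f"expected 3 or 4 fields: {entry!r}")
    principal, key_type, version = f[:3]
    if key_type not in ("des", "plain"):
        raise ValueError(f"key_type must be des or plain: {key_type!r}")
    if not version.isdecimal():                # nonnegative integer only
        raise ValueError(f"bad version {version!r} for {principal}")
    value = f[3] if len(f) == 4 else None      # des keys may omit the value
    if key_type == "plain" and value is None:
        raise ValueError(f"plain key for {principal} needs a key value")
    return {"principal": principal, "type": key_type, "version": int(version), "value": value}

def parse_data_attribute(data):
    """Parse the value of the `data` attribute: a list of key entries."""
    return [parse_key(item) for item in split_braced_list(data)]

def members_view(keys):
    """Render as `keytab show -members` does: key values are never displayed."""
    return ["{%s %s %d}" % (k["principal"], k["type"], k["version"]) for k in keys]

def remove_matching(keys, members, versions=None, key_type=None):
    """Model `keytab remove -member ... [-version list] [-type t]` on parsed keys."""
    hit = lambda k: (k["principal"] in members and (versions is None or k["version"]
                     in versions) and (key_type is None or k["type"] == key_type))
    return [k for k in keys if not hit(k)]
```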

Privileges Required

You must have i (insert) permission to the keytab  object on the host. 

Examples

The following example creates two keys for user vmr and one key for pwang on host medusa.  One of vmr’s keys is an automatically generated Data Encryption Standard (DES) key.  Both vmr’s second key and pwang’s key are manually entered keys. 

dcecp> keytab create /.:/hosts/medusa/config/keytab/radiology -attribute \
> {{storage /opt/dcelocal/keys/radiology} {data {{vmr des 2} \
> {vmr plain 3 key2} {pwang des 2 key3}}}}
dcecp>

keytab delete

Deletes a key table entry and its data.  The syntax is as follows:

keytab delete keytab_name_list [entry ] [noprivacy ] [local ]

Options

entry
Specifies that only the configuration information that dced  keeps is deleted, not the actual key table. 

noprivacy
Specifies that key tables are sent over the network unencrypted. 

local
Specifies that the delete  operation operates on local files only. 

The delete  operation deletes a key table entry and its data.  The argument is a list of names of key table entries to be deleted in the order specified.  If the entry  option is present, only the configuration information that dced  keeps is deleted, not the actual key table.  This operation returns an empty string on success. 

Privileges Required

You must have d (delete) permission to the keytab  object.  If you are removing the key table, you must have D (Delete_object) permission to the keytab  object as well. 

Examples

dcecp> keytab delete /.:/hosts/medusa/config/keytab/radiology
dcecp>  

keytab help

Returns help information about the keytab  object and its operations.  The syntax is as follows:

keytab help [operation | verbose ]

Options

verbose
Displays information about the keytab  object. 

Used without an argument or option, the keytab help  command returns brief information about each keytab  operation.  The optional operation argument is the name of an operation about which you want detailed information.  Alternatively, you can use the verbose  option for more detailed information about the keytab  object itself. 

Privileges Required

No special privileges are needed to use the keytab help command. 

Examples

dcecp> keytab help
add                 Adds keys into a key table.
catalog             Returns the list of key table names.
create              Creates a new key table entry and its keys.
delete              Deletes a key table and its associated data.
list                Lists all principals in a specified key table.
remove              Removes keys from a key table.
show                Returns the list of keys of a key table.
help                Prints a summary of command-line options.
operations          Returns a list of the valid operations for this command.
dcecp>

keytab list

Returns a list of all the principals in the specified key table.  The syntax is as follows:

keytab list keytab_name_list [noprivacy ] [local ]

Options

noprivacy
Specifies that key tables are sent over the network unencrypted. 

local
Specifies that the list  operation operates on local files only. 

The list  operation returns a list of all the principals in the specified key table.  If the argument is a list of key table names, the output is concatenated and a blank line inserted between key tables. 

Privileges Required

You must have r (read) permission to the keytab  object on the host. 

Examples

dcecp> keytab list /.:/hosts/medusa/config/keytab/self
/.../mycell/hosts/medusa/self
/.../mycell/hosts/medusa/cds-server
/.../mycell/hosts/medusa/cds-server
dcecp> 

keytab operations

Returns a list of the operations supported by the keytab object.  The syntax is as follows:

keytab operations

The list of available operations is in alphabetical order except for help  and operations, which are listed last. 

Privileges Required

No special privileges are needed to use the keytab operations command. 

Examples

dcecp> keytab operations
add catalog create delete list remove show help operations
dcecp> 

keytab remove

Removes a member from a key table.  The syntax is as follows:

keytab remove keytab_name_list member  principal_name_list
 [version  key_version] [type  key_type] [noprivacy ] [local ]

Options

member  principal_name_list
Specifies a list of one or more principal names of members to be removed from the key table.

version  key_version
Specifies a version number for the key.

type  key_type
Specifies whether the key is a des (data encryption standard) key or a plain key. 

noprivacy
Specifies that key tables are sent over the network unencrypted. 

local
Specifies that the remove operation operates on local files only. 

The remove operation removes a member from a key table.  The argument is a list of names of key tables from which to remove members.  The value of the required member  option is a list of names of principals to be removed from the key tables listed in the argument.  The two options version  and type can be used to limit the keys removed.  If either or both of these options is present, then only keys matching the values of these options are removed.  The value of the version  option can be a list of version numbers.  This operation returns an empty string on success. 

Privileges Required

You must have x (execute) permission to the keytab  object on the host. 

Examples

The following example removes all des keys for principal D_Britt:

dcecp> keytab remove /.:/hosts/jimbo/config/keytab/self -member D_Britt -type des
dcecp>

keytab show

Returns an attribute list of the key table entries specified in the argument.  The syntax is as follows:

keytab show keytab_name_list [entry  | members ]
 [keys ] [ktname residual_keytab_name] [noprivacy ] [local ]

Options

entry
Returns only the configuration information that dced  keeps, not the actual key table data. 

members
Specifies that only the data attribute of each entry be returned. 

keys
Returns the actual values of keys. 

noprivacy
Specifies that key tables are sent over the network unencrypted. 

ktname  residual_keytab_name
Specifies the keytab  object for which to list entries.  If you use this option, you must specify keytab_name_list as a string binding.  See Arguments for more information about specifying a string binding for  keytab_name_list. 

local
Specifies that the show  operation operates on local files only. 

The show  operation returns an attribute list of the key tables specified in the argument.  The argument is a list of names of key tables.  If the operation is called without the entry  option, the data attribute is not returned.  If the optional members  option is given, only the value of the data attribute is returned (a list of keys).  Keys are not normally returned unless the keys  option is used.  If the argument is a list, the output is concatenated and a blank line inserted between key tables.  The ktname  option is used to identify the specific key table to operate on, but only when the argument is a string binding representing a key table, not the fully qualified key table name. 

Privileges Required

You must have r (read) permission to the keytab  object on the host. 

Examples

dcecp> keytab show /.:/hosts/medusa/config/keytab/radiology -members
{melman des 1}
{melman plain 3}
{pwang des 2}
dcecp> 

Related Information

Commands: dcecp(8dce), dced(8dce), xattrschema(8dce). 

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026