keytab(8dce) — Maintenance
NAME
keytab — A dcecp object that manages server passwords on DCE hosts
SYNOPSIS
keytab add keytab_name_list member principal_name_list {key plain_key | version key_version | registry | random | registry | version key_version } [ktname residual_keytab_name] [noprivacy ] [local ]
keytab catalog [host_name_list] [simplename ] [noprivacy ] [local ]
keytab create keytab_name_list {attribute attribute_list | attribute value } [ktname residual_keytab_name] [entry ] [noprivacy ] [local ]
keytab delete keytab_name_list [entry ] [noprivacy ] [local ]
keytab help [operation | verbose ]
keytab list keytab_name_list [noprivacy ] [local ]
keytab operations
keytab remove keytab_name_list member principal_name_list [version key_version] [type key_type] [noprivacy ] [local ]
keytab show keytab_name_list [entry | members ] [keys ] [ktname residual_keytab_name] [noprivacy ] [local ]
Arguments
host_name_list
A list of one or more DCE host names specifying hosts for which to catalog key tables. Host names can be in any of the following forms:
/.:/hosts/hostname/.../cell_name/hosts/hostnamehosts/hostname
The name can also be a single string binding representing the host with which to communicate. For example:
{ncacn_ip_tcp 130.105.1.227}
A string binding is useful when the name service is not operating and cannot translate the other forms of host names. If you supply a single string binding, you must use the ktname option to specify the object’s residual name.
keytab_name_list
A list of one or more names of key tables to operate on. Key table names are similar to other dced objects with the following form:
/.../cell/hosts/hostname/config/keytab/name
For the add, create , and show operations, the name can also be a single string binding representing the key table to operate on. See hostdata_name_list for more information on string bindings.
operationThe name of the keytab operation for which to display help information.
Description
The keytab object represents key tables (usually files) that store server keys (and key version numbers) on hosts. These key tables are manipulated remotely by using dced . The keys are considered members of the key table container. The keytab names are in the form
/.../cell_name/hosts/hostname/config/keytab/name
A key table has a set of keys. Each key contains a principal name, type, version, and value. The value can be created and changed, but is never shown on output. Removal of a key is based on the name, type, and version number. The dcecp syntax of a key is a list of principal_name, type (plain or des), version (a nonnegative integer), and value. The value of a des key is 64 bits long and can be represented in dcecp as Extended Registry Attributes (ERAs) of type byte (refer to the xattrschema object attributes for details). The value is valid on input, but is not displayed on output so that keys are not shown on the screen. For example:
melman des 1 key1
melman plain 3 key2
Multiple keys for the same principal are displayed as separate keys. See the example in the show operation below.
Attributes
uuid valueA Universal Unique Identifier (UUID) that is the internal identifier for the key table’s configuration information kept by dced . If the UUID is not specified when the key table is created, one is generated automatically. This attribute cannot be modified after it is created.
annotation string
A human-readable comment field in Portable Character Set (PCS) format. This attribute cannot be modified after creation. It defaults to a null string (that is, blank).
storage string
The name of the key table (usually a filename). It is required and may not be modified after creation.
data key_list
The contents of the key table. Represented as a list of keys.
See the OSF DCE Administration Guide for more information about keytab attributes.
Errors
A representative list of errors that might be returned is not shown here. Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages.
Operations
keytab add
Adds members to a key table. The syntax is as follows:
keytab add keytab_name_list member principal_name_list
{key plain_key version key_version [registry ] |
random registry [version key_version] }
[ktname residual_keytab_name] [noprivacy ] [local ]
Options
member principal_name_list
List of principal names to be added to each key table in the argument.
registryUpdates the principal’s key in the registry as well as on the host. Required if the random option is used.
randomGenerates a random des key. Cannot be used with the key option.
key plain_key
Specifies a key explicitly. Cannot be used with the random option.
version key_version
Specifies a version number for the key. Required if the registry option is not used.
ktname residual_keytab_name
Specifies the keytab object to add members to. If you use this option, you must specify keytab_name_list as a string binding. See Arguments for more information about specifying a string binding for keytab_name_list.
localSpecifies that the add operation operates on local files only.
noprivacySpecifies that keytables are sent over the network unencrypted.
The add operation adds members to key tables. The argument is a list of names of key tables to which members should be added. The required member option lists principal names to be added to each key table in the keytab_name_list argument. If the principals named do not exist, command will return an error. The operation adds each principal name and its key to the key table.
Use either the random option to have dcecp generate a random des key or the key option to specify a plain key explicitly. The same key (whether specified or randomly generated) is used for all principals being added to all key tables. The registry option updates the principal’s key in the key table and in the registry. The registry option is required if random is used. The version option specifies the version number of the key. You must specify either registry or version or both on any keytab add command. The ktname option is used to identify the specific key table to operate on, but only when the argument is a string binding representing a key table, not the fully qualified key table name. This operation returns an empty string on success.
Privileges Required
You must have a (auth_info) permission to the keytab object.
Examples
dcecp> keytab add /.:/hosts/medusa/config/keytab/radiology \
> -member melman -random -registry dcecp>
dcecp> keytab add /.:/hosts/medusa/config/keytab/radiology \
> -member melman -key yrrebnesor dcecp>
keytab catalog
Returns a list of the names of all key tables on the specified host. The syntax is as follows:
keytab catalog [host_name_list] [simplename ] [noprivacy ] [local ]
Options
simplename
Returns key table names without prepending the cell name.
noprivacySpecifies the key tables sent over the network are not encrypted.
localSpecifies that the catalog operation operates on local files only.
The catalog operation returns a list of the names of all key tables on the host specified in the argument. The argument can be a list of one or more host names or a single string binding that identifies a host. If a host name is not specified, the current host is used. If the argument is a list, the output is concatenated. The return order is arbitrary.
Privileges Required
You must have r (read) permission to the keytab object on the host.
Examples
dcecp> keytab catalog
/.../pokey/hosts/jimbo/config/keytab/self
dcecp>
keytab create
Creates a key table. The syntax is as follows:
keytab create keytab_name_list
{attribute attribute_list | -attribute value}
[ktname residual_keytab_name] [entry ] [noprivacy ] [local ]
Options
attribute attribute_list
Allows you to specify attributes by using an attribute list rather than using the -attribute value option. The format of an attribute list is as follows:
{{attribute value}...{attribute value}}
-attribute value
As an alternative to using the attribute option with an attribute list, you can change individual attribute options by prepending a hyphen (-) to any attributes listed in Attributes.
ktname residual_keytab_name
Specifies the keytab object to create. If you use this option, you must specify keytab_name_list as a string binding. See Arguments for more information about specifying a string binding for keytab_name_list.
localSpecifies that the create operation operates on local files only.
noprivacySpecifies that key tables are sent over the network unencrypted.
The create operation creates a key table. The argument is a list of names of key tables to be created. The command takes an attribute option to specify configuration information for dced . The ktname option identifies the specific key table to operate on, but only when the argument is a string binding representing a key table, not the fully qualified key table name. Use the data attribute to specify the contents of the key tables named in keytab_name_list. The data attribute is a list of keys with associated principal names, key types, versions, and key values in the form
principal_name key_type version {key_value}
where:
principal_name
Is the required name of the server principal for which the keytab file is being created.
key_typeIs a required code that specifies whether the key is stored in plain text or in DES encrypted format:
•des indicates DES encryption.
•plain indicates plain text.
versionIs the key’s required version number.
key_valueIf the key type is plain, key value is required. If the key type is des, key value is optional; if one is not entered, a key value is randomly generated.
This operation creates the key tables named in keytab_name_list and assigns all of them the values specified by the data attribute. This operation returns an empty string on success.
Privileges Required
You must have i (insert) permission to the keytab object on the host.
Examples
The following example creates two keys for user vmr and one key for pwang on host medusa. One of vmr’s keys is an automatically generated Data Encryption Standard (DES) key. Both vmr’s second key and pwang’s key are manually entered keys.
dcecp> keytab create /.:/hosts/medusa/config/keytab/radiology -attribute \
> {{{storage /opt/dcelocal/keys/radiology} {data {{vmr des 2} \
> {vmr plain 3 key2} {pwang des 2 key3}}}} dcecp>
keytab delete
Deletes a key table entry and its data. The syntax is as follows:
keytab delete keytab_name_list [entry ] [noprivacy ] [local ]
Options
entrySpecifies that only the configuration information that dced keeps is deleted, not the actual key table.
noprivacySpecifies that key tables are sent over the network unencrypted.
localSpecifies that the delete operation operates on local files only.
The delete operation deletes a key table entry and its data. The argument is a list of names of key table entries to be deleted in the order specified. If the entry option is present, only the configuration information that dced keeps is deleted, not the actual key table. This operation returns an empty string on success.
Privileges Required
You must have d (delete ) permission to the keytab object. If you are removing the key table, you must have D (Delete_object) permission to the keytab object as well.
Examples
dcecp> keytab delete /.:/hosts/medusa/config/keytab/radiology
dcecp>
keytab help
Returns help information about the keytab object and its operations. The syntax is as follows:
keytab help [operation | verbose ]
Options
verboseDisplays information about the keytab object.
Used without an argument or option, the keytab help command returns brief information about each keytab operation. The optional operation argument is the name of an operation about which you want detailed information. Alternatively, you can use the verbose option for more detailed information about the keytab object itself.
Privileges Required
No special privileges are needed to use the keytab help command.
Examples
dcecp> keytab help
add Adds keys into a key table.
catalog Returns the list of key table names.
create Creates a new key table entry and its keys.
delete Deletes a key table and its associated data.
list Lists all principals in a specified key table.
remove Removes keys from a key table.
show Returns the list of keys of a key table.
help Prints a summary of command-line options.
operations Returns a list of the valid operations for this command.
dcecp>
keytab list
Returns a list of all the principals in the specified key table. The syntax is as follows:
keytab list keytab_name_list [noprivacy ] [local ]
Options
noprivacySpecifies that key tables are sent over the network unencrypted.
localSpecifies that the list operation operates on local files only.
The list operation returns a list of all the principals in the specified key table. If the argument is a list of key table names, the output is concatenated and a blank line inserted between key tables.
Privileges Required
You must have r (read) permission to the keytab object on the host.
Examples
dcecp> keytab list /.:/hosts/medusa/config/keytab/self
/.../mycell/hosts/medusa/self
/.../mycell/hosts/medusa/cds-server
/.../mycell/hosts/medusa/cds-server
dcecp>
keytab operations
Returns a list of the operations supported by the keytab object. The syntax is as follows:
keytab operations
The list of available operations is in alphabetical order except for help and operations, which are listed last.
Privileges Required
No special privileges are needed to use the keytab operations command.
Examples
dcecp> keytab operations
add catalog create delete list remove show help operations
dcecp>
keytab remove
Removes a member from a key table. The syntax is as follows:
keytab remove keytab_name_list member principal_name_list
[version key_version] [type key_type] [noprivacy ] [local ]
Options
member principal_name_list
Specifies a list of one or more principal names of members to be removed from the key table.
version key_version
Specifies a version number for the key.
type key_type
Specifies whether the key is a des (data encryption standard) key or a plain key.
noprivacySpecifies that key tables are sent over the network unencrypted.
localSpecifies that the remove operation operates on local files only.
The remove operation removes a member from a key table. The argument is a list of names of key tables from which to remove members. The value of the required member option is a list of names of principals to be removed from the key tables listed in the argument. The two options version and type can be used to limit the keys removed. If either or both of these options is present, then only keys matching the values of these options are removed. The value of the version option can be a list of version numbers. This operation returns an empty string on success.
Privileges Required
You must have x (execute) permission to the keytab object on the host.
Examples
The following example removes all des keys for principal D_Britt:
dcecp> keytab remove /.:/hosts/jimbo/config/keytab/self -member D_Britt -type des dcecp>
keytab show
Returns an attribute list of the key table entries specified in the argument. The syntax is as follows:
keytab show keytab_name_list [entry | members ]
[keys ] [ktname residual_keytab_name] [noprivacy ] [local ]
Options
entryReturns only the configuration information that dced keeps, not the actual key table data.
membersSpecifies that only the data attribute of each entry be returned.
keysReturns the actual values of keys.
noprivacySpecifies that key tables are sent over the network unencrypted.
ktname residual_keytab_name
Specifies the keytab object for which to list entries. If you use this option, you must specify keytab_name_list as a string binding. See Arguments for more information about specifying a string binding for keytab_name_list.
localSpecifies that the show operation operates on local files only.
The show operation returns an attribute list of the key tables specified in the argument. The argument is a list of names of key tables. If the operation is called without the entry option, the data attribute is not returned. If the optional members option is given, only the value of the data attribute is returned (a list of keys). Keys are not normally returned unless the keys option is used. If the argument is a list, the output is concatenated and a blank line inserted between key tables. The ktname option is used to identify the specific key table to operation on, but only when the argument is a string binding representing a key table, not the fully qualified key table name.
Privileges Required
You must have r (read) permission to the keytab object on the host.
Examples
dcecp> keytab show /.:/hosts/medusa/config/keytab/radiology -members
{melman des 1}
{melman plain 3}
{pwang des 2}
dcecp>
Related Information
Commands: dcecp(8dce), dced(8dce), xattrschema(8dce).