rekeymgr - Manage Kerberos principal rekeying
rekeymgr [-k keytab] [-r realm] [-s server] [-P serverprinc] [-d|-D] [-A|-N] command args...
rekeymgr is used to manage automatic Kerberos principal rekeying. The rekey process is coordinated by rekeyd(8), which generates new keys, tracks rekey operations in progress, and provides new keys to clients when appropriate. Administrators use rekeymgr to manage these operations.
Additionally, rekeymgr's key subcommand may be used by ordinary service principals to perform a safe one-shot rekey operation.
- -k keytab
-
Specifies the keytab into which downloaded keys should be stored, instead of the Kerberos default keytab. This option is used only with the key command.
- -r realm
-
Specifies the realm in which rekeying is done. This is currently used only to determine the default server name when -s is not given.
- -s server
-
Specifies the hostname of the rekey server. The default is to form a hostname by prepending "rekey." to the realm name specified via the -r option, or to the default realm if -r is not given.
- -P serverprinc
-
Specifies the Kerberos service principal name of the rekey server. If '
-' is given, the rekey server's host principal is used. The default is @def_rekey_service@ - -d
-
Instruct the server to generate only single-DES keys. This option is used only with the start and key commands.
- -D
-
Instruct the server to generate DES keys. This option is used only with the start and key commands, and is implied by -d.
- -A
-
Instruct the server to generate keys compatible with older Kerberos implementations. Currently, this means using only enctypes not newer than DES3-CBC-SHA1. Not compatible with -N
- -N
-
Instruct the server to generate keys compatible with newer Kerberos implementations. Currently, this means using only enctypes newer than DES3-CBC-SHA1. Not compatible with -A
Begin a new rekey cycle for principal, distributing new keys to all of the listed hosts. This command may be used only by an administrator.
Show the status of an active rekey cycle for principal, if any. This lists all of the hosts to which the princpal's new keys will be distributed, along with an indication as to whether each host has yet downloaded the new key. This command may be used only by an administrator.
Abort an in-progress rekey cycle for principal. The temporary keys are discaded. This command may be used by an administrator or by the target principal.
Finalize an in-progress rekey cycle for principal. This commits the temporary keys to the Kerberos database. This operation can only be performed once all hosts have downloaded the new keys, and is generally needed only to force a retry when there has been a problem committing a change to the Kerberos database. This command may be used by an administrator or by the target principal.
Delete principal from the Kerberos database. This command may be used only by an administrator.
Perform a safe one-shot rekey of principal. A new key is generated, written to the keytab specified via the -k option (or the Kerberos default keytab), and then stored to the Kerberos database. This command is appropriate only when the key will be used only on a single host. It may be used by an administrator or by the target principal.
Because the server stores and compares principal names as strings, the principal name arguments for most subcommands must be in canonical form, including the realm. Failing to follow this rule will generally result in confusing errors.
There is currently no way to tell the server to use specific enctypes, and rekeymgr has no way to tell which enctypes may be supported by software using a given principal. Therefore, administrators must take care in requesting the appropriate key-generation mode.
getnewkeys(8), age_keytab(8), rekeysrv(8)
The rekey tools were written by Chaskiel Grundman.
Copyright (c) 2008-2021 Carnegie Mellon University.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
3. The name "Carnegie Mellon University" must not be used to
endorse or promote products derived from this software without
prior written permission. For permission or any other legal
details, please contact
Office of Technology Transfer
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213-3890
(412) 268-4387, fax: (412) 268-7395
[email protected]
4. Redistributions of any form whatsoever must retain the following
acknowledgment:
"This product includes software developed by Computing Services
at Carnegie Mellon University (http://www.cmu.edu/computing/)."
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.