From 9cbafd7320b8023ea8c6ea89643803bd021adda5 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Fri, 26 May 2023 23:52:07 -0500
Subject: [PATCH] kadmin: Add missing options to kadmin(1) page (fix #1118)
---
 kadmin/kadmin-commands.in | 2 +-
 kadmin/kadmin.1 | 81 ++++++++++++++++++++++++++++++++++++---
 2 files changed, 76 insertions(+), 7 deletions(-)
diff --git a/kadmin/kadmin-commands.in b/kadmin/kadmin-commands.in
index db9c4415e..0872b47a4 100644
--- a/kadmin/kadmin-commands.in
+++ b/kadmin/kadmin-commands.in
@@ -498,7 +498,7 @@ command = {
 long = "krb5-config-file"
 short = "C"
 type = "string"
-help = "filename to save the principal's krb5.confg in"
+help = "filename to save the principal's krb5.conf in"
 }
 option = {
 long = "upto"
diff --git a/kadmin/kadmin.1 b/kadmin/kadmin.1
index ded599794..42ccad739 100644
--- a/kadmin/kadmin.1
+++ b/kadmin/kadmin.1
@@ -114,6 +114,7 @@ Commands include:
 .Op Fl Fl expiration-time= Ns Ar time
 .Op Fl Fl pw-expiration-time= Ns Ar time
 .Op Fl Fl policy= Ns Ar policy-name
+.Op Fl Fl use-defaults
 .Ar principal...
 .Bd -ragged -offset indent
 Adds a new principal to the database. The options not passed on the
@@ -139,6 +140,13 @@ behavior is the default if none of these are given.
 The only policy supported by Heimdal servers is
 .Ql default .
 .Pp
+If some parameters are not given then they will be prompted for
+unless the
+.Fl Fl use-defaults
+option is given, in which case defaults will be taken from the
+principal named
+.Dq default .
+.Pp
 This command has the following aliases:
 .Nm ank ,
 .Nm add_new_key .
@@ -305,10 +313,12 @@ enctypes.
 .Ed
 .Pp
 .Nm prune
-.Ar principal [kvno]
+.Oo Fl Fl kvno= Ns Ar number
+.Oc
+.Ar principal
 .Bd -ragged -offset indent
 Deletes the named principal's keys of the given kvno. If a kvno is
-not given then this deletes all the named principals keys that are
+not given then this deletes all the named principal's keys that are
 too old to be needed for decrypting tickets issued using those keys
 (i.e., any such tickets are necessarily expired). The determination
 of "too old" is made using the max-ticket-life attribute of the
@@ -319,6 +329,7 @@ principals, those are not consulted here.
 .Pp
 .Nm ext_keytab
 .Oo Fl k Ar keytab \*(Ba Xo
+.Op Fl Fl random-key
 .Op Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall
 .Op Fl Fl enctypes= Ns Ar string
 .Fl Fl keytab= Ns Ar string
@@ -329,6 +340,12 @@ principals, those are not consulted here.
 Creates a keytab with the keys of the specified principals. Requires
 get-keys rights, otherwise the principal's keys are changed and saved
 in the keytab.
+.Pp
+If the
+.Fl Fl random-key
+option is given then new randomly-generated keys will be set on
+the principal.
+.Pp
 If enctypes to use are not given, then the
 .Ar [libdefaults] supported_enctypes
 configuration parameter will be used on the client side to select
@@ -355,11 +372,17 @@ behavior is the default if none of these are given.
 .Op Fl t | Fl Fl terse
 .Op Fl o Ar string | Fl Fl column-info= Ns Ar string
 .Op Fl C Ar path | Fl Fl krb5-config-file= Ns Ar path
+.Op Fl Fl upto= Ns Ar number
 .Ar principal...
 .Bd -ragged -offset indent
 Lists the matching principals, short prints the result as a table,
-while long format produces a more verbose output. Which columns to
-print can be selected with the
+while long format produces a more verbose output.
+If the
+.Fl Fl upto= Ns Ar number
+option is given, then only up to that many principals will be
+listed.
+.Pp
+Which columns to print can be selected with the
 .Fl o
 option. The argument is a comma separated list of column names
 optionally appended with an equal sign
@@ -413,6 +436,9 @@ and
 .Op Fl Fl kvno= Ns Ar number
 .Op Fl Fl policy= Ns Ar policy-name
 .Op Fl Fl alias= Ns Ar alias-name
+.Op Fl Fl constrained-delegation= Ns Ar principal-name
+.Op Fl Fl pkinit-acl= Ns Ar subject-name
+.Op Fl Fl service-enctypes= Ns Ar enctype
 .Op Fl C Ar path | Fl Fl krb5-config-file= Ns Ar path
 .Ar principal...
 .Bd -ragged -offset indent
@@ -471,6 +497,30 @@ Attributes may be negated with a "-", e.g.,
 .Pp
 kadmin -l modify -a -disallow-proxiable user
 .Pp
+The
+.Fl Fl constrained-delegation= Ns Ar principal-name
+option is not currently implemented.
+.Pp
+The
+.Fl Fl pkinit-acl= Ns Ar subject-name
+option authorizes clients with certificates with the given
+subject distinguished name to get tickets for the principal using
+PKINIT.
+This option can be given multiple times.
+The PKINIT ACLs set with this option will replace the existing
+ones.
+.Pp
+The
+.Fl Fl service-enctypes= Ns Ar enctype
+option indicates that the service supports the given enctype
+regardless of whether the service has long-term keys of that
+enctype.
+This option can be given multiple times and will replace the
+existing set of enctypes supported by the service.
+If a service principal does not have any supported enctypes then
+the KDC will assume that it supports only the enctypes of all of
+its long-term keys.
+.Pp
 This command has the following alias:
 .Nm mod .
 .Ed
@@ -588,10 +638,17 @@ Heimdal format.
 .Nm init
 .Op Fl Fl realm-max-ticket-life= Ns Ar string
 .Op Fl Fl realm-max-renewable-life= Ns Ar string
+.Op Fl Fl bare
 .Ar realm
 .Bd -ragged -offset indent
-Initializes the Kerberos database with entries for a new realm. It's
-possible to have more than one realm served by one server.
+Initializes the Kerberos database with entries for a new realm.
+It's possible to have more than one realm served by one server
+with the same database.
+.Pp
+If the
+.Fl Fl bare
+option is given, then only the root krbtgt principal for that
+realm will be created.
 .Ed
 .Pp
 .Nm load
@@ -620,9 +677,21 @@ but just modifies the database with the entries in the dump file.
 .Oc
 .Op Fl Fl convert-file
 .Op Fl Fl master-key-fd= Ns Ar fd
+.Op Fl Fl random-password
 .Bd -ragged -offset indent
 Writes the Kerberos master key to a file used by the KDC.
 .Pp
+If the
+.Fl Fl convert-file
+option is given then convert an existing file to the new format.
+If the
+.Fl Fl master-key-fd= Ns Ar fd
+option is given the the password will be read from the given file
+descriptor.
+If the
+.Fl Fl random-password
+option is given then a password will be generated randomly.
+.Pp
 This command has the following alias:
 .Nm kstash .
 .Ed