dcecp_keytab man page on HP-UX


keytab(1m)							    keytab(1m)

NAME
       keytab - A dcecp object that manages server passwords on DCE hosts

SYNOPSIS
       keytab add keytab_name_list -member principal_name_list {-key plain_key
       -version key_version [-registry] | -random -registry [-version key_ver‐
       sion] } [-ktname residual_keytab_name] [-noprivacy] [-local]

       keytab catalog [host_name_list] [-simplename] [-noprivacy] [-local]

       keytab  create keytab_name_list {-attribute attribute_list | -attribute
       value} [-ktname residual_keytab_name] [-entry] [-noprivacy] [-local]

       keytab delete keytab_name_list [-entry]	[-noprivacy]  [-ktname	resid‐
       ual_keytab_name] [-local]

       keytab help [operation | -verbose]

       keytab	 list	 keytab_name_list    [-noprivacy]    [-ktname	resid‐
       ual_keytab_name] [-local]

       keytab operations

       keytab remove keytab_name_list  -member	principal_name_list  [-version
       key_version_list]   [-type   key_type]	[-noprivacy]  [-ktname	resid‐
       ual_keytab_name] [-local]

       keytab show  keytab_name_list  [-entry  |  -members]  [-keys]  [-ktname
       residual_keytab_name] [-noprivacy] [-local]

ARGUMENTS
       host_name_list
              A list of one or more DCE host names specifying hosts for
              which to catalog key tables.  Host names can be in any of the
              following forms:

              /.:/hosts/hostname

              /.../cell_name/hosts/hostname

              hosts/hostname

              The name can also be a single string binding representing the
              host with which to communicate.  See keytab_name_list for more
              information.

       keytab_name_list
              A list of one or more names of key tables to operate on.  Key
              table names are similar to other dced objects, with the
              following form:

              /.../cell/hosts/hostname/config/keytab/name

              The name can also be a single string binding representing the
              host with which to communicate.  For example:

              {ncacn_ip_tcp 130.105.1.227}

              A string binding is useful when the name service is not
              operating and cannot translate the other forms of host names.
              If you supply a single string binding, you must use the
              -ktname option to specify the object's residual name.

       operation
              The name of the keytab operation for which to display help
              information.

DESCRIPTION
       The keytab object represents key tables (usually files) that store
       server keys (and key version numbers) on hosts.  These key tables are
       manipulated remotely by using dced.  The keys are considered members
       of the key table container.  The keytab names are in the form:

       /.../cell_name/hosts/hostname/config/keytab/name

       A key table has a set of keys.  Each key contains a principal name,
       type, version, and value.  The value can be created and changed, but
       is never shown on output.  Removal of a key is based on the name,
       type, and version number.  The syntax of a key is a list of
       principal_name, type (plain or des), version (a non-negative
       integer), and value.  The value of a des key is 64 bits long and can
       be represented in dcecp as an Extended Registry Attribute (ERA) of
       type byte (refer to the xattrschema attributes for details).  The
       value is valid on input, but is not displayed on output so that keys
       are not shown on the screen.  For example:

       melman des 1 key1

       melman plain 3 key2

       Multiple keys for the same principal are displayed as separate keys.

ATTRIBUTES
       uuid   A Universal Unique Identifier (UUID) that is the internal
              identifier for the key table's configuration information kept
              by dced.  If the UUID is not specified when the key table is
              created, one is generated automatically.  This attribute
              cannot be modified after it is created.

       annotation
              A human-readable comment field in Portable Character Set (PCS)
              format.  This attribute cannot be modified after creation.  It
              defaults to a null string (that is, blank).

       storage
              The name of the key table (usually a filename).  It is
              required and may not be modified after creation.

       data   The contents of the key table.  Represented as a list of keys.

       See  the OSF DCE Administration Guide for more information about keytab
       attributes.

OPERATIONS
   keytab add
       Adds members to a key table.  The syntax is as follows:

       keytab add keytab_name_list -member principal_name_list {-key plain_key
       -version key_version [-registry] | -random -registry [-version
       key_version]} [-ktname residual_keytab_name] [-noprivacy] [-local]

       Options

       -member principal_name_list
              List of principal names to be added to each key table in the
              argument.

       -registry
              Updates the principal's key in the registry as well as on the
              host.  Required if the -random option is used.

       -random
              Generates a random des key.  Cannot be used with the -key
              option.

       -key plain_key
              Specifies a key explicitly.  Cannot be used with the -random
              option.

       -version key_version
              Specifies a version number for the key.  Required if the
              -registry option is not used.

       -ktname residual_keytab_name
              Specifies the keytab object to add members to.  If you use
              this option, you must specify keytab_name_list as a string
              binding.  See ARGUMENTS for more information about specifying
              a string binding for keytab_name_list.

       -local Specifies that the add operation operates on local files only.

       -noprivacy
              Specifies that key tables are sent over the network
              unencrypted.

       The add operation adds members to key tables.  The argument is  a  list
       of  names of key tables to which members should be added.  The required
       -member option lists principal names to be added to each key  table  in
       the  keytab_name_list  argument.	 If the principals named do not exist,
       the command will return an error.  The operation	 adds  each  principal
       name and its key to the key table.

       Use  either  the -random option to have dcecp generate a random des key
       or the -key option to specify a plain key  explicitly.	The  same  key
       (whether	 specified  or	randomly generated) is used for all principals
       being added to all key tables.  The -registry option updates the	 prin‐
       cipal's	key  in	 the  key  table  and in the registry.	The  -registry
       option is required if -random is used.  The -version  option  specifies
       the  version  number  of the key.  You must specify either -registry or
       -version or both on any keytab add command.  The -ktname option is used
       to identify the specific key table to operate on, but only when the
       argument is a string binding representing a host, not the fully	quali‐
       fied  key  table	 name.	This operation returns an empty string on suc‐
       cess.

       Privileges Required

       You must have a (auth_info) permission to the keytab object.

       Examples

       dcecp> keytab add /.:/hosts/medusa/config/keytab/radiology \
       > -member melman -random -registry
       dcecp>

       dcecp> keytab add /.:/hosts/medusa/config/keytab/radiology \
       > -member melman -key yrrebnesor
       dcecp>

       dcecp> keytab add ncacn_ip_tcp:15.22.24.145 -ktname radiology \
       > -member melman -random -registry
       dcecp>
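
       The option rules stated above for keytab add can be checked before a
       command is run.  The following is an added example, not part of the
       HP-UX or OSF documentation: a pre-flight check for scripted keytab add
       lines.  The function name, the message texts, and the rule that any
       name not starting with "/" is a string binding are assumptions.

```python
import shlex

# Option spellings are taken from the SYNOPSIS of `keytab add` above.
VALUE_OPTS = {"-member", "-key", "-version", "-ktname"}
FLAG_OPTS = {"-random", "-registry", "-noprivacy", "-local"}

# Constructed sample command lines (the key value is a placeholder).
SAMPLES = [
    "keytab add ncacn_ip_tcp:15.22.24.145 -ktname radiology "
    "-member melman -random -registry",
    'keytab add /.:/hosts/medusa/config/keytab/radiology '
    '-member "melman danahy" -key s3cret -random -noprivacy',
]

def check_keytab_add(line):
    """Return findings for one `keytab add` line: "error:" entries break a
    rule stated in the text, "risk:" entries are valid but worth review."""
    words = shlex.split(line)
    if words[:2] != ["keytab", "add"]:
        raise ValueError("not a keytab add command")
    opts, names, i = {}, [], 2
    while i < len(words):
        w = words[i]
        if w in VALUE_OPTS and i + 1 < len(words):
            opts[w] = words[i + 1]
            i += 2
            continue
        if w in FLAG_OPTS:
            opts[w] = True
        elif w.startswith("-"):
            return ["error: unknown or incomplete option " + w]
        else:
            names.append(w)
        i += 1

    out = []
    if "-member" not in opts:
        out.append("error: -member is required")
    if "-random" in opts and "-key" in opts:
        out.append("error: -random cannot be used with -key")
    elif "-random" not in opts and "-key" not in opts:
        out.append("error: one of -random or -key is required")
    if "-random" in opts and "-registry" not in opts:
        out.append("error: -random requires -registry")
    if "-registry" not in opts and "-version" not in opts:
        out.append("error: -registry or -version (or both) is required")
    # Assumption: a name that does not start with "/" is a string binding.
    bindings = [n for n in names if not n.startswith("/")]
    if "-ktname" in opts and len(bindings) != len(names):
        out.append("error: -ktname needs a string binding, not a keytab name")
    if bindings and "-ktname" not in opts:
        out.append("error: a string binding needs -ktname")
    if "-noprivacy" in opts:
        out.append("risk: key table sent over the network unencrypted")
    # The same key is used for every principal in every listed key table.
    targets = len(opts.get("-member", "").split()) * max(len(names), 1)
    if targets > 1:
        out.append("risk: one key shared by %d principal/keytab pairs" % targets)
    return out

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_keytab_add(sample) or "ok")
```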

   keytab catalog
       Returns a list of the names of all key tables on the specified host.
       The syntax is as follows:

       keytab catalog [host_name_list] [-simplename] [-noprivacy] [-local]

       Options

       -simplename
              Returns key table names without prepending the cell name.

       -noprivacy
              Specifies the key tables sent over the network are not
              encrypted.

       -local Specifies that the catalog operation operates on local files
              only.

       The  catalog operation returns a list of the names of all key tables on
       the host specified in the argument.  The argument can be a list of  one
       or  more	 host names or a single string binding that identifies a host.
       If a host name is not specified, the current  host  is  used.   If  the
       argument	 is  a	list, the output is concatenated.  The return order is
       arbitrary.

       Privileges Required

       You must have r (read) permission to the keytab object on the host.

       Examples

       dcecp> keytab catalog
       /.../pokey/hosts/jimbo/config/keytab/self
       dcecp>

   keytab create
       Creates a key table.  The syntax is as follows:

       keytab create keytab_name_list {-attribute attribute_list | -attribute
       value} [-ktname residual_keytab_name] [-entry] [-noprivacy] [-local]

       Options

       -attribute value
              As an alternative to using the -attribute option with an
              attribute list, you can specify individual attribute options
              by prepending a hyphen (-) to any attributes listed in the
              ATTRIBUTES section of this reference page.

       -attribute attribute_list
              Allows you to specify attributes by using an attribute list
              rather than individual attribute options.  The format of an
              attribute list is as follows:

              {{attribute value}...{attribute value}}

       -ktname residual_keytab_name
              Specifies the keytab object to create.  If you use this
              option, you must specify keytab_name_list as a string binding.
              See ARGUMENTS for more information about specifying a string
              binding for keytab_name_list.

       -local Specifies that the create operation operates on local files
              only.

       -noprivacy
              Specifies that key tables are sent over the network
              unencrypted.

       The  create  operation  creates a key table.  The argument is a list of
       names of key tables to be created.  The	command	 takes	an  -attribute
       option  to  specify  configuration  information	for dced.  The -ktname
       option is used to identify the specific key table to operate on, but
       only when the argument is a string binding representing a host, not the
       fully qualified key table name.	The contents of the key table  can  be
       specified  via  the data attribute.  The value of the option is applied
       to all elements of the argument list.  This operation returns an	 empty
       string on success.

       The value of the data attribute, if specified, is a list of keys.  Each
       key must have a principal name and key type.  The version is  optional;
       if  it is not present, the system generates a version of 1.  If the key
       type is plain, a key value must be specified.  If the key type  is  des
       and a key value is not specified, one will be randomly generated.

       Privileges Required

       You must have i (insert) permission to the keytab object on the host.

       Examples

       The following example creates two keys for user melman and one key for
       danahy on host medusa.  One of melman's keys is an automatically
       generated Data Encryption Standard (DES) key.  Both melman's second
       key and danahy's key are manually entered keys.

       dcecp> keytab create /.:/hosts/medusa/config/keytab/radiology -attribute { \
       > {{storage /opt/dcelocal/keys/radiology} {data {{melman des} \
       > {melman plain 3 key2} {danahy des 2 key3}}}}
       dcecp>

       dcecp> keytab create ncacn_ip_tcp:15.22.24.145 -ktname radiology \
       > -storage /tmp/keys/radiology -data {melman plain 3 key2}
       dcecp>

   keytab delete
       Deletes a key table entry and its data.  The syntax is as follows:

       keytab delete keytab_name_list [-entry] [-noprivacy] [-ktname
       residual_keytab_name] [-local]

       Options

       -entry Specifies that only the configuration information that dced
              keeps is deleted, not the actual key table.

       -ktname residual_keytab_name
              Specifies the keytab object to delete.  If you use this
              option, you must specify keytab_name_list as a string binding.
              See ARGUMENTS for more information about specifying a string
              binding for keytab_name_list.

       -noprivacy
              Specifies that key tables are sent over the network
              unencrypted.

       -local Specifies that the delete operation operates on local files
              only.

       The delete operation deletes a key table entry and its data.  The argu‐
       ment is a list of names of key table entries to be deleted in the order
       specified.  If the -entry option is  present,  only  the	 configuration
       information  that dced keeps is deleted, not the actual key table.  The
       -ktname option is used to identify the specific key table to operate
       on, but only when the argument is a string binding representing a host,
       not the fully qualified key table  name.	  This	operation  returns  an
       empty string on success.

       Privileges Required

       You  must  have d (delete) permission to the keytab object.  If you are
       removing the key table, you must have D (Delete_object)	permission  to
       the keytab object as well.

       Examples

       dcecp> keytab delete /.:/hosts/medusa/config/keytab/radiology
       dcecp>

       dcecp> keytab delete ncacn_ip_tcp:15.22.24.145 -ktname radiology
       dcecp>

   keytab help
       Returns help information about the keytab object and its operations.
       The syntax is as follows:

       keytab help [operation | -verbose]

       Options

       -verbose
              Displays information about the keytab object.

       Used without an argument or option, the	keytab	help  command  returns
       brief  information about each keytab operation.	The optional operation
       argument is the name of an operation  about  which  you	want  detailed
       information.   Alternatively,  you can use the -verbose option for more
       detailed information about the keytab object itself.

       Privileges Required

       No special privileges are needed to use the keytab help command.

       Examples

       dcecp> keytab help
       add                 Adds keys into a key table.
       catalog             Returns the list of key table names.
       create              Creates a new key table entry and its keys.
       delete              Deletes a key table and its associated data.
       list                Lists all principals in a specified key table.
       remove              Removes keys from a key table.
       show                Returns the list of keys of a key table.
       help                Prints a summary of command-line options.
       operations          Returns a list of the valid operations for this command.
       dcecp>

   keytab list
       Returns a list of all the principals in the specified key table.  The
       syntax is as follows:

       keytab list keytab_name_list [-noprivacy] [-ktname
       residual_keytab_name] [-local]

       Options

       -ktname residual_keytab_name
              Specifies the keytab object to list.  If you use this option,
              you must specify keytab_name_list as a string binding.  See
              ARGUMENTS for more information about specifying a string
              binding for keytab_name_list.

       -noprivacy
              Specifies that key tables are sent over the network
              unencrypted.

       -local Specifies that the list operation operates on local files only.

       The list operation returns a list of all the principals in  the	speci‐
       fied key table.	If the argument is a list of key table names, the out‐
       put is concatenated and a blank line inserted between key tables.   The
       -ktname option is used to identify the specific key table to operate
       on, but only when the argument is a string binding representing a host,
       not the fully qualified key table name.

       Privileges Required

       You must have r (read) permission to the keytab object on the host.

       Examples

       dcecp> keytab list /.:/hosts/medusa/config/keytab/self
       /.../mycell/hosts/medusa/self
       /.../mycell/hosts/medusa/cds-server
       /.../mycell/hosts/medusa/cds-server
       dcecp>

       dcecp> keytab list ncacn_ip_tcp:15.22.24.145 -ktname self
       /.../mycell/hosts/medusa/self
       /.../mycell/hosts/medusa/cds-server
       /.../mycell/hosts/medusa/cds-server
       dcecp>

   keytab operations
       Returns a list of the operations supported by the keytab object.  The
       syntax is as follows:

       keytab operations

       The list of available operations is in alphabetical  order  except  for
       help and operations, which are listed last.

       Privileges Required

       No special privileges are needed to use the keytab operations command.

       Examples

       dcecp> keytab operations
       add catalog create delete list remove show help operations
       dcecp>

   keytab remove
       Removes a member from a key table.  The syntax is as follows:

       keytab remove keytab_name_list -member principal_name_list [-version
       key_version_list] [-type key_type] [-noprivacy] [-ktname
       residual_keytab_name] [-local]

       Options

       -member principal_name_list
              Specifies a list of one or more principal names of members to
              be removed from the key table.

       -version key_version_list
              Specifies a version number for the key.

       -type key_type
              Specifies whether the key is a des (data encryption standard)
              key or a plain key.

       -ktname residual_keytab_name
              Specifies the keytab object to use during the remove
              operation.  If you use this option, you must specify
              keytab_name_list as a string binding.  See ARGUMENTS for more
              information about specifying a string binding for
              keytab_name_list.

       -noprivacy
              Specifies that key tables are sent over the network
              unencrypted.

       -local Specifies that the remove operation operates on local files
              only.

       The remove operation removes members from a key table.  The argument is
       a list of names of key tables from which to remove members.  The	 value
       of  the	required -member option is a list of names of principals to be
       removed from the key tables listed in the argument.  The	 -version  and
       -type options can be used to limit the keys removed.  If either or both
       of these options is present, then only  keys  matching  the  values  of
       these  options  are removed.  The value of the -version option can be a
       list of version numbers.	 The -ktname option is used  to	 identify  the
       specific key table to operate on, but only when the argument is a
       string binding representing a host, not the fully qualified  key	 table
       name.  This operation returns an empty string on success.

       Privileges Required

       You must have x (execute) permission to the keytab object on the host.

       Examples

       The following examples remove all des keys for principal D_Britt:

       dcecp> keytab remove /.:/hosts/jimbo/config/keytab/self -member D_Britt -type des
       dcecp>

       dcecp> keytab remove ncacn_ip_tcp:15.22.24.145 -ktname self -member D_Britt -type des
       dcecp>

   keytab show
       Returns an attribute list of the key table entries specified in the
       argument.  The syntax is as follows:

       keytab show keytab_name_list [-entry | -members] [-keys] [-ktname
       residual_keytab_name] [-noprivacy] [-local]

       Options

       -entry Returns only the configuration information that dced keeps,
              not the actual key table data.

       -members
              Specifies that only the data attribute of each entry be
              returned.

       -keys  Returns the actual values of keys.

       -noprivacy
              Specifies that key tables are sent over the network
              unencrypted.

       -ktname residual_keytab_name
              Specifies the keytab object for which to show information.  If
              you use this option, you must specify keytab_name_list as a
              string binding.  See ARGUMENTS for more information about
              specifying a string binding for keytab_name_list.

       -local Specifies that the show operation operates on local files only.

       The  show  operation returns an attribute list of the key tables speci‐
       fied in the argument.  The argument is a list of names of  key  tables.
       If  the	operation  is  called  without	the  -entry  option,  the data
       attribute is not returned.  If the optional -members option  is	given,
       only  the  value	 of  the  data attribute is returned (a list of keys).
       Keys are not normally returned unless the -keys option is used.	If the
       argument	 is  a	list,  the  output  is	concatenated  and a blank line
       inserted between key tables.  The -ktname option is  used  to  identify
       the specific key table to operate on, but only when the argument is a
       string binding representing a host, not the fully qualified  key	 table
       name.

       Privileges Required

       You must have r (read) permission to the keytab object on the host.

       Examples

       dcecp> keytab show /.:/hosts/medusa/config/keytab/radiology -members
       {melman des 1}
       {melman plain 3}
       {danahy des 2}
       dcecp>

       dcecp> keytab show ncacn_ip_tcp:15.22.24.145 -ktname radiology -members
       {melman des 1}
       {melman plain 3}
       {danahy des 2}
       dcecp>

RELATED INFORMATION
       Commands: dcecp(1m), dcecp_xattrschema(1m), dced(1m).
