oracular (8) keytab-backend.8.gz

Provided by: krb5-keytab-backend_1.5-1.1_all

NAME

       keytab-backend - Extract keytabs from the KDC without changing the key

SYNOPSIS

       keytab-backend retrieve principal

DESCRIPTION

       keytab-backend retrieves a keytab for an existing principal from the KDC database without
       changing the current key.  It allows generation of a keytab for a service without rekeying
       that service.  It requires a kadmin.local patched to support the -norandkey option to
       ktadd.

       This script is intended to run under remctld.  On success, it prints the keytab to
       standard output, logs a success message to syslog (facility auth, priority info), and
       exits with status 0.  On failure, it prints out an error message, logs an error to syslog
       (facility auth, priority err), and exits with a non-zero status.

       The principal is checked for basic sanity (only accepting alphanumerics, "_", and "-" with
       an optional instance and then only alphanumerics, "_", "-", and "." in the realm) and then
       checked against a configuration file that lists regexes of principals that can be
       retrieved.  When deploying this software, limit as tightly as possible which principals
       can be downloaded in this fashion.  Generally only shared service principals used on
       multiple systems should be made available in this way.

       keytab-backend does not do any authorization checks.  Those should be done by remctld
       before it is called.

FILES

       /etc/krb5kdc/allow-extract
           The configuration file that controls which principals can have their keytabs
           retrieved.  Blank lines and lines starting with "#", as well as anything after "#" on
           a line, are ignored.  All other lines should be Perl regular expressions, one per
           line, that match principals whose keytabs can be retrieved by keytab-backend.  Any
           principal that does not match one of those regular expressions cannot be retrieved.
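The two checks described above (the principal syntax check in DESCRIPTION and the allow-extract regex lookup), written out as an added Python example; this is not the script's own code, which is Perl. It assumes the realm is optional and that "." is permitted in the instance (the page's wording is ambiguous on both), and applies each pattern with Perl's unanchored match semantics, so the constructed sample configuration anchors every pattern explicitly.

```python
import re

# Constructed sample of /etc/krb5kdc/allow-extract.  Blank lines, lines starting
# with "#", and anything after "#" on a line are ignored; every other line is a
# regex.  A consequence worth knowing: a pattern can never contain a literal "#".
SAMPLE_ALLOW_EXTRACT = r"""
# Shared service principals only.  Anchor every pattern, since an unanchored
# regex like nfs/ would also admit nfs/anything-else.
^HTTP/www\.example\.com@EXAMPLE\.COM$    # load-balanced web cluster
^nfs/fs[0-9]+\.example\.com@EXAMPLE\.COM$

"""

# Principal syntax as the page describes it: a primary of [A-Za-z0-9_-], an
# optional "/instance", and a realm of [A-Za-z0-9_.-].  Allowing "." in the
# instance and making the realm optional are assumptions of this example.
PRINCIPAL_RE = re.compile(
    r"^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_.-]+)?(?:@[A-Za-z0-9_.-]+)?$"
)

def sane_principal(principal: str) -> bool:
    """Reject anything outside the narrow principal syntax before it reaches kadmin."""
    return PRINCIPAL_RE.match(principal) is not None

def parse_allow_extract(text: str) -> list:
    """Strip comments and blank lines; compile each remaining line as a regex."""
    patterns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            patterns.append(re.compile(line))
    return patterns

def extraction_allowed(principal: str, patterns: list) -> bool:
    """True only if the principal is syntactically sane AND matches an allowed regex.

    re.search mirrors Perl's unanchored m// semantics; anchoring is the job of
    the configuration file, not the code.
    """
    if not sane_principal(principal):
        return False
    return any(p.search(principal) for p in patterns)

if __name__ == "__main__":
    allowed = parse_allow_extract(SAMPLE_ALLOW_EXTRACT)
    for name in ("HTTP/www.example.com@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"):
        print(name, "->", "allowed" if extraction_allowed(name, allowed) else "denied")
```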

       /var/lib/keytabs
           The temporary directory used for creating keytabs.  keytab-backend will create the
           keytab in this directory, make sure that was successful, and then delete the temporary
           file after the results have been sent to standard output.

AUTHOR

       Russ Allbery <eagle@eyrie.org>

       Copyright 2006-2008, 2010, 2013 The Board of Trustees of the Leland Stanford Junior
       University

       Permission is hereby granted, free of charge, to any person obtaining a copy of this
       software and associated documentation files (the "Software"), to deal in the Software
       without restriction, including without limitation the rights to use, copy, modify, merge,
       publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
       to whom the Software is furnished to do so, subject to the following conditions:

       The above copyright notice and this permission notice shall be included in all copies or
       substantial portions of the Software.

       THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
       INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
       PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
       FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
       OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
       DEALINGS IN THE SOFTWARE.

       SPDX-License-Identifier: MIT

SEE ALSO

       kadmin.local(8), remctld(8)

       This program is part of the wallet system.  The current version is available from
       <https://www.eyrie.org/~eagle/software/wallet/>.