Name
ktadd — Adding keys into keytabs
Synopsis
ktadd [-k keytab] [-e keysaltlist] principal-name | -glob glob-pattern
Aliases
xst
The ktadd
command creates
a random key for a principal or set of principals in the Kerberos
database, and returns those keys to the client so that they can be
saved into a keytab file on the client machine. This command is
used to create keytabs for service and host principals in a
Kerberos realm.
Note that ktadd
does not
extract the current key from the Kerberos database; it instead
creates a new, random key and returns it, incrementing the key
version number to indicate that a new key has been generated. This
is a deliberate design decision, as it prevents a rogue
administrator from simply dumping the entire Kerberos database
through kadmin. It also means that the old keys or passwords
assigned to this principal will no longer be valid once ktadd
is run on the principal, and you
cannot run ktadd
from more than
one system on the same principal since they will receive different
keys.
Optional parameters include -k
to specify the path to the keytab
file to append to; the default is the system keytab file in
/etc/krb5.keytab. You can also specify the
-e
option to indicate the list
of encryption keys and salts to use when creating and extracting
the new key.
The ktadd
command
requires that the administrator have I
and C
permissions on the principals that she
is adding to the keytab.
Example
kadmin: ktadd -k /tmp/key host/slave.wedgie.org@WEDGIE.ORG Entry for principal ...
Get Kerberos: The Definitive Guide now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.