WALLET-REKEY(1) wallet WALLET-REKEY(1)

wallet-rekey - Client for rekeying a Kerberos keytab using wallet

wallet-rekey [-hv] [-c command] [-k principal]
[-p port] [-s server] [-u principal] [keytab ...]

wallet-rekey is a specialized client for the wallet system used to rekey a Kerberos keytab by downloading new keytab objects from wallet for each principal found in the keytab. For each keytab file listed on the command line, it walks through the principals in that keytab, finds all from the local default realm, requests new wallet keytab objects for each principal (removing the realm when naming the keytab), and merges the new keys into the keytab.

If an error occurs, wallet-rekey continues to rekey all principals that it can, producing error messages for those that it cannot rekey.

If no keytab file name is given on the command line, wallet-rekey attempts to rekey /etc/krb5.keytab, the system default keytab file.

The new keys are merged into the existing keytab file, but old keys are not removed. This means that, over time, the keytab will grow and accumulate old keys, which eventually should no longer be honored. Administrators may want to run:

    kadmin -q 'ktremove -k <keytab> <principal> old'

for MIT Kerberos, where <keytab> is the path to the keytab and <principal> is a principal in the keytab (repeating the command for each principal) or:

    ktutil -k <keytab> purge

for Heimdal. The Heimdal command can be run by any user with access to the keytab, but the MIT Kerberos command unfortunately has to be run by a someone with direct kadmin access. This functionality will eventually be provided by wallet-rekey directly.

The command prefix (remctl type) to use. Normally this is an internal implementation detail and the default ("wallet") should be fine. It may sometimes be useful to use a different prefix for testing a different version of the wallet code on the server. This option can also be set in krb5.conf; see CONFIGURATION below.
The service principal of the wallet server. The default is to use the "host" principal for the wallet server. The principal chosen must match one of the keys in the keytab used by remctld on the wallet server. This option can also be set in krb5.conf; see CONFIGURATION below.
Display a brief summary of options and exit. All other valid options and commands are ignored.
The port to connect to on the wallet server. The default is the default remctl port. This option can also be set in krb5.conf; see CONFIGURATION below.
The wallet server to connect to. The default may be set when compiling the wallet client. If it isn't, either -s must be given or the server must be set in krb5.conf. See CONFIGURATION below.
Rather than using the user's existing ticket cache for authentication, authenticate as principal first and use those credentials for authentication to the wallet server. wallet will prompt for the password for principal. Non-password authentication methods such as PKINIT aren't supported; to use those, run kinit first and use an existing ticket cache.
Display the version of the wallet client and exit. All other valid options and commands are ignored.

The wallet system, including wallet-rekey, can optionally be configured in the system krb5.conf. It will read the default krb5.conf file for the Kerberos libraries with which it was compiled. To set an option, put the option in the [appdefaults] section. wallet-rekey will look for options either at the top level of the [appdefaults] section or in a subsection named "wallet". For example, the following fragment of a krb5.conf file would set the default port to 4373 and the default server to "wallet.example.org".

    [appdefaults]
        wallet_port = 4373
        wallet = {
            wallet_server = wallet.example.org
        }

The supported options are:

The service principal of the wallet server. The default is to use the "host" principal for the wallet server. The principal chosen must match one of the keys in the keytab used by remctld on the wallet server. The -k command-line option overrides this setting.
The port to connect to on the wallet server. The default is the default remctl port. The -p command-line option overrides this setting.
The wallet server to connect to. The -s command-line option overrides this setting. The default may be set when compiling the wallet client. If it isn't, either -s must be given or this parameter must be present in in krb5.conf.
The command prefix (remctl type) to use. Normally this is an internal implementation detail and the default ("wallet") should be fine. It may sometimes be useful to use a different prefix for testing a different version of the wallet code on the server. The -c command-line option overrides this setting.

Russ Allbery <eagle@eyrie.org>

Copyright 2010, 2013 The Board of Trustees of the Leland Stanford Junior University

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any warranty.

SPDX-License-Identifier: FSFAP

kadmin(8), kinit(1), krb5.conf(5), remctl(1), remctld(8), wallet(1)

This program is part of the wallet system. The current version is available from <https://www.eyrie.org/~eagle/software/wallet/>.

wallet-rekey uses the remctl protocol. For more information about remctl, see <https://www.eyrie.org/~eagle/software/remctl/>.

2024-04-30 1.5