Provided by: krb5-wallet-client_1.7_amd64 
NAME
wallet-rekey - Client for rekeying a Kerberos keytab using wallet
SYNOPSIS
wallet-rekey [-hv] [-c command] [-k principal]
[-p port] [-s server] [-u principal] [keytab ...]
DESCRIPTION
wallet-rekey is a specialized client for the wallet system used to rekey a Kerberos keytab by downloading
new keytab objects from wallet for each principal found in the keytab. For each keytab file listed on
the command line, it walks through the principals in that keytab, finds all from the local default realm,
requests new wallet keytab objects for each principal (removing the realm when naming the keytab), and
merges the new keys into the keytab.
If an error occurs, wallet-rekey continues to rekey all principals that it can, producing error messages
for those that it cannot rekey.
If no keytab file name is given on the command line, wallet-rekey attempts to rekey /etc/krb5.keytab, the
system default keytab file.
The new keys are merged into the existing keytab file, but old keys are not removed. This means that,
over time, the keytab will grow and accumulate old keys, which eventually should no longer be honored.
Administrators may want to run:
kadmin -q 'ktremove -k <keytab> <principal> old'
for MIT Kerberos, where <keytab> is the path to the keytab and <principal> is a principal in the keytab
(repeating the command for each principal) or:
ktutil -k <keytab> purge
for Heimdal. The Heimdal command can be run by any user with access to the keytab, but the MIT Kerberos
command unfortunately has to be run by a someone with direct kadmin access. This functionality will
eventually be provided by wallet-rekey directly.
OPTIONS
-c command
The command prefix (remctl type) to use. Normally this is an internal implementation detail and the
default ("wallet") should be fine. It may sometimes be useful to use a different prefix for testing
a different version of the wallet code on the server. This option can also be set in krb5.conf; see
CONFIGURATION below.
-k principal
The service principal of the wallet server. The default is to use the "host" principal for the
wallet server. The principal chosen must match one of the keys in the keytab used by remctld on the
wallet server. This option can also be set in krb5.conf; see CONFIGURATION below.
-h Display a brief summary of options and exit. All other valid options and commands are ignored.
-p port
The port to connect to on the wallet server. The default is the default remctl port. This option
can also be set in krb5.conf; see CONFIGURATION below.
-s server
The wallet server to connect to. The default may be set when compiling the wallet client. If it
isn't, either -s must be given or the server must be set in krb5.conf. See CONFIGURATION below.
-u principal
Rather than using the user's existing ticket cache for authentication, authenticate as principal
first and use those credentials for authentication to the wallet server. wallet will prompt for the
password for principal. Non-password authentication methods such as PKINIT aren't supported; to use
those, run kinit first and use an existing ticket cache.
-v Display the version of the wallet client and exit. All other valid options and commands are ignored.
CONFIGURATION
The wallet system, including wallet-rekey, can optionally be configured in the system krb5.conf. It will
read the default krb5.conf file for the Kerberos libraries with which it was compiled. To set an option,
put the option in the [appdefaults] section. wallet-rekey will look for options either at the top level
of the [appdefaults] section or in a subsection named "wallet". For example, the following fragment of a
krb5.conf file would set the default port to 4373 and the default server to "wallet.example.org".
[appdefaults]
wallet_port = 4373
wallet = {
wallet_server = wallet.example.org
}
The supported options are:
wallet_principal
The service principal of the wallet server. The default is to use the "host" principal for the
wallet server. The principal chosen must match one of the keys in the keytab used by remctld on the
wallet server. The -k command-line option overrides this setting.
wallet_port
The port to connect to on the wallet server. The default is the default remctl port. The -p
command-line option overrides this setting.
wallet_server
The wallet server to connect to. The -s command-line option overrides this setting. The default may
be set when compiling the wallet client. If it isn't, either -s must be given or this parameter must
be present in in krb5.conf.
wallet_type
The command prefix (remctl type) to use. Normally this is an internal implementation detail and the
default ("wallet") should be fine. It may sometimes be useful to use a different prefix for testing
a different version of the wallet code on the server. The -c command-line option overrides this
setting.
AUTHOR
Russ Allbery <eagle@eyrie.org>
COPYRIGHT AND LICENSE
Copyright 2010, 2013 The Board of Trustees of the Leland Stanford Junior University
Copying and distribution of this file, with or without modification, are permitted in any medium without
royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without
any warranty.
SPDX-License-Identifier: FSFAP
SEE ALSO
kadmin(8), kinit(1), krb5.conf(5), remctl(1), remctld(8), wallet(1)
This program is part of the wallet system. The current version is available from
<https://www.eyrie.org/~eagle/software/wallet/>.
wallet-rekey uses the remctl protocol. For more information about remctl, see
<https://www.eyrie.org/~eagle/software/remctl/>.
1.5 2024-04-30 WALLET-REKEY(1)