< Wallet::Kadmin::Heimdal API | Russ Allbery > Software > wallet | Wallet::Object::Base API > |
Wallet::Kadmin::MIT (Wallet Kerberos administration API for MIT)

    my $kadmin = Wallet::Kadmin::MIT->new;
    $kadmin->create ('host/foo.example.com');
    my $data = $kadmin->keytab_rekey ('host/foo.example.com',
                                      'aes256-cts-hmac-sha1-96');
    $data = $kadmin->keytab ('host/foo.example.com');
    my $exists = $kadmin->exists ('host/oldshell.example.com');
    $kadmin->destroy ('host/oldshell.example.com') if $exists;
Wallet::Kadmin::MIT implements the Wallet::Kadmin API for an MIT Kerberos KDC, providing an interface to create and delete principals and to create keytabs. The methods themselves are documented in Wallet::Kadmin.
MIT Kerberos provides no way, via the kadmin network protocol, to retrieve a principal's current keytab without rekeying it, and rekeying assigns the principal a new key, so any copy of the old keytab stops working. The keytab() method (as opposed to keytab_rekey(), which rekeys the principal) is therefore implemented using a remctl backend. For that method, which is used for unchanging keytab objects, to work, the necessary wallet configuration and a remctl interface on the KDC must be set up.
To use this class, several configuration parameters must be set. See "KEYTAB OBJECT CONFIGURATION" in Wallet::Config for details.
The keytab is written to a temporary file in the directory named by KEYTAB_TMP, with <pid>, the process ID of the current process, forming part of the file name, and is then read into memory. KEYTAB_TMP is set in the wallet configuration. The file is unlinked after being read.
Currently, this implementation calls an external kadmin program rather than using a native Perl module; it therefore requires that kadmin be installed, and it parses kadmin's output. It may miss some error conditions if the output of kadmin ever changes.
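The temporary-file and output-parsing approach described above, shown as an added example in Perl (the language of the wallet code). This is not Wallet::Kadmin::MIT's own implementation: the configuration variable names ($KADMIN, $KEYTAB_PRINCIPAL, $KEYTAB_FILE, $KEYTAB_REALM, $KEYTAB_TMP), the temporary file name template, the exact kadmin command line, and the output patterns matched are all assumptions made for this example; the real parameters are documented under "KEYTAB OBJECT CONFIGURATION" in Wallet::Config. The point it illustrates is the limitation just stated: because kadmin is driven through its command line, the wrapper must fail closed, treating any output it does not recognise as a failure rather than returning whatever landed in the keytab file.

```perl
#!/usr/bin/perl
# Added example (not wallet's own code): rekey a principal into a temporary
# keytab with the MIT kadmin CLI, read the keytab into memory, unlink it, and
# fail closed unless kadmin's output shows success.  Every setting and every
# output pattern below is an assumption for this example.
use strict;
use warnings;
use File::Temp qw(tempfile);
use IPC::Open3 qw(open3);

# Assumed settings.  Admin credentials come from a keytab so that the
# wallet backend never needs an interactive password.
my $KADMIN           = '/usr/sbin/kadmin';
my $KEYTAB_PRINCIPAL = 'wallet/admin@EXAMPLE.COM';
my $KEYTAB_FILE      = '/etc/wallet/wallet.keytab';
my $KEYTAB_REALM     = 'EXAMPLE.COM';
my $KEYTAB_TMP       = '/var/lib/wallet/tmp';

# Run one kadmin query with stderr merged into stdout and return
# (exit status, output).  Many kadmin versions exit 0 even when the query
# itself failed, so the caller must inspect the output as well.
sub run_kadmin {
    my ($query) = @_;
    my @cmd = ($KADMIN, '-p', $KEYTAB_PRINCIPAL, '-k', '-t', $KEYTAB_FILE,
               '-r', $KEYTAB_REALM, '-q', $query);
    my $pid = open3(my $in, my $out, undef, @cmd);   # undef: stderr -> stdout
    close $in;
    my $output = do { local $/; <$out> };
    close $out;
    waitpid($pid, 0);
    return ($? >> 8, $output // '');
}

# Rekey $principal with $enctype and return the new keytab as a byte string.
sub keytab_rekey {
    my ($principal, $enctype) = @_;

    # The principal ends up inside a single kadmin query string, so refuse
    # anything that could smuggle in extra kadmin commands or options.
    die "invalid principal name: $principal\n"
        unless $principal =~ m{^[A-Za-z0-9_.\-/@]+$} && $principal !~ /^-/;
    die "invalid enctype: $enctype\n" unless $enctype =~ /^[A-Za-z0-9\-]+$/;

    # Private (0600) temporary file under KEYTAB_TMP.  kadmin appends to the
    # keytab it is given, so it must start out empty.
    my ($tmp_fh, $tmp_name) = tempfile('keytab.XXXXXXXX', DIR => $KEYTAB_TMP);
    close $tmp_fh;

    my ($status, $output)
        = run_kadmin("ktadd -k $tmp_name -e $enctype $principal");

    # Fail closed: require exit 0, at least one line reporting a key added,
    # and no line that looks like a kadmin error.  If kadmin's output format
    # changes, this dies instead of silently returning a bad keytab.
    my $added = () = $output =~ /^Entry for principal .* added to keytab/mg;
    my ($error) = $output =~ /^(kadmin: .*)$/m;
    if ($status != 0 || $added == 0 || defined $error) {
        unlink $tmp_name;
        die "ktadd for $principal failed (status $status): "
            . ($error // $output) . "\n";
    }

    # Read the keytab into memory and remove it from disk immediately so the
    # long-term key does not linger in the temporary directory.
    open my $fh, '<', $tmp_name or die "cannot open $tmp_name: $!\n";
    binmode $fh;
    my $data = do { local $/; <$fh> };
    close $fh;
    unlink $tmp_name or warn "cannot unlink $tmp_name: $!\n";

    # MIT keytab files start with the version bytes 0x05 0x02; anything else
    # means kadmin did not write what was expected.
    die "keytab for $principal has unexpected format\n"
        unless length($data) > 2 && substr($data, 0, 2) eq "\x05\x02";
    return $data;
}

# Usage (contacts the KDC): perl rekey.pl host/foo.example.com aes256-cts-hmac-sha1-96
if (@ARGV == 2) {
    my $keytab = keytab_rekey(@ARGV);
    print STDERR 'received ', length($keytab), " bytes of keytab data\n";
}
```

The caller is responsible for where the returned bytes go; the example deliberately never prints the keytab itself. Rekeying through ktadd changes the principal's key, so this path is only appropriate for keytab objects that are meant to be rekeyed on every retrieval, not for the unchanging objects served by keytab().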
kadmin(8), Wallet::Config(3), Wallet::Kadmin(3), Wallet::Object::Keytab(3), wallet-backend(8)
This module is part of the wallet system. The current version is available from <https://www.eyrie.org/~eagle/software/wallet/>.
Russ Allbery <eagle@eyrie.org> and Jon Robertson <jonrober@stanford.edu>.