[Samba.git] / third_party / heimdal / kadmin / kadmin-commands.in
1 /*
2  * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden). 
4  * All rights reserved. 
5  *
6  * Redistribution and use in source and binary forms, with or without 
7  * modification, are permitted provided that the following conditions 
8  * are met: 
9  *
10  * 1. Redistributions of source code must retain the above copyright 
11  *    notice, this list of conditions and the following disclaimer. 
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright 
14  *    notice, this list of conditions and the following disclaimer in the 
15  *    documentation and/or other materials provided with the distribution. 
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors 
18  *    may be used to endorse or promote products derived from this software 
19  *    without specific prior written permission. 
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
31  * SUCH DAMAGE. 
32  */
33 /* $Id$ */
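/*
 * stash (alias kstash): writes the Kerberos master key to the key file
 * used by the KDC.  Per the help text it is available in local (-l) mode
 * only.  The resulting key file is secret material and needs the same
 * access restrictions as the database itself.
 */
command = {
        name = "stash"
        name = "kstash"
        option = {
                long = "enctype"
                short = "e"
                type = "string"
                help = "encryption type"
                /*
                 * NOTE(review): des3-cbc-sha1 is a Triple-DES enctype, and
                 * RFC 8429 deprecates Triple-DES for Kerberos.  The default
                 * is left unchanged because altering it changes what the
                 * command produces for existing callers; consider passing
                 * an AES enctype (for example aes256-cts-hmac-sha1-96)
                 * explicitly with -e.
                 */
                default = "des3-cbc-sha1"
        }
        option = {
                long = "key-file"
                short = "k"
                type = "string"
                argument = "file"
                help = "master key file"
        }
        option = {
                long = "convert-file"
                type = "flag"
                help = "just convert keyfile to new format"
        }
        option = {
                long = "random-password"
                type = "flag"
                /*
                 * The generated password is printed to stdout, so it can
                 * end up in terminal scrollback or in any log that
                 * captures the command's output.
                 */
                help = "use a random password (and print the password to stdout)"
        }
        option = {
                long = "master-key-fd"
                type = "integer"
                argument = "fd"
                /*
                 * Lets a wrapper pass the passphrase over a descriptor
                 * instead of a terminal prompt.
                 */
                help = "file descriptor to read passphrase from"
                default = "-1"
        }
        help = "Writes the Kerberos master key to a file used by the KDC. \nLocal (-l) mode only."
}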
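/*
 * dump: writes the database in a human readable format to the given file,
 * or to standard output when no file is named (local mode only, per the
 * help text).
 */
command = {
        name = "dump"
        option = {
                long = "decrypt"
                short = "d"
                type = "flag"
                /*
                 * With this flag the dump carries the keys in decrypted
                 * form.  Treat the output file (or whatever captures
                 * stdout) as being as sensitive as the database together
                 * with its master key.
                 */
                help = "decrypt keys"
        }
        option = {
                long = "format"
                short = "f"
                type = "string"
                help = "dump format, mit or heimdal (default: heimdal)"
        }
        argument = "[dump-file]"
        min_args = "0"
        max_args = "1"
        help = "Dumps the database in a human readable format to the specified file, \nor the standard out. Local (-l) mode only."
}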
91 command = {
92         name = "init"
93         option = {
94                 long = "realm-max-ticket-life"
95                 type = "string"
96                 help = "realm max ticket lifetime"
97         }
98         option = {
99                 long = "realm-max-renewable-life"
100                 type = "string"
101                 help = "realm max renewable lifetime"
102         }
103         option = {
104                 long = "bare"
105                 type = "flag"
106                 help = "only create krbtgt for realm"
107         }
108         argument = "realm..."
109         min_args = "1"
110         help = "Initializes the default principals for a realm. Creates the database\nif necessary. Local (-l) mode only."
112 command = {
113         name = "load"
114         argument = "file"
115         min_args = "1"
116         max_args = "1"
117         help = "Loads a previously dumped file. Local (-l) mode only."
119 command = {
120         name = "merge"
121         argument = "file"
122         min_args = "1"
123         max_args = "1"
124         help = "Merges the contents of a dump file into the database. Local (-l) mode only."
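/*
 * add (aliases ank, add_new_key): adds one or more principals to the
 * database.  Handled by add_new_key.
 */
command = {
        name = "add"
        name = "ank"
        name = "add_new_key"
        function = "add_new_key"
        option = {
                long = "random-key"
                short = "r"
                type = "flag"
                help = "set random key"
        }
        option = {
                long = "random-password"
                type = "flag"
                help = "set random password"
        }
        option = {
                long = "enctypes"
                short = "e"
                type = "string"
                help = "encryption type(s)"
        }
        option = {
                long = "password"
                short = "p"
                type = "string"
                /*
                 * A password given here is part of the command line: other
                 * local users can read it from the process list, and it can
                 * be saved in shell history.  Prefer --random-key or
                 * --random-password where the principal does not need a
                 * human-chosen password.
                 */
                help = "principal's password"
        }
        option = {
                long = "key"
                type = "string"
                /*
                 * NOTE(review): the help text describes a single-DES key;
                 * DES is deprecated for Kerberos (RFC 6649).  The key is
                 * also exposed on the command line in the same way as
                 * --password.
                 */
                help = "DES-key in hex"
        }
        option = {
                long = "max-ticket-life"
                type = "string"
                argument = "lifetime"
                help = "max ticket lifetime"
        }
        option = {
                long = "max-renewable-life"
                type = "string"
                argument = "lifetime"
                help = "max renewable life"
        }
        option = {
                long = "attributes"
                type = "string"
                argument = "attributes"
                help = "principal attributes"
        }
        option = {
                long = "expiration-time"
                type = "string"
                argument = "time"
                help = "principal expiration time"
        }
        option = {
                long = "pw-expiration-time"
                type = "string"
                argument = "time"
                help = "password expiration time"
        }
        option = {
                long = "hist-kvno-diff-clnt"
                type = "integer"
                argument = "kvno diff"
                help = "historic keys allowed for client"
                default = "-1"
        }
        option = {
                long = "hist-kvno-diff-svc"
                type = "integer"
                argument = "kvno diff"
                help = "historic keys allowed for service"
                default = "-1"
        }
        option = {
                long = "use-defaults"
                type = "flag"
                help = "use default values"
        }
        option = {
                long = "policy"
                type = "string"
                argument = "policy"
                help = "policy name"
        }
        argument = "principal..."
        min_args = "1"
        help = "Adds a principal to the database."
}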
218 command = {
219         name = "add_namespace"
220         name = "add_ns"
221         function = "add_new_namespace"
222         option = {
223                 long = "enctypes"
224                 short = "e"
225                 type = "string"
226                 help = "encryption type(s)"
227         }
228         option = {
229                 long = "max-ticket-life"
230                 type = "string"
231                 argument ="lifetime"
232                 help = "max ticket lifetime"
233         }
234         option = {
235                 long = "max-renewable-life"
236                 type = "string"
237                 argument = "lifetime"
238                 help = "max renewable life"
239         }
240         option = {
241                 long = "key-rotation-epoch"
242                 type = "string"
243                 argument = "time"
244                 help = "absolute start time (or +timespec for relative to now with default unit of month)"
245         }
246         option = {
247                 long = "key-rotation-period"
248                 type = "string"
249                 argument = "time"
250                 help = "automatic key rotation period"
251         }
252         option = {
253                 long = "attributes"
254                 type = "string"
255                 argument = "attributes"
256                 help = "principal attributes"
257         }
258         argument = "principal..."
259         min_args = "1"
260         help = "Adds a namespace of virtual principals with derived keys to the database."
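/*
 * modify_namespace (alias mod_ns): modifies an existing namespace of
 * virtual principals with derived keys.  Handled by modify_namespace.
 */
command = {
        name = "modify_namespace"
        name = "mod_ns"
        function = "modify_namespace"
        option = {
                long = "enctypes"
                short = "e"
                /*
                 * NOTE(review): "strings" here, while add_namespace
                 * declares the same option as "string" -- confirm the
                 * difference is intended.
                 */
                type = "strings"
                help = "encryption type(s)"
        }
        option = {
                long = "max-ticket-life"
                type = "string"
                argument = "lifetime"
                help = "max ticket lifetime"
        }
        option = {
                long = "max-renewable-life"
                type = "string"
                argument = "lifetime"
                help = "max renewable life"
        }
        option = {
                long = "attributes"
                type = "string"
                argument = "attributes"
                help = "principal attributes"
        }
        option = {
                long = "krb5-config-file"
                short = "C"
                type = "string"
                /* Help text fixed: "krb5.confg" was a typo for krb5.conf. */
                help = "filename to save the principal's krb5.conf in"
        }
        argument = "principal..."
        min_args = "1"
        help = "Modifies a namespace of virtual principals with derived keys in the database."
}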
300 command = {
301         name = "modify_namespace_key_rotation"
302         name = "mod_ns_kr"
303         function = "modify_ns_kr"
304         option = {
305                 long = "force"
306                 short = "f"
307                 type = "flag"
308                 help = "change schedule even if it would revoke some extant tickets"
309         }
310         option = {
311                 long = "keep-base-key"
312                 short = "k"
313                 type = "flag"
314                 help = "keep current base key for new key rotation schedule"
315         }
316         option = {
317                 long = "revoke-old"
318                 short = "r"
319                 type = "string"
320                 argument = "time"
321                 help = "delete base keys older than this to revoke old tickets"
322         }
323         option = {
324                 long = "new-key-rotation-epoch"
325                 type = "string"
326                 argument = "time"
327                 help = "new start time relative to now"
328         }
329         option = {
330                 long = "new-key-rotation-period"
331                 type = "string"
332                 argument = "time"
333                 help = "new automatic key rotation period"
334         }
335         argument = "principal..."
336         min_args = "1"
337         max_args = "1"
338         help = "Adds or changes new key rotation schedule for the given namespace."
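/*
 * passwd (aliases cpw, change_password): changes the password or key of
 * every principal matching the given expressions.  Handled by cpw_entry.
 */
command = {
        name = "passwd"
        name = "cpw"
        name = "change_password"
        function = "cpw_entry"
        option = {
                long = "random-key"
                short = "r"
                type = "flag"
                help = "set random key"
        }
        option = {
                long = "random-password"
                type = "flag"
                help = "set random password"
        }
        option = {
                long = "enctypes"
                short = "e"
                type = "string"
                help = "encryption type(s)"
        }
        option = {
                long = "password"
                short = "p"
                type = "string"
                /*
                 * A password given here is part of the command line: other
                 * local users can read it from the process list, and it can
                 * be saved in shell history.  Prefer --random-key or
                 * --random-password where a human-chosen password is not
                 * required.
                 */
                help = "principal's password"
        }
        option = {
                long = "key"
                type = "string"
                /*
                 * NOTE(review): the help text describes a single-DES key;
                 * DES is deprecated for Kerberos (RFC 6649).  The key is
                 * also exposed on the command line in the same way as
                 * --password.
                 */
                help = "DES key in hex"
        }
        /*
         * The three flags below choose what happens to the principal's old
         * keys.  Per the keepold help text, old keys are what allow extant
         * tickets to be decrypted, so deleting them cuts those tickets off.
         */
        option = {
                long = "keepold"
                type = "flag"
                help = "keep old keys/password needed to decrypt extant tickets (default)"
        }
        option = {
                long = "keepallold"
                type = "flag"
                help = "keep all old keys/password"
        }
        option = {
                long = "pruneall"
                type = "flag"
                help = "delete all old keys"
        }
        argument = "principal..."
        min_args = "1"
        help = "Changes the password of one or more principals matching the expressions."
}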
392 command = {
393         name = "delete"
394         name = "del"
395         name = "del_entry"
396         function = "del_entry"
397         argument = "principal..."
398         min_args = "1"
399         help = "Deletes all principals matching the expressions."
401 command = {
402         name = "delete_namespace"
403         name = "del_ns"
404         function = "del_namespace"
405         argument = "principal..."
406         min_args = "1"
407         help = "Deletes the given virtual principal namespaces"
409 command = {
410         name = "del_enctype"
411         argument = "principal enctype..."
412         min_args = "2"
413         help = "Delete all the mentioned enctypes for principal."
415 command = {
416         name = "add_enctype"
417         option = {
418                 long = "random-key"
419                 short = "r"
420                 type = "flag"
421                 help = "set random key"
422         }
423         argument = "principal enctype..."
424         min_args = "2"
425         help = "Add new enctypes for principal."
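/*
 * ext_keytab: extracts the keys of every principal matching the given
 * expressions and stores them in a keytab.  The keytab then holds
 * long-term keys for those principals, so it should be readable only by
 * the service account that uses it.
 */
command = {
        name = "ext_keytab"
        option = {
                long = "keytab"
                short = "k"
                type = "string"
                help = "keytab to use"
                argument = "keytab"
        }
        option = {
                long = "random-key"
                short = "r"
                type = "flag"
                /*
                 * NOTE(review): presumably gives the principal a new random
                 * key before extraction, which would invalidate keytabs
                 * extracted earlier -- confirm against the handler.
                 */
                help = "set random key"
        }
        option = {
                long = "enctypes"
                short = "e"
                type = "string"
                help = "encryption type(s)"
        }
        /*
         * The three flags below choose what happens to the principal's old
         * keys.  Per the keepold help text, old keys are what allow extant
         * tickets to be decrypted.
         */
        option = {
                long = "keepold"
                type = "flag"
                help = "keep old keys/password needed to decrypt extant tickets (default)"
        }
        option = {
                long = "keepallold"
                type = "flag"
                help = "keep all old keys/password"
        }
        option = {
                long = "pruneall"
                type = "flag"
                help = "delete all old keys"
        }
        argument = "principal..."
        min_args = "1"
        help = "Extracts the keys of all principals matching the expressions, and stores them in a keytab."
}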
467 command = {
468         name = "get"
469         name = "get_entry"
470         function = "get_entry"
471         /* Options added to list should be added here; not the reverse */
472         option = {
473                 long = "long"
474                 short = "l"
475                 type = "flag"
476                 help = "long format"
477                 default = "-1"
478         }
479         option = {
480                 long = "short"
481                 short = "s"
482                 type = "flag"
483                 help = "short format"
484         }
485         option = {
486                 long = "terse"
487                 short = "t"
488                 type = "flag"
489                 help = "terse format"
490         }
491         option = {
492                 long = "column-info"
493                 short = "o"
494                 type = "string"
495                 help = "columns to print for short output"
496         }
497         option = {
498                 long = "krb5-config-file"
499                 short = "C"
500                 type = "string"
501                 help = "filename to save the principal's krb5.conf in"
502         }
503         option = {
504                 long = "upto"
505                 type = "integer"
506                 default = "-1"
507                 help = "maximum number of principals to get/list"
508         }
509         argument = "principal..."
510         min_args = "1"
511         help = "Shows information about principals matching the expressions."
513 command = {
514         name = "rename"
515         function = "rename_entry"
516         argument = "from to"
517         min_args = "2"
518         max_args = "2"
519         help = "Renames a principal."
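/*
 * modify (alias mod): modifies attributes of exactly one principal.
 * Handled by mod_entry.
 */
command = {
        name = "modify"
        name = "mod"
        function = "mod_entry"
        option = {
                long = "max-ticket-life"
                type = "string"
                argument = "lifetime"
                help = "max ticket lifetime"
        }
        option = {
                long = "max-renewable-life"
                type = "string"
                argument = "lifetime"
                help = "max renewable life"
        }
        option = {
                long = "attributes"
                short = "a"
                type = "string"
                argument = "attributes"
                help = "principal attributes"
        }
        option = {
                long = "expiration-time"
                type = "string"
                argument = "time"
                help = "principal expiration time"
        }
        option = {
                long = "pw-expiration-time"
                type = "string"
                argument = "time"
                help = "password expiration time"
        }
        option = {
                long = "kvno"
                type = "integer"
                help = "key version number"
                default = "-1"
        }
        option = {
                long = "constrained-delegation"
                type = "strings"
                argument = "principal"
                /*
                 * NOTE(review): the target list is a privilege grant for
                 * the principal being modified; changes to it deserve the
                 * same review as an ACL change.
                 */
                help = "allowed target principals"
        }
        option = {
                long = "alias"
                type = "strings"
                argument = "principal"
                help = "aliases"
        }
        option = {
                long = "pkinit-acl"
                type = "strings"
                argument = "subject dn"
                /*
                 * Help text fixed: it previously read "aliases", copied
                 * from the --alias option above, which misdescribed an
                 * option that takes certificate subject DNs.
                 */
                help = "PKINIT ACL (certificate subject DNs)"
        }
        option = {
                long = "policy"
                type = "string"
                argument = "policy"
                help = "policy name"
        }
        option = {
                long = "service-enctypes"
                short = "e"
                type = "strings"
                argument = "enctype"
                help = "set enctypes supported by service"
        }
        option = {
                long = "hist-kvno-diff-clnt"
                type = "integer"
                argument = "kvno diff"
                help = "historic keys allowed for client"
                default = "-1"
        }
        option = {
                long = "hist-kvno-diff-svc"
                type = "integer"
                argument = "kvno diff"
                help = "historic keys allowed for service"
                default = "-1"
        }
        option = {
                long = "krb5-config-file"
                short = "C"
                type = "string"
                help = "krb5.conf to save in principal record"
        }
        argument = "principal"
        min_args = "1"
        max_args = "1"
        help = "Modifies some attributes of the specified principal."
}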
618 command = {
619         name = "add_alias"
620         function = "add_alias"
621         argument = "principal"
622         min_args = "2"
623         help = "Add one or more aliases to the given principal."
625 command = {
626         name = "del_alias"
627         function = "del_alias"
628         argument = "principal"
629         min_args = "1"
630         help = "Delete one or more aliases without deleting their canonical principals."
632 command = {
633         name = "prune"
634         argument = "principal"
635         option = {
636                 long = "kvno"
637                 type = "integer"
638                 help = "key version number"
639                 default = "0"
640         }
641         min_args = "1"
642         max_args = "1"
643         help = "Delete keys from history by max-ticket-life or kvno."
645 command = {
646         name = "privileges"
647         name = "privs"
648         function = "get_privs"
649         help = "Shows which operations you are allowed to perform."
651 command = {
652         name = "list"
653         function = "list_princs"
654         /* XXX sync options with "get" */
655         option = {
656                 long = "long"
657                 short = "l"
658                 type = "flag"
659                 help = "long format"
660         }
661         option = {
662                 long = "short"
663                 short = "s"
664                 type = "flag"
665                 help = "short format"
666         }
667         option = {
668                 long = "terse"
669                 short = "t"
670                 type = "flag"
671                 help = "terse format"
672                 default = "-1"
673         }
674         option = {
675                 long = "column-info"
676                 short = "o"
677                 type = "string"
678                 help = "columns to print for short output"
679         }
680         option = {
681                 long = "krb5-config-file"
682                 type = "string"
683                 help = "only use this option with the get command"
684         }
685         option = {
686                 long = "upto"
687                 type = "integer"
688                 default = "-1"
689                 help = "maximum number of principals to get/list"
690         }
691         argument = "principal..."
692         min_args = "1"
693         help = "Lists principals in a terse format. Equivalent to \"get -t\"." 
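/*
 * verify-password-quality (alias pwq): runs the password quality function
 * locally, without an RPC to the server.  Handled by password_quality.
 *
 * The candidate password is a positional argument, so it is visible in
 * the process list and can be saved in shell history; do not test
 * passwords that are in use this way on a shared host.
 */
command = {
        name = "verify-password-quality"
        name = "pwq"
        function = "password_quality"
        argument = "principal password"
        min_args = "2"
        max_args = "2"
        help = "Try to run the password quality function locally (not doing RPC out to server)."
}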
704 command = {
705         name = "check"
706         function = "check"
707         argument = "[realm]"
708         min_args = "0"
709         max_args = "1"
710         help = "Check the realm (if not given, the default realm) for configuration errors."
712 command = {
713         name = "lock"
714         function = "lock"
715         argument = ""
716         min_args = "0"
717         max_args = "0"
718         help = "Lock the database for writing (use with care)."
720 command = {
721         name = "unlock"
722         function = "unlock"
723         argument = ""
724         min_args = "0"
725         max_args = "0"
726         help = "Unlock the database."
728 command = {
729         name = "help"
730         name = "?"
731         argument = "[command]"
732         min_args = "0"
733         max_args = "1"
734         help = "Help! I need somebody."
736 command = {
737         name = "exit"
738         name = "quit"
739         function = "exit_kadmin"
740         help = "Quits."