Hi dkg,

On Tue, 20 Sep 2016, Daniel Kahn Gillmor wrote:

> k5srvutil(1) says:
>
> DESCRIPTION
>        k5srvutil allows an administrator to list or change keys currently in a
>        keytab or to add new keys to the keytab.
>
> However, the only k5srvutil subcommands are:
>
>  list
>  change
>  delold
>  delete
>
> none of these are capable of adding new keys to the keytab (change
> updates keys to a new version of the key, but that's not what's
> usually meant by "add new keys").

Actually, the documentation is quite poor in this space -- 'change' only
adds the new keys, leaving the old ones in place; 'delold' is required to
remove the old keys (and actually gain the security benefit of fresh keys
for services, since all keys in the keytab, even not-latest-kvno ones,
will be used to accept incoming connections).

It's unclear to me whether this behavior matches up with your perception
of what "add new keys" should mean.  (It is the case that if you want to
add new keys from a password, or even raw keys, you have to use ktutil and
not k5srvutil, which is secretly just a thin wrapper around kadmin.)  So
more input is desired, and then we can work on sending patches upstream.

-Ben

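Added illustration, not part of the thread or of MIT Kerberos: a small check for the situation Ben describes, where `k5srvutil change` has added fresh keys but `delold` has not yet removed the old kvno entries, which the KDC-issued tickets encrypted under the old keys would still be accepted against. It assumes the standard `klist -k` text layout (KVNO column, then principal) and uses a constructed sample keytab listing.

```shell
#!/bin/sh
# Report principals whose keytab still carries more than one kvno, i.e. keys
# rotated by 'change' that 'delold' has not yet purged. Input is a file holding
# the output of `klist -k <keytab>`; entries with several enctypes repeat the
# same kvno line, so (principal, kvno) pairs are de-duplicated first.
stale_kvno_principals() {
    # $1: file with `klist -k` output
    # Prints "principal lowest_kvno highest_kvno distinct_kvno_count".
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 {
            kvno = $1; princ = $2
            if ((princ, kvno) in pair) next
            pair[princ, kvno] = 1
            count[princ]++
            if (!(princ in lo) || kvno < lo[princ]) lo[princ] = kvno
            if (!(princ in hi) || kvno > hi[princ]) hi[princ] = kvno
        }
        END {
            for (p in count) if (count[p] > 1) print p, lo[p], hi[p], count[p]
        }' "$1" | sort
}

# Constructed sample listing (not from a real host): host/ has been rotated
# once without delold, HTTP/ has a single current kvno.
write_sample() {
    cat > "$1" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web.example.com@EXAMPLE.COM
   2 host/web.example.com@EXAMPLE.COM
   3 host/web.example.com@EXAMPLE.COM
   3 host/web.example.com@EXAMPLE.COM
   5 HTTP/web.example.com@EXAMPLE.COM
EOF
}

# Demo run against the constructed sample; on a real host use
#   klist -k /etc/krb5.keytab > listing && stale_kvno_principals listing
tmp=$(mktemp)
write_sample "$tmp"
stale_kvno_principals "$tmp"
rm -f "$tmp"
```

A non-empty report means `k5srvutil delold` has not yet been run for those principals, so the rotation has not yet removed the old keys from service.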