To add a key to a keytab file, do the following:
1. Verify that you have the necessary privilege to issue the command. You must be included in the admin.bos list on the machine on which the keytab file to be affected is located. If necessary, issue the bos lsadmin command to check the admin.bos list on the appropriate machine.
2. Verify that the DFS server principal of the machine whose keytab file is to be affected has the necessary permissions to alter entries in the Registry Database. (See the Security Service portion of the OSF DCE Administration Guide - Core Components for more information.)
3. Choose a key version number for the new key. If necessary, issue the bos lskeys command to check the version numbers of the keys in the appropriate machine's keytab file:
$ bos lskeys -server machine [-principal name]
The -principal name option is the principal name for which associated keys are to be listed. The default is the DFS principal name of the machine specified with -server.
4. Create a new key in the keytab file with either the bos genkey command or the bos addkey command. The bos genkey command is the more secure of the two. It generates a random octal string for use as the key, and it automatically updates the Registry Database when it adds the key to the keytab file.
$ bos genkey -server machine -kvno +_or_version_number [-principal name]
The -kvno +_or_version_number option is the key version number of the new key. Valid arguments for this option are
· An integer in the range 1 to 255. The command uses the specified integer as the version number of the new key. The integer must be unique for the indicated principal in the keytab file on the specified machine.
· + or 0 (zero). The command chooses an integer to serve as the version number of the new key. The integer it chooses is unique for the indicated principal in the Registry Database, but it may not be unique for the indicated principal in the keytab file on the specified machine.
The -principal name option is the principal name with which the key is to be associated. The default is the DFS principal name of the machine specified with -server.
The bos addkey command is less secure because it requires you to enter a string to be converted into the key. However, you can include the -localonly option with the command to add the key to the keytab file without updating the Registry Database, which is useful for certain server encryption key emergencies.
$ bos addkey -server machine -kvno +_or_version_number -password string [-principal name] [-localonly]
The -kvno +_or_version_number option is the key version number of the new key. Valid arguments for this option are
· An integer in the range 1 to 255. The command uses the specified integer as the version number of the new key. The integer must be unique for the indicated principal in the keytab file on the specified machine.
· + or 0 (zero). The command chooses an integer to serve as the version number of the new key. The integer it chooses is unique for the indicated principal in the Registry Database, but it may not be unique for the indicated principal in the keytab file on the specified machine.
The -password string option is a character string to be converted into an octal string. The string can include any characters, including spaces if the string is enclosed in " " (double quotes).
The -principal name option is the principal name with which the new key is to be associated. The default is the DFS principal name of the machine specified with -server.
The -localonly option specifies that the key is to be added to the keytab file on the machine indicated by -server, but the Registry Database is not to be updated.
5. If you added the key to the keytab file using the bos addkey command and its -localonly option, use the dcecp keytab add command with the -registry option to add the key to the Registry Database when necessary.
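The following shell example is added here and is not part of the DFS documentation. It works through step 3 and the -kvno caveat above: because + or 0 only guarantees a version number that is unique in the Registry Database, the script picks the lowest version in the range 1 to 255 that is absent from both the keytab file and the Registry, then prints the bos genkey command to run. The two kvno lists and the machine name are constructed placeholders; the output format of bos lskeys is not assumed.

```sh
#!/bin/sh
# Added example (not from the DFS documentation). Picks a -kvno value that is
# unique in BOTH the machine's keytab file and the Registry Database, because
# "-kvno +" (or 0) only guarantees uniqueness in the Registry Database.

# check_kvno VERSION "KVNO_LIST": succeeds if VERSION is an integer in 1..255
# and does not already appear in KVNO_LIST (space-separated version numbers).
check_kvno() {
    ck_v=$1
    ck_list=$2
    case "$ck_v" in
        ''|*[!0-9]*) return 1 ;;            # not a non-negative integer
    esac
    [ "$ck_v" -ge 1 ] && [ "$ck_v" -le 255 ] || return 1
    for ck_k in $ck_list; do
        [ "$ck_k" -eq "$ck_v" ] && return 1  # version already in use
    done
    return 0
}

# choose_kvno "KEYTAB_KVNOS" "REGISTRY_KVNOS": prints the smallest version in
# 1..255 that is in neither list; fails if all 255 numbers are taken.
choose_kvno() {
    cv_n=1
    while [ "$cv_n" -le 255 ]; do
        if check_kvno "$cv_n" "$1 $2"; then
            echo "$cv_n"
            return 0
        fi
        cv_n=$((cv_n + 1))
    done
    return 1
}

KEYTAB_KVNOS="1 2 3"    # constructed: versions already in the keytab file (from bos lskeys)
REGISTRY_KVNOS="3 4"    # constructed: versions the Registry Database already knows
if kvno=$(choose_kvno "$KEYTAB_KVNOS" "$REGISTRY_KVNOS"); then
    # fs1.example.com is a placeholder machine name
    echo "bos genkey -server fs1.example.com -kvno $kvno"
else
    echo "no free key version number for this principal" >&2
    exit 1
fi
```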