Open Source Kerberos Tooling


Krb5_admin is a set of tools that replace kadmin for the purposes of managing the Kerberos database and your Kerberos infrastructure. It offers the following key benefits:

  • secure host key bootstrapping

  • self-service service key management

  • self-service client ticket management (prestashed tickets)

  • extensible

The tools are written in a scripting language (Perl) and designed to be easily extended at each installation, allowing rapid development of custom functionality.

This allows sites to quickly modify the basic ACLs with which krb5_admin ships to tailor them to an individual site. Any provided command can have its service side ACLs either extended or completely replaced with custom code which can, for example,

  1. enforce naming conventions,

  2. operate on local databases or files, or

  3. query external data sources.

Sites can also modify existing commands to change their behaviour, for example by redefining the administrative password reset workflow.

New commands can also be defined easily. This allows a site to provide custom commands when the need arises. Some situations where this has proved useful are:

  1. allowing users to upgrade from DES to AES using a self-service tool but not allowing them to change back (implemented as a one-way policy modification command where each user is self-entitled), and

  2. writing custom password reset tools that restrict the rights of helpdesk administrators, limiting what they are allowed to do more tightly than a typical kadmind installation does.


The man pages:

  1. krb5_admin (HTML, PDF).

  2. krb5_admind (HTML, PDF).

  3. krb5_admind.conf (HTML, PDF).

  4. krb5_prestash (HTML, PDF).

Perl Pod documentation:


The current development sources can be obtained via git:

        $ git clone
or      $ git clone
or      $ git clone

System requirements, building, installing, configuring and running krb5_admin are covered in the krb5_admin Tutorial.


Roland C. Dowdeswell.


The code is licensed via a BSD/MIT style license.