The Keytab File
All Kerberos server machines need a keytab file, called
/etc/krb5.keytab
, to authenticate to the KDC. The keytab file is
an encrypted, local, on-disk copy of the host's key. The keytab file,
like the stash file (Create the Database) is a potential
point-of-entry for a break-in, and if compromised, would allow
unrestricted access to its host. The keytab file should be readable
only by root, and should exist only on the machine's local disk. The
file should not be part of any backup of the machine, unless access to
the backup data is secured as tightly as access to the machine's root
password itself.
In order to generate a keytab for a host, the host must have a principal
in the Kerberos database. The procedure for adding hosts to the
database is described fully in the "Adding or Modifying Principals"
section of the Kerberos V5 System Administrator's Guide.
See Create Host Keys for the Slave KDCs. for a brief description.)
The keytab is generated by running kadmin
and issuing the
ktadd
command.
For example, to generate a keytab file to allow the host
trillium.mit.edu to authenticate for the services
host
, ftp
, and pop
, the administrator
joeadmin
would issue the command (on
trillium.mit.edu):
trillium% /usr/local/sbin/kadmin
kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
=> pop/trillium.mit.edu
kadmin: Entry for principal host/[email protected] with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin: Entry for principal ftp/[email protected] with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin: Entry for principal pop/[email protected] with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin5: quit
trillium%
If you generate the keytab file on another host, you need to get a copy
of the keytab file onto the destination host (trillium
, in the
above example) without sending it unencrypted over the network. If you
have installed the Kerberos V5 client programs, you can use
encrypted rcp
.