The Keytab File

Every machine that runs a Kerberized service needs a keytab file, normally /etc/krb5.keytab, holding the keys of its service principals; the host uses these keys to authenticate to the KDC and to decrypt the service tickets clients present. The keytab is a local, on-disk copy of the host's keys and is not itself encrypted: the keys are stored in the clear and are protected only by file ownership and permissions. Like the stash file (see Create the Database) it is a prime target for a break-in; whoever can read it can impersonate every service listed in it and decrypt any ticket issued for those services, which in practice means unrestricted access to the host. The keytab should be readable only by root (owner root, mode 0600) and should exist only on the machine's local disk. It should not be part of any backup of the machine unless access to the backup data is secured as tightly as access to the machine's root password itself.

In order to generate a keytab for a host, the host must already have a principal in the Kerberos database. The procedure for adding hosts to the database is described fully in the "Adding or Modifying Principals" section of the Kerberos V5 System Administrator's Guide (see Create Host Keys for the Slave KDCs for a brief description). The keytab is generated by running kadmin and issuing the ktadd command.

For example, to generate a keytab file that allows the host trillium.mit.edu to authenticate for the services host, ftp, and pop, the administrator joeadmin would issue the following command on trillium.mit.edu (the line beginning with => is the continuation of the single ktadd command):

     trillium% /usr/local/sbin/kadmin
     kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
     => pop/trillium.mit.edu
     kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin5: quit
     trillium%


If you generate the keytab file on another host, you need to get a copy of it onto the destination host (trillium in the example above) without sending it unencrypted over the network. The guide's suggestion is the encrypted rcp shipped with the Kerberos V5 client programs; today scp or another ssh-based copy, with the file's root-only mode preserved on arrival, is the usual choice. Two caveats apply. ktadd generates a fresh random key for each principal it adds and raises that principal's key version number (kvno), so any other copy of the principal's keytab becomes stale the moment ktadd is run again; extract the key once and copy the file rather than running ktadd on several hosts. The DES-CBC-CRC entries in the transcript reflect a realm of that era; single DES is deprecated (RFC 6649) and a current KDC should be issuing AES keys.
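The transcript shows what ktadd reports but not what the resulting file contains or how to verify the ownership and mode rule from the opening paragraph. The following added example (not part of the MIT documentation) parses the MIT keytab v2 on-disk layout (magic 0x0502, int32 size prefix per entry, counted octet strings, vno8 plus an optional 32-bit kvno), flags weak encryption types such as the DES-CBC-CRC in the transcript, and checks the file's owner and mode. The sample entries, the realm ATHENA.MIT.EDU, the kvno values, timestamps and key bytes are constructed dummies; the enctype numbers come from the IANA Kerberos registry.

```python
# Offline audit of an MIT keytab: parse the v2 on-disk layout, flag weak enctypes, check perms.
import os
import stat
import struct
import tempfile
from collections import namedtuple

# Encryption type numbers from the IANA Kerberos registry (RFC 3961 and successors).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES (deprecated by RFC 6649) and RC4-HMAC (RFC 8429)
KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype timestamp key")  # principal: svc/host@REALM


def _octets(b):
    # counted_octet_string: 16-bit big-endian length followed by the bytes
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize entries in the MIT keytab v2 layout; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key    # keyblock
        body += struct.pack(">I", e.kvno)                            # optional full 32-bit kvno
        out += struct.pack(">i", len(body)) + body                   # int32 size prefix per entry
    return bytes(out)


def parse_keytab(data):
    """Return the KeytabEntry list in a v2 keytab image; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # free slot left behind by ktremove: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):           # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:                   # 32-bit vno present; a non-zero value overrides vno8
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(KeytabEntry("/".join(strings[1:]) + "@" + strings[0], kvno, etype, ts, key))
    return entries


def weak_entries(entries):
    """(principal, enctype name) for every key that should no longer be in service."""
    return [(e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
            for e in entries if e.enctype in WEAK_ENCTYPES]


def check_keytab_perms(path):
    """Findings against the rule above: a regular file, owned by root, readable only by root."""
    st, findings = os.lstat(path), []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file (symlink or special file)")
    if st.st_uid != 0:
        findings.append("owner uid %d is not root" % st.st_uid)
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("group/world readable: mode %o" % stat.S_IMODE(st.st_mode))
    return findings


def write_keytab(data, mode=0o600):
    """Write a keytab image to a fresh temp file with an explicit mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, mode)
    return path


# Constructed sample mirroring the ktadd transcript above (kvno 3, des-cbc-crc) plus one
# AES-256 entry for contrast; the key bytes are dummies, not real key material.
SAMPLE_ENTRIES = [
    KeytabEntry("host/trillium.mit.edu@ATHENA.MIT.EDU", 3, 1, 1000000000, bytes(range(8))),
    KeytabEntry("ftp/trillium.mit.edu@ATHENA.MIT.EDU", 3, 1, 1000000000, bytes(range(8, 16))),
    KeytabEntry("pop/trillium.mit.edu@ATHENA.MIT.EDU", 3, 1, 1000000000, bytes(range(16, 24))),
    KeytabEntry("host/trillium.mit.edu@ATHENA.MIT.EDU", 4, 18, 1000000100, bytes(range(32))),
]

if __name__ == "__main__":  # write a deliberately loose 0644 copy and audit it
    path = write_keytab(build_keytab(SAMPLE_ENTRIES), mode=0o644)
    print(weak_entries(parse_keytab(open(path, "rb").read())))
    print(check_keytab_perms(path))
```

Run against a real /etc/krb5.keytab (as root) the same three functions give what the page asks an administrator to verify: which principals and kvnos the file carries, which of them still use single-DES or RC4 keys, and whether the file is root-owned and mode 0600. The parser treats the 32-bit kvno as authoritative only when it is non-zero, which is how MIT's own reader resolves the optional field.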

© 1985-2006 by the Massachusetts Institute of Technology - Reproduced with permission.