How To Use A Keytab
Article By: jessica
A keytab is a file containing pairs of Kerberos principals and their secret keys (derived from the Kerberos password). Because the key is equivalent to the password, a keytab is a credential in its own right. You can use this file to log into Kerberos without being prompted for a password. The most common personal use of keytabs is to let scripts authenticate to Kerberos without human interaction and without storing a password in a plaintext file. The acquired credentials can then be used by the script to access files stored in the Research File System (RFS) or Scholarly Data Archive (SDA), for example.
Warning: Anyone with read permission on a keytab can use every key it contains, so you must restrict permissions on any keytab files you create (owner-only, i.e. mode 600) and monitor them. Also, consider the following:
- When you change your Kerberos password, a new key is derived and the old keys stop working, so you will need to recreate all your keytabs.
- When following the examples on this page, enter the commands exactly as they are shown.
Creating A Keytab File
You can create a keytab quickly on any computer with Kerberos. The file is computer independent, so you can perform the process once and then copy the file to multiple computers. Note: The following assumes you have access to a Kerberos client (either on your own workstation or on a UITS shared system, such as Quarry). You may need to modify your path to include the location of ktutil (e.g., /usr/sbin or /usr/kerberos/sbin).
Following is an example of the keytab file creation process using MIT Kerberos:

> ktutil
ktutil: addent -password -p username@bipmedia.com -k 1 -e rc4-hmac
Password for username@bipmedia.com: [enter your password]
ktutil: addent -password -p username@bipmedia.com -k 1 -e aes256-cts
Password for username@bipmedia.com: [enter your password]
ktutil: wkt username.keytab
ktutil: quit

The first addent adds an rc4-hmac entry and the second an aes256-cts entry, both with key version number (kvno) 1. The AES entry is the one you want the KDC to select; rc4-hmac is a weak, deprecated encryption type kept here only for compatibility. Note that wkt appends to an existing file rather than replacing it, so write to a filename that does not already exist.

Following is an example using Heimdal Kerberos:

> ktutil -k username.keytab add -p username@bipmedia.com -e arcfour-hmac-md5 -V 1

If the keytab created in Heimdal does not work, it is possible you will need an aes256-cts entry. In that case, you will need to find a computer with MIT Kerberos and use that method instead.
Using A Keytab To Authenticate Scripts
To execute a script so it has valid Kerberos credentials, use:

> kinit username@bipmedia.com -k -t mykeytab; myscript

Replace username with your username, mykeytab with the name of your keytab file, and myscript with the name of your script. The -k flag tells kinit to use a key from a keytab instead of prompting for a password, and -t names the keytab file. Note that ; runs myscript even when kinit fails; use && instead if the script should run only after credentials were obtained.
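The following wrapper is an added example (not code from the original page) of how a practitioner would run a script under keytab credentials: it refuses keytabs whose permissions violate the warning above, obtains the ticket into a private credential cache so the script's ticket neither overwrites nor leaks into the user's default cache, skips the script when kinit fails, and destroys the cache afterwards. The function names, the hypothetical myscript, and the use of a POSIX sh with MIT or Heimdal kinit/kdestroy on PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): run a command with credentials
# obtained from a keytab. Function and variable names are hypothetical.
# Assumes a POSIX sh and MIT or Heimdal kinit/kdestroy on PATH.

# keytab_perms_ok FILE
# Succeeds only if FILE is a regular file owned by the calling user with
# mode 600 or 400, i.e. the "restrict permissions" requirement above.
keytab_perms_ok() {
    kt=$1
    [ -f "$kt" ] || return 1
    # GNU stat first, BSD/macOS stat as a fallback
    owner=$(stat -c '%u' "$kt" 2>/dev/null || stat -f '%u' "$kt" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# run_with_keytab PRINCIPAL KEYTAB CMD [ARG...]
# Obtains a TGT into a private temporary credential cache, runs CMD with
# KRB5CCNAME pointing at that cache, then destroys the cache. Unlike
# `kinit ...; myscript`, CMD is not run when kinit fails.
run_with_keytab() {
    principal=$1
    kt=$2
    shift 2
    if ! keytab_perms_ok "$kt"; then
        echo "refusing to use $kt: it must be owned by you with mode 600" >&2
        return 2
    fi
    cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_XXXXXX") || return 2
    KRB5CCNAME="FILE:$cache"
    export KRB5CCNAME
    if kinit -k -t "$kt" "$principal"; then
        "$@"
        status=$?
    else
        echo "kinit failed for $principal using $kt" >&2
        status=1
    fi
    kdestroy 2>/dev/null
    rm -f "$cache"
    return "$status"
}

# Usage, e.g. from a cron job (myscript is hypothetical):
#   run_with_keytab username@bipmedia.com "$HOME/username.keytab" ./myscript
```

Because the cache is private to the wrapper, several scripts using different keytabs can run concurrently on the same host without clobbering each other's tickets.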
Listing The Keys In A Keytab File
With MIT Kerberos, to list the contents of a file, use klist (replace mykeytab with the name of your file):

> klist -k mykeytab
Keytab name: FILE:mykeytab
KVNO Principal
---- --------------------------------------------------------------------------
version_number username@bipmedia.com
version_number username@bipmedia.com

The output contains two columns listing key version numbers (KVNO) and principal names; add -e (klist -ke mykeytab) to also show each entry's encryption type. If multiple keys for a principal exist, the one with the highest version number will be used. With Heimdal Kerberos, use ktutil instead:

> ktutil -k mykeytab list
mykeytab:

Vno  Type          Principal
  1  des3-cbc-md5  username@bipmedia.com
...
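As an added example (not part of the original page), the following shell function reads MIT klist -k output and reports, per principal, the highest KVNO present, which is the entry kinit will use, together with how many entries that principal has, so stale versions that should be deleted stand out. The function name and the sample listing it is run against are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): summarise a `klist -k` listing.
# highest_kvno reads MIT klist -k output on stdin and prints one line per
# principal: "<highest KVNO> <number of entries> <principal>".
# The function name and the sample listing below are constructed.

highest_kvno() {
    # Data lines start with a number (the KVNO); the "Keytab name:" line,
    # the "KVNO Principal" header and the dashed ruler do not.
    awk '$1 ~ /^[0-9]+$/ {
             kvno = $1 + 0
             p = $2
             count[p]++
             if (!(p in max) || kvno > max[p]) max[p] = kvno
         }
         END { for (p in max) print max[p], count[p], p }' | sort -k3
}

# Constructed sample in the format MIT `klist -k` prints; the principals
# are placeholders, not real accounts.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/home/username/username.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 username@bipmedia.com
   1 username@bipmedia.com
   2 username@bipmedia.com
   1 service@bipmedia.com
EOF
}

# Against a real keytab:
#   klist -k mykeytab | highest_kvno
# On the sample above this prints:
#   1 1 service@bipmedia.com
#   2 3 username@bipmedia.com
```

A principal with a count greater than one has older entries (here two kvno 1 entries beside the kvno 2 one) that kinit will ignore; the section on deleting keys shows how to remove them.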
Deleting A Key From A Keytab File
If you no longer need a keytab file, delete it immediately. If the keytab contains multiple keys, you can delete specific keys with the ktutil command. You can also use this procedure to remove old versions of a key. An example using MIT Kerberos follows:

> ktutil
ktutil: read_kt mykeytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
slot# version# username@bipmedia.com
slot# version# username@bipmedia.com
...
ktutil: delent slot#

Replace mykeytab with the name of your file, username with your username, slot# with the slot number shown beside the entry you want to remove, and version# with the appropriate version number. delent changes only ktutil's in-memory copy of the keytab, and write_kt appends to an existing file instead of overwriting it, so run list again to verify that the version is gone, then write the result to a new file and replace the old one:

ktutil: write_kt mykeytab.new
ktutil: quit
> klist -k mykeytab.new
> mv mykeytab.new mykeytab

To do the same thing using Heimdal Kerberos, use:

> ktutil -k mykeytab list
...
version# type username@bipmedia.com
...
> ktutil -k mykeytab remove -p username@bipmedia.com -V version# -e type

Heimdal's remove takes the principal with -p and edits the file in place; run list again to confirm the entry is gone.
Merging Keytab Files
If you have multiple files that need to be in one place, you can merge the keys with the ktutil command.
To merge keytab files using MIT Kerberos, use:

> ktutil
ktutil: read_kt mykeytab-1
ktutil: read_kt mykeytab-2
ktutil: read_kt mykeytab-3
ktutil: write_kt krb5.keytab
ktutil: quit

Replace mykeytab-(number) with the name of each keytab file. The final merged keytab would be krb5.keytab. Because write_kt appends to an existing file, start with a krb5.keytab that does not already exist.
To verify the merge, use:

> klist -k krb5.keytab

To do the same thing using Heimdal Kerberos, use:

> ktutil copy mykeytab-1 krb5.keytab
> ktutil copy mykeytab-2 krb5.keytab
> ktutil copy mykeytab-3 krb5.keytab

Then, to verify the merge, use:

> ktutil -k krb5.keytab list
Copying A Keytab File To Another Computer
The keytab file is independent of the computer it's created on, its filename, and its location in the file system. Once it's created, you can rename it, move it to another location on the same computer, or move it to another Kerberos computer, and it will still function. The file is a binary file, so be sure to transfer it in a way that does not corrupt it. If possible, use SCP or another secure method to transfer the keytab between computers; an unencrypted transfer exposes keys that are equivalent to your password. If you have to use FTP, be sure to issue the bin command from your FTP client before transferring the file. This will set the transfer type to binary so the file will not be corrupted. After copying, set owner-only permissions on the destination copy (chmod 600) and verify it with klist -k or ktutil list before deleting any other copy.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.