- Keytab File Location
- How To Generate Keytab File
- Generate Keytab File Mac
- How To Generate Keytab File In Windows
- How To Generate Keytab File For Mac Os
Content |
|
I want to make a script that will generate the a keytab using ktutil. When running the script I want to use user$ script.sh PASSWORD. #script.sh echo 'addent -password -p PRINCIPAL -k 1 -e aes256-cts-hmac-sha1-96' ktutil. By default, the keytab name is retrieved from the Kerberos configuration file. If the keytab name is not specifed in the Kerberos configuration file, the name is assumed to be krb5.keytab. If you do not specify the password using the password option on the command line, kinit will prompt you for the password.
Objective
- Generate the Keytab Files Generate the Keytab Files at Node Level Generate the Keytab Files at Process Level Verify the Service Principal Names and Keytab Files Step 6. Enable Delegation for the Kerberos Principal User Accounts in Active Directory Enabling Kerberos Authentication in a Domain.
- The GlobalProtect™ app for Mac endpoints now supports Kerberos V5 single sign-on. Create a Kerberos keytab file. Log in to the KDC using your Kerberos service account credentials. Import the Kerberos keytab file to an authentication profile.
To add a host or service principal to a keytab using MIT Kerberos
Background
A keytab is a file used to store the encryption keys for one or more Kerberos principals (usually host and/or service principals). Given one of these keys it is possible to obtain a ticket-granting ticket, so having an encryption key can be equated to having a password. Whenever a host or service principal is created it is normal practice to add it to a keytab.
Kerberos hosts usually have a default keytab with the pathname
/etc/krb5.keytab
. The host principal should be added to this keytab, but it is not necessarily suitable for use with service principals. The reason is that /etc/krb5.keytab
should be readable only by root, whereas on modern systems it is common for network services to execute as a non-root user. The only secure solution to this issue is to have multiple keytabs, each owned by the user that needs access to it.Scenario
Suppose you wish to allow authentication to the web site
http://www.example.com/
using Kerberos. You have created a service principal called HTTP/[email protected]
for this purpose, and now need to add it to a keytab.The web site is served using Apache running as the user
www-data
. The default keytab cannot therefore be used, and you have chosen to create a separate one for use by Apache at the pathname /etc/apache2/http.keytab
.Prerequisites
The method described here assumes that you already have:
- a Kerberos realm with an admin server and at least one KDC (Key Distribution Centre);
- the host or service principal that is to be added to the keytab; and
- an admin principal with at least the
get
andchange-password
capabilities (i
andc
inkadm5.acl
) in respect of the host or service principal to be added.
It is not necessary for the keytab file to exist beforehand because it will be created if necessary.
To create a service principal see the microHOWTO Create a service principal using MIT Kerberos.
Method
A host or service principal can be added to a new or existing keytab using the
ktadd
command of kadmin
:The
-q
option specifies a kadmin
command to be executed, in this case ktadd
.The
-k
option of ktadd
specifies the pathname of the keytab to which the host or service principal is to be added. If the absence of this option the default keytab at /etc/krb5.keytab
is used instead. If the specified keytab does not exist then it will be created.By default
kadmin
appends /admin
to your default principal or username and attempts to authenticate to the admin server using that. You can specify an alternative admin principal using the -p
option if required.You do not need to be
root
to run kadmin
Share bucket 2 2. , however if you are not root then it will probably not be on your path. A common location for the executable is /usr/sbin/kadmin
.It is often convenient to run
kadmin
on the machine for which the keytab is needed, however you should do this only if you are willing to trust that machine with administrative rights to the realm as a whole. Otherwise, choose a machine that you do trust (such as the KDC). If you transfer a keytab from one machine to another then you should use a secure method such as scp
.On Debian-based systems
kadmin
is provided by the krb5-user
package, whereas on Red Hat-based systems it is provided by the krb5-workstation
package.Testing
List the content of the keytab
You can list the content of a keytab using the
ktutil
command:This will start an interpreter to which the following two commands should be issued:
If the keytab exists and the host or service principal has been correctly added to it then you should see output similar to the following:
Send an EOT character (control-D) to exit from
ktutil
.Obtain a ticket-granting ticket using the keytab
You can check that the keytab contains the appropriate encryption key by attempting to use it to obtain a ticket-granting ticket. This can be done using the
kinit
command:If the keytab exists and the host or service principal has been correctly added to it then
kinit
should return immediately, without requesting a password and without printing a message. You can verify that a ticket-granting ticket was obtained using klist
, which should product output similar to the following:Once you are satisfied that the keytab is working you should destroy the ticket using the
kdestroy
command.Note
The act of creating a keytab has the side effect of setting a new encryption key for the host or service principal. This will cause any keytab that may previously have been created for that host or service principal to be invalidated. You can check whether a keytab entry has been superseded in this way by comparing the Key Version Number (KVNO) within the keytab with that considered current by the KDC.
You should not normally need more than one keytab for any given host or service principal, however this can be a requirement for some types of clustering. In that case the appropriate procedure is to create the keytab once using
kadmin
then distribute copies to any other machines that need one.See also
Further reading
- Kerberos V5 System Administrator's Guide, version 1.10, MIT, 2012
- kadmin (Ubuntu manpage)
Tags:kerberos
Keytab File Location
Introduction
IU Kerberos servers stopped supporting DES encrypted kerberos tickets on April 14, 2019.
A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password. However, when you change your Kerberos password, you will need to recreate all your keytabs.
Keytab files are commonly used to allow scripts to automatically authenticate using Kerberos, without requiring human interaction or access to password stored in a plain-text file. The script is then able to use the acquired credentials to access files stored on a remote system.
Anyone with read permission on a keytab file can use all the keys in the file. To prevent misuse, restrict access permissions for any keytab files you create. For instructions, see Manage file permissions on Unix-like systems.
Create a keytab file
To use the instructions and examples on this page, you need access to a Kerberos client, on either your personal workstation or an IU research supercomputer. When following the examples on this page, enter the commands exactly as they are shown. You may need to modify your path to include the location of
ktutil
(for example, /usr/sbin
or /usr/kerberos/sbin
). You can create keytab files on any computer that has a Kerberos client installed. Keytab files are not bound to the systems on which they were created; you can create a keytab file on one computer and copy it for use on other computers.
Following is an example of the keytab file creation process using MIT Kerberos:
Following is an example using Heimdal Kerberos:
How To Generate Keytab File
If the keytab created in Heimdal does not work, it is possible you will need an
aes256-cts
entry. In that case, you will need to find a computer with MIT Kerberos, and use that method instead. For more about the ADS.IU.EDU Kerberos realm, see Current Kerberos realm at IU.
Use a keytab to authenticate scripts
To execute a script so it has valid Kerberos credentials, use:
Replace
username
with your username, mykeytab
with the name of your keytab file, and myscript
with the name of your script.List the keys in a keytab file
With MIT Kerberos, to list the contents of a keytab file, use
klist
(replace mykeytab
with the name of your keytab file):The output contains two columns listing version numbers and principal names. If multiple keys for a principal exist, the one with the highest version number will be used.
With Heimdal Kerberos, use
ktutil
instead:Delete a key from a keytab file
If you no longer need a keytab file, delete it immediately. If the keytab contains multiple keys, you can delete specific keys with the
ktutil
command. You can also use this procedure to remove old versions of a key. An example using MIT Kerberos follows:Replace
mykeytab
with the name of your keytab file, username
with your username, and version#
with the appropriate version number.Verify that the version is gone, and then in
ktutil
, enter: To do the same thing using Heimdal Kerberos, use:
Merge keytab files
If you have multiple keytab files that need to be in one place, you can merge the keys with the
ktutil
command.To merge keytab files using MIT Kerberos, use:
Replace
mykeytab-(number)
with the name of each keytab file. The final merged keytab would be krb5.keytab
.To verify the merge, use:
To do the same thing using Heimdal Kerberos, use:
Then, to verify the merge, use:
Copy a keytab file to another computer
Generate Keytab File Mac
How To Generate Keytab File In Windows
The keytab file is independent of the computer it's created on, its filename, and its location in the file system. Once it's created, you can rename it, move it to another location on the same computer, or move it to another Kerberos computer, and it will still function. The keytab file is a binary file, so be sure to transfer it in a way that does not corrupt it.
How To Generate Keytab File For Mac Os
If possible, use SCP or another secure method to transfer the keytab between computers. If you have to use FTP, be sure to issue the
bin
command from your FTP client before transferring the file. This will set the transfer type to binary so the keytab file will not be corrupted.