What is a keytab exactly?

I am trying to understand how Kerberos works and so came across this file called Keytab which, I believe, is used for authentication to the KDC server.

Just like every user and service (say Hadoop) in a Kerberos realm has a service principal, does every user and service have a keytab file?

Also, does authentication using keytab work on symmetric key cryptography or public-private key?

Harborage answered 9/5, 2017 at 7:4 Comment(2)
web.mit.edu/kerberos/krb5-1.15/doc/basic/keytab_def.html plus web.mit.edu/kerberos/krb5-1.15/doc/admin/conf_files/… for the supported encryption types.Deragon
A user can type his/her password when authenticating. A service cannot. Hence the need to persist the password in a file. Cf. docs.google.com/presentation/d/… page 15 (and the presentation as a whole is a must-read if you want to get acquainted with Kerberos in the Hadoop world).Deragon

To answer your two questions, every user and service does not need a keytab file and keytabs use symmetric key cryptography.

I'm going to explain a bit more based on my understanding on how keytabs are used in mixed networks of Windows and non-Windows systems using Active Directory as the directory service. If the directory service is something other than AD, which is the most popular directory service out there, then I am not as familiar with how the keytab would be used but I imagine the concepts would be the exact same since it is all based on Kerberos. Again, in enterprise networks, every user and service does not need a keytab file.

Keytabs are cryptographic files containing a representation of the service and its long-term key (what Samson referred to as the password) as it exists in the directory service. In an Active Directory realm, keytabs are especially useful for services running on a non-Windows platform protected by the Kerberos protocol.

Keytabs are used to either

  1. decrypt the Kerberos service ticket of an inbound AD user to the service
  2. or authenticate the service itself to another service on the network.

Point #2 is especially useful, since as Samson said, a service cannot manually type in its password to authenticate itself, so the long-term key is helpfully encoded into the file. This is why the keytab file itself is sensitive and needs to be protected.

For additional in-depth information regarding keytabs, you can read more about keytabs here: Kerberos Keytabs – Explained.

I frequently go back and edit it based on questions I see here in this forum.

Dysarthria answered 9/5, 2017 at 12:29 Comment(5)
Thanks a lot! So, what is the format of the keytab file?Harborage
You wouldn't need to worry about that, as the keytab creation syntax builds the keytab for you. If you modify the keytab in any way after you create it, in my experience you will invalidate it and it won't work anymore. My article talks about keytab syntax and format at length. I just edited and added some additional details based on the questions you asked in this post. But, I've already answered your two original questions though.Dysarthria
Hi; If we've answered your question please mark it as such which will verify it to others in the community; otherwise please let us know if any.Dysarthria
Sure! Done. Can you also let me know if there is a Kerberos tutorial to understand most, if not all, things in one place?Harborage
That's pretty subjective, there's lots out there on the web, but I have these four pages bookmarked for this type of question: gost.isi.edu/publications/kerberos-neuman-tso.html; zeroshell.org/kerberos/Kerberos-operation; dfusion.com.au/wiki/tiki-index.php?page=Kerberos+Tutorial; and social.technet.microsoft.com/wiki/contents/articles/…Dysarthria
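The answer above says a keytab is a file holding a principal name and its long-term symmetric key, and the comments ask what the file format actually looks like. The following script is an added example, not code from the original post or from the MIT Kerberos project; it builds and parses a version 2 keytab following the layout documented in the MIT keytab file format reference linked in the comments (two-byte version `0x0502`, then length-prefixed entries of realm, name components, name type, timestamp, 8-bit kvno, enctype, key bytes and an optional 32-bit kvno). The principal `HTTP/web01.example.com@EXAMPLE.COM` and the 32-byte key are constructed dummy values, and `keytab_mode_ok` is a hypothetical helper showing the one check a defender wants on a real keytab: nobody but the owner can read it, because the key sits in the file in the clear.

```python
"""Build and parse MIT-format keytab files (added example, not MIT code).

Follows the version 2 layout from the MIT keytab_file_format reference.
All principals and key bytes below are constructed dummy values.
"""
import os
import struct
from dataclasses import dataclass

# Encryption type numbers from RFC 3961 / RFC 8009. Every one of them is a
# symmetric cipher: a keytab never carries a public/private key pair.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1  # name type for ordinary user/service principals


@dataclass
class KeytabEntry:
    principal: str          # e.g. "HTTP/web01.example.com@EXAMPLE.COM"
    kvno: int               # key version number
    enctype: int            # RFC 3961 encryption type number
    key: bytes              # the long-term symmetric key, stored in the clear
    timestamp: int = 0      # time the entry was written (Unix seconds)


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise entries as a keytab with file format version 0x0502."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)        # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a version 2 keytab and return its entries as KeytabEntry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):   # realm first, then each name component
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        realm, comps = parts[0], parts[1:]
        _ntype, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno, if present, wins over vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
    return entries


def summarize(entries):
    """klist -kt style lines: kvno, principal and enctype name."""
    return [f"{e.kvno:>4} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            for e in entries]


def keytab_mode_ok(mode: int) -> bool:
    """Hypothetical check: the keytab must not be group/world readable."""
    return (mode & 0o077) == 0


def check_keytab_file(path: str) -> bool:
    """Apply keytab_mode_ok to a file on disk."""
    return keytab_mode_ok(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    dummy = [KeytabEntry("HTTP/web01.example.com@EXAMPLE.COM", 3, 18,
                         bytes(range(32)), 1494000000)]
    blob = build_keytab(dummy)
    for line in summarize(parse_keytab(blob)):
        print(line)
```

Running the script prints one `klist -kt` style line for the constructed entry. Note that nothing in the file is encrypted or signed: whoever can read the keytab has the service's long-term key and can impersonate it or decrypt its service tickets, which is the reason the answer stresses protecting the file.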

© 2022 - 2024 — McMap. All rights reserved.