Newbie question on keytab -- no need for this on clients, right?

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Apr 12 08:17:15 EDT 2004


Gabe wrote:
> This same question was asked on 2003-08-14 10:58:14 PST (subject "newbie 
> question keytab for client or server"), but I don't think it got 
> answered, so I'm going to ask: the keytab folder in the MIT source code 
> is only needed for application servers or KDCs, right?  There's no need 
> for that code on the clients that will be requesting TGTs and so forth, 
> correct?  (I imagine the question applies to the Kerberos source code of 
> any implementation, MIT or otherwise.)

Yes, typically the keytab file is used by services that need access
to their service creds but which are not manually initiated.  Without
the keytab file, someone would have to enter the key (or passphrase)
manually every time that process was started.

Clients do not typically use the keytab file; they either prompt for
name/password and then request initial creds or read the initial
credentials from the user's cache.

The keytab file should be protected in such a way that only the processes
that actually need to read it have access, as it holds very sensitive
information.

-Wyllys

