keytab vs database
Sam Hartman
hartmans at MIT.EDU
Tue Aug 17 13:07:13 EDT 2004
>>>>> "Lara" == Lara Adianto <m1r4cle_26 at yahoo.com> writes:
Lara> Hi, I have a basic question about kerberos concept. As I
Lara> browsed through MIT source code to better understand how
Lara> kerberos works, I noticed that in processing the tgs
Lara> request, the ticket is always decrypted using server's key
Lara> retrieved from keytab. If the server is a TGS service
Lara> (krbtgt) or kadmin/changepw which are part of a KDC (am I
Lara> right to say this?), is it okay to retrieve the key from
Lara> the database instead of from the keytab?
Lara> Does a KDC need to maintain a keytab actually?
No, and MIT does not. There is a special glue layer between the
keytab abstraction and the database. If you happen to be running
inside the KDC process, there is a special keytab implementation that
looks up keys in the database rather than in a file. Look at
src/lib/kdb/keytab.c.
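
The arrangement described in the reply, sketched as an added example that is not part of the original post and is not MIT krb5 code: a caller asks a keytab interface for a server key, and the implementation behind it reads the KDC database instead of a file. All type and function names, the realm, the key bytes and the "kvno 0 means any version" convention are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types; not MIT krb5's real structures. */
typedef struct { char principal[64]; int kvno; unsigned char key[16]; } kt_entry;

typedef struct keytab {
    const char *type;                 /* backend label, "KDB" in this sketch */
    int (*get_entry)(struct keytab *, const char *princ, int kvno, kt_entry *out);
    void *backend;                    /* backend-private state */
} keytab;

/* Constructed stand-in for the KDC principal database (placeholder keys). */
typedef struct { const char *principal; int kvno; unsigned char key[16]; } db_row;
static db_row kdc_db[] = {
    { "krbtgt/EXAMPLE.COM@EXAMPLE.COM", 2, { 0xAA } },
    { "kadmin/changepw@EXAMPLE.COM",    1, { 0xBB } },
};

/* Database-backed get_entry: resolves the key in-process, no keytab file. */
static int kdb_get_entry(keytab *kt, const char *princ, int kvno, kt_entry *out)
{
    db_row *rows = kt->backend;
    for (size_t i = 0; i < sizeof kdc_db / sizeof kdc_db[0]; i++) {
        if (strcmp(rows[i].principal, princ) == 0 &&
            (kvno == 0 || rows[i].kvno == kvno)) {  /* sketch: 0 = any kvno */
            snprintf(out->principal, sizeof out->principal, "%s", princ);
            out->kvno = rows[i].kvno;
            memcpy(out->key, rows[i].key, sizeof out->key);
            return 0;
        }
    }
    return -1;                        /* principal or key version not found */
}

static keytab kdb_keytab = { "KDB", kdb_get_entry, kdc_db };

/* Caller that sees only the keytab interface, like a ticket-decryption path. */
int lookup_server_key(keytab *kt, const char *server, int kvno, kt_entry *out)
{
    return kt->get_entry(kt, server, kvno, out);
}

int main(void)
{
    kt_entry e;
    if (lookup_server_key(&kdb_keytab, "krbtgt/EXAMPLE.COM@EXAMPLE.COM", 0, &e) == 0)
        printf("%s kvno %d via %s keytab\n", e.principal, e.kvno, kdb_keytab.type);
    return 0;
}
```

Because the caller never names the backend, the krbtgt and kadmin/changepw keys in this sketch exist only in the database and are never written to a separate file.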