keytab file format - exporting arcfour keys from active directory

ronnie sahlberg ronniesahlberg at gmail.com
Mon May 1 23:31:54 EDT 2006


List,

I would suggest just documenting the 5 2 format of keytab files properly and
making it the "official" file format for now.
I can put a wiki page up on wiki.ethereal.com that documents the format.

The file format is used by various tools and products already, and all have
basically had to reverse engineer the format independently.

Let's call this format a de facto standard for keytab files.

MIT uses this format.
Heimdal uses this format.
Microsoft's KTPASS utility writes this format.
Samba4 has some tool that creates/writes files in this format.
Ethereal will soonish read this format natively for BTN_KERBEROS (better
than nothing); that would be an RC4-only fallback mode when neither MIT nor
Heimdal is available to link with.
Mr Allen is writing a keytab encoder as well.
I know of several other proprietary Kerberos client implementations that use
the same format as well.


There are many situations where one wants to read/write keytab files,
something which only requires at most a couple of hundred lines of simple
C code, and where one for various reasons does not want to link with a
full-blown, huge Kerberos implementation.
There are also situations where one wants to be able to read/write such
files on platforms or hosts where there are no Kerberos libraries installed.


ronnie

On 5/2/06, Marcus Watts <mdw at umich.edu> wrote:
>
> Various wrote:
> > Message-ID: <44569531.5080008 at nyc.rr.com>
> > From: Jeffrey Altman <jaltman2 at nyc.rr.com>
> > Subject: Re: keytab file format - exporting arcfour keys from active
> directory
> > Date: Mon, 01 May 2006 23:08:32 GMT
> > Organization: Road Runner High Speed Online http://www.rr.com
> > To: kerberos at mit.edu
> >
> > Michael B Allen wrote:
> > > On Mon, 01 May 2006 17:13:13 -0400
> > > Sam Hartman <hartmans at mit.edu> wrote:
> > >
> > >> We'd really prefer you just call into a krb5_32.dll.  That will
> > >> continue to work if the keytab format changes in the future.
> > >
> > > I don't think asking people to install an MIT Kerberos DLL on a Windows
> > > KDC would go over well. I think I'll stick to standard C.
> > >
> > > Mike
> >
> > Why not?   People do it all the time.  Besides what language do you
> > think the DLL was compiled from?  "C".
> >
> > Jeffrey Altman
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
> I can understand not wanting to make this file format
> very permanent.  I think it might be nice to have *some*
> format that is reasonably permanent and usable cross-platform,
> between different languages & all.  So far, we have:
>         mit kerberos
>         heimdal kerberos
>         microsoft
>         shishi
>         ... not to mention several vendor adaptations of MIT,
>         several java implementations of kerberos, etc.
> The heimdal folks seem to have bothered to figure out the file format.
> Apparently Microsoft today can also make keytabs.  I don't know if they
> have any sort of public native API to read/write them.  The shishi
> folks don't yet have logic to do this, probably in part due to the lack
> of documentation.  The shishi folks *do* have their own keyfile
> format.  Nevertheless, this is on their project list.  So the MIT folks
> have already got significant compatibility issues to work out, at least
> with past versions of themselves, & if they care, also with heimdal,
> microsoft, and any other vendors or environments with which they wish
> to interoperate.
>
> I think this is an area where it would pay more to actually come up
> with a standard - ideally for keytab file formats, or failing that,
> some sort of import/export stringified key exchange text standard.
>
>                                 -Marcus
>
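As an added illustration of the "couple of hundred lines of simple C" that Ronnie says a keytab reader needs, here is a bounded reader for the 0x0502 keytab layout. This is example code written for this page; it is not code from the thread, from Ethereal, or from any Kerberos implementation. The field order it follows is the one MIT and Heimdal write for version 0x0502 (all multi-byte fields big-endian): a signed 32-bit entry size (negative marks a deleted slot of that absolute size), a 16-bit component count, a counted realm string, the components as counted strings, 32-bit name type, 32-bit timestamp, an 8-bit key version, 16-bit enctype, 16-bit key length, the key, and an optional trailing 32-bit key version that overrides the 8-bit one when non-zero. The keytab bytes it parses are constructed for the example (principal host/www.example.com@EXAMPLE.COM, enctype 23 arcfour-hmac, kvno 3, a dummy 16-byte key) and are not a real key or a real export from any KDC.

```c
/* Added example, not code from this thread or from any Kerberos library:
 * a bounds-checked reader for the 0x0502 keytab layout (big-endian).
 * Every read is checked against the remaining bytes of the file and then
 * of the individual entry, so truncated or hostile files fail cleanly. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KT_MAX_COMP 4
#define KT_MAX_STR  64
#define KT_MAX_KEY  32

typedef struct {
    char     realm[KT_MAX_STR], comp[KT_MAX_COMP][KT_MAX_STR];
    int      ncomp;
    uint32_t name_type, timestamp, kvno;
    uint16_t enctype, keylen;
    uint8_t  key[KT_MAX_KEY];
} kt_entry;

typedef struct { const uint8_t *p, *end; } kt_cur;   /* bounds-checked cursor */
static size_t left(const kt_cur *c) { return (size_t)(c->end - c->p); }
static int rd_u8(kt_cur *c, uint8_t *v)
{ if (left(c) < 1) return -1; *v = *c->p++; return 0; }
static int rd_u16(kt_cur *c, uint16_t *v)
{ if (left(c) < 2) return -1; *v = (uint16_t)(c->p[0] << 8 | c->p[1]); c->p += 2; return 0; }
static int rd_u32(kt_cur *c, uint32_t *v)
{ uint16_t hi, lo; if (rd_u16(c, &hi) || rd_u16(c, &lo)) return -1; *v = (uint32_t)hi << 16 | lo; return 0; }
/* counted_octet_string: uint16 length followed by that many bytes */
static int rd_str(kt_cur *c, char *out, size_t cap)
{ uint16_t n; if (rd_u16(c, &n) || n >= cap || left(c) < n) return -1;
  memcpy(out, c->p, n); out[n] = '\0'; c->p += n; return 0; }

/* Parse a whole keytab image into out[]. Returns the number of live entries,
 * or -1 on a bad header, truncation, or an over-long field. */
int kt_parse(const uint8_t *buf, size_t len, kt_entry *out, int max)
{
    kt_cur c = { buf, buf + len };
    uint8_t ver_hi, ver_lo, vno8; uint16_t ncomp;
    uint32_t raw, vno32; int n = 0;
    if (rd_u8(&c, &ver_hi) || rd_u8(&c, &ver_lo) || ver_hi != 5 || ver_lo != 2)
        return -1;                                /* only 0x0502 handled */
    while (left(&c) > 0) {
        if (rd_u32(&c, &raw)) return -1;
        int32_t size = (int32_t)raw;
        if (size == 0) return -1;
        if (size < 0) {                           /* deleted slot: skip |size| */
            if ((int64_t)left(&c) < -(int64_t)size) return -1;
            c.p += -(int64_t)size;
            continue;
        }
        if (left(&c) < (size_t)size || n >= max) return -1;
        kt_cur e = { c.p, c.p + size };           /* bound reads to this entry */
        c.p += size;
        kt_entry *ent = &out[n];
        memset(ent, 0, sizeof *ent);
        if (rd_u16(&e, &ncomp) || ncomp > KT_MAX_COMP ||
            rd_str(&e, ent->realm, KT_MAX_STR)) return -1;
        ent->ncomp = ncomp;
        for (int i = 0; i < ncomp; i++)
            if (rd_str(&e, ent->comp[i], KT_MAX_STR)) return -1;
        if (rd_u32(&e, &ent->name_type) || rd_u32(&e, &ent->timestamp) ||
            rd_u8(&e, &vno8) || rd_u16(&e, &ent->enctype) ||
            rd_u16(&e, &ent->keylen) || ent->keylen > KT_MAX_KEY ||
            left(&e) < ent->keylen) return -1;
        memcpy(ent->key, e.p, ent->keylen); e.p += ent->keylen;
        ent->kvno = vno8;                         /* 8-bit vno unless overridden */
        if (left(&e) >= 4 && !rd_u32(&e, &vno32) && vno32)
            ent->kvno = vno32;                    /* optional trailing 32-bit vno */
        n++;
    }
    return n;
}

/* Constructed sample (not a real keytab or key): header, one deleted 8-byte
 * slot, then host/www.example.com@EXAMPLE.COM, enctype 23, kvno 3, dummy key. */
static const uint8_t sample_keytab[] = {
    0x05, 0x02,
    0xFF, 0xFF, 0xFF, 0xF8, 0, 0, 0, 0, 0, 0, 0, 0,            /* deleted slot */
    0x00, 0x00, 0x00, 0x47, 0x00, 0x02,                        /* size 71, 2 comps */
    0x00, 0x0B, 'E','X','A','M','P','L','E','.','C','O','M',
    0x00, 0x04, 'h','o','s','t',
    0x00, 0x0F, 'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m',
    0x00, 0x00, 0x00, 0x01, 0x44, 0x57, 0x00, 0x00, 0x03,      /* NT_PRINCIPAL, time, vno8 */
    0x00, 0x17, 0x00, 0x10,                                    /* arcfour-hmac, 16 bytes */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,     /* dummy key */
    0x00, 0x00, 0x00, 0x03,                                    /* optional 32-bit vno */
};
static kt_entry sample_entries[4];
int kt_parse_sample(void)   /* fills sample_entries; returns live entry count */
{ return kt_parse(sample_keytab, sizeof sample_keytab, sample_entries, 4); }

int main(void)
{
    int n = kt_parse_sample();
    for (int i = 0; i < n; i++)
        printf("%s/...@%s kvno=%u enctype=%u keylen=%u\n", sample_entries[i].comp[0],
               sample_entries[i].realm, sample_entries[i].kvno,
               sample_entries[i].enctype, sample_entries[i].keylen);
    return n < 0;
}
```

Two caveats a practitioner would want. The older 0x0501 layout differs in more than the version byte (host byte order, a component count that includes the realm, and no name_type field), so this reader refuses it rather than guessing; and because the trailing 32-bit kvno is optional, a writer that omits it and a writer that emits it must both be accepted, which is why the key length is taken from the entry's own size rather than assumed from the enctype.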