Presence/absence of the keytab
Scott Lowe
slowe at eplus.com
Thu May 4 14:17:34 EDT 2006
On 2006-05-04 03:38:27 -0400, "Richard E. Silverman" <res at qoxp.net> said:
>>>>>> "SL" == Scott Lowe <slowe at eplus.com> writes:
>
> SL> Yesterday, however, I was able to successfully authenticate via
> SL> Kerberos from VMware ESX Server 2.5.3 (the console operating
> SL> system is Linux-based) *without* generating a keytab. This seems
> SL> to fly in the face of all the information and instructions I've
> SL> seen.
>
> SL> So, I'm curious...any thoughts as to why this worked?
>
> A keytab is needed for a host on which a kerberized service runs; it holds
> the service principal's secret key, which the service software needs.
>
> You don't need anything special on a host to allow someone to "kinit" on
> it. The only secret needed is your password.
OK, that makes sense, since in this instance the "server" (let's say, a
non-Kerberized SSH daemon) is strictly a Kerberos client talking
through pam_krb5. In that instance, since it is not the one talking
Kerberos directly to all other systems involved (I'm hesitant to keep
using the terms "client" and "server" here), then a keytab would
typically not be necessary.
--
Regards,
Scott Lowe
ePlus Technology, Inc.
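
Added example, not part of the original messages: to show what a keytab on a service host actually holds, this parser reads the MIT keytab file format (version 0x0502) and lists each principal with its key version and encryption type, without returning key bytes. The sample keytab, the principal host/esx.example.com@EXAMPLE.COM and the all-zero key are constructed for illustration.

```python
import struct

class Reader:
    """Cursor over big-endian keytab fields."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def num(self, fmt):
        (value,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return value
    def counted(self):
        n = self.num(">H")                      # 16-bit length prefix
        out = self.buf[self.pos:self.pos + n]
        if len(out) != n:
            raise ValueError("truncated field")
        self.pos += n
        return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_len)]; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    top, found = Reader(data), []
    top.pos = 2
    while top.pos + 4 <= len(data):
        size = top.num(">i")
        if size <= 0:                           # negative size marks a deleted slot
            top.pos += -size
            continue
        r = Reader(data[top.pos:top.pos + size])
        top.pos += size
        ncomp = r.num(">H")                     # component count excludes the realm
        realm = r.counted().decode()
        name = "/".join(r.counted().decode() for _ in range(ncomp))
        r.num(">I"); r.num(">I")                # name type, timestamp (unused here)
        kvno, enctype = r.num(">B"), r.num(">H")
        key_len = len(r.counted())              # the service principal's secret key
        if size - r.pos >= 4:                   # optional 32-bit kvno after the key
            kvno = r.num(">I") or kvno
        found.append((f"{name}@{realm}", kvno, enctype, key_len))
    return found

def sample_keytab():
    """Constructed sample: one deleted slot plus one host key (made-up values)."""
    c = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + c(b"EXAMPLE.COM") + c(b"host")
            + c(b"esx.example.com") + struct.pack(">IIB", 1, 0, 3)
            + struct.pack(">H", 18) + c(b"\x00" * 32) + struct.pack(">I", 3))
    hole = struct.pack(">i", -6) + b"\x00" * 6
    return b"\x05\x02" + hole + struct.pack(">i", len(body)) + body
```

A host that only runs kinit or pam_krb5 logins, as in this thread, has no such entries to list; a host running a kerberized service has one per service principal and key type.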