Presence/absence of the keytab

[Scott Lowe]

On 2006-05-04 14:57:51 -0400, Donn Cave <donn at u.washington.edu> said:

> In article <4buuu2F13d5okU3 at individual.net>,
>  Scott Lowe <slowe at eplus.com> wrote:
> 
>> I suppose if I were seeking to use a fully Kerberized server 
>> application that accept Kerberos tickets from Kerberos clients, then a 
>> keytab would be necessary.  In this instance, the service does not 
>> accept Kerberos authentication from connecting systems, but acts a 
>> Kerberos client on the back-end to perform authentication (using PAM).  
>> It seems to make sense, then, that a keytab would not be necessary.  At 
>> least, not in this situation.
> 
> I guess it depends on what you mean by "necessary", but if there's
> any reasonable possibility that you could create a host service
> principal and install that keytab, I would do it.  If you have
> reason to believe that the PAM authentication isn't actually using
> the keytab, I would find out why and try to get it fixed.  Without
> it, you're vulnerable.  Of course everything's relative, and the
> authorization you're providing with this authentication may not
> warrant the concern, but that's different than thinking it isn't
> necessary in the sense that there is no use for it, which would be
> an error.

It's certainly not a problem to create the host service principal in 
Active Directory (using ktpass.exe) and installing the keytab on the 
Linux system.  I was just a bit caught off-guard by the fact that the 
authentication (again, via pam_krb5) worked even when the keytab was 
not installed.  Given the explanation that you and others have provided 
regarding the purpose of the keytab, I think that I understand why.  
However, just for the sake of completeness, it makes sense and is not a 
great deal of work to continue to generate the host service principal 
and its associated keytab for the Linux hosts.

Thanks for your time and the time of others to explain this situation.

-- 
Regards,
Scott Lowe
ePlus Technology, Inc.