Presence/absence of the keytab
Scott Lowe
slowe at eplus.com
Fri May 5 09:11:08 EDT 2006
On 2006-05-04 14:57:51 -0400, Donn Cave <donn at u.washington.edu> said:
> In article <4buuu2F13d5okU3 at individual.net>,
> Scott Lowe <slowe at eplus.com> wrote:
>
>> I suppose if I were seeking to use a fully Kerberized server
>> application that accept Kerberos tickets from Kerberos clients, then a
>> keytab would be necessary. In this instance, the service does not
>> accept Kerberos authentication from connecting systems, but acts a
>> Kerberos client on the back-end to perform authentication (using PAM).
>> It seems to make sense, then, that a keytab would not be necessary. At
>> least, not in this situation.
>
> I guess it depends on what you mean by "necessary", but if there's
> any reasonable possibility that you could create a host service
> principal and install that keytab, I would do it. If you have
> reason to believe that the PAM authentication isn't actually using
> the keytab, I would find out why and try to get it fixed. Without
> it, you're vulnerable. Of course everything's relative, and the
> authorization you're providing with this authentication may not
> warrant the concern, but that's different than thinking it isn't
> necessary in the sense that there is no use for it, which would be
> an error.
It's certainly not a problem to create the host service principal in
Active Directory (using ktpass.exe) and installing the keytab on the
Linux system. I was just a bit caught off-guard by the fact that the
authentication (again, via pam_krb5) worked even when the keytab was
not installed. Given the explanation that you and others have provided
regarding the purpose of the keytab, I think that I understand why.
However, just for the sake of completeness, it makes sense and is not a
great deal of work to continue to generate the host service principal
and its associated keytab for the Linux hosts.
Thanks for your time and the time of others to explain this situation.
--
Regards,
Scott Lowe
ePlus Technology, Inc.
More information about the Kerberos
mailing list