Is a keytab file encrypted?

Charles Hedrick hedrick at
Fri Jul 21 11:13:54 EDT 2017

The argument makes sense.

However I am disturbed by the fact that a keytab can be used anywhere. If someone manages to become root on one machine, I’d like them not to be able to do things on other machines. I’m in an environment where we have systems administered by users, and unattended public workstations.

That makes me unwilling to tell users to create key tables for cron jobs.

> On Jul 18, 2017, at 10:20 PM, pratyush parimal <pratyush.parimal at> wrote:
> Ah, I get it. It's much clearer now. Thanks guys!
> On Jul 18, 2017 10:15 PM, "Russ Allbery" <eagle at> wrote:
>> Greg Hudson <ghudson at> writes:
>>> On 07/18/2017 12:48 PM, pratyush parimal wrote:
>>>> (2) Is it possible to export the key in encrypted form? If so, then how
>>>> does the service application open the encrypted keytab?
>>> The keytab file does not have any way to represent encrypted keys, and
>>> the kadmin protocol has no facility to export encrypted keys.  One
>>> could, in principle, design an out-of-band system which used
>>> kadmin.local to create a keytab, encrypt the file, transmit the
>>> encrypted kyetab file to the server, and then decrypt the file on the
>>> server (into a memory filesystem, perhaps) before running the server
>>> application, but I've never heard of anyone doing that.
>> You have kind of a chicken and an egg problem, since in a typical Kerberos
>> environment the keytab *is* the core identity keys for an application.  If
>> it's encrypted, then you need some other unencrypted keys that *really*
>> represent the application, at which point why not use those keys for
>> Kerberos directly?
>> That said, if you had a private key in a TPM or some other sort of
>> tamper-resistent hardware, I could see wanting to hand out Kerberos
>> keytabs encrypted to the public key of the server.  But you'd have to
>> build the service to do key issuance that way yourself.  (It wouldn't be
>> horribly hard to build if you'd already done the work to build out the PKI
>> and its TPM component.)
>> But, even in that case, it's not clear to me what the keytab is then doing
>> for you versus just using the PKI and using PKINIT to get Kerberos
>> tickets.  There are probably some practical uses for introducing the extra
>> layer of complexity, but it's not obviously necessary.
>> --
>> Russ Allbery (eagle at              <>
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list