Is a keytab file encrypted?
Russ Allbery
eagle at eyrie.org
Fri Jul 21 15:42:38 EDT 2017
Charles Hedrick <hedrick at rutgers.edu> writes:
> The argument makes sense.
> However I am disturbed by the fact that a keytab can be used
> anywhere. If someone manages to become root on one machine, I’d like
> them not to be able to do things on other machines. I’m in an
> environment where we have systems administered by users, and unattended
> public workstations.
> That makes me unwilling to tell users to create key tables for cron
> jobs.
Yeah, if you're worried about portable keys, that's when you probably want
to do something with a system TPM. If you go down that path, I'd probably
try to figure out some way to do PKINIT using a TLS certificate stored in
the TPM. I'm not aware of anyone who has already done that work, but it
would be a pretty interesting project.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>