Is a keytab file encrypted?

Russ Allbery eagle at
Fri Jul 21 15:42:38 EDT 2017

Charles Hedrick <hedrick at> writes:

> The argument makes sense.

> However I am disturbed by the fact that a keytab can be used
> anywhere. If someone manages to become root on one machine, I’d like
> them not to be able to do things on other machines. I’m in an
> environment where we have systems administered by users, and unattended
> public workstations.

> That makes me unwilling to tell users to create key tables for cron
> jobs.

Yeah, if you're worried about portable keys, that's when you probably want
to do something with a system TPM.  If you go down that path, I'd probably
try to figure out some way to do PKINIT using a TLS certificate stored in
the TPM.  I'm not aware of anyone who has already done that work, but it
would be a pretty interesting project.

Russ Allbery (eagle at              <>

More information about the Kerberos mailing list