Is a keytab file encrypted?

Charles Hedrick hedrick at
Fri Jul 21 16:30:18 EDT 2017

My approach is simpler:

* A kerberized service where the user registers that they want to be able to do cron jobs on a given machine. 
* A kerberized pam module that calls the same service and gets back credentials, locked to the IP address, and at least by default not forwardable.

The pam module authenticates using the system keytable.

This may not be quite as good as a TPM, because it depends upon the integrity of the system key table. But the service checks the IP address, so my host credential is host/FOO, a lookup of FOO has to produce the IP address the request came from. That seems pretty close. I’ll look into TPM, to see if that could somehow be used.

> On Jul 21, 2017, at 3:42 PM, Russ Allbery <eagle at> wrote:
> Charles Hedrick <hedrick at> writes:
>> The argument makes sense.
>> However I am disturbed by the fact that a keytab can be used
>> anywhere. If someone manages to become root on one machine, I’d like
>> them not to be able to do things on other machines. I’m in an
>> environment where we have systems administered by users, and unattended
>> public workstations.
>> That makes me unwilling to tell users to create key tables for cron
>> jobs.
> Yeah, if you're worried about portable keys, that's when you probably want
> to do something with a system TPM.  If you go down that path, I'd probably
> try to figure out some way to do PKINIT using a TLS certificate stored in
> the TPM.  I'm not aware of anyone who has already done that work, but it
> would be a pretty interesting project.
> -- 
> Russ Allbery (eagle at              <>

More information about the Kerberos mailing list