Is a keytab file encrypted?

Russ Allbery eagle at
Fri Jul 21 17:50:29 EDT 2017

Charles Hedrick <hedrick at> writes:

> * A kerberized service where the user registers that they want to be
> able to do cron jobs on a given machine.
> * A kerberized pam module that calls the same service and gets back
> credentials, locked to the IP address, and at least by default not
> forwardable.

How does this address the problem raised on this thread?  It's still the
case that if you become root on the host, you can just steal the keytab
used by that daemon and use it anywhere.  This gives you enhanced
protection if you trust the boundary between non-root users and root, but
not if you don't trust the machine.

The point of the TPM is that you can't exfiltrate the keys, even if you
have root, only perform on-line operations.

Russ Allbery (eagle at              <>

More information about the Kerberos mailing list