Doubts regarding Keytab file

Benjamin Kaduk kaduk at mit.edu
Tue May 9 11:59:54 EDT 2017


On Tue, May 09, 2017 at 01:02:08PM +0530, Abhishek Kaushik wrote:
> Hello,
> 
> I am trying to understand how Kerberos works and so came across this file
> called Keytab which, I believe, is used for authentication to the KDC
> server.
> 
> Just like every user and service(say Hadoop) in a kerberos realm has a
> service principal, does every user and service have a keytab file?
> 
> Also, does authentication using keytab work on symmetric key cryptography
> or public-private key?

For traditional kerberos, each principal (user or service) shares a
symmetric key with the KDC, and the KDC acts as a trusted
third-party for authentication exchanges.  Generally, users will
know this key in the form of a password (there is a fixed
password-to-key function, so the KDC stores the key and not the
password), and service principals will just have the raw shared
key(s).  Such raw shared keys are stored in a keytab file, which is
used both for authentication to the KDC as you note, and also for
decrypting and authenticating authentication requests from other
principals to the service in question.

In order to be usable in the (traditional) kerberos ecosystem, each
principal needs at least one of a password and a keytab file.  It's
possible, but rare, to have both present for the same principal.

I have been referring to "traditional kerberos", which is
exclusively symmetric cryptography.  There are certain extensions to
kerberos that use public-key cryptography, most notably PKINIT (RFC
4556), but at present such schemes are only used for the initial
authentication to the KDC; subsequent protocol exchanges and
authentication to other services still use symmetric cryptography.

-Ben
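Added example (not part of the reply above, and not MIT's own code): a minimal encoder and decoder for the MIT keytab file format (version 0x0502) in Python, to make concrete what the reply says about keytabs holding raw shared keys. It assumes the documented layout of a version-2 keytab (big-endian integers, a signed 32-bit entry size with negative sizes marking deleted slots, name components counted separately from the realm, an 8-bit kvno plus an optional trailing 32-bit kvno). The principal names, timestamps and key bytes are constructed placeholders, not real keys.

```python
"""Read and write MIT-format keytab files (header 0x05 0x02, big-endian).

A keytab is a flat list of (principal, kvno, enctype, raw key) records.
Because the key itself is stored, the file is as sensitive as a password.
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 2
NT_PRINCIPAL = 1             # name type written for every entry here (assumption)
ENCTYPE_NAMES = {            # RFC 3961/3962 encryption type numbers
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int        # key version number
    enctype: int
    key: bytes       # the raw shared key itself
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def encode_keytab(entries) -> bytes:
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        # version 2 counts only the name components, not the realm
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)   # optional 32-bit kvno, needed when kvno > 255
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def decode_keytab(data: bytes) -> list:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size: deleted entry (hole), skip it
            pos += -size
            continue
        if size == 0:
            raise ValueError("zero-length entry")
        end = pos + size
        if end > len(data):
            raise ValueError("entry runs past end of file")
        p = pos

        def take(n):
            nonlocal p
            if p + n > end:
                raise ValueError("truncated entry")
            chunk = data[p:p + n]
            p += n
            return chunk

        def counted():
            (n,) = struct.unpack(">H", take(2))
            return take(n)

        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        key = counted()
        kvno = vno8
        if end - p >= 4:        # trailing 32-bit kvno present; it wins when nonzero
            (vno32,) = struct.unpack(">I", take(4))
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
        pos = end
    return entries


SAMPLE_ENTRIES = [   # constructed sample data; key bytes are placeholders, not real keys
    KeytabEntry("HTTP/web01.example.com@EXAMPLE.COM", 3, 18, bytes(range(32)), 1494345594),
    KeytabEntry("hdfs/nn01.example.com@EXAMPLE.COM", 300, 17, bytes(range(16)), 1494345594),
]


def roundtrip(entries=SAMPLE_ENTRIES):
    """Encode then decode; a faithful implementation returns the same entries."""
    return decode_keytab(encode_keytab(entries))


if __name__ == "__main__":
    for e in roundtrip():
        print(f"{e.principal} kvno={e.kvno} "
              f"{ENCTYPE_NAMES.get(e.enctype, e.enctype)} key={e.key.hex()[:8]}...")
```

The second sample entry has kvno 300, which does not fit the 8-bit field; the trailing 32-bit kvno is what preserves it. Anything that can read this file can impersonate the service (and decrypt tickets sent to it), which is why keytabs are normally owned by the service account with mode 0600.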

