Doubts regarding Keytab file

Abhishek Kaushik akaushik079 at gmail.com
Tue May 9 14:50:44 EDT 2017


Thank you for replying.

I understood that it is a symmetric key which is shared with the KDC.
So, is it in binary format or is there some other format which is used,
generally?
And what if (hypothetically) you don't have a password for some user, how is
the key generated in such a case?
Like you have mentioned that the services only have the raw key...

On Tue, May 9, 2017 at 9:29 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:

> On Tue, May 09, 2017 at 01:02:08PM +0530, Abhishek Kaushik wrote:
> > Hello,
> >
> > I am trying to understand how Kerberos works and so came across this file
> > called Keytab which, I believe, is used for authentication to the KDC
> > server.
> >
> > Just like every user and service (say Hadoop) in a kerberos realm has a
> > service principal, does every user and service have a keytab file?
> >
> > Also, does authentication using keytab work on symmetric key cryptography
> > or public-private key?
>
> For traditional kerberos, each principal (user or service) shares a
> symmetric key with the KDC, and the KDC acts as a trusted
> third-party for authentication exchanges.  Generally, users will
> know this key in the form of a password (there is a fixed
> password-to-key function, so the KDC stores the key and not the
> password), and service principals will just have the raw shared
> key(s).  Such raw shared keys are stored in a keytab file, which is
> used both for authentication to the KDC as you note, and also for
> decrypting and authenticating authentication requests from other
> principals to the service in question.
>
> In order to be usable in the (traditional) kerberos ecosystem, each
> principal needs at least one of a password and a keytab file.  It's
> possible, but rare, to have both present for the same principal.
>
> I have been referring to "traditional kerberos", which is
> exclusively symmetric cryptography.  There are certain extensions to
> kerberos that use public-key cryptography, most notably PKINIT (RFC
> 4556), but at present such schemes are only used for the initial
> authentication to the KDC; subsequent protocol exchanges and
> authentication to other services still use symmetric cryptography.
>
> -Ben
>
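The two points in the exchange above (a keytab holds raw symmetric keys in a binary file, and a key that comes from a password is produced by a fixed password-to-key function) can be made concrete with a small example. The following is added illustration code and is not part of the thread or of MIT Kerberos; it writes and reads the MIT keytab v2 (0x0502) layout, generates a random key for a service principal that has no password, and shows the salted PBKDF2 stage of the RFC 3962 aes256-cts string-to-key function. The cipher-specific DK() step that turns that PBKDF2 output into the final AES key is deliberately not implemented here, so the function is labelled as a stage, not as the finished key. The principal names, realm and kvno values are made up for the example.

```python
"""Keytab layout and key origin, as an added example (not from the thread)."""
import hashlib
import secrets
import struct
import time

KEYTAB_VERSION = b"\x05\x02"        # MIT/Heimdal keytab format version 2
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18  # enctype number from RFC 3962
KRB5_NT_PRINCIPAL = 1               # name-type stored in v2 entries


def random_service_key(length=32):
    """A service principal never types its key, so the KDC (kadmin) just
    draws it at random; for AES enctypes random bytes are a valid key."""
    return secrets.token_bytes(length)


def string_to_key_pbkdf2_stage(password, principal, realm,
                               iterations=4096, keylen=32):
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key.

    Default salt (RFC 4120 4.2.1) is realm + principal components with no
    separators, which is why the same password yields different keys in
    different realms. The full enctype then applies DK(tkey, "kerberos")
    with AES; that step is not done here, so this is NOT the final key.
    """
    salt = (realm + "".join(principal.split("/"))).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt,
                               iterations, keylen)


def _counted(b):
    """uint16 big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries, timestamp=None):
    """Serialize (principal, realm, kvno, enctype, key) tuples to keytab bytes."""
    ts = int(time.time()) if timestamp is None else timestamp
    out = bytearray(KEYTAB_VERSION)
    for principal, realm, kvno, etype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", KRB5_NT_PRINCIPAL, ts)
        body += struct.pack(">B", kvno & 0xFF)           # legacy 8-bit kvno
        body += struct.pack(">H", etype) + _counted(key)  # keyblock
        body += struct.pack(">I", kvno)                   # full 32-bit kvno
        out += struct.pack(">i", len(body)) + body        # signed entry size
    return bytes(out)


def parse_keytab(data):
    """Parse keytab bytes; a negative entry size marks a deleted slot."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, ts = struct.unpack_from(">II", data, pos)
        pos += 8
        kvno = data[pos]
        pos += 1
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        if end - pos >= 4:                 # newer writers add the 32-bit kvno
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "etype": etype, "key": key,
                        "timestamp": ts})
    return entries


if __name__ == "__main__":
    key = random_service_key()
    kt = build_keytab([("HTTP/hadoop01.example.com", "EXAMPLE.COM", 3,
                        ETYPE_AES256_CTS_HMAC_SHA1_96, key)])
    for e in parse_keytab(kt):
        print(e["principal"], e["realm"], e["kvno"], e["etype"], e["key"].hex())
```

The `kvno & 0xFF` byte plus the trailing 32-bit field mirrors how the format grew: old readers only see the low byte, so a service whose key has been rotated more than 255 times needs the full field. Treat the output file like a private key: anyone who can read it can impersonate the service to the KDC and decrypt every ticket presented to that service.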

