System Administration Guide: Security Services

Administering Keytab Files

Every host that provides a service must have a local file, called a keytab (short for “key table”). The keytab contains the key for the appropriate service principal, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only by Kerberos and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab file that contains its nfs service principal.

To add a service key to a keytab file, you add the appropriate service principal to a host's keytab file by using the ktadd command of kadmin. Because you are adding a service principal to a keytab file, the principal must already exist in the Kerberos database so that kadmin can verify its existence. On the master KDC, the keytab file is located at /etc/krb5/kadm5.keytab, by default. On application servers that provide Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab, by default.

A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytab files. You should always store keytab files on a local disk, and make them readable only by the root user. Also, you should never send a keytab file over an unsecured network.
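The following is an added check, not part of this guide, that audits a keytab file against the guidance above (owned by root, readable by root only). It assumes POSIX ls -ln output and treats a trailing "+" or "." on the mode string as an ACL or extended attribute that must be checked separately.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): audit a keytab file for the
# ownership and permissions the guide requires. Uses only POSIX ls/awk-free
# shell so it runs on Solaris and Linux alike.

# keytab_perm_problems FILE
# Prints one line per problem found and returns 1; prints nothing and
# returns 0 when FILE is owned by uid 0 and has no group/other bits.
keytab_perm_problems() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # "ls -ln" prints e.g. "-rw------- 1 0 0 1234 Jan 1 00:00 /etc/krb5/krb5.keytab"
    set -- $(ls -ln "$f")
    mode=$1
    uid=$3
    rc=0
    if [ "$uid" != 0 ]; then
        echo "owner uid is $uid, expected 0 (root): $f"
        rc=1
    fi
    # characters 5-10 of the mode string are the group and other bits
    case "$mode" in
        ????------) ;;
        ????------*) echo "ACL or extended attribute on $f ($mode): verify it does not widen access"; rc=1 ;;
        *) echo "group/other access allowed ($mode): $f"; rc=1 ;;
    esac
    return $rc
}

# Typical use on a KDC or application server (not run here):
#   keytab_perm_problems /etc/krb5/krb5.keytab && echo "keytab permissions OK"
```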

There is also a special case in which you add a root principal to a host's keytab file. If you want a user on a Kerberos client to mount Kerberized NFS file systems that require root-equivalent access, you must add the client's root principal to the client's keytab file. Otherwise, users must run the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system with root access, even when they are using the automounter.


Note - When you set up a master KDC, you need to add the kadmind and changepw principals to the kadm5.keytab file.


Another command that you can use to administer keytab files is the ktutil command. This interactive command enables you to manage a local host's keytab file without having Kerberos administration privileges, because ktutil doesn't interact with the Kerberos database as kadmin does. So, after a principal is added to a keytab file, you can use ktutil to view the keylist in a keytab file or to temporarily disable authentication for a service.


Note - When you change a principal in a keytab file using the ktadd command in kadmin, a new key is generated and added to the keytab file.


Administering Keytab Files (Task Map)

Task: Add a service principal to a keytab file.
Description: Use the ktadd command of kadmin to add a service principal to a keytab file.
For Instructions: How to Add a Kerberos Service Principal to a Keytab File

Task: Remove a service principal from a keytab file.
Description: Use the ktremove command of kadmin to remove a service principal from a keytab file.
For Instructions: How to Remove a Service Principal From a Keytab File

Task: Display the keylist (list of principals) in a keytab file.
Description: Use the ktutil command to display the keylist in a keytab file.
For Instructions: How to Display the Keylist (Principals) in a Keytab File

Task: Temporarily disable authentication for a service on a host.
Description: This procedure is a quick way to temporarily disable authentication for a service on a host without requiring kadmin privileges. Before you use ktutil to delete the service principal from the server's keytab file, copy the original keytab file to a temporary location. When you want to enable the service again, copy the original keytab file back to its proper location.
For Instructions: How to Temporarily Disable Authentication for a Service on a Host

How to Add a Kerberos Service Principal to a Keytab File

  1. Make sure that the principal already exists in the Kerberos database.

    See How to View the List of Kerberos Principals for more information.

  2. Become superuser on the host that needs a principal added to its keytab file.
  3. Start the kadmin command.
    # /usr/sbin/kadmin
  4. Add a principal to a keytab file by using the ktadd command.
    kadmin: ktadd [-e enctype] [-k keytab] [-q] [principal | -glob principal-exp]
    -e enctype

    Overrides the list of encryption types defined in the krb5.conf file.

    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information.

    principal

    Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp.

    -glob principal-exp

    Specifies the principal expressions. All principals that match the principal-exp are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin.

  5. Quit the kadmin command.
    kadmin: quit
Example 25-16 Adding a Service Principal to a Keytab File

In the following example, the kadmin/kdc1.example.com and changepw/kdc1.example.com principals are added to a master KDC's keytab file. For this example, the keytab file must be the file that is specified in the kdc.conf file.

kdc1 # /usr/sbin/kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com changepw/kdc1.example.com
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type Triple DES cbc
          mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-256 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-128 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type Triple DES cbc
          mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.

denver # /usr/sbin/kadmin
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode
          with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Remove a Service Principal From a Keytab File

  1. Become superuser on the host with a service principal that must be removed from its keytab file.
  2. Start the kadmin command.
    # /usr/sbin/kadmin
  3. (Optional) To display the current list of principals (keys) in the keytab file, use the ktutil command.

    See How to Display the Keylist (Principals) in a Keytab File for detailed instructions.

  4. Remove a principal from the keytab file by using the ktremove command.
    kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old ]
    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information.

    principal

    Specifies the principal to be removed from the keytab file.

    kvno

    Removes all entries for the specified principal whose key version number matches kvno.

    all

    Removes all entries for the specified principal.

    old

    Removes all entries for the specified principal, except the entries with the highest key version number.

  5. Quit the kadmin command.
    kadmin: quit
Example 25-17 Removing a Service Principal From a Keytab File

In the following example, denver's host principal is removed from denver's keytab file.

denver # /usr/sbin/kadmin
kadmin: ktremove host/denver.example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver.example.com@EXAMPLE.COM with kvno 3
  removed from keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Display the Keylist (Principals) in a Keytab File

  1. Become superuser on the host with the keytab file.

    Note - Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.


  2. Start the ktutil command.
    # /usr/bin/ktutil
  3. Read the keytab file into the keylist buffer by using the read_kt command.
    ktutil: read_kt keytab
  4. Display the keylist buffer by using the list command.
    ktutil: list

    The current keylist buffer is displayed.

  5. Quit the ktutil command.
    ktutil: quit
Example 25-18 Displaying the Keylist (Principals) in a Keytab File

The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.

denver # /usr/bin/ktutil
    ktutil: read_kt /etc/krb5/krb5.keytab
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@EXAMPLE.COM
    ktutil: quit

How to Temporarily Disable Authentication for a Service on a Host

At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.


Note - By default, most services are set up to require authentication. If a service is not set up to require authentication, then the service still works, even if you disable authentication for the service.


  1. Become superuser on the host with the keytab file.

    Note - Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.


  2. Save the current keytab file to a temporary file.
  3. Start the ktutil command.
    # /usr/bin/ktutil
  4. Read the keytab file into the keylist buffer by using the read_kt command.
    ktutil: read_kt keytab
  5. Display the keylist buffer by using the list command.
    ktutil: list

    The current keylist buffer is displayed. Note the slot number for the service that you want to disable.

  6. To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.
    ktutil: delete_entry slot-number

    Where slot-number specifies the slot number of the service principal to be deleted, which is displayed by the list command.

  7. Write the keylist buffer to a new keytab file by using the write_kt command.
    ktutil: write_kt new-keytab
  8. Quit the ktutil command.
    ktutil: quit
  9. Move the new keytab file.
    # mv new-keytab keytab
  10. When you want to re-enable the service, copy the temporary (original) keytab file back to its original location.
Example 25-19 Temporarily Disabling a Service on a Host

In the following example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.

denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
    ktutil: read_kt /etc/krb5/krb5.keytab
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
    ktutil: delete_entry 2
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
    ktutil: write_kt /etc/krb5/new.krb5.keytab
    ktutil: quit
denver # cp /etc/krb5/new.krb5.keytab /etc/krb5/krb5.keytab
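The following is an added example, not part of this guide, that builds the ktutil command sequence for the procedure above from the output of the list command. It assumes the list layout shown in Example 25-19 and a constructed keylist with several entries for one principal; because ktutil renumbers the remaining slots after each delete_entry, the slots are deleted in descending order so that the later slot numbers stay valid.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): generate the ktutil commands
# that remove every keytab entry for one service principal, from the
# "ktutil: list" output. Slots are deleted highest-first because ktutil
# renumbers the keylist buffer after each delete_entry.

# Constructed sample of "ktutil: list" output (same layout as the guide).
SAMPLE_LIST='slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
   3    4 host/denver@EXAMPLE.COM
   4    3 nfs/denver@EXAMPLE.COM'

# slots_for_principal LIST PRINCIPAL
# Prints the slot numbers whose principal equals PRINCIPAL, highest first.
slots_for_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $3 == p { print $1 }' | sort -rn
}

# ktutil_disable_script LIST PRINCIPAL KEYTAB NEWKEYTAB
# Prints the commands to feed to ktutil: read KEYTAB, delete the matching
# slots in descending order, write the result to NEWKEYTAB. Returns 1 when
# PRINCIPAL is not in the keylist, so nothing is rewritten by mistake.
ktutil_disable_script() {
    slots=$(slots_for_principal "$1" "$2")
    [ -n "$slots" ] || return 1
    printf 'read_kt %s\n' "$3"
    for s in $slots; do
        printf 'delete_entry %s\n' "$s"
    done
    printf 'write_kt %s\nquit\n' "$4"
}

# Illustrative use on the denver host (not run here); keep the saved copy
# of the keytab until the service is re-enabled, as step 2 requires:
#   cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
#   LIST=$(printf 'read_kt /etc/krb5/krb5.keytab\nlist\nquit\n' | ktutil)
#   ktutil_disable_script "$LIST" host/denver@EXAMPLE.COM \
#       /etc/krb5/krb5.keytab /etc/krb5/new.krb5.keytab | ktutil
#   mv /etc/krb5/new.krb5.keytab /etc/krb5/krb5.keytab
```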