Administering Keytab Files

Every host that provides a service must have a local file, called a keytab (short for “key table”). The keytab contains the principal for the appropriate service, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only by Kerberos and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab file that contains its nfs service principal.

To add a service key to a keytab file, you add the appropriate service principal to a host's keytab file by using the ktadd command of kadmin. Because you are adding a service principal to a keytab file, the principal must already exist in the Kerberos database so that kadmin can verify its existence. On application servers that provide Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab, by default.

A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytab files. You should always store keytab files on a local disk, and make them readable only by the root user. Also, you should never send a keytab file over an unsecured network.

There is also a special instance in which to add a root principal to a host's keytab file. If you want a user on the Kerberos client to mount Kerberized NFS file systems that require root-equivalent access, you must add the client's root principal to the client's keytab file. Otherwise, users must use the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system with root access, even when they are using the automounter.

Another command that you can use to administer keytab files is the ktutil command. This interactive command enables you to manage a local host's keytab file without having Kerberos administration privileges, because ktutil doesn't interact with the Kerberos database as kadmin does. So, after a principal is added to a keytab file, you can use ktutil to view the keylist in a keytab file or to temporarily disable authentication for a service.

Administering Keytab Files (Task Map)

How to Add a Kerberos Service Principal to a Keytab File

1. Make sure that the principal already exists in the Kerberos database.

   See How to View the List of Kerberos Principals for more information.

2. Assume the root role on the host that needs a principal added to its keytab file.
3. Start the kadmin command.

   # /usr/sbin/kadmin

4. Add a principal to a keytab file by using the ktadd command.

   kadmin: ktadd [-e enctype] [-k keytab] [-q] [principal | -glob principal-exp]

   -e enctype

   Overrides the list of encryption types defined in the krb5.conf file.

   -k keytab

   Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

   -q

   Displays less verbose information.

   principal

   Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp.

   -glob principal-exp

   Specifies the principal expressions. All principals that match the principal-exp are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin.

5. Quit the kadmin command.

   kadmin: quit

Example 23-16 Adding a Service Principal to a Keytab File

In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.

denver # /usr/sbin/kadmin
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode
          with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Remove a Service Principal From a Keytab File

1. Assume the root role on the host with a service principal that must be removed from its keytab file.
2. Start the kadmin command.

   # /usr/sbin/kadmin

3. (Optional) To display the current list of principals (keys) in the keytab file, use the ktutil command.

   See How to Display the Keylist (Principals) in a Keytab File for detailed instructions.

4. Remove a principal from the keytab file by using the ktremove command.

   kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old ]

   -k keytab

   Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

   -q

   Displays less verbose information.

   principal

   Specifies the principal to be removed from the keytab file.

   kvno

   Removes all entries for the specified principal whose key version number matches kvno.

   all

   Removes all entries for the specified principal.

   old

   Removes all entries for the specified principal, except those principals with the highest key version number.

5. Quit the kadmin command.

   kadmin: quit

Example 23-17 Removing a Service Principal From a Keytab File

In the following example, denver's host principal is removed from denver's keytab file.

denver # /usr/sbin/kadmin
kadmin: ktremove host/denver.example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver.example.com@EXAMPLE.COM with kvno 3
  removed from keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Display the Keylist (Principals) in a Keytab File

1. Assume the root role on the host with the keytab file.

   ---

   Note - Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.

   ---

2. Start the ktutil command.

   # /usr/bin/ktutil

3. Read the keytab file into the keylist buffer by using the read_kt command.

   ktutil: read_kt keytab

4. Display the keylist buffer by using the list command.

   ktutil: list

   The current keylist buffer is displayed.

5. Quit the ktutil command.

   ktutil: quit

Example 23-18 Displaying the Keylist (Principals) in a Keytab File

The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.

denver # /usr/bin/ktutil
    ktutil: read_kt /etc/krb5/krb5.keytab
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@EXAMPLE.COM
    ktutil: quit

How to Temporarily Disable Authentication for a Service on a Host

At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.

1. Assume the root role on the host with the keytab file.

   ---

   Note - Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.

   ---

2. Save the current keytab file to a temporary file.
3. Start the ktutil command.

   # /usr/bin/ktutil

4. Read the keytab file into the keylist buffer by using the read_kt command.

   ktutil: read_kt keytab

5. Display the keylist buffer by using the list command.

   ktutil: list

   The current keylist buffer is displayed. Note the slot number for the service that you want to disable.

6. To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.

   ktutil: delete_entry slot-number

   Where slot-number specifies the slot number of the service principal to be deleted, which is displayed by the list command.

7. Write the keylist buffer to a new keytab file by using the write_kt command.

   ktutil: write_kt new-keytab

8. Quit the ktutil command.

   ktutil: quit

9. Move the new keytab file.

   # mv new-keytab keytab

10. When you want to re-enable the service, copy the temporary (original) keytab file back to its original location.

Example 23-19 Temporarily Disabling a Service on a Host

In the following example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.

denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
    ktutil:read_kt /etc/krb5/krb5.keytab
    ktutil:list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
    ktutil:delete_entry 2
    ktutil:list
slot KVNO Principal
---- ---- --------------------------------------
   1    8 root/denver@EXAMPLE.COM
    ktutil:write_kt /etc/krb5/new.krb5.keytab
    ktutil: quit
denver # cp /etc/krb5/new.krb5.keytab /etc/krb5/krb5.keytab