Indiana University
University Information Technology Services
  

What is a keytab, and how do I use one?

Introduction

A keytab is a file containing pairs of Kerberos principals and encrypted keys (these are derived from the Kerberos password). You can use this file to log into Kerberos without being prompted for a password. The most common personal use of keytab files is to allow scripts to authenticate to Kerberos without human interaction and without storing a password in a plaintext file. The script can then use the acquired credentials to access files stored in the Research File System (RFS) or the Massive Data Storage Service (MDSS), for example.

Warning: Anyone with read permission on a keytab can use all of the keys it contains, so you must restrict and monitor permissions on any keytab files you create.

Notes:

  • When you change your Kerberos password, you will need to recreate all your keytabs.
  • Enter the commands in the following examples exactly as they are shown.

Creating a keytab file

Creating a keytab file is a quick process you can do on any computer with Kerberos. The keytab file is computer-independent, so you can run this process once and then copy the file to multiple computers. The following assumes you have access to a Kerberos client (either on your own workstation or on a UITS shared system, such as Quarry). You may need to modify your path to include the location of ktutil (e.g., /usr/sbin or /usr/kerberos/sbin).

An example of the keytab file creation process using MIT Kerberos (the most common) follows:

> ktutil
ktutil: addent -password -p username@ADS.IU.EDU -k 1 -e rc4-hmac
Password for username@ADS.IU.EDU: [enter your password]
ktutil: addent -password -p username@ADS.IU.EDU -k 1 -e aes256-cts
Password for username@ADS.IU.EDU: [enter your password]
ktutil: wkt username.keytab
ktutil: quit

Here is an example using Heimdal Kerberos instead:

> ktutil -k username.keytab add -p username@ADS.IU.EDU -e arcfour-hmac-md5 -V 1

If the keytab created in Heimdal does not work, it is possible that you will need an aes256-cts entry. In that case, you will need to find a computer with MIT Kerberos, and use that method instead.

Using a keytab to authenticate scripts

To execute a script so that it has valid Kerberos credentials, use the following command:

> kinit username@ADS.IU.EDU -k -t mykeytab; myscript

Replace username with your username, mykeytab with the name of your keytab file, and myscript with the name of your script.
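An added example (not from the original page) that wraps the kinit-then-script step above in a shell function: it refuses a keytab that anyone but its owner can read (the warning in the introduction), gives the script its own private credential cache, and destroys the ticket as soon as the script exits. It assumes MIT kinit and kdestroy on the PATH; the principal, keytab path and command are hypothetical arguments supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes MIT kinit/kdestroy.

# Return 0 only if the keytab is a regular file readable by its owner alone
# (mode 600): anyone who can read the file can use every key in it.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    # Columns 5-10 of "ls -l" output are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: run_with_keytab principal keytab command [args...]
# Runs in a subshell so KRB5CCNAME does not leak into the caller's environment.
run_with_keytab() (
    princ=$1; keytab=$2; shift 2
    if ! keytab_perms_ok "$keytab"; then
        echo "refusing to use $keytab: it must be a file with mode 600" >&2
        return 1
    fi
    # A private cache keeps the script's ticket out of the user's default
    # cache and lets us destroy exactly the credentials we created.
    cc=$(mktemp /tmp/krb5cc_script.XXXXXX) || return 1
    export KRB5CCNAME="FILE:$cc"
    kinit -k -t "$keytab" "$princ" || { rm -f "$cc"; return 1; }
    if "$@"; then status=0; else status=$?; fi
    kdestroy            # discard the ticket as soon as the job is done
    rm -f "$cc"
    return $status
)

# Example call (hypothetical names): run_with_keytab username@ADS.IU.EDU \
#     "$HOME/username.keytab" /path/to/myscript
```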

Listing the keys in a keytab file

You can use the klist command to list the contents of a keytab file with MIT Kerberos. The output contains two columns listing version numbers and principal names. If multiple keys for a principal exist, the one with the highest version number will be used. An example follows:

> klist -k mykeytab
version_number username@ADS.IU.EDU
version_number username@ADS.IU.EDU

Replace mykeytab with the name of your keytab file.

With Heimdal, use the ktutil command instead:

> ktutil -k mykeytab list
mykeytab:

Vno  Type          Principal
  1  des3-cbc-md5  username@ADS.IU.EDU
...

Deleting a key from a keytab file

If you no longer need a keytab file, delete it immediately. If the keytab contains multiple keys, you can delete specific keys with the ktutil command. You can also use this procedure to remove old versions of a key. An example using MIT Kerberos follows:

> ktutil
ktutil: read_kt mykeytab
ktutil: list
...
slot# version# username@ADS.IU.EDU
...
ktutil: delent slot#

Replace mykeytab with the name of your keytab file, username with your username, and version# with the appropriate version number.

Verify that the version is gone, and then in ktutil enter:

quit
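An added example (not from the original page) for the MIT procedure above: stale_slots reads the output of ktutil's list command and prints the slots that hold an older version of a principal's key, and ktutil_prune_commands turns that into a ktutil command script (run with ktutil < script). Both functions, the helper names and the sample listing are constructed for this example; it assumes MIT ktutil.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes MIT ktutil.

# Read "ktutil: list" output on stdin; print the slot numbers whose KVNO is
# lower than the newest KVNO seen for the same principal, highest slot first.
# ktutil renumbers the remaining slots after every delent, so stale entries
# have to be deleted from the bottom up.
stale_slots() {
    awk '
        # Data rows start with two numbers (slot, KVNO); the third field is
        # the principal. Header and separator lines are skipped.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            slot[NR] = $1; kvno[NR] = $2 + 0; princ[NR] = $3
            if (!($3 in max) || kvno[NR] > max[$3]) max[$3] = kvno[NR]
        }
        END {
            for (i in slot)
                if (kvno[i] < max[princ[i]]) print slot[i]
        }' | sort -rn
}

# Emit ktutil commands that drop the stale slots and write the pruned keylist
# to a NEW file. delent only edits ktutil's in-memory list, and wkt appends
# to a keytab that already exists, so the result must go to a fresh name that
# then replaces the old keytab.
ktutil_prune_commands() {   # args: keytab newkeytab; list output on stdin
    printf 'read_kt %s\n' "$1"
    stale_slots | sed 's/^/delent /'
    printf 'wkt %s\nquit\n' "$2"
}

# Constructed sample of "ktutil: list" output: slots 1-2 hold the rc4 and aes
# keys from before a password change (KVNO 1), slots 3-4 the current keys.
SAMPLE_LIST='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 username@ADS.IU.EDU
   2    1 username@ADS.IU.EDU
   3    2 username@ADS.IU.EDU
   4    2 username@ADS.IU.EDU
   5    1 host/example@ADS.IU.EDU'

printf '%s\n' "$SAMPLE_LIST" | ktutil_prune_commands mykeytab mykeytab.new
```

After ktutil has run the script, check the new file with klist -k and move it over the old keytab, keeping mode 600.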

To do the same thing using Heimdal Kerberos:

> ktutil -k mykeytab list
...
version# type username@ADS.IU.EDU
...
> ktutil -k mykeytab remove -p username@ADS.IU.EDU -V version# -e type

Merging keytab files

If you have multiple keytab files that need to be in one place, you can merge the keys with the ktutil command.

To merge keytab files using MIT Kerberos:

> ktutil
ktutil: read_kt mykeytab-1
ktutil: read_kt mykeytab-2
ktutil: read_kt mykeytab-3
ktutil: write_kt krb5.keytab
ktutil: quit

Replace mykeytab-1, mykeytab-2, and mykeytab-3 with the names of your keytab files. The final merged keytab is krb5.keytab.

Verify that they are merged by issuing klist -k krb5.keytab.

To do the same thing using Heimdal Kerberos:

> ktutil copy mykeytab-1 krb5.keytab
> ktutil copy mykeytab-2 krb5.keytab
> ktutil copy mykeytab-3 krb5.keytab

You can then use ktutil -k krb5.keytab list to verify.

Copying a keytab file to another computer

The keytab file is independent of the computer it's created on, its filename, and its location in the file system. Once it's created, you can rename it, move it to another location on the same computer, or move it to another Kerberos computer, and it will still function. The keytab file is a binary file, so be sure to transfer it in a way that does not corrupt it.

If possible, use scp or another secure method to transfer the keytab between computers. If you have to use FTP, be sure to issue the bin command from your FTP client before transferring the file. This will set the transfer type to binary so that the keytab file is not corrupted.

This is document aumh in domain all.
Last modified on October 22, 2009.
