What is a keytab, and how do I use one?
On this page:
- Introduction
- Creating a keytab file
- Using a keytab to authenticate scripts
- Listing the keys in a keytab file
- Deleting a key from a keytab file
- Copying a keytab file to another computer
Introduction
A keytab is a file containing pairs of Kerberos principals and encryption keys (derived from the Kerberos password; DES and triple-DES keys in the example below). You can use this file to log into Kerberos without being prompted for a password. The most common personal use of keytab files is to allow scripts to authenticate to Kerberos without human interaction and without storing a password in a plaintext file. The script can then use the acquired credentials to access files stored in the Research File System (RFS) or the Massive Data Storage Service (MDSS), for example.
Warning: Anyone with read permission on a keytab can use all of the keys it contains, so you must restrict and monitor permissions on any keytab files you create.
Note: When you change your Kerberos password, you will need to recreate all your keytabs.
Creating a keytab file
Creating a keytab file is a quick process you can do on any Kerberos computer. The keytab file is computer independent, so you can use this process once and then copy the file to multiple computers. The following assumes you have access to a Kerberos client (either on your own workstation or on a UITS shared system such as Quarry).
An example of the keytab file creation process follows. You first obtain a ticket and check the current key version number (kvno) of your principal, so that the entries you add with ktutil carry the same version number; you then add one entry per encryption type and write the result to a file:
> kinit username@IU.EDU
Password for username@IU.EDU:
> kvno username
username@IU.EDU: kvno = 1
> kdestroy
> ktutil
ktutil: addent -password -p username -k 1 -e des-cbc-crc
Password for username@IU.EDU: [enter your password]
ktutil: addent -password -p username -k 1 -e des3-cbc-sha1
Password for username@IU.EDU: [enter your password]
ktutil: wkt username.keytab
ktutil: quit
Using a keytab to authenticate scripts
To execute a script so that it has valid Kerberos credentials, use the following command:
kinit username@IU.EDU -k -t mykeytab; myscript
Replace username with your username,
mykeytab with the name of your keytab file, and
myscript with the name of your script.
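The following wrapper is an added example, not part of the original article: it runs a script with credentials from a keytab as described above, but first refuses any keytab that other users can read (the warning in the introduction), and it keeps the script's tickets in a private credential cache that is destroyed afterwards. It assumes MIT Kerberos kinit/kdestroy and a keytab created with ktutil; the principal, keytab path and script name are placeholders, and the permission check parses the standard ls -ld output format.

```shell
#!/bin/sh
# Run a script with keytab-based Kerberos credentials (added example,
# not from the original article). Assumes MIT Kerberos kinit/kdestroy.

# Refuse to use a keytab that anyone other than its owner can read,
# since anyone who can read it can use every key inside it.
check_keytab_perms() {
    f="$1"
    [ -f "$f" ] || { echo "keytab $f not found" >&2; return 1; }
    # ls -ld prints e.g. "-rw------- 1 user group ..."; characters 5-10
    # are the group/other permission bits and field 3 is the owner.
    mode=$(ls -ld "$f" | cut -c5-10)
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$mode" != "------" ]; then
        echo "keytab $f is group/world accessible (bits: $mode)" >&2
        return 1
    fi
    if [ "$owner" != "$(id -un)" ]; then
        echo "keytab $f is owned by $owner, not $(id -un)" >&2
        return 1
    fi
    return 0
}

# Obtain a ticket from the keytab into a private credential cache (so the
# script never reads or overwrites the user's own cache), run the command,
# then destroy the cache regardless of the command's outcome.
run_with_keytab() {
    principal="$1"; keytab="$2"; shift 2
    check_keytab_perms "$keytab" || return 1
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_XXXXXX)"
    export KRB5CCNAME
    if ! kinit -k -t "$keytab" "$principal"; then
        rm -f "${KRB5CCNAME#FILE:}"
        return 1
    fi
    "$@"
    status=$?
    kdestroy
    return $status
}

# Usage with placeholders (replace with your principal, keytab and script):
# run_with_keytab username@IU.EDU "$HOME/username.keytab" ./myscript
```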
Listing the keys in a keytab file
You can use the klist command to list the contents of a
keytab file. The output contains two columns listing version numbers
and principal names. If multiple keys for a principal exist, the one
with the highest version number will be used. An example follows:
Replace mykeytab with the name of your keytab file.
Deleting a key from a keytab file
If you no longer need a keytab file, delete it immediately. If the
keytab contains multiple keys, you can delete specific keys with the
ktutil command. You can also use this procedure to remove
old versions of a key. An example follows:
Replace mykeytab with the name of your keytab file,
username with your username, and version#
with the appropriate version number.
Verify that the version is gone and then in ktutil enter:
Copying a keytab file to another computer
The keytab file is independent of the computer it's created on, its filename, and its location in the file system. Once it's created, you can rename it, move it to another location on the same computer, or move it to another Kerberos computer, and it will still function. The keytab file is a binary file, so be sure to transfer it as such so it does not become corrupted.
If possible, use scp or another secure
method to transfer the keytab between computers. If you have to use
FTP, be sure to issue the bin command from your FTP
client before transferring the file. This will set the transfer type
to binary so that the keytab file is not corrupted.
Last modified on May 26, 2009.