Installing, Configuring and Administering the Kerberos Server on HP-UX 11i: HP 9000 Networking > Chapter 4 Administration

Keytabs


A keytab is a host's copy of its own key list, which is analogous to a user's password. An application server that needs to authenticate itself to the KDC has to have a keytab that contains its own principal and key. Just as it is important for users to protect their passwords, it is equally important for hosts to protect their keytabs.

We recommend that you store keytab files on the local disk, make them readable only by root, and ensure that you never send a keytab file over the network in the clear.

Ideally, you should run the kadmin command to extract a key to a keytab file on the host on which it will reside.

Adding principals to Keytabs

The ktadd command creates a keytab file, which is needed for service principals. This command requires the "inquire" administrative privilege.

These principals are generally not associated with a user. When a service receives a request along with a Kerberos ticket, the service needs to decrypt that ticket using a key. Since no password can be keyed in to derive the key, the service instead reads the key from a special file, called a keytab file. The general syntax to create a keytab file is:

ktadd [-k keytab] [-q] principal | -glob princ_exp [..]

The ktadd command has the following options:

-k keytab

uses the keytab as the keytab file. The ktadd will use the default keytab file (/etc/krb5.keytab) if this option is not specified.

-q

runs in quiet mode. This causes ktadd to display less verbose information.

principal | -glob principal expression

adds principal, or all principals matching principal expression, to the keytab. Refer to “Retrieving a List of Principals”, as the same rules apply here.

A typical use of this command is to create a keytab file for the rlogin and telnet daemons.

For example, to add the host key for "kdc1" to its keytab, log in to kdc1 and type the following within the kadmin program:

ktadd -k /etc/krb5.keytab host/kdc1.finance.bambi.com@BAMBI.COM

This creates a file called /etc/krb5.keytab.

NOTE: When you exit from kadmin.local, ensure that the keytab file is readable only by root.

The keytab is used by Kerberized servers to control access to various services on that host.

If no keytab is specified by using the -k option, the default keytab file, /etc/krb5.keytab, is used. The -q option makes ktadd run in quiet mode.

Removing Principals from a Keytab File

The ktremove command removes the selected principal from the specified keytab file. If no keytab file is specified, the default keytab, /etc/krb5.keytab, is used.

If you specify the kvno integer after the principal name, any entry for that principal matching the same key version number is deleted from the keytab file.

If you type all after the principal name, all the entries for that principal will be removed from the keytab file. If you type old, all entries except those with the highest key version number will be removed.
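The following is an added example, not part of this HP document and not HP or MIT code. It serves both the keytab-protection advice above (readable only by root) and the ktremove selectors just described: it parses a keytab in the MIT version 2 on-disk layout, reports which entries a given ktremove selector (a kvno, all, or old) would delete, and audits the file's ownership and mode. The sample keytab is constructed inline with placeholder keys so the script runs offline; the principal names mirror the kdc1 example above.

```python
import os
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2 header
HOST_PRINC = "host/kdc1.finance.bambi.com@BAMBI.COM"


def _build_entry(principal, kvno, enctype, key):
    """Serialise one entry in the MIT v2 keytab layout (constructed sample data only)."""
    name, realm = principal.split("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
    body += struct.pack(">I", 1000000000)   # timestamp (constructed)
    body += struct.pack(">B", kvno & 0xFF)  # 8-bit key version number
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)         # 32-bit kvno trailer, as newer keytabs write
    return struct.pack(">i", len(body)) + body


# Constructed keytab: three key versions for the host principal (as left behind by
# repeated ktadd runs), one entry for another service, and one deleted slot
# (negative size) such as ktremove leaves behind. Keys are placeholder zero bytes.
SAMPLE_KEYTAB = KEYTAB_MAGIC + b"".join([
    _build_entry(HOST_PRINC, 1, 17, b"\x00" * 16),
    _build_entry(HOST_PRINC, 2, 17, b"\x00" * 16),
    struct.pack(">i", -8) + b"\x00" * 8,     # hole left by a removed entry
    _build_entry(HOST_PRINC, 3, 17, b"\x00" * 16),
    _build_entry("ftp/kdc1.finance.bambi.com@BAMBI.COM", 1, 17, b"\x00" * 16),
])


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, key} dicts from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not an MIT version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                  # deleted slot: skip |size| bytes
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 4                        # name_type, not needed here
        p += 4                        # timestamp, not needed here
        (kvno,) = struct.unpack_from(">B", data, p); p += 1
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        key = data[p:p + klen]; p += klen
        if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def entries_ktremove_would_delete(entries, principal, selector):
    """Apply ktremove's selector semantics: an integer kvno, 'all', or 'old'."""
    mine = [e for e in entries if e["principal"] == principal]
    if selector == "all":
        return mine
    if selector == "old":
        newest = max((e["kvno"] for e in mine), default=None)
        return [e for e in mine if e["kvno"] != newest]
    return [e for e in mine if e["kvno"] == int(selector)]


def check_keytab_perms(st_mode, st_uid):
    """Report violations of 'owned by root, readable only by root'."""
    problems = []
    if st_uid != 0:
        problems.append("owned by uid %d, not root" % st_uid)
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group or other access" % stat.S_IMODE(st_mode))
    return problems


def audit_keytab_file(path):
    """Stat a real keytab file and return its permission problems."""
    st = os.stat(path)
    return check_keytab_perms(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
    stale = entries_ktremove_would_delete(parse_keytab(SAMPLE_KEYTAB), HOST_PRINC, "old")
    print("ktremove ... old would delete kvno(s):", [e["kvno"] for e in stale])
```

Run with a real path, audit_keytab_file("/etc/krb5.keytab") returns an empty list only when the file is root-owned and mode 0600 or tighter, which is the state the NOTE above asks you to confirm after leaving kadmin. The "old" selector keeps the single highest kvno per principal, so a keytab accumulating versions after repeated ktadd runs can be trimmed without touching the key the KDC currently issues tickets for.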

If the keytab you want to modify resides on a different machine from the Kerberos database, you can use the ktutil command.

Refer to the ktutil manpage for more information.

© 2001 Hewlett-Packard Development Company, L.P.