I have a keytab that is scheduled to run daily (just once) to renew its ticket. However, I wanted to find out whether the keytab itself has any lifetime? I assume it doesn't, as the cron job has been configured to execute daily, which I think will create a new ticket instead of renewing?
A keytab does expire, independently of the Kerberos password. For example, in Linux, the default lifespan of a keytab is 24 hours. Once the keytab file expires, the user has to request a new keytab file. See screenshot below.
A keytab (short for “key table”) stores long-term keys for one or more principals. Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways. Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain...
That being said, keytabs are subject to any password expiration policies that may be imposed on a principal. Thus, if a principal's password expires (or the password is changed), a keytab generated using that password will be rendered invalid.
Anyone who has access to a keytab can essentially impersonate the principal(s) contained within it. So it's safe to say that keytabs should be protected just like passwords. A keytab can store any type of principal, including all the ones we have previously discussed.
Brought from MIT Kerberos: "A keytab (short for “key table”) stores long-term keys for one or more principals." The keytab file will store your key, which allows you to automate your usage of the Kerberos principals without any "human interaction". As you know, the tickets are only valid for a somewhat short amount of time, typically between 12 and 24 hours; however, the keytab is valid as long as you find it valid. By this I mean that if any third entity gets hold of the keytab, it loses all its purpose.