 

Has keytab got a lifetime?

I have a keytab that is scheduled to run daily (just once) to renew its ticket. However, I wanted to find out whether the keytab itself has any lifetime? I assume it doesn't, as the cron job has been configured to execute daily, which I think will create a new ticket instead of renewing?

RajK asked Nov 03 '14 13:11



People also ask

What is the lifespan of keytab?

Keytab does expire, independently of Kerberos password. For example in Linux, the default lifespan of keytab is 24 hours. Once the keytab file expires, user has to request a new keytab file.

What is a keytab?

A keytab (short for “key table”) stores long-term keys for one or more principals. Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways. Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain...

What happens to a keytab when the password expires?

That being said, keytabs are subject to any password expiration policies that may be imposed on a principal. Thus, if a principal's password expires (or the password is changed), a keytab generated using that password will be rendered invalid.

Should keytabs be protected?

Anyone who has access to a keytab can essentially impersonate the principal(s) contained within it. So it's safe to say that keytabs should be protected just like passwords. A keytab can store any type of principal, including all the ones we have previously discussed.


1 Answer

From MIT Kerberos: "A keytab (short for “key table”) stores long-term keys for one or more principals." The keytab file stores your key, which allows you to automate your usage of the Kerberos principals without any "human interaction". As you know, the tickets are only valid for a somewhat short amount of time, typically between 12 and 24 hours; however, the keytab is valid as long as you find it valid. By this I mean that if any third entity gets hold of the keytab, it loses all its purpose.

Rafael Saraiva answered Oct 29 '22 01:10
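The point made in the answer can be checked against the file itself. The following is an added example, not part of the original answer: a parser for the MIT keytab file format, version 0x0502, run on a constructed sample (the principal, timestamp and all-zero key are made up). Each entry holds a principal, a key version number, an encryption type, the key and the time the entry was written; the format has no expiry field.

```python
import struct
from datetime import datetime, timezone

def build_sample_keytab():
    """Constructed sample: one entry for host/app.example.test@EXAMPLE.TEST."""
    def cstr(b):                      # 16-bit length prefix + bytes
        return struct.pack(">H", len(b)) + b
    entry = (struct.pack(">H", 2) + cstr(b"EXAMPLE.TEST")
             + cstr(b"host") + cstr(b"app.example.test")
             + struct.pack(">IIB", 1, 1415020260, 3)    # name type, write time, kvno
             + struct.pack(">H", 18) + cstr(bytes(32)))  # enctype 18 (aes256), dummy key
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

def parse_keytab(data):
    """Return one dict per live entry of a version 0x0502 (big-endian) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # a negative length marks a deleted slot
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated entry")
        rec, p = data[pos:pos + size], 2
        pos += size

        def cstr():                   # read one length-prefixed string from rec
            nonlocal p
            (n,) = struct.unpack_from(">H", rec, p)
            if p + 2 + n > len(rec):
                raise ValueError("string overruns entry")
            p += 2 + n
            return rec[p - n:p]

        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm = cstr().decode()
        name = "/".join(cstr().decode() for _ in range(ncomp))
        _ntype, written, kvno, enctype = struct.unpack_from(">IIBH", rec, p)
        p += 11
        key = cstr()
        if len(rec) - p >= 4:         # optional 32-bit kvno; nonzero overrides
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append({"principal": f"{name}@{realm}", "kvno": kvno,
                        "enctype": enctype, "key_bytes": len(key),
                        "written": datetime.fromtimestamp(written, timezone.utc)})
    return entries
```

Whether an entry still authenticates depends on the KDC holding a key with the same kvno, so a password or key change on the principal is what invalidates a keytab, not the passage of time.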