I am trying to understand how Kerberos works and so came across this file called Keytab which, I believe, is used for authentication to the KDC server.
Just like every user and service (say Hadoop) in a Kerberos realm has a service principal, does every user and service have a keytab file?
Also, does authentication using keytab work on symmetric key cryptography or public-private key?
The purpose of the Keytab file is to allow the user to access distinct Kerberos Services without being prompted for a password at each Service. Furthermore, it allows scripts and daemons to login to Kerberos Services without the need to store clear-text passwords or for human intervention.
On application servers that provide Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab by default (on most Linux distributions the default is /etc/krb5.keytab; check `default_keytab_name` in krb5.conf). A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytab files: anyone who can read the file holds the service's long-term key and can impersonate the service or decrypt tickets issued to it.
A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself. A keytab can be displayed using the klist command with the -k option.
In an Active Directory environment, the keytab for a non-Windows service (for example, a web server doing SPNEGO authentication) is typically generated with the Microsoft ktpass tool. Important: when you are mapping your SPN(s), map a maximum of one SPN to an individual AD user. If you want to map multiple SPNs to an individual AD user, ensure that the ktpass procedure you follow supports that, because each ktpass run can reset the account's password and bump its key version number, invalidating keytabs generated earlier.
To answer your two questions, every user and service does not need a keytab file and keytabs use symmetric key cryptography.
I'm going to explain a bit more based on my understanding of how keytabs are used in mixed networks of Windows and non-Windows systems using Active Directory as the directory service. If the directory service is something other than AD, which is the most popular directory service out there, then I am not as familiar with how the keytab would be used, but I imagine the concepts would be exactly the same since it is all based on Kerberos. Again, in enterprise networks, every user and service does not need a keytab file.
Keytabs are cryptographic files containing a representation of the service and its long-term key (what Samson referred to as the password) as it exists in the directory service. In an Active Directory realm, keytabs are especially useful for services running on a non-Windows platform protected by the Kerberos protocol.
Keytabs are used to either
Point #2 is especially useful, since, as Samson said, a service cannot manually type in its password to authenticate itself, so the long-term key is helpfully encoded into the file. This is why the keytab file itself is sensitive and needs to be protected.
For additional in-depth information regarding keytabs, you can read more about keytabs here: Kerberos Keytabs – Explained.
I frequently go back and edit it based on questions I see here in this forum.
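As an added example that is not part of either answer above, the following Python script reads and writes the MIT keytab file format (version 0x0502) so you can see exactly what the first answer's "timestamp, principal name, key version number, encryption type, and the encryption key itself" look like on disk, and why the second answer calls the file a copy of the service's long-term symmetric key: the key bytes sit in the file in the clear, and a service uses them directly to decrypt the tickets clients present. The principal `nn/namenode.example.com@EXAMPLE.COM`, the timestamp and the key bytes are constructed sample data, not real credentials; the `find_key` helper illustrates the common failure mode where the KDC-side key version (kvno) has moved on and the keytab is stale.

```python
"""Reader/writer for the MIT Kerberos keytab format (version 0x0502).

Added example, not code from the original answers. The byte layout follows
the MIT krb5 keytab format documentation; all principals and keys are
constructed sample data.
"""
import struct
import time
from dataclasses import dataclass
from typing import List, Optional

# Encryption type numbers from the IANA Kerberos registry (subset).
ENCTYPES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}

KEYTAB_VERSION = b"\x05\x02"
NT_PRINCIPAL = 1  # name_type for ordinary user and service principals


@dataclass
class KeytabEntry:
    principal: str   # "component1/component2@REALM"
    name_type: int
    timestamp: int   # seconds since the epoch; when the entry was written
    kvno: int        # key version number; must match the KDC's copy
    enctype: int
    key: bytes       # the long-term symmetric key itself, stored in the clear


def _counted(buf: bytes, off: int):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def _pack_counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted entry (a hole); skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_counted(realm.encode())
        for c in comps:
            body += _pack_counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)        # also write the 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def find_key(entries, principal, kvno, enctype) -> Optional[bytes]:
    """Key lookup a service performs when a ticket arrives. A password reset on
    the KDC bumps the kvno, so a stale keytab returns None and tickets fail."""
    for e in entries:
        if (e.principal, e.kvno, e.enctype) == (principal, kvno, enctype):
            return e.key
    return None


def klist_k(entries) -> str:
    """Approximate the layout of `klist -k -t -e`."""
    lines = ["KVNO Timestamp           Principal"]
    for e in entries:
        ts = time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(e.timestamp))
        lines.append(f"{e.kvno:4d} {ts} {e.principal} ({ENCTYPES.get(e.enctype, e.enctype)})")
    return "\n".join(lines)


# Constructed sample: a Hadoop NameNode service principal with two enctypes.
SAMPLE_PRINCIPAL = "nn/namenode.example.com@EXAMPLE.COM"
SAMPLE_ENTRIES = [
    KeytabEntry(SAMPLE_PRINCIPAL, NT_PRINCIPAL, 1700000000, 3, 18, bytes(range(32))),
    KeytabEntry(SAMPLE_PRINCIPAL, NT_PRINCIPAL, 1700000000, 3, 17, bytes(range(16))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print(klist_k(parse_keytab(SAMPLE_KEYTAB)))
```

Because the file is nothing more than these raw keys, treat it like a password file: owned by the service account, mode 0600, never copied into a repository or a container image layer, and regenerated (with a new kvno) when compromise is suspected.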