Next: , Previous: Server Configuration Files, Up: UNIX Application Servers



4.3.3 The Keytab File

All Kerberos server machines need a keytab file, called /etc/krb5.keytab, to authenticate to the KDC. The keytab file is an encrypted, local, on-disk copy of the host's key. The keytab file, like the stash file (Create the Database) is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root, and should exist only on the machine's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the machine's root password itself.

In order to generate a keytab for a host, the host must have a principal in the Kerberos database. The procedure for adding hosts to the database is described fully in the “Adding or Modifying Principals” section of the Kerberos V5 System Administrator's Guide. See Create Host Keys for the Slave KDCs. for a brief description.) The keytab is generated by running kadmin and issuing the ktadd command.

For example, to generate a keytab file to allow the host trillium.mit.edu to authenticate for the services host, ftp, and pop, the administrator joeadmin would issue the command (on trillium.mit.edu):

     trillium% /usr/local/sbin/kadmin
     kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
     => pop/trillium.mit.edu
     kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin5: quit
     trillium%

If you generate the keytab file on another host, you need to get a copy of the keytab file onto the destination host (trillium, in the above example) without sending it unencrypted over the network. If you have installed the Kerberos V5 client programs, you can use encrypted rcp.