Describe Kerberos keytabs

24 March,2021 by Jack Vamvas

A keytab is a text file containing a table with user accounts - accompanied by an encrypted hash of the user account . Typically one account but can be more. 

A non - windows system, such as Linux, can't be configured to start up with a Windows service account, so if you require a process to logon to Active Directory than keytabs are very useful.

This is a more secure option than retaining a clear text configuration file - & then possibly encrypt this file. Whereas with keytabs you're storing a hash password in the keytab file. 

More detailed -  a keytab is a cryptographic file with a representation of a Kerberos-protected service and its key of its associated service principal name in the Key Distribution Center(KDC)

The KDC service which normally runs on a Domain Controller - in this case - the service exists as an SPN - which leads us to the second major use of the keytab file i.e decrypt the kerberos service ticket of an inbound directory user to the service

SPNs are central to this arrangement and the keytab binds these arrangments together .

In the Windows-only environment, keytabs will not ever be used, as the AD service account working  with the Windows Registry\security DLLs  provide the Kerberos SSO framework. It is only when the Active Directory-based enterprise is interoperating with non-Windows systems such as Containers on Linux keytabs are ever used.

The keytab doesn’t authenticate users coming into the Linux hosted application, that is the function of the Kerberos API, in conjunction with the application code. What the keytab does do is decrypt the Kerberos service ticket and “announce” to the Linux based host who the user is. This is the primary function of the keytab during Kerberos authentication.


Author: Jack Vamvas (http://www.dba-ninja.com)


Share:

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment on Describe Kerberos keytabs


dba-ninja.com