[38021] in Kerberos


Re: Is a keytab file encrypted?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Jul 18 14:13:08 2017

To: pratyush parimal <pratyush.parimal@gmail.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <e311ecb2-ca59-4931-0823-22716eba54bc@mit.edu>
Date: Tue, 18 Jul 2017 14:12:49 -0400
MIME-Version: 1.0
In-Reply-To: <CALvRNOGzQmqwT4LXP1d9=r5twvft97S77n6seEGVzetKNHOYnA@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 07/18/2017 12:48 PM, pratyush parimal wrote:
> When I export a principal's key to a keytab file using the following
> command:
> 
> ktadd -k keytabfile service/host@REALM
> 
> (1) Does the keytabfile contain the key in encrypted form or as plaintext?

The keytab file contains the actual keys, unencrypted.

> (2) Is it possible to export the key in encrypted form? If so, then how
> does the service application open the encrypted keytab?

The keytab file does not have any way to represent encrypted keys, and
the kadmin protocol has no facility to export encrypted keys.  One
could, in principle, design an out-of-band system which used
kadmin.local to create a keytab, encrypt the file, transmit the
encrypted keytab file to the server, and then decrypt the file on the
server (into a memory filesystem, perhaps) before running the server
application, but I've never heard of anyone doing that.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
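
Added example, not part of the message above and not MIT krb5 code: a minimal Python parser for keytab file format version 0x0502, illustrating answer (1) by reading the key bytes back exactly as they were written, with no decryption step. The function names, the realm EXAMPLE.COM and the sample key are constructed for illustration.

```python
import struct

def _counted(b):
    return struct.pack(">H", len(b)) + b          # 16-bit length, then the bytes

def build_sample_keytab(realm, components, kvno, enctype, key):
    """Constructed test data: a one-entry keytab, file format version 0x0502."""
    entry = struct.pack(">H", len(components)) + _counted(realm)
    entry += b"".join(_counted(c) for c in components)
    entry += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    entry += struct.pack(">H", enctype) + _counted(key)
    entry += struct.pack(">I", kvno)                  # optional 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

def parse_keytab(data):
    """Parse a version 0x0502 keytab; 'key' is the key exactly as stored on disk."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                 # treated as end of entries
            break
        if size < 0:                  # deleted entry (hole): skip its bytes
            pos -= size
            continue
        rec, pos, off = data[pos:pos + size], pos + size, 0
        if len(rec) != size:
            raise ValueError("truncated entry")

        def field(fmt):               # read one big-endian field and advance
            nonlocal off
            (val,) = struct.unpack_from(fmt, rec, off)
            off += struct.calcsize(fmt)
            return val
        def counted():                # struct.error if the length overruns rec
            return field(">%ds" % field(">H"))

        ncomp, realm = field(">H"), counted()
        name = b"/".join(counted() for _ in range(ncomp)) + b"@" + realm
        field(">I"), field(">I")      # name type and timestamp, not needed here
        kvno, enctype, key = field(">B"), field(">H"), counted()
        if len(rec) - off >= 4:       # 32-bit kvno overrides the 8-bit one if nonzero
            kvno = field(">I") or kvno
        entries.append({"principal": name.decode(), "kvno": kvno,
                        "enctype": enctype, "key": key})
    return entries
```

Since the stored bytes are the key itself, anyone who can read the file holds the service's key, so the file's permissions are its only protection at rest.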
