[38023] in Kerberos


Re: Is a keytab file encrypted?

daemon@ATHENA.MIT.EDU (pratyush parimal)
Tue Jul 18 22:20:23 2017

MIME-Version: 1.0
In-Reply-To: <87wp75yxwy.fsf@hope.eyrie.org>
From: pratyush parimal <pratyush.parimal@gmail.com>
Date: Tue, 18 Jul 2017 22:20:12 -0400
Message-ID: <CALvRNOE5R5MSt1tt_0W_u80MR7LMFOEtuhGz0ueJHCwCxgtooQ@mail.gmail.com>
To: Russ Allbery <eagle@eyrie.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Ah, I get it. It's much clearer now. Thanks guys!

On Jul 18, 2017 10:15 PM, "Russ Allbery" <eagle@eyrie.org> wrote:

> Greg Hudson <ghudson@mit.edu> writes:
> > On 07/18/2017 12:48 PM, pratyush parimal wrote:
>
> >> (2) Is it possible to export the key in encrypted form? If so, then how
> >> does the service application open the encrypted keytab?
>
> > The keytab file does not have any way to represent encrypted keys, and
> > the kadmin protocol has no facility to export encrypted keys.  One
> > could, in principle, design an out-of-band system which used
> > kadmin.local to create a keytab, encrypt the file, transmit the
> > encrypted keytab file to the server, and then decrypt the file on the
> > server (into a memory filesystem, perhaps) before running the server
> > application, but I've never heard of anyone doing that.
>
> You have kind of a chicken and an egg problem, since in a typical Kerberos
> environment the keytab *is* the core identity keys for an application.  If
> it's encrypted, then you need some other unencrypted keys that *really*
> represent the application, at which point why not use those keys for
> Kerberos directly?
>
> That said, if you had a private key in a TPM or some other sort of
> tamper-resistant hardware, I could see wanting to hand out Kerberos
> keytabs encrypted to the public key of the server.  But you'd have to
> build the service to do key issuance that way yourself.  (It wouldn't be
> horribly hard to build if you'd already done the work to build out the PKI
> and its TPM component.)
>
> But, even in that case, it's not clear to me what the keytab is then doing
> for you versus just using the PKI and using PKINIT to get Kerberos
> tickets.  There are probably some practical uses for introducing the extra
> layer of complexity, but it's not obviously necessary.
>
> --
> Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
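Greg's point that "the keytab file does not have any way to represent encrypted keys" is easy to confirm from the file format itself. The following is an added example, not code from the thread or from MIT krb5: it writes and reads a version 0x0502 keytab with the standard Python library and shows that the key bytes sit in the file verbatim. The principal name, realm, timestamp and the 32-byte key are constructed values for illustration; a real keytab gets its key from the KDC through kadmin.

```python
import struct
from dataclasses import dataclass

# MIT keytab file format, version 0x0502 (big-endian; the 16-bit component
# count excludes the realm). Each entry is laid out as:
#   int32  size          length of the body that follows (negative = deleted slot)
#   uint16 num_components
#   counted_octet_string realm          (uint16 length + bytes)
#   counted_octet_string components[]   (one per name component)
#   uint32 name_type
#   uint32 timestamp
#   uint8  vno8
#   keyblock: uint16 enctype, uint16 key length, raw key bytes
#   uint32 vno32 (optional; present when 4 bytes of the body remain)

KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
KRB5_NT_PRINCIPAL = 1


@dataclass(frozen=True)
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes          # raw key material, exactly as stored on disk


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def _take_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialise entries into a 0x0502 keytab, the layout `ktadd -k` writes."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key   # key in the clear
        body += struct.pack(">I", e.kvno)                            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Read every live entry back; nothing is decrypted because nothing is encrypted."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                  # deleted slot: skip its body
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _take_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take_counted(blob, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def key_offset_in_file(blob: bytes, key: bytes) -> int:
    """Byte offset of the raw key inside the file; -1 would mean it is not there verbatim."""
    return blob.find(key)


# Constructed sample (illustrative, not a real key): a hypothetical HTTP service
# principal with a made-up 32-byte AES-256 key and key version 3.
SAMPLE_KEY = bytes(range(0x20, 0x40))
SAMPLE_ENTRY = KeytabEntry("HTTP/app.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL,
                           1500420000, 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY)

if __name__ == "__main__":
    blob = build_keytab([SAMPLE_ENTRY])
    for e in parse_keytab(blob):
        print(f"{e.principal} kvno={e.kvno} enctype={e.enctype} key={e.key.hex()}")
    print("raw key found at byte offset", key_offset_in_file(blob, SAMPLE_KEY))
```

Because the key is recoverable by anyone who can read the file, the only protection a keytab has is the one the operating system gives it: own it by the service account, mode 0600, and treat a copied keytab as a compromised credential (re-key the principal, which bumps the kvno, so old copies stop working). The out-of-band scheme Greg sketches, encrypting the file in transit and decrypting it into a memory filesystem before the service starts, does not change this format; it only shortens the time the cleartext file spends on persistent storage.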
