[38029] in Kerberos


Re: Is a keytab file encrypted?

daemon@ATHENA.MIT.EDU (Charles Hedrick)
Fri Jul 21 11:51:40 2017

From: Charles Hedrick <hedrick@rutgers.edu>
To: pratyush parimal <pratyush.parimal@gmail.com>
Date: Fri, 21 Jul 2017 15:13:54 +0000
Message-ID: <A6886DC9-B31F-466E-AAFD-C6C63515027A@rutgers.edu>
In-Reply-To: <CALvRNOE5R5MSt1tt_0W_u80MR7LMFOEtuhGz0ueJHCwCxgtooQ@mail.gmail.com>
Content-Language: en-US
Content-ID: <848F7AC86B86E64AA3049C9FD4EAFE5C@namprd14.prod.outlook.com>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

The argument makes sense.

However I am disturbed by the fact that a keytab can be used anywhere. If someone manages to become root on one machine, I’d like them not to be able to do things on other machines. I’m in an environment where we have systems administered by users, and unattended public workstations.

That makes me unwilling to tell users to create key tables for cron jobs.


> On Jul 18, 2017, at 10:20 PM, pratyush parimal <pratyush.parimal@gmail.com> wrote:
> 
> Ah, I get it. It's much clearer now. Thanks guys!
> 
> On Jul 18, 2017 10:15 PM, "Russ Allbery" <eagle@eyrie.org> wrote:
> 
>> Greg Hudson <ghudson@mit.edu> writes:
>>> On 07/18/2017 12:48 PM, pratyush parimal wrote:
>> 
>>>> (2) Is it possible to export the key in encrypted form? If so, then how
>>>> does the service application open the encrypted keytab?
>> 
>>> The keytab file does not have any way to represent encrypted keys, and
>>> the kadmin protocol has no facility to export encrypted keys.  One
>>> could, in principle, design an out-of-band system which used
>>> kadmin.local to create a keytab, encrypt the file, transmit the
>>> encrypted keytab file to the server, and then decrypt the file on the
>>> server (into a memory filesystem, perhaps) before running the server
>>> application, but I've never heard of anyone doing that.
>> 
>> You have kind of a chicken and an egg problem, since in a typical Kerberos
>> environment the keytab *is* the core identity keys for an application.  If
>> it's encrypted, then you need some other unencrypted keys that *really*
>> represent the application, at which point why not use those keys for
>> Kerberos directly?
>> 
>> That said, if you had a private key in a TPM or some other sort of
>> tamper-resistant hardware, I could see wanting to hand out Kerberos
>> keytabs encrypted to the public key of the server.  But you'd have to
>> build the service to do key issuance that way yourself.  (It wouldn't be
>> horribly hard to build if you'd already done the work to build out the PKI
>> and its TPM component.)
>> 
>> But, even in that case, it's not clear to me what the keytab is then doing
>> for you versus just using the PKI and using PKINIT to get Kerberos
>> tickets.  There are probably some practical uses for introducing the extra
>> layer of complexity, but it's not obviously necessary.
>> 
>> --
>> Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
>> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
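The point made in the quoted exchange, that the keytab format has no encrypted representation of a key and that the file's mode is what actually protects it, shown by an added Python example that is not part of this thread and is not MIT krb5's own code. It builds a small version-0x0502 keytab from a constructed sample entry (principal, realm and key bytes are made-up values), parses it back the way ktutil or klist -k would, including the deleted-slot and 32-bit-kvno cases of the format, shows the key bytes sitting verbatim in the file, and checks the file mode the way a deployment audit would.

```python
"""Inspect an MIT-format keytab (file version 0x0502) to show that entry keys are
stored unencrypted, and check the file mode that protects them.

Added example for the thread above; the sample entry is constructed, not a real key."""
import io
import os
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192"}


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples into keytab bytes.
    Used here only to construct sample input; kadmin's ktadd writes this same layout."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))      # component count (realm excluded)
        for s in [realm] + comps:                            # counted octet strings
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">II", KRB5_NT_PRINCIPAL, 0)     # name type, timestamp (0: constructed)
        body += struct.pack(">B", kvno & 0xFF)               # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: the key itself, in clear
        body += struct.pack(">I", kvno)                      # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body           # signed entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry, including the raw key bytes as hex."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    f = io.BytesIO(data[2:])
    entries = []
    while True:
        hdr = f.read(4)
        if len(hdr) < 4:
            break
        (size,) = struct.unpack(">i", hdr)
        if size == 0:                      # nothing follows; stop rather than loop forever
            break
        if size < 0:                       # negative size marks a deleted slot of |size| bytes
            f.read(-size)
            continue
        e = io.BytesIO(f.read(size))

        def cstr():
            (n,) = struct.unpack(">H", e.read(2))
            return e.read(n).decode()

        (ncomp,) = struct.unpack(">H", e.read(2))
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack(">IIB", e.read(9))
        enctype, klen = struct.unpack(">HH", e.read(4))
        key = e.read(klen)
        tail = e.read(4)                   # optional 32-bit kvno; overrides vno8 when non-zero
        kvno = vno8
        if len(tail) == 4 and struct.unpack(">I", tail)[0]:
            kvno = struct.unpack(">I", tail)[0]
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_hex": key.hex(), "timestamp": timestamp})
    return entries


def key_in_clear(data, key):
    """True when the key bytes appear verbatim in the file: there is no encrypted form."""
    return key in data


def mode_is_private(st_mode):
    """True when group/other have no access bits; a keytab should be 0600 or 0400."""
    return st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_keytab_file(path):
    """Audit helper: does the keytab at path have a private mode?"""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    sample_key = bytes(range(32))          # constructed 32-byte AES-256 key, not a real secret
    blob = build_keytab([("host/www.example.com", "EXAMPLE.COM", 3, 18, sample_key)])
    for ent in parse_keytab(blob):
        print(ent)
    print("key bytes visible in file:", key_in_clear(blob, sample_key))
```

Because the key material is the file's contents, check_keytab_file is the check worth running on every host that holds a keytab; a readable mode is the difference between "root on this machine" and "anyone on this machine" being able to act as the service principal anywhere the KDC accepts it.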