The Kerberos Keytab file contains mappings between
Kerberos Principal names and DES-encrypted keys that are derived from
the password used to log into the Kerberos Key Distribution Center (KDC).
The purpose of the Keytab file is to allow the user to access distinct
Kerberos Services without being prompted for a password at each Service.
Furthermore, it allows scripts and daemons to login to Kerberos Services
without the need to store clear-text passwords or for human intervention.
Important Note:
Anyone with read access to the Keytab file has full control of all keys
contained in the file. For this reason, it is imperative that the Keytab
file is protected using very strict file-based access control.
The Keytab Entry dialog, which is available from the
Secret Key section on both the Kerberos Client and
Kerberos Service screens after clicking the Add Principal
button, is essentially a graphical interface to entries in a Kerberos
Keytab file.
This dialog enables you to generate keytab entries. You can remove entries
from the Keytab file by clicking the Delete Entry button
on the Kerberos Client and Kerberos Service screens. You can configure
Kerberos Clients and Kerberos Services under the External
Connections node in the Policy Studio tree.
Each key entry in the file is identified by a Kerberos Principal and an
encryption type. For this reason, the Keytab file may hold multiple keys
for the same principal where each key has a different encryption type.
It may also contain keys for several different Principals.
In cases where the Keytab file contains encryption keys for different
Principals, at runtime the Kerberos Client or Service only considers
keys mapped to the Principal name selected in the Kerberos
Principal drop-down list on their respective screens.
If the Keytab file contains several keys for that Principal, the Kerberos
Client or Service uses the key with the strongest encryption type among
those agreed during the negotiation of previous messages with the Kerberos
Key Distribution Center (KDC).
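As an added illustration that is not part of the product documentation: the Python below parses the MIT keytab file layout (assumed to be format version 2, 0x0502), keeps only the entries mapped to one selected Principal, picks the strongest encryption type by an assumed static ranking (standing in for the KDC negotiation described above), and flags DES and RC4 entries for an audit. The sample keytab bytes, principal names and key values are constructed inline, not taken from a real system.

```python
import struct

# Enctype numbers per RFC 3961/3962/4757; RANK is an assumed "strongest first" order for illustration only.
RANK = {18: 0, 17: 1, 23: 2, 3: 3, 1: 4}   # aes256, aes128, rc4-hmac, des-cbc-md5, des-cbc-crc
WEAK = {23, 3, 1}                          # enctypes an audit should flag for re-keying

def build_entry(principal, enctype, key, kvno=1, timestamp=0):
    # Encode one MIT keytab v2 (0x0502) entry; used here only to construct sample data.
    counted = lambda d: struct.pack(">H", len(d)) + d
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIB", 1, timestamp, kvno)   # KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob):
    # Return (principal, enctype, kvno, key) for every live entry in the file.
    assert blob[:2] == b"\x05\x02", "only keytab format version 2 is handled here"
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0: pos -= size; continue          # negative size marks a deleted slot
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        strings = []                                # realm first, then name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", blob, pos); pos += 2
            strings.append(blob[pos:pos + n].decode()); pos += n
        _ntype, _ts, kvno = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        if end - pos >= 4 and struct.unpack_from(">I", blob, pos)[0]:
            (kvno,) = struct.unpack_from(">I", blob, pos)  # optional non-zero 32-bit kvno wins
        pos = end
        entries.append(("/".join(strings[1:]) + "@" + strings[0], enctype, kvno, key))
    return entries

def select_key(entries, principal):
    # Only the selected Principal's keys count; take the strongest-ranked enctype.
    mine = [e for e in entries if e[0] == principal]
    return min(mine, key=lambda e: RANK.get(e[1], 99), default=None)
def weak_entries(entries):
    # Audit helper: (principal, enctype) pairs still keyed with DES or RC4.
    return [(p, et) for p, et, _, _ in entries if et in WEAK]
SAMPLE = b"\x05\x02" + b"".join([   # constructed sample keytab: two enctypes for one principal
    build_entry("HTTP/gw.example.com@EXAMPLE.COM", 18, b"\x11" * 32, kvno=3),
    build_entry("HTTP/gw.example.com@EXAMPLE.COM", 3, b"\x22" * 8, kvno=3),
    build_entry("svc-batch@EXAMPLE.COM", 17, b"\x33" * 16),
])
```

Running `parse_keytab` over a real keytab is the same call with the file's bytes; the file should be read only by the account that owns the Kerberos Client or Service, in line with the access-control note above.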