Sun Enterprise Authentication Mechanism 1.0.1 Guide

Administering Keytabs

Every host providing a service must have a local file, called a keytab (short for key table), containing the principal for the appropriate service, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only by Kerberos and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab that contains its nfs service principal.

To add a service key to a keytab, you add the appropriate service principal to a host's keytab by using the ktadd command of kadmin. Because you are adding a service principal to a keytab, the principal must already exist in the Kerberos database so that kadmin can verify its existence. On the master KDC, the keytab file is located at /etc/krb5/kadm5.keytab by default. On application servers providing Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab by default.

A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytabs. You should always store keytabs on a local disk, and make them readable only by root, and you should never send a keytab over an unsecured network.

There is also a special case in which you add a root principal to a host's keytab. If you want a user on the SEAM client to mount Kerberized NFS file systems automatically using Kerberos authentication, you must add the client's root principal to the client's keytab. Otherwise, users must run the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system, even when using the automounter. See "Setting Up Root Authentication to Mount NFS File Systems" for detailed information.


Note -

When setting up a master KDC, you need to add the kadmind and changepw principals to the kadm5.keytab file, so the KDC can decrypt administrators' Kerberos tickets to determine whether or not it should give them access to the database.


You can also administer keytabs with the ktutil command. ktutil is an interactive command-line utility that enables you to manage a local host's keytab without Kerberos administration privileges, because ktutil does not interact with the Kerberos database the way kadmin does. So, after a principal is added to a keytab, you can use ktutil to view the keylist in a keytab or to temporarily disable authentication for a service.

Administering Keytabs Task Map

Table 5-9 Administering Keytabs Task Map

Task: Add a Service Principal to a Keytab
Description: Use the ktadd command of kadmin to add a service principal to a keytab.
For Instructions, Go To: "How to Add a Service Principal to a Keytab"

Task: Remove a Service Principal from a Keytab
Description: Use the ktremove command of kadmin to remove a service principal from a keytab.
For Instructions, Go To: "How to Remove a Service Principal From a Keytab"

Task: Display the Keylist (Principals) in a Keytab
Description: Use the ktutil command to display the keylist in a keytab.
For Instructions, Go To: "How to Display the Keylist (Principals) in a Keytab"

Task: Temporarily Disable Authentication for a Service on a Host
Description: This procedure is a quick way to temporarily disable authentication for a service on a host without needing kadmin privileges. Before using ktutil to delete the service principal from the server's keytab, copy the original keytab to a temporary location. When you want to enable the service again, copy the original keytab back.
For Instructions, Go To: "How to Temporarily Disable Authentication for a Service on a Host"

How to Add a Service Principal to a Keytab

  1. Make sure the principal already exists in the Kerberos database.

    See "How to View the List of Principals" for more information.

  2. Become superuser on the host that needs a principal added to its keytab.

  3. Start the kadmin command.


    # /usr/krb5/sbin/kadmin
    
  4. Add a principal to a keytab by using the ktadd command.


    kadmin: ktadd [-k keytab] [-q] [principal | -glob principal_exp]

    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information. 

    principal

    Principal to be added to the keytab. You can add the following service principals: host, root, nfs, and ftp.

    -glob principal_exp

    All principals matching the principal expression are added to the keytab. The rules for principal expression are the same as for the list_principals command of kadmin.

  5. Quit the kadmin command.


    kadmin: quit
    

Example--Adding a Service Principal to a Keytab

The following example adds the kadmin/admin and kadmin/changepw principals to a master KDC's keytab. For this example, the keytab file must be the one specified in the kdc.conf file.


kdc1 # /usr/krb5/bin/kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin@ACME.COM with kvno 3, encryption type DES-CBC-CRC
  added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw@ACME.COM with kvno 3, encryption type DES-CBC-CRC
  added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

The following example adds denver's host principal to denver's keytab file, so denver's network services can be authenticated by the KDC.


denver # /usr/krb5/bin/kadmin
kadmin: ktadd host/denver.acme.com@ACME.COM
kadmin: Entry for principal host/denver.acme.com@ACME.COM with kvno 2,
  encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Remove a Service Principal From a Keytab

  1. Become superuser on the host with a service principal that must be removed from its keytab.

  2. Start the kadmin command.


    # /usr/krb5/bin/kadmin
    
  3. Optional. To display the current list of principals (keys) in the keytab, use the ktutil command.

    See "How to Display the Keylist (Principals) in a Keytab" for detailed instructions.

  4. Remove a principal from a keytab by using the ktremove command.


    kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old]

    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information. 

    principal

    Principal to be removed from the keytab. 

    kvno

    Removes all entries for the specified principal whose kvno (key version number) matches kvno.

    all

    Removes all entries for the specified principal. 

    old

    Removes all entries for the specified principal except those with the highest kvno. 

  5. Quit the kadmin command.


    kadmin: quit
    

Example--Removing a Service Principal From a Keytab

The following example removes denver's host principal from denver's keytab file.


denver # /usr/krb5/bin/kadmin
kadmin: ktremove host/denver.acme.com@ACME.COM
kadmin: Entry for principal host/denver.acme.com@ACME.COM with kvno 3 
  removed from keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Display the Keylist (Principals) in a Keytab

  1. Become superuser on the host with the keytab.


    Note -

    Although you can create keytabs owned by other users, the default location for the keytab requires root ownership.


  2. Start the ktutil command.


    # /usr/bin/ktutil
    
  3. Read the keytab into the keylist buffer by using the read_kt command.


    ktutil: read_kt keytab
    
  4. Display the keylist buffer by using the list command.


    ktutil: list
    

    The current keylist buffer is displayed.

  5. Quit the ktutil command.


    ktutil: quit
    

Example--Displaying the Keylist (Principals) in a Keytab

The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.


denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@ACME.COM
ktutil: quit

How to Temporarily Disable Authentication for a Service on a Host

You may find instances when you need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you may want to stop users from logging into a system while performing maintenance procedures. The ktutil command enables you to do this by removing the service principal from the server's keytab, without requiring kadmin privileges. To enable authentication again, all you need to do is copy the original keytab that you saved back to its original location.


Note -

Most services are set up by default to require authentication to work. If this is not the case, the service will still work even if you disable authentication for the service.


  1. Become superuser on the host with the keytab.


    Note -

    Although you can create keytabs owned by other users, the default location for the keytab requires root ownership.


  2. Save the current keytab to a temporary file.

  3. Start the ktutil command.


    # /usr/bin/ktutil
    
  4. Read the keytab into the keylist buffer by using the read_kt command.


    ktutil: read_kt keytab
    
  5. Display the keylist buffer by using the list command.


    ktutil: list
    

    The current keylist buffer is displayed. Note the slot number for the service you want to disable.

  6. To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.


    ktutil: delete_entry slot_number
    

    slot_number

    The slot number of the service principal to be deleted, which is displayed by the list command.

  7. Write the keylist buffer to the keytab by using the write_kt command.


    ktutil: write_kt keytab
    
  8. Quit the ktutil command.


    ktutil: quit
    
  9. When you want to enable the service again, copy the temporary (original) keytab back to its original location.

Example--Temporarily Disabling a Service on a Host

The following example temporarily disables the host service on the denver host. To enable the host service back on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.


denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@ACME.COM
   2    5 host/denver@ACME.COM
ktutil: delete_entry 2
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@ACME.COM
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: quit
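The disable-and-restore procedure above, together with the earlier rule that a keytab must be readable only by root, as an added shell example that is not part of the SEAM guide. It assumes ktutil at /usr/bin/ktutil as in the guide; the function names, the .temp/.new file names and the sample list output are ours.

```shell
#!/bin/sh
# Added example, not from the SEAM guide: shell helpers for the keytab
# procedures above: disable a service by deleting its entry with ktutil,
# restore it from the saved copy, and check keytab file permissions.
# Assumes ktutil at /usr/bin/ktutil as in the guide; other names are ours.
# Usage (as root): disable_service /etc/krb5/krb5.keytab host/denver@ACME.COM
#                  restore_keytab /etc/krb5/krb5.keytab
KTUTIL=/usr/bin/ktutil

# keytab_perms_ok FILE [OWNER]: returns 0 if FILE is a regular file owned
# by OWNER (default root) with no group/other permission bits, else 1.
# This is the guide's "readable only by root" rule as a checkable test.
keytab_perms_ok() {
    kt=$1; owner=${2:-root}
    [ -f "$kt" ] || return 1
    [ -n "$(find "$kt" -user "$owner" -print 2>/dev/null)" ] || return 1
    case "$(ls -ld "$kt")" in
        -???------*) return 0 ;;   # e.g. -rw------- (0600) or -r-------- (0400)
        *)           return 1 ;;
    esac
}

# keytab_slots_for PRINCIPAL: read "ktutil: list" output on stdin and print
# the slot numbers holding PRINCIPAL, highest first.  Deleting from the
# highest slot down keeps the lower slot numbers valid as entries go away.
keytab_slots_for() {
    awk -v p="$1" '$3 == p { print $1 }' | sort -rn
}

# disable_service KEYTAB PRINCIPAL: steps 2 to 8 of the procedure above.
# The edited buffer is written to a fresh file and then moved into place,
# so the result does not depend on whether write_kt overwrites or appends.
disable_service() {
    kt=$1; princ=$2; tmp=$kt.temp; new=$kt.new
    umask 077                             # files we create: owner-only
    cp -p "$kt" "$tmp" || return 1        # step 2: save the original keytab
    slots=$(printf 'read_kt %s\nlist\nquit\n' "$kt" | "$KTUTIL" | keytab_slots_for "$princ")
    [ -n "$slots" ] || { echo "$princ: no entry in $kt" >&2; return 1; }
    {
        printf 'read_kt %s\n' "$kt"
        for s in $slots; do printf 'delete_entry %s\n' "$s"; done
        printf 'write_kt %s\nquit\n' "$new"
    } | "$KTUTIL" || return 1
    mv "$new" "$kt"
}

# restore_keytab KEYTAB: step 9, put the saved copy back to re-enable the service.
restore_keytab() {
    mv "$1.temp" "$1"
}
```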