Java Platform, Standard Edition Tools Reference
Contents    Previous    Next


Enables the user to manage the principal names and service keys stored in a local key table. Principal and key pairs listed in the keytab enables services running on a host to authenticate themselves to the Key Distribution Center (KDC). Before configuring a server to use Kerberos, you must setup a keytab on the host running the server. Note that any updates made to the keytab using the ktab tool do not affect the Kerberos database. If you change the keys in the keytab, you must also make the corresponding changes to the Kerberos database.


ktab -help

ktab -l [-e -t] [-k keytab_name]

ktab [-a principal_name password] [-k keytab_name]

ktab [-d principal_name] [etype]] [-k keytab_name]


The ktab tool manages principal name and key pairs in the key table. The ktab tool enables you to list, add, update or delete principal names and key pairs in the key table. None of these operations affect the Kerberos database.

A keytab is a host's copy of its own keylist, which is analogous to a user's password. An application server that needs to authenticate itself to the Key Distribution Center (KDC) must have a keytab which contains its own principal and key. Just as it is important for users to protect their passwords, it is equally important for hosts to protect their keytabs. You should always store keytab files on the local disk and make them readable only by root. You should never send a keytab file over a network in the clear.


-l [-e -t]

List the keytab name and entries. When -e is specified, the encryption type for each entry is displayed. When -t is specified, timestamp for each entry is displayed.

-a principal_name password

Add an entry to the keytab. No changes are made to the Kerberos database. Do not specify the password on the command line or in a script.

-d principal_name [etype]

Delete one or more entries from the keytab. No changes are made to the Kerberos database. When etype is provided, only the entry matching this encryption type is deleted. Otherwise, all entries are deleted.

-k keytab_name

Specify keytab name and path with the FILE: prefix.


Displays instructions.


List all the entries in the default keytable:

ktab -l

Add a new principal to the key table (note that you will be prompted for your password):

ktab -a

Delete a principal from the key table:

ktab -d

Security Alert

Do not specify your password on the command line. Doing so is a security vulnerability. For example, an attacker could discover your password while running the UNIX ps command.

See Also

Contents    Previous    Next

Copyright © 1993, 2023, Oracle and/or its affiliates. All rights reserved.