Requesting Keytabs for use with MIT Kerberos

Note:

We are piloting (Q1 2016) using the CalNetAD CAMPUS.BERKELEY.EDU Kerberos domain as the source for host- and app-based principals and their keys stored in keytab files. See KeyTab Information for instructions.

Background

A Kerberos keytab is a representation of the secret key of a Kerberos principal (along with the name of the principal itself).  A keytab plays the role of a passphrase, for use by processes rather than people.

There are two kinds of keytabs:  server keytabs and client keytabs (our own terminology).  The former are used by application servers to verify authentication requests by their clients; the latter allow unattended user processes to obtain initial Kerberos credentials.

In general, server keytabs are for service principals, whose principal names are usually of the form <service>/<fqdn>, where <fqdn> is the fully-qualified domain name of the host on which the keytab will be installed, as determined by gethostbyaddr(hostIP) on the host itself (i.e., the host's own reverse resolution of its IP address via its resolver configuration, which is not necessarily the name a forward DNS lookup returns).  Client keytabs, on the other hand, can follow any naming convention.

To request a keytab

Send mail to calnet-admin@lists.berkeley.edu, including the following information:

  • The principal name, for example, servicename/host.berkeley.edu, or clientID, where clientID is a client's Kerberos ID for which an unattended process will be obtaining Kerberos credentials.
  • Who (which principal) should be given the ability to download the keytab.

Installing the keytab

A Kerberos administrator will register the principal and set permissions on the MIT KDC to allow you (or those you've designated for this purpose) to download the keytab. Once you've received notice that this has been done, the keytab may be downloaded and installed as follows, using an MIT Kerberos compatible kadmin client program:

kadmin -p <my_CalNetID>
ktadd -k <my_keytab_file> <principal name>
quit

This should be done on the host where the keytab file will reside. If the download must be done from a different host (e.g., because the target host does not have access to a suitable kadmin program), then once the keytab file is created/updated, move it securely to the target host.

Note 1: Keytab information should be treated as securely as a passphrase.  Accordingly, once you have populated your keytab file, set its ownership and permissions so that it is readable only by the account under which the application that must use it runs (for example, owned by that account with mode 0400) and inaccessible to anyone else.

Note 2: If, for some reason, you need another copy of a keytab which has already been installed in a keytab file and is in use, do not download it again.  Running ktadd again generates a new random key for the principal in the KDC (and increments its key version number), thereby invalidating the keytab previously installed.  Instead, just copy the existing file securely from its current location.

Testing the keytab file

To validate that a keytab file is working, list its contents (key version numbers and encryption types) and then use it to obtain a TGT for one of the principals that it contains, for example:

klist -5etk keytab_file
kinit -k -t keytab_file service/hostname.berkeley.edu@BERKELEY.EDU
klist -5fea
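The installation steps above (ktadd, then locking down the file) and the keytab test can be wrapped in a small script so they are done the same way on every host. The script below is an added example, not part of the CalNet page or its tooling; the principal name, the service account name "svcuser" and the keytab path /etc/krb5/svc.keytab are placeholders. The test uses a throwaway credential cache so that it neither overwrites the default cache nor leaves a TGT behind, and removes it with kdestroy afterwards.

```shell
#!/bin/sh
# Added example (not from the CalNet page): install a downloaded keytab,
# lock it down, and check it. Placeholders, not real values:
#   - service account "svcuser" runs the application that reads the keytab
#   - the keytab lives at /etc/krb5/svc.keytab
#   - the principal is servicename/host.berkeley.edu@BERKELEY.EDU
set -u

# Service principals are <service>/<fqdn>@<REALM>; anything else (e.g. a
# bare user principal) is a client principal and may be named freely.
is_service_principal() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+@[A-Z0-9.-]+$'
}

# Run ktadd exactly once per key: every call re-randomizes the key in the
# KDC (and bumps its kvno), invalidating any copy already installed.
fetch_keytab() {   # fetch_keytab <CalNetID> <keytab-file> <principal>
    kadmin -p "$1" -q "ktadd -k $2 $3"
}

# Octal permission bits of a file, via GNU stat or BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# A keytab is as sensitive as a passphrase: readable by its owner only.
keytab_perms_ok() {
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Make the keytab readable only by the service account, then re-check it.
lock_down_keytab() {   # lock_down_keytab <keytab-file> <owner>
    chown "$2" "$1" && chmod 0400 "$1" && keytab_perms_ok "$1"
}

# The page's test, run against a temporary credential cache so it does not
# touch the default ccache; the test TGT is destroyed afterwards.
verify_keytab() {   # verify_keytab <keytab-file> <principal>
    command -v kinit >/dev/null 2>&1 || {
        echo 'MIT Kerberos client tools not installed' >&2; return 2; }
    klist -etk "$1" || return 1
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc" kinit -k -t "$1" "$2" && KRB5CCNAME="FILE:$cc" klist -fea
    rc=$?
    KRB5CCNAME="FILE:$cc" kdestroy >/dev/null 2>&1
    rm -f "$cc"
    return $rc
}

# Example run (needs kadmin rights on the principal; placeholders as above):
#   fetch_keytab myCalNetID /etc/krb5/svc.keytab servicename/host.berkeley.edu@BERKELEY.EDU
#   lock_down_keytab /etc/krb5/svc.keytab svcuser
#   verify_keytab /etc/krb5/svc.keytab servicename/host.berkeley.edu@BERKELEY.EDU
```

fetch_keytab and verify_keytab require the MIT Kerberos client tools and a registered principal; the naming check and the permission check run anywhere, so they can be used as a pre-deployment sanity check before the keytab is copied to the target host.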