Administering Keytab Files

Every host that provides a service must have a local file, called a keytab (short for “key table”). The keytab contains the principal for the appropriate service, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only by Kerberos and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab file that contains its nfs service principal.

To add a service key to a keytab file, you add the appropriate service principal to a host's keytab file by using the ktadd command of kadmin. Because you are adding a service principal to a keytab file, the principal must already exist in the Kerberos database so that kadmin can verify its existence. On the master KDC, the keytab file is located at /etc/krb5/kadm5.keytab, by default. On application servers that provide Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab, by default.

A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytab files. You should always store keytab files on a local disk, and make them readable only by the root user. Also, you should never send a keytab file over an unsecured network.

There is also a special instance in which to add a root principal to a host's keytab file. If you want a user on the Kerberos client to mount Kerberized NFS file systems that require root-equivalent access, you must add the client's root principal to the client's keytab file. Otherwise, users must use the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system with root access, even when they are using the automounter.

Note - When you set up a master KDC, you need to add the kadmind and changepw principals to the kadm5.keytab file.

Another command that you can use to administer keytab files is the ktutil command. This interactive command enables you to manage a local host's keytab file without having Kerberos administration privileges, because ktutil doesn't interact with the Kerberos database as kadmin does. So, after a principal is added to a keytab file, you can use ktutil to view the keylist in a keytab file or to temporarily disable authentication for a service.

Note - When you change a principal in a keytab file using the ktadd command in kadmin, a new key is generated and added to the keytab file.

Administering Keytab Files (Task Map)

Task	Description	For Instructions
Add a service principal to a keytab file.	Use the `ktadd` command of `kadmin` to add a service principal to a keytab file.	How to Add a Kerberos Service Principal to a Keytab File
Remove a service principal from a keytab file.	Use the `ktremove` command of `kadmin` to remove a service from a keytab file.	How to Remove a Service Principal From a Keytab File
Display the keylist (list of principals) in a keytab file.	Use the `ktutil` command to display the keylist in a keytab file.	How to Display the Keylist (Principals) in a Keytab File
Temporarily disable authentication for a service on a host.	This procedure is a quick way to temporarily disable authentication for a service on a host without requiring `kadmin` privileges. Before you use `ktutil` to delete the service principal from the server's keytab file, copy the original keytab file to a temporary location. When you want to enable the service again, copy the original keytab file back to its proper location.	How to Temporarily Disable Authentication for a Service on a Host

How to Add a Kerberos Service Principal to a Keytab File

Make sure that the principal already exists in the Kerberos database.
See How to View the List of Kerberos Principals for more information.
Become superuser on the host that needs a principal added to its keytab file.
Start the kadmin command.
```
# /usr/sbin/kadmin
```
Add a principal to a keytab file by using the ktadd command.
```
kadmin: ktadd [-e enctype] [-k keytab] [-q] [principal | -glob principal-exp]
```
-e enctype

Overrides the list of encryption types defined in the krb5.conf file.

-k keytab

Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

-q

Displays less verbose information.

principal

Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp.

-glob principal-exp

Specifies the principal expressions. All principals that match the principal-exp are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin.
Quit the kadmin command.
```
kadmin: quit
```

Example 25-16 Adding a Service Principal to a Keytab File

In the following example, the kadmin/kdc1.example.com and changepw/kdc1.example.com principals are added to a master KDC's keytab file. For this example, the keytab file must be the file that is specified in the kdc.conf file.

kdc1 # /usr/sbin/kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com changepw/kdc1.example.com
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type DES cbc mode
with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-256 CTS
mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-128 CTS
mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type DES cbc mode
with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.

denver # /usr/sbin/kadmin
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode
          with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Remove a Service Principal From a Keytab File

Become superuser on the host with a service principal that must be removed from its keytab file.
Start the kadmin command.
```
# /usr/sbin/kadmin
```
(Optional) To display the current list of principals (keys) in the keytab file, use the ktutil command.
See How to Display the Keylist (Principals) in a Keytab File for detailed instructions.
Remove a principal from the keytab file by using the ktremove command.
```
kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old ]
```
-k keytab

Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

-q

Displays less verbose information.

principal

Specifies the principal to be removed from the keytab file.

kvno

Removes all entries for the specified principal whose key version number matches kvno.

all

Removes all entries for the specified principal.

old

Removes all entries for the specified principal, except those principals with the highest key version number.
Quit the kadmin command.
```
kadmin: quit
```

Example 25-17 Removing a Service Principal From a Keytab File

In the following example, denver's host principal is removed from denver's keytab file.

denver # /usr/sbin/kadmin
kadmin: ktremove host/[email protected]
kadmin: Entry for principal host/[email protected] with kvno 3
  removed from keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

How to Display the Keylist (Principals) in a Keytab File

Become superuser on the host with the keytab file.
Note - Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.
Start the ktutil command.
```
# /usr/bin/ktutil
```
Read the keytab file into the keylist buffer by using the read_kt command.
```
ktutil: read_kt keytab
```
Display the keylist buffer by using the list command.
```
ktutil: list
```
The current keylist buffer is displayed.
Quit the ktutil command.
```
ktutil: quit
```

Example 25-18 Displaying the Keylist (Principals) in a Keytab File

The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.

denver # /usr/bin/ktutil
    ktutil: read_kt /etc/krb5/krb5.keytab
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/[email protected]
    ktutil: quit

How to Temporarily Disable Authentication for a Service on a Host

At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.

Note - By default, most services are set up to require authentication. If a service is not set up to require authentication, then the service still works, even if you disable authentication for the service.

Become superuser on the host with the keytab file.
Note - Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.
Save the current keytab file to a temporary file.
Start the ktutil command.
```
# /usr/bin/ktutil
```
Read the keytab file into the keylist buffer by using the read_kt command.
```
ktutil: read_kt keytab
```
Display the keylist buffer by using the list command.
```
ktutil: list
```
The current keylist buffer is displayed. Note the slot number for the service that you want to disable.
To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.
```
ktutil: delete_entry slot-number
```
Where slot-number specifies the slot number of the service principal to be deleted, which is displayed by the list command.
Write the keylist buffer to a new keytab file by using the write_kt command.
```
ktutil: write_kt new-keytab
```
Quit the ktutil command.
```
ktutil: quit
```
Move the new keytab file.
```
# mv new-keytab keytab
```
When you want to re-enable the service, copy the temporary (original) keytab file back to its original location.

Example 25-19 Temporarily Disabling a Service on a Host

In the following example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.

denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
    ktutil:read_kt /etc/krb5/krb5.keytab
    ktutil:list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/[email protected]
   2    5 host/[email protected]
    ktutil:delete_entry 2
    ktutil:list
slot KVNO Principal
---- ---- --------------------------------------
   1    8 root/[email protected]
    ktutil:write_kt /etc/krb5/new.krb5.keytab
    ktutil: quit
denver # cp /etc/krb5/new.krb5.keytab /etc/krb5/krb5.keytab