How does Kerberos Keytab work?

The purpose of the Keytab file is to allow the user to access distinct Kerberos Services without being prompted for a password at each Service. Furthermore, it allows scripts and daemons to login to Kerberos Services without the need to store clear-text passwords or for human intervention.

What is Keytab principal?

A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). Keytab files are commonly used to allow scripts to authenticate automatically using Kerberos, without requiring human interaction or access to a password stored in a plain-text file.
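To make the "pairs of principals and keys" concrete, here is an added example (not code from the page or from any Kerberos implementation) that writes and reads the MIT keytab file format, version 0x0502, and lists entries the way `klist -kt` does. The principals, realm `EXAMPLE.COM`, key version numbers and key bytes are constructed sample data; real keys would come from the KDC via kadmin/ktutil, which is exactly why a keytab must be protected like a password file.

```python
"""Minimal reader/writer for the MIT Kerberos keytab file format (version 0x0502).

Added illustration, not code from any Kerberos implementation. The sample
entries, principals, realm, timestamps and key bytes below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"    # file format version 2; all fields big-endian
KRB5_NT_PRINCIPAL = 1         # name type used for ordinary principals
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str      # "primary/instance@REALM"
    kvno: int           # key version number; incremented whenever the key changes
    enctype: int        # Kerberos encryption type number
    key: bytes          # the long-term key; equivalent to the principal's password
    timestamp: int = 0  # when the entry was written (Unix time)
    name_type: int = KRB5_NT_PRINCIPAL


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the layout ktutil's 'wkt' produces."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, _, realm = e.principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)              # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body     # size excludes the size field
    return bytes(out)


class _Cursor:
    """Bounds-checked reader over one entry's bytes."""
    def __init__(self, blob: bytes, pos: int):
        self.blob, self.pos = blob, pos

    def take(self, n: int) -> bytes:
        chunk = self.blob[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keytab entry")
        self.pos += n
        return chunk

    def counted(self) -> bytes:
        (n,) = struct.unpack(">H", self.take(2))
        return self.take(n)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Walk the entry list; a negative size marks a deleted slot (ktutil 'delent')."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                     # free slot: skip its payload
            pos += -size
            continue
        cur, end = _Cursor(blob, pos), pos + size
        (ncomp,) = struct.unpack(">H", cur.take(2))
        realm = cur.counted().decode()
        comps = [cur.counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack(">IIB", cur.take(9))
        (enctype,) = struct.unpack(">H", cur.take(2))
        key = cur.counted()
        kvno = vno8
        if end - cur.pos >= 4:           # 32-bit kvno, if present and non-zero, wins
            (kvno32,) = struct.unpack(">I", cur.take(4))
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts, name_type))
        pos = end
    return entries


def list_keytab(blob: bytes) -> List[Tuple[int, str, str]]:
    """What 'klist -kt' shows: (kvno, enctype name, principal) per entry."""
    return [(e.kvno, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.principal)
            for e in parse_keytab(blob)]


# Constructed sample: two service keys for one host, as ktutil 'addent' would create.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/web01.example.com@EXAMPLE.COM", kvno=3, enctype=18, key=bytes(range(32))),
    KeytabEntry("host/web01.example.com@EXAMPLE.COM", kvno=2, enctype=17, key=bytes(range(16))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for kvno, etype, princ in list_keytab(SAMPLE_KEYTAB):
        print(f"{kvno:>4} {etype:<26} {princ}")
```

Listing a keytab this way is the quick audit a defender wants: which principals a host can act as, and whether the kvno in the file still matches the KDC (a stale kvno after a password change is the usual reason a service keytab stops working).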

What is the Kerberos principal?

A Kerberos Principal represents a unique identity in a Kerberos system to which Kerberos can assign tickets to access Kerberos-aware services. Principal names are made up of several components separated by the “/” separator. You can also specify a realm as the last component of the name by using the “@” character.

How do I generate Kerberos Keytab?

Creating a Kerberos principal and keytab files

  1. Log on as the Kerberos administrator (Admin) and create a principal in the KDC. You can use cluster-wide or host-based credentials.
  2. Obtain the key of the principal by running the subcommand getprinc principal_name.
  3. Create the keytab files, using the ktutil command:

Do Kerberos Keytabs expire?

Yes. As long as you do not change your password, which would require you to generate a new key entry/keytab, and as long as you keep it in a safe environment (assuming no third party has access to your keytab, either remotely or locally).

How do I get Keytab?

Procedure

  1. Log on as the Kerberos administrator (Admin) and create a principal in the KDC.
  2. Obtain the key of the principal by running the subcommand getprinc principal_name.
  3. Create the keytab files, using the ktutil command:

How do I get my Kerberos principal name?

  1. Configure NTP. NTP clients are commonly configured on every system involved: the AD server, the Apache server and the Tomcat server.
  2. Create an AD principal for the server.
  3. Install and configure Kerberos on Apache server.
  4. Install and configure mod_auth_kerb.
  5. AJP Configuration.
  6. Web app authentication.

How long is a Keytab valid?

As you know, tickets are only valid for a fairly short time, typically between 12 and 24 hours; the keytab, however, remains valid for as long as you consider it valid.

What is the format of a Kerberos principal?

The format of a typical Kerberos V5 principal is primary/instance@REALM. The primary is the first part of the principal. In the case of a user, it’s the same as your username. For a host, the primary is the word host.
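The primary/instance@REALM grammar above has one subtlety the sentence does not show: "/" and "@" may occur inside a component if escaped with a backslash, and the realm may be omitted and filled in from a default. The following added example (not code from the page, MIT krb5 or any other implementation) parses and re-serialises principal names under those rules and classifies them by shape the way the text does (one component is a user; `host/<fqdn>` is a host). The names and the realm `EXAMPLE.COM` are constructed.

```python
"""Parse and re-serialise Kerberos V5 principal names (primary/instance@REALM).

Added illustration, not code from MIT krb5 or any other implementation; it
follows the MIT string syntax's escaping (backslash protects '/', '@' and
itself). All example names and the realm EXAMPLE.COM are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Backslash escapes accepted inside component text.
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # ("primary",) or ("primary", "instance", ...)
    realm: Optional[str]          # None when absent and no default was supplied

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        return self.components[1] if len(self.components) > 1 else None


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split on unescaped '/' and '@'; the realm is everything after the '@'."""
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash")
            nxt = text[i + 1]
            cur.append(_ESCAPES.get(nxt, nxt))   # '\/' -> '/', '\@' -> '@', '\\' -> '\'
            i += 2
            continue
        if in_realm and ch in "/@":
            raise ValueError(f"unescaped {ch!r} inside realm")
        if ch == "/":
            comps.append("".join(cur)); cur = []
        elif ch == "@":
            comps.append("".join(cur)); cur = []; in_realm = True
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        realm = "".join(cur)
    else:
        comps.append("".join(cur)); realm = default_realm
    if any(c == "" for c in comps):       # stricter than MIT: reject empty components
        raise ValueError("empty component in principal")
    if in_realm and realm == "":
        raise ValueError("empty realm")
    return Principal(tuple(comps), realm)


def _escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def unparse_principal(p: Principal) -> str:
    """Inverse of parse_principal; re-escapes separators that occur in the text."""
    name = "/".join(_escape(c) for c in p.components)
    return f"{name}@{_escape(p.realm)}" if p.realm is not None else name


def describe(p: Principal) -> str:
    """Classify by shape: one component is a user, 'host/<fqdn>' is a host, else a service."""
    if len(p.components) == 1:
        return "user"
    if p.primary == "host":
        return "host"
    return "service"


def realm_is_canonical(p: Principal) -> bool:
    """Realms are conventionally the DNS domain name written in uppercase."""
    return p.realm is not None and p.realm == p.realm.upper()


if __name__ == "__main__":
    for name in ("alice", "host/web01.example.com@EXAMPLE.COM", r"odd\/name@EXAMPLE.COM"):
        p = parse_principal(name, default_realm="EXAMPLE.COM")
        print(f"{unparse_principal(p):<40} {describe(p):<8} realm-ok={realm_is_canonical(p)}")
```

The realm check matters operationally: a lowercase realm in a keytab or config usually means the principal will not match what the KDC issued, and the failure shows up as a cryptic "server not found in Kerberos database" rather than a clear naming error.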

What does a keytab do on a Kerberos server?

The keytab doesn’t authenticate the users coming into the app server, that is the function of the Kerberos API, typically GSSAPI, in concert with the application code. What the keytab does do is decrypt the Kerberos service ticket and “tell” the application server who the user is.

Can a Kerberos service key be moved to a different system?

If the Kerberos service key table is on the same system as the Kerberos client, you can move it. If the service key table is on a different system from the Kerberos client, you must transfer the file with a program such as FTP.

What is the name of the Kerberos realm?

In Oracle's Kerberos configuration the service principal has three parts. The service name is a case-sensitive string that represents the Oracle service; this can be the same as the database service name. The host is typically the fully qualified DNS name of the system on which Oracle Database is running. The realm is the name of the Kerberos realm with which the service principal is registered; REALM must always be uppercase and is typically the DNS domain name.