Keytab

A keytab file can be used instead of a password to obtain a ticket granting ticket. The keytab file contains the already hashed password of a principal, one hash for each of the supported encryption types.

User Keytab

A keytab for a user account can be created with the user-keytab utility that can be downloaded from https://github.com/isginf/user-keytab.

To install it download the main script as root to /usr/local/bin/user-keytab:

wget https://raw.githubusercontent.com/isginf/user-keytab/master/user-keytab -O /usr/local/bin/user-keytab
chmod 755 /usr/local/bin/user-keytab

Please read the installation instructions at https://github.com/isginf/user-keytab and install the required software packages for your Linux distribution.

To create a keytab file run

user-keytab --user {your ETH user name}

On isginf managed systems the utility is installed ready-to-use as /usr/supp/tools/bin/user-keytab.

kinit with User Keytab

Run kinit as follows when using the user keytab instead of a password for athentication:

kinit -k -t {keytab file} {your ETH user name}

Machine Keytab

Typically the operating system has a system keytab for a principal to use when the system itself needs to obtain service tickets. This is required for kerberized NFS4 for instance.

For managed systems (also managed by ITCs) isginf provides a mechanism to join systems as computer objects with a host/ service principal for the respective DNS entry. ITCs can contact our service desk if they need this for multiple systems in their group.

A user keytab can also be used as a system keytab but there are downsides:

For personal Linux systems this is the recommended way.

Security Considerations

The keytab is equivalent to the user password but the actual password cannot be derived (unless it is simple and can be guessed with a brute-force attack). Whoever has the keytab can obtain a ticket granting ticket for the given principal and access kerberized services.

A keytab file must therefore be sufficiently secured. In the following scenarios it is reasonably secure to put a keytab on a system:

  • A personal computer where only the owner has access or at least root privileges. The keytab file must have an ownership that only a user account under sole control of the owner can access. Physical access to the computer must be taken into consideration, it should not be possible to get access to the data on the system drive.
  • Servers and workstations professionally managed by IT staff (isginf and some ITCs) where regular users have no root access.

Compromised Keytabs

A keytab should be considered compromised if

  • Another user had the opportunity to access it, e.g., by having root access.
  • The computer was stolen.
  • Somebody had physical access and could for instance boot a life OS from a USB stick.

If this happens then please contact our service desk immediately and we will help you to change all affected passwords.

Page URL: https://isg.inf.ethz.ch/bin/view/Main/HelpDesktopsAndLaptopsLinuxKerberosKeytab
2024-12-30
© 2024 Eidgenössische Technische Hochschule Zürich