.. _keytab_definition:

keytab
======

A keytab (short for "key table") stores long-term keys for one or more
principals. Keytabs are normally represented by files in a standard
format, although in rare cases they can be represented in other ways.
Keytabs are used most often to allow server applications to accept
authentications from clients, but can also be used to obtain initial
credentials for client applications.

Keytabs are named using the format *type*\ ``:``\ *value*. Usually
*type* is ``FILE`` and *value* is the absolute pathname of the file.
The other possible value for *type* is ``MEMORY``, which indicates a
temporary keytab stored in the memory of the current process.

A keytab contains one or more entries, where each entry consists of a
timestamp (indicating when the entry was written to the keytab), a
principal name, a key version number, an encryption type, and the
encryption key itself.

A keytab can be displayed using the :ref:`klist(1)` command with the
``-k`` option. Keytabs can be created or appended to by extracting
keys from the KDC database using the :ref:`kadmin(1)` :ref:`ktadd`
command. Keytabs can be manipulated using the :ref:`ktutil(1)` and
:ref:`k5srvutil(1)` commands.


Default keytab
--------------

The default keytab is used by server applications if the application
does not request a specific keytab. The name of the default keytab is
determined by the following, in decreasing order of preference:

#. The **KRB5_KTNAME** environment variable.

#. The **default_keytab_name** profile variable in :ref:`libdefaults`.

#. The hardcoded default, |keytab|.


Default client keytab
---------------------

The default client keytab is used, if it is present and readable, to
automatically obtain initial credentials for GSSAPI client
applications. The principal name of the first entry in the client
keytab is used by default when obtaining initial credentials. The
name of the default client keytab is determined by the following, in
decreasing order of preference:

#. The **KRB5_CLIENT_KTNAME** environment variable.

#. The **default_client_keytab_name** profile variable in
   :ref:`libdefaults`.

#. The hardcoded default, |ckeytab|.
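As an added example (not part of the krb5 documentation or of libkrb5's code), the following Python resolves the default and default client keytab names in the precedence order given above, splits the resulting *type*\ ``:``\ *value* name, and applies the "present and readable" condition. The hardcoded default values, the minimal ``[libdefaults]`` reader, the bare-name-means-FILE rule and the sample configuration are assumptions constructed for this example.

```python
import os
# Build-dependent hardcoded defaults: assumed placeholders standing in for
# the |keytab| and |ckeytab| substitutions in the text.
HARDCODED_KEYTAB = "FILE:/etc/krb5.keytab"
HARDCODED_CLIENT_KEYTAB = "FILE:/path/from/build/client.keytab"

def parse_keytab_name(name: str) -> tuple:
    """Split type:value into (type, value). A name with no type prefix is
    taken as FILE (assumed; the text only says type is usually FILE)."""
    ktype, sep, value = name.partition(":")
    if not sep:
        return ("FILE", name)
    if ktype not in ("FILE", "MEMORY"):   # the only two types the text names
        raise ValueError(f"unsupported keytab type: {ktype}")
    return (ktype, value)

def libdefaults(profile_text: str) -> dict:
    """Minimal reader for 'key = value' lines under [libdefaults] in
    krb5.conf-style text (constructed here; not libkrb5's profile parser)."""
    settings, in_section = {}, False
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_section = line == "[libdefaults]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings

def default_keytab_name(env: dict, profile_text: str, client: bool = False) -> str:
    """Resolve the default (or default client) keytab name in the order the
    text gives: environment variable, [libdefaults] variable, hardcoded default."""
    env_var = "KRB5_CLIENT_KTNAME" if client else "KRB5_KTNAME"
    prof_var = "default_client_keytab_name" if client else "default_keytab_name"
    fallback = HARDCODED_CLIENT_KEYTAB if client else HARDCODED_KEYTAB
    return env.get(env_var) or libdefaults(profile_text).get(prof_var, fallback)

def keytab_is_usable(name: str) -> bool:
    """A FILE keytab counts only if present and readable by this process (the
    condition the text sets for the client keytab); MEMORY needs no file check."""
    ktype, value = parse_keytab_name(name)
    return ktype == "MEMORY" or os.access(value, os.R_OK)

# Constructed sample krb5.conf fragment; the [appdefaults] line must be ignored.
SAMPLE_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM   # constructed
    default_keytab_name = FILE:/etc/httpd/krb5.keytab
[appdefaults]
    default_keytab_name = FILE:/ignored/wrong/section.keytab
"""
```

Note that an environment variable set in the process wins over the profile for the matching keytab only: ``KRB5_KTNAME`` does not affect the client keytab lookup, which falls through to its own profile variable or hardcoded default.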