A keytab is a file that stores authentication credentials so that users can access remote systems easily.
The file contains Kerberos principals along with encrypted keys. Keep in mind that the keys are automatically generated from the Kerberos password.
Therefore, the encrypted keys will change whenever you change the Kerberos password. Because the keys stand in for the password, anyone who can read the keytab can authenticate as its principals, so keep the file readable by its owner only.
How to create a keytab file?
- Install a Kerberos Client.
- Run the command ktutil in a terminal, and follow the instructions:
> ktutil
ktutil: addent -password -p username@YOUR.DOMAIN.COM -k 1 -e aes256-cts
Password for username@YOUR.DOMAIN.COM: [enter your password]
ktutil: wkt username.keytab
ktutil: quit
- In line 2, **aes256-cts** is the encryption algorithm used. You can change it.
- Line 4 writes the keytab file, named after your username.
How to use a keytab file to authenticate scripts?
> kinit -k -t username.keytab username@YOUR.DOMAIN.COM && myscript
How to list keys in a keytab file?
> klist -k username.keytab
Outputs:
version_number username@YOUR.DOMAIN.COM
version_number username@YOUR.DOMAIN.COM
How to delete a key from a keytab file?
> ktutil
ktutil: read_kt username.keytab
ktutil: list
...
slot# version# username@YOUR.DOMAIN.COM version#
...
ktutil: delent slot#
ktutil: quit
How to merge keytab files?
> ktutil
ktutil: read_kt mykeytab1.keytab
ktutil: read_kt mykeytab2.keytab
ktutil: read_kt mykeytab3.keytab
ktutil: read_kt mykeytab4.keytab
ktutil: write_kt merged.keytab
ktutil: quit
To verify the merge:
> klist -k merged.keytab