Thank you for replying. I understood that it is a symmetric key which is shared with the KDC. So, is it in binary format or is there some other format which is used, generally? And what if (hypothetically) you don't have a password for some user, how is the key generated in such a case? Like you have mentioned that the services only have the raw key.
On Tue, May 9, 2017 at 9:29 PM, Benjamin Kaduk <ka...@mit.edu> wrote:
> On Tue, May 09, 2017 at 01:02:08PM +0530, Abhishek Kaushik wrote:
> > Hello,
> >
> > I am trying to understand how Kerberos works and so came across this file
> > called Keytab which, I believe, is used for authentication to the KDC
> > server.
> >
> > Just like every user and service (say Hadoop) in a kerberos realm has a
> > service principal, does every user and service have a keytab file?
> >
> > Also, does authentication using keytab work on symmetric key cryptography
> > or public-private key?
>
> For traditional kerberos, each principal (user or service) shares a
> symmetric key with the KDC, and the KDC acts as a trusted
> third-party for authentication exchanges. Generally, users will
> know this key in the form of a password (there is a fixed
> password-to-key function, so the KDC stores the key and not the
> password), and service principals will just have the raw shared
> key(s). Such raw shared keys are stored in a keytab file, which is
> used both for authentication to the KDC as you note, and also for
> decrypting and authenticating authentication requests from other
> principals to the service in question.
>
> In order to be usable in the (traditional) kerberos ecosystem, each
> principal needs at least one of a password and a keytab file. It's
> possible, but rare, to have both present for the same principal.
>
> I have been referring to "traditional kerberos", which is
> exclusively symmetric cryptography. There are certain extensions to
> kerberos that use public-key cryptography, most notably PKINIT (RFC
> 4556), but at present such schemes are only used for the initial
> authentication to the KDC; subsequent protocol exchanges and
> authentication to other services still use symmetric cryptography.
>
> -Ben

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
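To make the "raw shared keys are stored in a keytab file" point concrete, here is an added example (my own code, not anything from the Kerberos project or from either poster). It builds an MIT-format keytab (file format version 0x0502, big-endian) in memory and parses it back, so you can see that each entry carries nothing but the principal name, a key version number (kvno), an enctype number and the raw key bytes. The realm, principal and key bytes are constructed for illustration; the layout follows the documented MIT keytab format.

```python
# Build and parse an MIT-format keytab (version 0x0502) in memory.
# Added example; realm, principal names and key bytes are constructed.
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_VERSION = 0x0502      # MIT keytab file format version 2, big-endian
KRB5_NT_PRINCIPAL = 1        # name type used for user and service principals
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]    # e.g. ["hdfs", "nn.example.com"]
    enctype: int
    key: bytes               # the raw long-term key: this is the secret
    kvno: int
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the layout kadmin's ktadd / ktutil produce."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        body = struct.pack(">H", len(e.components))
        body += _counted(e.realm.encode("utf-8"))
        for comp in e.components:
            body += _counted(comp.encode("utf-8"))
        # name_type, timestamp, then the 8-bit kvno that older readers use
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)   # keyblock
        body += struct.pack(">I", e.kvno)   # trailing 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


class _Reader:
    def __init__(self, blob: bytes, pos: int):
        self.blob, self.pos = blob, pos

    def take(self, fmt: str):
        vals = struct.unpack_from(fmt, self.blob, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals if len(vals) > 1 else vals[0]

    def counted(self) -> bytes:
        n = self.take(">H")
        data = self.blob[self.pos:self.pos + n]
        if len(data) != n:
            raise ValueError("truncated counted string")
        self.pos += n
        return data


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse a keytab; a negative entry size marks a deleted slot to skip."""
    r = _Reader(blob, 0)
    version = r.take(">H")
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    entries = []
    while r.pos < len(blob):
        size = r.take(">i")
        if size < 0:                 # ktremove leaves a hole of -size bytes
            r.pos += -size
            continue
        end = r.pos + size
        ncomp = r.take(">H")
        realm = r.counted().decode("utf-8")
        comps = [r.counted().decode("utf-8") for _ in range(ncomp)]
        name_type, timestamp, vno8 = r.take(">IIB")
        enctype = r.take(">H")
        key = r.counted()
        kvno = r.take(">I") if end - r.pos >= 4 else vno8
        r.pos = end
        entries.append(KeytabEntry(realm, comps, enctype, key, kvno, timestamp, name_type))
    return entries


def describe(entries: List[KeytabEntry]) -> List[str]:
    """One line per entry without the key bytes, in the spirit of `klist -kt`."""
    return [f"{e.kvno:>4} {ENCTYPE_NAMES.get(e.enctype, str(e.enctype))} "
            f"{e.principal} ({len(e.key)}-byte key)" for e in entries]


# Constructed sample: a Hadoop-style service principal with two enctypes.
SAMPLE_ENTRIES = [
    KeytabEntry("EXAMPLE.COM", ["hdfs", "nn.example.com"], 18, bytes(range(32)), kvno=3, timestamp=1494300000),
    KeytabEntry("EXAMPLE.COM", ["hdfs", "nn.example.com"], 17, bytes(range(16)), kvno=3, timestamp=1494300000),
]

if __name__ == "__main__":
    for line in describe(parse_keytab(build_keytab(SAMPLE_ENTRIES))):
        print(line)
```

`describe` deliberately omits the key bytes, which is also why `klist -kt` shows only kvno, enctype and principal. Since the file holds the service's long-term key itself, readable access to it is equivalent to the password for a user principal: keep it mode 0600 for the service account, and if it is ever exposed, regenerate the key (which bumps the kvno) rather than just rotating the file.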