On 07/18/2017 12:48 PM, pratyush parimal wrote:
> When I export a principal's key to a keytab file using the following
> command:
>
> ktadd -k keytabfile service/host@REALM
>
> (1) Does the keytabfile contain the key in encrypted form or as plaintext?

The keytab file contains the actual keys, unencrypted.

> (2) Is it possible to export the key in encrypted form? If so, then how
> does the service application open the encrypted keytab?

The keytab file does not have any way to represent encrypted keys, and the kadmin protocol has no facility to export encrypted keys. One could, in principle, design an out-of-band system which used kadmin.local to create a keytab, encrypt the file, transmit the encrypted keytab file to the server, and then decrypt the file on the server (into a memory filesystem, perhaps) before running the server application, but I've never heard of anyone doing that.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
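Added example, not part of the thread above or of MIT krb5: a small Python builder and parser for the version-0x0502 keytab layout, illustrating the answer to (1) that the key bytes are stored in the file as-is, with no encryption layer to undo. The field layout follows the MIT krb5 keytab format as I understand it, and the sample principal, timestamp and 16-byte key are constructed values.

```python
import struct

def _cos(data: bytes) -> bytes:
    """Counted octet string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data

def _read_cos(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(realm, components, key, enctype=17, kvno=3, timestamp=1500400000):
    """Build a one-entry version-0x0502 keytab (layout assumed from the MIT krb5 format)."""
    body = struct.pack(">H", len(components)) + _cos(realm.encode())
    for c in components:
        body += _cos(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _cos(key)           # keyblock: enctype + raw key bytes
    body += struct.pack(">I", kvno)                          # optional 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return a list of entry dicts; the key bytes come straight out of the file."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cos(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cos(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_cos(data, pos + 11)
        if end - pos >= 4:                    # newer writers append a 32-bit kvno
            vno = struct.unpack_from(">I", data, pos)[0] or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": enctype, "timestamp": ts, "key": key})
        pos = end
    return entries

# Constructed sample: service/host@EXAMPLE.COM with a made-up 16-byte aes128-cts (enctype 17) key.
SAMPLE_KEYTAB = build_keytab("EXAMPLE.COM", ["service", "host"], bytes(range(16)))
```

Anyone who can read the file can read the key, which is why keytab file permissions, and any encrypt-in-transit scheme like the one sketched in the reply, are the only protection the format offers.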