Keytab stands for key table. It is a file that stores one or more Kerberos principals together with their encrypted keys. The encrypted keys are generated from the users' passwords. A keytab allows passwords to be stored securely and users to be authenticated without entering a password. The current version of the Kerberos protocol is 5.

The examples in this article are from CentOS / RHEL and Ubuntu distributions.

1. Validate that Kerberos 5 client is installed


On CentOS / RHEL, the Kerberos 5 client is installed by default. It consists of two packages.

yum list installed | grep 'krb5-workstation\|krb5-libs'


krb5-libs.x86_64                        1.15.1-46.el7                  @base
krb5-workstation.x86_64                 1.15.1-46.el7                  @base

If it is not installed, install the Kerberos 5 client.

sudo yum install krb5-workstation krb5-libs


On Ubuntu, check whether the Kerberos 5 client is installed.

apt list --installed krb5-user


Listing... Done
krb5-user/jammy,now 1.19.2-2 amd64 [installed]

If it is not installed, install the Kerberos 5 client.

sudo apt install krb5-user

2. Create a folder to store the keytab file

mkdir ~/kerberos

3. Create keytab file

The tool that generates the keytab file, ktutil, is interactive: you type the commands at its prompt.

  • Add a new principal to the key list.
  • Type the principal's password.
  • Store the principal or principals in a keytab file.
  • Show the principal entries.

An important parameter is -e, the encryption type. A list of values is here.

ktutil: addent -password -p username@SAMPLE.COM -k 1 -e RC4-HMAC 
Password for username@SAMPLE.COM: 
ktutil: wkt /home/username/kerberos/username.keytab 
ktutil: l -e
slot KVNO Principal
---- ---- ----------------------------------------------- 
   1    1             username@SAMPLE.COM (arcfour-hmac)
ktutil: exit

4. Validate keytab file

klist -e -k -t ~/kerberos/username.keytab
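
To complement step 4, the following added example (not part of the original article) parses a keytab in Python and flags entries whose encryption type is deprecated, such as the RC4-HMAC (arcfour-hmac) key created in step 3, which RFC 8429 deprecates. It assumes the MIT keytab file format version 0x0502; the function names are hypothetical and the sample bytes are constructed with all-zero keys.

```python
import struct
# Enctype numbers from the IANA Kerberos registry; WEAK = deprecated by RFC 6649 / RFC 8429.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 3, 16, 23}

def parse_keytab(data):
    """List the entries of a keytab (file format 0x0502) without exposing key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size <= 0:                       # negative size marks a deleted slot
            pos += 4 - size
            continue
        rec, pos, off = data[pos + 4:pos + 4 + size], pos + 4 + size, 0
        if len(rec) < size:
            raise ValueError("truncated entry")
        def num(fmt):                       # read one big-endian integer
            nonlocal off
            (v,) = struct.unpack_from(fmt, rec, off)
            off += struct.calcsize(fmt)
            return v
        def blob():                         # read a 16-bit length-prefixed string
            nonlocal off
            n = num(">H")
            off += n
            return rec[off - n:off]
        ncomp, realm = num(">H"), blob().decode()
        name = "/".join(blob().decode() for _ in range(ncomp))
        off += 8                            # skip name type and timestamp
        kvno, etype, key = num(">B"), num(">H"), blob()
        if len(rec) - off >= 4:             # optional 32-bit kvno overrides the 8-bit one
            kvno = num(">I") or kvno
        entries.append({"principal": f"{name}@{realm}", "kvno": kvno, "key_bytes": len(key),
                        "enctype": ENCTYPES.get(etype, str(etype)), "weak": etype in WEAK})
    return entries

def weak_entries(data):
    return [e for e in parse_keytab(data) if e["weak"]]

def _entry(kvno, etype, key, realm=b"SAMPLE.COM", name=b"username"):  # constructed entry
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + s(realm) + s(name)
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: the RC4 entry from the ktutil session above plus an AES-256 entry.
SAMPLE = b"\x05\x02" + _entry(1, 23, bytes(16)) + _entry(1, 18, bytes(32))
```

To audit a real file, pass the bytes read from it in binary mode to `weak_entries`. The parser reports key lengths only, because the key bytes in a keytab are enough to authenticate as the principal.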

