keytab

A keytab (key table), in the context of Kerberos authentication, is a file that stores pairs of Kerberos principals and their associated long-term keys. The keys are stored in cleartext, which is what lets services and daemon processes authenticate to the Key Distribution Center (KDC) and obtain tickets without being prompted for a password, and lets a service decrypt the service tickets that clients present to it. Whoever can read a keytab holds the credential of every principal in it.
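
As an added worked example (not code from the original page), the Python below builds a keytab in the MIT file format (version 0x0502, all integers big-endian) from the fields this page lists for an entry (principal, KVNO, etype, key material, plus the entry timestamp), parses it back into the same columns klist -kte prints, and applies two checks a service should make at startup: that the file is readable only by its owner, and which KVNO is current for each principal. The principals (HTTP/www.example.com@EXAMPLE.COM, host/www.example.com@EXAMPLE.COM), keys and timestamps are constructed test data; the deleted slot with a negative entry size and the 32-bit KVNO field that overrides the one-byte one are part of the MIT format, and the helper names (encode_entry, parse_keytab, permissions_ok, current_kvno) are this example's own.

```python
# Added example (not from the original page): build, parse and check an
# MIT-format Kerberos keytab (file format 0x0502, integers big-endian).
# Principals, keys and timestamps here are constructed test data.
import os
import stat
import struct
import tempfile

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1  # name_type of an ordinary principal
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _octets(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def _read_octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def encode_entry(principal, kvno, etype, key, timestamp):
    """int32 size, then components, realm, name_type, time, vno8, keyblock, vno32."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", etype) + _octets(key)  # keyblock
    body += struct.pack(">I", kvno)                  # full 32-bit vno
    return struct.pack(">i", len(body)) + body

def free_slot(size):
    """Slot left by an in-place delete (kadmin ktremove): negative size."""
    return struct.pack(">i", -size) + b"\0" * size

def build_keytab(entries):
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(entries)

def parse_keytab(data):
    """Return entries as dicts (principal, kvno, etype, key, timestamp)."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # deleted entry: skip |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        _nt, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_octets(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:  # 32-bit vno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "etype": etype, "key": key, "timestamp": timestamp})
        pos = end
    return entries

def current_kvno(entries):
    """Highest kvno per principal: the key the KDC now issues tickets under."""
    best = {}
    for e in entries:
        best[e["principal"]] = max(best.get(e["principal"], 0), e["kvno"])
    return best

def write_keytab(path, entries):
    """Create the file 0600 from the start instead of chmod'ing afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(build_keytab(entries))

def permissions_ok(path):
    """A service should refuse a keytab with any group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0

def demo():
    """Constructed keytab: HTTP/ principal rotated once (kvno 3 -> 4), a
    deleted slot in between, and a host/ principal with a different etype."""
    ents = [encode_entry("HTTP/www.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32, 1700000000),
            free_slot(40),
            encode_entry("HTTP/www.example.com@EXAMPLE.COM", 4, 18, b"\x22" * 32, 1700086400),
            encode_entry("host/www.example.com@EXAMPLE.COM", 1, 17, b"\x33" * 16, 1700000000)]
    path = os.path.join(tempfile.mkdtemp(), "krb5.keytab")
    write_keytab(path, ents)
    with open(path, "rb") as f:
        parsed = parse_keytab(f.read())
    for e in parsed:  # same columns as `klist -kte`
        print("%4d  %s  (%s)" % (e["kvno"], e["principal"], ETYPE_NAMES.get(e["etype"], e["etype"])))
    return path, parsed

if __name__ == "__main__":
    demo()
```

Both the old kvno 3 and the new kvno 4 entry for the HTTP/ principal are kept, which is what ktadd-style rotation leaves behind on purpose: tickets the KDC issued under kvno 3 before the rotation still decrypt until they expire, while current_kvno reports 4 as the key new tickets use. A service that finds only kvno 3 when the KDC is already at 4 is the classic "key version mismatch" outage this page warns about.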

Keytabs contain entries that specify a principal name, a key version number (KVNO), an encryption type (etype), and the corresponding key material. The file is typically binary and commonly located at /etc/krb5.keytab on Unix-like systems. Keytabs are created and managed with Kerberos tools such as ktutil or kadmin (for example kadmin's ktadd, which also randomizes the key and increments the principal's KVNO), and they may be used by clients or services to acquire tickets via commands like kinit -kt /path/to/keytab principal.

Usage scenarios include web servers, database services, or other daemons that must access protected resources without human intervention. A service can load its keytab at startup and request a ticket on demand, or periodically renew tickets as needed. Administrators often create keytabs for specific principals (for example, host-based service principals such as host/fqdn@REALM or HTTP/fqdn@REALM) to isolate credentials and simplify automated maintenance.

Keytab contents can be listed or inspected with tools such as klist -k (klist -kte also shows each entry's timestamp and etype) and ktutil (for editing), and keytabs must be kept in sync with the corresponding principals in the Kerberos realm: if the KVNO or etype in the keytab no longer matches what the KDC holds for the principal, the service can neither obtain tickets nor decrypt the tickets clients present to it.

Security considerations are central to using keytabs. They store long-lived keys in cleartext, so anyone who can read the file can authenticate as, and impersonate, the principal for as long as the key stays valid. Access should be restricted to the service account, with strict file permissions (often mode 0600, readable only by root or the service user), and the keytab should be protected against tampering. Regular key rotation via KVNO updates and per-service keytabs are common best practices; keytabs should be stored securely, kept out of backups, images and repositories that others can read, and access to them should be auditable.

See also Kerberos, Key Distribution Center, principals, and kvno.