Keytabgen

The Keytab Generator is an online, self-service tool that lets users generate Kerberos keytabs for use with the Penn State Access Account (dce.psu.edu) Kerberos realm.

What is a keytab file? What is the Keytab Generator?

Keytab (key table) files store one or more Kerberos keys, each derived from a principal's password by a one-way function; the password itself is not stored. The Keytab Generator application creates service principals and the corresponding keytab files, which let a server prove its own identity and verify users' Kerberos tickets issued by the Penn State Kerberos servers.

Keep keytab files safe!

Although the key stored in a keytab is derived from the password by a one-way function, so the password itself cannot simply be read out of the file, a keytab is a full substitute for that password: anyone who holds it can authenticate to the Kerberos servers as the principal. For some encryption types the derivation is also weak enough that a guessable password can be recovered offline from a stolen keytab (rc4-hmac keys are an unsalted hash of the password). The same care must therefore be taken with keytab files as with passwords: do not disclose them to unauthorized parties, encrypt them in transit over the network (for example by copying them over SSH), and restrict them on disk to the account that runs the service (on Unix-like systems, owner-only permissions such as mode 0600).
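The following added example (written for this page, not the Keytab Generator's own code) reads an MIT-format keytab and reports what it actually holds: principals, key version numbers, encryption types and key sizes, never the key bytes themselves. It also applies the storage check described above, flagging a keytab that is readable by group or other. The sample keytab, its principal and its key bytes are constructed in memory for the example.

```python
"""Inspect an MIT-format keytab (file format version 0x0502) without
exposing keys, and check that it is stored with owner-only permissions.
Illustrative code for this page, not the Keytab Generator's own code.
The sample keytab below is constructed from made-up key bytes."""
import os
import stat
import struct
import tempfile

# Kerberos encryption type numbers from the IANA registry (RFC 3961/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
KRB5_NT_SRV_HST = 3  # name type used for service/host principals


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Used here only to construct the sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:            # realm, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts describing each entry; key bytes are dropped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                          # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []
        for _ in range(ncomp + 1):            # realm first, then components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        realm, comps = strings[0], strings[1:]
        _name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_bits": len(key) * 8,
        })
    return entries


def check_keytab_file(path):
    """Parse a keytab on disk and report whether group/other have any access."""
    st = os.stat(path)
    loose = bool(st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    return {"entries": entries, "permissions_ok": not loose}


def check_sample_with_mode(mode):
    """Write SAMPLE to a temporary file with the given mode and check it."""
    with tempfile.NamedTemporaryFile(suffix=".keytab", delete=False) as f:
        f.write(SAMPLE)
    try:
        os.chmod(f.name, mode)
        return check_keytab_file(f.name)["permissions_ok"]
    finally:
        os.unlink(f.name)


# Constructed sample: one service principal with an AES-256 and an RC4 key.
SAMPLE = build_keytab([
    ("cifs/win.pass.psu.edu@dce.psu.edu", 3, 18, bytes(range(32))),
    ("cifs/win.pass.psu.edu@dce.psu.edu", 3, 23, bytes(range(16))),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE):
        print(entry)
    print("mode 0600 ok:", check_sample_with_mode(0o600))
    print("mode 0644 ok:", check_sample_with_mode(0o644))
```

On a real system the same inspection is `klist -kte /path/to/file.keytab`; the point of parsing it here is to see that an entry is a principal name plus a key of the enctype's size, and nothing that can be turned back into the password without guessing.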

What is a Kerberos Service Principal?

A service principal is a special Kerberos account (or principal) that identifies a computer service, in contrast to a Kerberos user principal, which identifies a person.

An example user principal name would look like:

  • xyz123

An example service principal name would look like:

  • cifs/win.pass.psu.edu

The corresponding service principal keytab file created by the Keytab Generator would use the name:

  • cifs.win.pass.psu.edu.keytab

Types of service principals

Services that can be “kerberized” (configured to accept kerberos tickets) include:

  • cifs: Common Internet File System, also known as the Windows file sharing protocol, or smb
  • afpserver: Apple Filing Protocol
  • nfs: Network File System
  • ldap: Lightweight Directory Access Protocol
  • smtp: Simple Mail Transfer Protocol
  • pop: Post Office Protocol
  • imap: Internet Message Access Protocol
  • host: generic host identity, used by sshd, as well as clients
  • HTTP: Hyper-Text Transfer Protocol, some systems prefer lowercase “http” service name
  • vnc: Virtual Network Computing, remote computer desktop management
  • vpn: Virtual Private Networking
  • xgrid: Apple’s distributed (grid) computing
  • ipp: Internet Printing Protocol
  • xmpp: Extensible Messaging and Presence Protocol, used by Jabber; some servers prefer upper case “XMPP”
  • ftp: File Transfer Protocol
  • pcast: Podcast Producer

These service types form the part of the principal name before the slash; the computer's fully qualified DNS name forms the part after it. A server that hosts several services therefore uses more than one service principal name.

Besides server keytabs, which identify a server to its clients and let the server verify users' credentials, a service principal may also identify a client. Usually this is the host principal, but some clients use other service types, such as nfs for the Linux NFS client.

Who can use the Keytab Generator?

The current version of the Keytab Generator provides access to two types of keytabs:

  • Personal Keytabs – Keytab files for Linux NFS clients, allowed to everyone with an Access Account
  • Server Keytabs – Keytab files for both clients and servers, restricted to authorized IT staff

IT staff are authorized to request Server Keytabs by their department head and vetted by the department’s designated ITS Consultant. Contact your designated ITS Consultant for further instructions. Some additional information about the use of keytabs is described in the Access Account Integration wiki (restricted to Penn State full-time faculty/staff).

How does a “Server Keytab” differ from a service principal keytab?

A “Server Keytab” is any service principal keytab that matches a real DNS name. Only authorized IT staff may request them.

A “Personal Keytab” is a special service principal keytab which is restricted in name to type/userid.keytab.psu.edu where type can be only either nfs or host and userid must match the requesting user’s userid.

Encryption Types

Currently, the Keytab Generator can create service principals and corresponding keytabs with the following encryption types:

  • des-cbc-crc
  • des3-cbc-sha1
  • rc4-hmac
  • aes128-cts-hmac-sha1-96
  • aes256-cts-hmac-sha1-96

des-cbc-crc is single DES, which the IETF deprecated for Kerberos in RFC 6649; des3-cbc-sha1 and rc4-hmac were deprecated in RFC 8429. Select them only for a server that supports nothing stronger, and prefer the AES types otherwise. A keytab that contains a weak type alongside the AES types does not get AES protection for free: a client can request a service ticket under the weaker key, and that ticket is then an offline cracking target.
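This added example (written for this page, not the Keytab Generator's own code) shows concretely why the "Keep keytab files safe" advice above holds and why rc4-hmac is the worst of the listed types. Its string-to-key function (RFC 4757) is MD4 over the UTF-16LE password with no salt, so identical passwords give identical keys for every principal and a leaked key can be attacked with a plain dictionary, one hash per guess. The AES types instead use salted PBKDF2 (RFC 3962), which slows guessing and defeats shared precomputed tables, but does not change the fact that the key is a password substitute. MD4 is implemented in pure Python because hashlib builds often lack it; the leaked key and the candidate password list are constructed for the example.

```python
"""rc4-hmac string-to-key (RFC 4757) and an offline guess against a leaked
keytab key.  Added illustration for this page, not Keytab Generator code.
MD4 is written out here (RFC 1320) because hashlib may not provide it."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4 digest of msg."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    msg = bytes(msg)
    bit_len = len(msg) * 8
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        # Each step updates one register; rotating the tuple reproduces the
        # [ABCD] [DABC] [CDAB] [BCDA] ordering of the RFC.
        for i in range(16):                                   # round 1
            A, B, C, D = D, _rotl((A + F(B, C, D) + X[i]) & _MASK,
                                  (3, 7, 11, 19)[i % 4]), B, C
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            A, B, C, D = D, _rotl((A + G(B, C, D) + X[k] + 0x5A827999) & _MASK,
                                  (3, 5, 9, 13)[i % 4]), B, C
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            A, B, C, D = D, _rotl((A + H(B, C, D) + X[k] + 0x6ED9EBA1) & _MASK,
                                  (3, 9, 11, 15)[i % 4]), B, C
        a, b, c, d = ((a + A) & _MASK, (b + B) & _MASK,
                      (c + C) & _MASK, (d + D) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4 of the UTF-16LE password, no salt.
    This is exactly the key an rc4-hmac keytab entry stores."""
    return md4(password.encode("utf-16-le"))


def recover_password(key: bytes, candidates):
    """Offline guess against a leaked rc4-hmac key; returns the matching
    candidate or None.  With no salt, one MD4 call tests one guess, and a
    table of precomputed keys works against every principal at once."""
    for pw in candidates:
        if rc4_hmac_string_to_key(pw) == key:
            return pw
    return None


# Constructed example: an rc4-hmac key that leaked with a stolen keytab, and
# a small made-up wordlist of candidate passwords.
LEAKED_KEY = rc4_hmac_string_to_key("password")
WORDLIST = ["letmein", "Password1", "password", "kerberos"]

if __name__ == "__main__":
    print("leaked rc4-hmac key:", LEAKED_KEY.hex())
    print("recovered password:", recover_password(LEAKED_KEY, WORDLIST))
```

The recovered key here equals the well-known NT hash of "password", which is the same value Windows stores for that password; that equivalence is why a leaked rc4-hmac keytab entry is as bad as a leaked NT hash.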

More about encryption types…

Keytab Generator URL

Access the Keytab Generator.

Roadmap

Previous or current versions:

  • Phase 1: Server Keytabs only, pilot version
  • Phase 2: released Feb 18, 2010: Initial production release, introduce Personal Keytabs
  • Phase 3: lets the requester select encryption types for better compatibility with servers; adds support for AES and RC4 encryption types in keytabs

Future revisions for the keytab generator will allow for:

  • Later Phases:
    • Request existing Server Keytabs to be rekeyed or deleted
    • Bulk keytab requests