Can you share some thoughts on whether a Kerberos keytab should be readable only by root – under all circumstances? Or are there exceptions to this rule?
I am setting up a Squid proxy on Debian Jessie for Kerberos authentication with Active Directory. Most documentation advises to create a keytab for Squid containing an entry for the "HTTP" Service Principal.
However, if I join my system to an Active Directory domain, e.g., with realmd, this will already create a keytab, namely /etc/krb5.keytab
. I can even make sure this keytab contains the necessary entry for the "HTTP" Service Principal:
# adcli preset-computer -D mydomain.org --service-name HOST --service-name HTTP proxy.mydomain.org
# realm join mydomain.org
So instead of creating a second keytab for Squid I could simply give read permissions for /etc/krb5.keytab
to the process running Squid (which is the user proxy on Debian).
I am aware that it is considered a security issue if any user but root has access to the system keytab /etc/krb5.keytab
. However, if my server hosts no services but the Squid proxy a keytab specifically created for Squid (e.g., with net ads keytab create && net ads keytab add HTTP
) would contain more or less the same information as the system keytab anyway. (Or wouldn't it?)
So will I leap into any security holes when setting it up this way?
Best Answer
I think I should rephrase my question, thereby answering it: How do I create a keytab that contains only entries for the HTTP SPN?
If I create a new keytab for Squid with the following commands as it is described in the Squid wiki
then the new keytab
/etc/squid3/HTTP.keytab
will contain entries for the same SPNs as the system keytab plus entries for the HTTP SPN:This is why I did not see the point in denying Squid read permissions for the system keytab
/etc/krb5.keytab
- it had the same SPNs in its own keytab anyway.However, if I make
HTTP.keytab
contain only HTTP entries the different permissions will make sense: Then Squid can only use the HTTP SPNs it actually needs - but no other SPNs that may be contained in the system keytab. That can be done as follows:This adds the HTTP SPN to the system keytab. Then we create a new keytab based on the system keytab and in this new keytab delete all but the HTTP SPNs:
Repeat the last step until only entries are left that start with
http
orHTTP
. Then write the result to a new file and set the permissions:The resulting keytab now contains only HTTP SPNs:
Works for me :-)