Kerberos Keytab File – What It Means to Add a Principal

kerberos, mit-kerberos

In this documentation they mention that you can use the ktadd command that "add a principal to an existing keytab". Does adding a principal mean that the principal now has access to that host (in which ktadd was run), or that the host (in which ktadd was run) now has access to that principal (host/somehost-example)?

http://web.mit.edu/Kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/Adding-Principals-to-Keytabs.html

This is a fairly simple question, but it's not very clear from the documentation I've read.

Best Answer

A key table (keytab) file contains pairs of Kerberos principal identities and a corresponding encrypted key for that principal. It is as good as a password (and should be secured as such), and can be used to authenticate as one of the named principals against the Kerberos realm.

Keytabs are commonly used in instances where passwords are unsuitable; for example, where a host machine or automated process must authenticate to access a network resource. They also play an important role in mutual authentication between a server and a client (especially in the server to client direction).

Concrete effect: Adding an entry to a keytab using ktadd means adding an entry to the key table with a principal and an encryption key to facilitate the encryption & decryption of tickets generated in exchange with the KDC.

Abstract effect: Adding a principal means the keytab can be used by any entity in control of it (such as a host) to obtain a ticket as that principal.
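To make the "concrete effect" tangible, here is an added example (not part of the answer above, and not MIT Kerberos code) that builds and reads a file in the MIT keytab layout (version 0x0502): each entry is a length-prefixed record holding the principal name, a key version number, an encryption type and the raw key. "Adding a principal" is nothing more than appending such a record, so whoever can read the file holds that principal's key. The principal names, timestamps and the all-0x11/0x22 keys are constructed placeholders; the `add_principal`, `remove_principal`, `parse_keytab` and `describe` functions are this example's own, written to mirror what ktadd/ktremove do to the file on disk.

```python
import struct
import time
from typing import Optional

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 0x0502

# RFC 3962 encryption type numbers used in the constructed sample below.
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18


def _counted(data: bytes) -> bytes:
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(principal: str, enctype: int, key: bytes, kvno: int,
                 timestamp: Optional[int] = None, name_type: int = 1) -> bytes:
    """Serialize one entry (principal, kvno, enctype, key) with its int32 length prefix."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">I", name_type)                # KRB5_NT_PRINCIPAL == 1
    body += struct.pack(">I", int(time.time()) if timestamp is None else timestamp)
    body += struct.pack(">B", kvno & 0xFF)              # 8-bit kvno field
    body += struct.pack(">H", enctype) + _counted(key)  # keyblock: enctype + key
    body += struct.pack(">I", kvno)                     # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def add_principal(keytab: bytes, principal: str, enctype: int, key: bytes,
                  kvno: int, timestamp: Optional[int] = None) -> bytes:
    """What ktadd does to the file: append an entry carrying that principal's key."""
    if not keytab:
        keytab = KEYTAB_MAGIC
    if keytab[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 MIT keytab")
    return keytab + encode_entry(principal, enctype, key, kvno, timestamp)


def parse_keytab(data: bytes) -> list:
    """Walk the entry list; a negative length prefix is a hole left by ktremove and is skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        prefix_at = off
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # hole: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp, rlen) = struct.unpack_from(">HH", data, off); off += 4
        realm = data[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off); off += 2
            comps.append(data[off:off + clen].decode()); off += clen
        name_type, timestamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += struct.calcsize(">IIBHH")
        key = data[off:off + klen]; off += klen
        kvno = vno8
        if end - off >= 4:                # 32-bit kvno present; non-zero value wins over vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "timestamp": timestamp, "key": key,
                        "offset": prefix_at, "size": size})
        off = end
    return entries


def remove_principal(keytab: bytes, principal: str) -> bytes:
    """What ktremove does: flip matching entries into holes; the file length is unchanged."""
    out = bytearray(keytab)
    for entry in parse_keytab(keytab):
        if entry["principal"] == principal:
            struct.pack_into(">i", out, entry["offset"], -entry["size"])
    return bytes(out)


def describe(keytab: bytes) -> list:
    """Listing in the spirit of `klist -kt`: never echo the key bytes, they are password-equivalent."""
    return [f"{e['kvno']} {e['principal']} (enctype {e['enctype']})" for e in parse_keytab(keytab)]


if __name__ == "__main__":
    # Constructed sample: a host principal and a service principal with dummy keys.
    kt = add_principal(b"", "host/somehost.example@EXAMPLE.COM",
                       AES256_CTS_HMAC_SHA1_96, b"\x11" * 32, kvno=3, timestamp=1700000000)
    kt = add_principal(kt, "HTTP/www.example@EXAMPLE.COM",
                       AES128_CTS_HMAC_SHA1_96, b"\x22" * 16, kvno=7, timestamp=1700000000)
    print("\n".join(describe(kt)))
    print("\n".join(describe(remove_principal(kt, "host/somehost.example@EXAMPLE.COM"))))
```

Note that `remove_principal` leaves the key bytes in the file inside the hole, which is why a keytab that ever held a sensitive key should be treated as sensitive even after entries are removed, and why the file's permissions matter more than its contents' apparent emptiness.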