Obtaining Kerberos keys for SNC decryption

A keytab file containing pairs of Kerberos principals and their secret keys can be created on any computer with Kerberos.

Before you begin

To create a keytab file you need the ktutil utility and you need to know your Kerberos password. The ktutil utility is present on any workstation using the Kerberos system for network security. It is, for example, part of the MIT Kerberos tools in the Kerberos workstation package. You do not need to log into the actual Kerberos server to generate your keytab file.

Creating the keytab file

The following procedure demonstrates the creation of the keytab file using MIT Kerberos. A corresponding example using Heimdal Kerberos is also given below. The examples assume that you are logged into a Linux-based Kerberos workstation.

Ensure that the ktutil utility is on your command execution PATH.

For Unix/Linux systems this could be, for example, /usr/sbin or /usr/kerberos/sbin. The command type ktutil should tell you where the executable ktutil file resides. If the type command fails, you will need to find the location of the executable ktutil file and make sure that it is on your execution PATH.

Start the ktutil utility.

On your command prompt, type

ktutil

This should result in the ktutil: prompt being displayed, as shown in the example output.

 > ktutil
ktutil:

Use the addent command to instruct the ktutil utility to add a principal key to the keytab file.

The following syntax uses the -password option, which derives the key from the password you enter; you can also supply the key material directly with the -key option. For full details of ktutil command syntax, refer to the Kerberos documentation. Note that you can specify all of the required options to the addent command or only some; options that are required but not supplied will be prompted for. In the example below, the user is prompted for the password.

addent -password -p principal -k kvno -e enctype

where principal is the principal ID, kvno is the key version number, and enctype is the encryption type. For example:

 ktutil: addent -password -p myName@ABC.XX.YYY -k 1 -e rc4-hmac
  Password for myName@ABC.XX.YYY: qVnlfc587

Repeat adding new keys as required.

Use the write_kt (alias wkt) command to write the current keylist to a Kerberos keytab file.

For example:

 ktutil: wkt myfile.keytab

Use the quit command to exit ktutil.

 ktutil: quit

View the created keytab file.

The keytab file will have been created in the current working directory. You can list it using the ls command.
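Listing the file with ls only confirms that it exists. To check which principals, key version numbers and encryption types actually went into it without ever printing key material, here is an added Python example (not part of this documentation or of the NAM product) that parses the MIT keytab file format (version 0x0502). The sample keytab bytes are constructed inline by a small builder function and are not the output of ktutil.

```python
import struct
ENCTYPES = {23: "rc4-hmac", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3961 numbers for the page's two enctypes

def _octets(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data  # counted octet string: uint16 length + bytes

def _read_octets(blob: bytes, pos: int):
    (n,) = struct.unpack(">H", blob[pos:pos + 2])
    return blob[pos + 2:pos + 2 + n], pos + 2 + n

def build_entry(principal: str, kvno: int, etype: int, key: bytes) -> bytes:
    """Serialise one v0x0502 keytab entry; used here only to build constructed test data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type=1, timestamp, 8-bit vno
    body += struct.pack(">H", etype) + _octets(key)
    body += struct.pack(">I", kvno)                  # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob: bytes) -> list:
    """Return (principal, kvno, enctype, key_len) per live entry; key bytes are never surfaced."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:              # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        realm, pos = _read_octets(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(blob, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8, etype = struct.unpack(">IIBH", blob[pos:pos + 11])
        key, pos = _read_octets(blob, pos + 11)
        kvno = struct.unpack(">I", blob[pos:end])[0] if end - pos == 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(etype, f"etype-{etype}"), len(key)))
        pos = end
    return entries

# Constructed sample keytab mirroring the page's example (not ktutil output): two principals, two enctypes.
SAMPLE = (b"\x05\x02" + build_entry("myName@ABC.XX.YYY", 1, 23, b"\x11" * 16)
          + build_entry("joe@ABC.XX.YYY", 1, 18, b"\x22" * 32))
```

Running parse_keytab on a real keytab produced by ktutil should show the same principal, kvno and enctype values you entered with addent, which is the check to make before transferring the file.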

Example for MIT Kerberos

The following example summarizes the input and output from the above procedure, while adding a second key with a different encryption type:

 > ktutil
ktutil:
ktutil: addent -password -p myName@ABC.XX.YYY -k 1 -e rc4-hmac
  Password for myName@ABC.XX.YYY: qVnlfc587
ktutil: addent -password -p joe@ABC.XX.YYY -k 1 -e aes256-cts
  Password for joe@ABC.XX.YYY: Pagod005
ktutil: wkt myfile.keytab
ktutil: quit

Example for Heimdal Kerberos

You should use Heimdal Kerberos version 1.5 or older.
> ktutil -k myfile.keytab add -p username@ABC.XX.YYY -e arcfour-hmac-md5 -V 1
> ktutil -k myfile.keytab add -p username@ABC.XX.YYY -e aes256-cts-hmac-sha1-96 -V 1

What to do next

Store the created keytab file securely in preparation for copying it to the NAM Probe. Remember that the keytab file is not encrypted. If you are transferring it over a network, make sure that the network is secure. Once the file has been transferred to the NAM Probe, it needs to be encrypted for security reasons. For more information, see Encrypting Kerberos SNC keys for secure storage on NAM Probe.