Greg Hudson <ghud...@mit.edu> writes:

> On 07/18/2017 12:48 PM, pratyush parimal wrote:
>> (2) Is it possible to export the key in encrypted form? If so, then how
>> does the service application open the encrypted keytab?

> The keytab file does not have any way to represent encrypted keys, and
> the kadmin protocol has no facility to export encrypted keys. One
> could, in principle, design an out-of-band system which used
> kadmin.local to create a keytab, encrypt the file, transmit the
> encrypted keytab file to the server, and then decrypt the file on the
> server (into a memory filesystem, perhaps) before running the server
> application, but I've never heard of anyone doing that.

You have kind of a chicken-and-egg problem, since in a typical Kerberos
environment the keytab *is* the core identity keys for an application. If
it's encrypted, then you need some other unencrypted keys that *really*
represent the application, at which point why not use those keys for
Kerberos directly?

That said, if you had a private key in a TPM or some other sort of
tamper-resistant hardware, I could see wanting to hand out Kerberos keytabs
encrypted to the public key of the server. But you'd have to build the
service to do key issuance that way yourself. (It wouldn't be horribly hard
to build if you'd already done the work to build out the PKI and its TPM
component.)

But, even in that case, it's not clear to me what the keytab is then doing
for you versus just using the PKI and using PKINIT to get Kerberos tickets.
There are probably some practical uses for introducing the extra layer of
complexity, but it's not obviously necessary.

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
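The out-of-band scheme Greg sketches (kadmin.local creates the keytab, the file is encrypted, shipped, and decrypted into a memory filesystem on the server), with the file sealed to the server's public key as Russ suggests, written out as an added shell example; it is not code from the thread or from MIT Kerberos. It assumes OpenSSL on both hosts and kadmin.local on the KDC; the principal, file names and RAM-backed directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical issuance flow:
# KDC side: make_keytab + seal_keytab; server side: unseal_keytab.

# On the KDC: extract the service principal's keys into a fresh keytab.
make_keytab() {   # make_keytab <principal> <keytab-file>
    kadmin.local -q "ktadd -k $2 $1"
}

# On the KDC: encrypt the keytab under a random AES-256 key, then wrap that
# key with the server's RSA public key (OAEP). Writes <prefix>.enc and
# <prefix>.key; only the server's private key can recover the keytab.
seal_keytab() {   # seal_keytab <keytab-file> <server-pub.pem> <out-prefix>
    kek=$(openssl rand -hex 32)
    openssl enc -aes-256-cbc -pbkdf2 -pass "pass:$kek" -in "$1" -out "$3.enc"
    printf '%s' "$kek" | openssl pkeyutl -encrypt -pubin -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -out "$3.key"
    unset kek
}

# On the server: unwrap the AES key with the server's private key (in
# practice TPM-resident), decrypt the keytab into a RAM-backed directory
# such as a tmpfs mount, and point the Kerberos library at it. The
# plaintext keytab never touches persistent storage on the server.
unseal_keytab() { # unseal_keytab <prefix> <server-priv.pem> <ramfs-dir>
    kek=$(openssl pkeyutl -decrypt -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -in "$1.key")
    umask 077
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$kek" \
        -in "$1.enc" -out "$3/krb5.keytab"
    unset kek
    export KRB5_KTNAME="FILE:$3/krb5.keytab"
}
```

The service is then started from the same shell so it inherits KRB5_KTNAME; a server that also holds a PKI key could instead skip the keytab and use PKINIT, which is Russ's point.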