Ah, I get it. It's much clearer now. Thanks guys!

On Jul 18, 2017 10:15 PM, "Russ Allbery" <ea...@eyrie.org> wrote:

> Greg Hudson <ghud...@mit.edu> writes:
> > On 07/18/2017 12:48 PM, pratyush parimal wrote:
>
> >> (2) Is it possible to export the key in encrypted form? If so, then how
> >> does the service application open the encrypted keytab?
>
> > The keytab file does not have any way to represent encrypted keys, and
> > the kadmin protocol has no facility to export encrypted keys. One
> > could, in principle, design an out-of-band system which used
> > kadmin.local to create a keytab, encrypt the file, transmit the
> > encrypted keytab file to the server, and then decrypt the file on the
> > server (into a memory filesystem, perhaps) before running the server
> > application, but I've never heard of anyone doing that.
>
> You have kind of a chicken and an egg problem, since in a typical Kerberos
> environment the keytab *is* the core identity keys for an application. If
> it's encrypted, then you need some other unencrypted keys that *really*
> represent the application, at which point why not use those keys for
> Kerberos directly?
>
> That said, if you had a private key in a TPM or some other sort of
> tamper-resistant hardware, I could see wanting to hand out Kerberos
> keytabs encrypted to the public key of the server. But you'd have to
> build the service to do key issuance that way yourself. (It wouldn't be
> horribly hard to build if you'd already done the work to build out the PKI
> and its TPM component.)
>
> But, even in that case, it's not clear to me what the keytab is then doing
> for you versus just using the PKI and using PKINIT to get Kerberos
> tickets. There are probably some practical uses for introducing the extra
> layer of complexity, but it's not obviously necessary.
>
> --
> Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
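As an added illustration of Greg's point that the keytab format has no way to represent an encrypted key (this is example code written for this note, not MIT krb5 code or anything from the thread): the script below writes and parses an MIT keytab in the version 0x0502 file format, then shows that the long-term key bytes sit in the file verbatim, and checks the one protection the format does rely on, file permissions. The realm, principal, timestamp and key bytes are constructed sample values; the parser follows the published keytab layout (int32 entry size, counted octet strings, 8-bit then optional 32-bit kvno), and the hole handling for deleted entries is included because real keytabs that have seen ktremove contain them.

```python
import os
import stat
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# MIT keytab file format, version 0x0502: every integer is big-endian.
KEYTAB_VERSION = b"\x05\x02"


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]   # e.g. ["host", "svc.example.com"]
    name_type: int          # KRB5_NT_PRINCIPAL == 1
    timestamp: int          # seconds since the epoch
    kvno: int
    enctype: int            # 18 == aes256-cts-hmac-sha1-96
    key: bytes              # the long-term key, stored unencrypted

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def encode_entry(e: KeytabEntry) -> bytes:
    body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
    for c in e.components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)   # keyblock
    body += struct.pack(">I", e.kvno)   # 32-bit kvno, written by modern kadmin
    # Leading int32 size excludes the size field itself; negative marks a hole.
    return struct.pack(">i", len(body)) + body


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_VERSION + b"".join(encode_entry(e) for e in entries)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # hole left by a removed entry: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno is present only if room remains
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(KeytabEntry(realm.decode(), comps, name_type,
                                   timestamp, kvno, enctype, key))
    return entries


def keytab_is_private(path: str) -> bool:
    """Keys are plaintext on disk, so the file must not be group/world accessible."""
    return not (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


# Constructed sample: realm, principal, timestamp and key are made-up values.
SAMPLE_ENTRY = KeytabEntry("EXAMPLE.COM", ["host", "svc.example.com"],
                           1, 1500000000, 3, 18, bytes(range(32)))


def demo() -> dict:
    """Write the sample entry to a mode-0600 file, parse it back, report findings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "svc.keytab")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(write_keytab([SAMPLE_ENTRY]))
        with open(path, "rb") as f:
            blob = f.read()
        entries = parse_keytab(blob)
        return {
            "private": keytab_is_private(path),
            "principals": [e.principal for e in entries],
            "kvno": entries[0].kvno,
            "key_offset": blob.find(SAMPLE_ENTRY.key),  # > 0: key bytes readable verbatim
        }


if __name__ == "__main__":
    print(demo())
```

The "key_offset" result is the whole point: the 32 key bytes are recoverable by anyone who can read the file, which is why the thread's alternatives (encrypting the file out of band, or a TPM-held key with PKINIT) are really about who can read the file, not about the format.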