How does keytab work exactly?

dorothy picture dorothy · Aug 7, 2014 · Viewed 7.9k times · Source

i have some questions on using keytab for Authentication hope the kind people here can enlightend me

Say, i have userA who is going to use a service running at port 1010. First, userA will login to Active Directory to authenticate himself.

enter image description here

After login, userA will try to connect to the server to use its service 1010. In order for the server to verify that UserA is who he is, I need to use setspn to register SPN at the Active Directory. eg

setspn -s service1010/mydomain.com serviceaccount1

Then need to generate ktab file at Active directory, eg

ktab -a serviceprincal1010/[email protected] -k mykeytab.keytab

and then bring mykeytab.keytab to the server.

At the server, I would use JAAS with a login config to query the KDC eg

ServicePrincipalLoginContext
{
  com.sun.security.auth.module.Krb5LoginModule required    
  principal=serviceprincal1010/[email protected] 
  doNotPrompt=true useKeyTab=true keyTab=mykeytab.keytab storeKey=true;

};

From this point on, I am confused. How does userA get verified (ie, userA is actually who he is? ).

Answer

Fred the Magic Wonder Dog picture Fred the Magic Wonder Dog · Aug 12, 2014

Your diagram is wrong. You have a basic misunderstanding about how kerberos works. ( It's fairly common by the way). A service that uses kerberos for authentication NEVER talks to the kdc. All it ever does is use it's secret key ( keytab ) to decrypt blobs that are presented by the user.

The only part of kerberos that ever talks to the KDC is the client or user side. When it attempts to access the service at port 1010, it first asks the KDC for a service ticket for that service. This is a blob encrypted with the service's secret key that has the user's identity inside it. ( plus a bunch of other protocol related stuff ).

If you have an GSS based api inside your service on port 1010, all you need to do is tell that API where the keytab is and then ask it what the userid is on the connection. You never need to make any other connections to external services. I am not familiar with the Java API's, but there should only be one or two calls required to verify the user credentials.

While this dialogue doesn't exactly match the version of Kerberos currently in use, it will help you understand the basic principals.

http://web.mit.edu/kerberos/dialogue.html