Kerberos keytab files are located at /etc/krb5/krb5.keytab by convention, which is a non-user-specific location. That keytab (and all keytabs) can contain multiple entries.
Let's suppose a computer has three users: Alice, Bob, and Eve. They each add an entry to the shared keytab through the following process, but with their respective names:
$ ktutil
ktutil: addent -password -p [email protected] -e aes256-cts -k 1
Password for [email protected]:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 [email protected] (aes256-cts-hmac-sha1-96)
ktutil: wkt krb5.keytab
Later on, Alice, Bob, and Eve can all use their keytab entry to authenticate a script like so, respectively:
> kinit [email protected] -k -t mykeytab; myscript
What keeps Eve from using Alice or Bob's entries in the keytab? I haven't found anything explicitly covering how to keep keytabs with multiple entries secure. If we don't want Eve using Alice's entry, should they have separate keytabs protected by file permissions?
Or, is this the Kerberos trust model? If they each have access to this keytab, then we implicitly trust them to use any entry? Should we only have trusted services sharing a keytab?
Thanks in advance for tips. Just want to make sure I'm understanding the trust model correctly.
/etc/krb5.keytab(on RedHat) is the default location for authentication services (e.g. SSSD) to get their pwd and authenticate against a Kerberos KDC, and manage the security of the whole Linux system. Onlyrootshould have access. - Samson Scharfrichter