https://community.cloudera.com/t5/Archives-of-Support-Questions/question-about-keytab-content/m-p/218206#M79443 <BR /><P></P><P><A href="https://community.hortonworks.com/users/1271/sheltong.html">Geoffrey Shelton Okot</A></P>Thanks for your answer.<BR /><BR />Unfortunately for me, it leads to more (inner) questions <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /><BR />1) While the client/Kerberos dialogs are well-described with a non-encrypted secret key for the client (described in Wikipedia), I have not found yet a description explaining how parties agree to work together, when the client side has only an encrypted secret key in a keytab.<BR /><BR />2) I don't see why things are improved after encrypting the secret key in a keytab. AFAIU one identity could be stolen when copying a keytab, and then, in that case, having, inside the keytab, a secret key, encrypted or not, does not look like to change anything related to keytab copy protection.<BR /><BR />Some things are still obscure for me.<BR /><BR />About (1) : do you have any link pointing to a protocol detail description when working with an encrypted secret key in a keytab ?<BR /><BR />Thanks again. Mon, 18 Jun 2018 21:51:57 GMT ddv36a78 2018-06-18T21:51:57Z https://community.cloudera.com/t5/Archives-of-Support-Questions/question-about-keytab-content/m-p/218204#M79441 <P>Hi,</P><P>I have not yet kerberized my Hadoop cluster yet. But, I am wondering about keytab (content).</P><P>Originally, I thought a keytab entry is just 1..to..N couples (principal name, secret key <EM>unencrypted</EM>).</P><P>But, recently, while trying to validate that point of view, I have read, <A href="https://kb.iu.edu/d/aumh" target="_blank">here</A> for example, that the secret key is stored <EM>encrypted</EM>. So, it means then that there should be somewhere a master key to store the keytab's secret in an encrypted form.</P><P>So, my (simple) questions:</P><P>- How a secret key is stored inside a keytab ? raw (uncrypted) ? encrypted ? </P><P>- If stored encrypted, what is the master key to crypt keytab's secret ?</P><P>Thanks.</P> Fri, 16 Sep 2022 13:19:49 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/question-about-keytab-content/m-p/218204#M79441 ddv36a78 2022-09-16T13:19:49Z https://community.cloudera.com/t5/Archives-of-Support-Questions/question-about-keytab-content/m-p/218205#M79442 <P><EM><A href="@Dominique De Vito"> @Dominique De Vito</A><BR /></EM></P><P>When creating the KDC server the database holds the Master key</P><UL><LI><I>The keytab contains pairs of Kerberos principals and keys in the encrypted form </I></LI><LI><I>The Keytab is authenticated the against the Master key in KDC server which is generated using<STRONG> kdb5_util</STRONG></I></LI></UL><P><EM>HTH</EM></P> Mon, 11 Jun 2018 16:57:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/question-about-keytab-content/m-p/218205#M79442 Shelton 2018-06-11T16:57:53Z https://community.cloudera.com/t5/Archives-of-Support-Questions/question-about-keytab-content/m-p/218206#M79443 <BR /><P></P><P><A href="https://community.hortonworks.com/users/1271/sheltong.html">Geoffrey Shelton Okot</A></P>Thanks for your answer.<BR /><BR />Unfortunately for me, it leads to more (inner) questions <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /><BR />1) While the client/Kerberos dialogs are well-described with a non-encrypted secret key for the client (described in Wikipedia), I have not found yet a description explaining how parties agree to work together, when the client side has only an encrypted secret key in a keytab.<BR /><BR />2) I don't see why things are improved after encrypting the secret key in a keytab. AFAIU one identity could be stolen when copying a keytab, and then, in that case, having, inside the keytab, a secret key, encrypted or not, does not look like to change anything related to keytab copy protection.<BR /><BR />Some things are still obscure for me.<BR /><BR />About (1) : do you have any link pointing to a protocol detail description when working with an encrypted secret key in a keytab ?<BR /><BR />Thanks again. Mon, 18 Jun 2018 21:51:57 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/question-about-keytab-content/m-p/218206#M79443 ddv36a78 2018-06-18T21:51:57Z