Archives of Support Questions (Read Only)


question about keytab content

New Member

Hi,

I have not yet kerberized my Hadoop cluster. But I am wondering about the keytab (its content).

Originally, I thought a keytab entry was just 1..N pairs of (principal name, unencrypted secret key).

But recently, while trying to validate that point of view, I read (here, for example) that the secret key is stored encrypted. So that means there should be a master key somewhere to store the keytab's secret in encrypted form.

So, my (simple) questions:

- How is a secret key stored inside a keytab? Raw (unencrypted)? Encrypted?

- If it is stored encrypted, what is the master key used to encrypt the keytab's secret?

Thanks.

1 ACCEPTED SOLUTION

Master Mentor

@Dominique De Vito

When creating the KDC server, the database holds the master key.

  • The keytab contains pairs of Kerberos principals and keys in encrypted form.
  • The keytab is authenticated against the master key in the KDC server, which is generated using kdb5_util.

HTH
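For readers who want to see the on-disk layout the question asks about, the following is an added example (not from either poster) that builds and then parses one entry in the MIT keytab v2 (0x0502) binary format: a principal's components and realm, a timestamp, the key version number (kvno), the encryption type and the key block itself. The principal, timestamp, kvno and 32-byte key are constructed sample values, not real credentials; because the file carries the key block, protecting a keytab in practice rests on file permissions and on re-keying (which bumps the kvno).

```python
import struct

def _counted(buf, pos):
    """Read a uint16 length-prefixed octet string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(principal, kvno, enctype, key, timestamp=0):
    """Serialize one entry in the MIT keytab v2 (0x0502) layout; every field is big-endian."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                                # realm first, then each name component
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type 1 (KRB5_NT_PRINCIPAL), time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key     # key block: enctype, key length, key bytes
    body += struct.pack(">I", kvno)                         # optional 32-bit vno (needed once kvno > 255)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per entry, holding the fields exactly as they are stored in the file."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # a negative size marks a deleted slot: skip over it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:               # the 32-bit vno is optional; it wins when present and non-zero
            (v32,) = struct.unpack_from(">I", data, pos)
            kvno = v32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries

# Constructed sample: one service principal with a made-up 32-byte key (enctype 18 = aes256-cts-hmac-sha1-96).
SAMPLE_KEY = bytes(range(32))
SAMPLE_KEYTAB = build_keytab("hdfs/node1.example.com@EXAMPLE.COM", 3, 18, SAMPLE_KEY, timestamp=1500000000)
```

`parse_keytab(SAMPLE_KEYTAB)` returns the single entry with its key block intact, which is the same view that `klist -k` gives of a real file (minus the key bytes).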

New Member

Geoffrey Shelton Okot

Thanks for your answer.

Unfortunately for me, it leads to more (inner) questions 😉

1) While the client/Kerberos dialogues are well described with a non-encrypted secret key for the client (as described in Wikipedia), I have not yet found a description explaining how the parties agree to work together when the client side has only an encrypted secret key in a keytab.

2) I don't see why things are improved by encrypting the secret key in a keytab. AFAIU an identity could be stolen by copying a keytab, and in that case, having a secret key inside the keytab, encrypted or not, does not seem to change anything related to protection against keytab copying.

Some things are still obscure for me.

About (1): do you have any link pointing to a detailed protocol description for the case of working with an encrypted secret key in a keytab?

Thanks again.