question about keytab content

Explorer

Hi,

I have not kerberized my Hadoop cluster yet. But, I am wondering about keytab (content).

Originally, I thought a keytab entry is just 1 to N pairs of (principal name, unencrypted secret key).

But, recently, while trying to validate that point of view, I have read, here for example, that the secret key is stored encrypted. So that means there should be a master key somewhere used to store the keytab's secret in encrypted form.

So, my (simple) questions:

- How is a secret key stored inside a keytab? Raw (unencrypted)? Encrypted?

- If stored encrypted, what is the master key used to encrypt the keytab's secret?

Thanks.

1 ACCEPTED SOLUTION

Master Mentor

@Dominique De Vito

When creating the KDC server, the database holds the Master key.

  • The keytab contains pairs of Kerberos principals and keys in encrypted form
  • The Keytab is authenticated against the Master key in the KDC server, which is generated using kdb5_util

HTH

2 REPLIES

Explorer

Geoffrey Shelton Okot

Thanks for your answer.

Unfortunately for me, it leads to more (inner) questions 😉

1) While the client/Kerberos dialogs are well described with a non-encrypted secret key for the client (as described in Wikipedia), I have not yet found a description explaining how the parties agree to work together when the client side has only an encrypted secret key in a keytab.

2) I don't see why things are improved by encrypting the secret key in a keytab. AFAIU an identity could be stolen by copying a keytab, and in that case having a secret key inside the keytab, encrypted or not, does not seem to change anything regarding protection against keytab copying.

Some things are still obscure to me.

About (1): do you have any link pointing to a detailed protocol description for working with an encrypted secret key in a keytab?

Thanks again.
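The question at the top of the thread, how a key sits inside a keytab, and the follow-up point about copying a keytab can both be answered by reading the file format itself, so here is an added example (not from this thread, Cloudera, or MIT Kerberos) that builds a small MIT-format keytab (version 0x0502) and parses it back. It shows that each entry carries the principal, kvno, enctype and the key bytes written as-is into the file, which is why protection of a keytab rests on file ownership and permissions rather than on a KDC master key. The principal name, timestamp and 16-byte key below are constructed placeholders, not real credentials.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2; all integers are big-endian

def build_entry(principal, timestamp, kvno, enctype, key):
    """Serialise one keytab entry; used here only to construct the sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))  # v2 counts name components without the realm
    for s in [realm] + comps:  # realm first, then each name component
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: raw key bytes, no wrapping
    body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Walk every entry of a v2 keytab and return the principals and key material."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []
        for _ in range(ncomp + 1):  # realm, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]  # the key, exactly as stored on disk
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": f"{'/'.join(parts[1:])}@{parts[0]}",
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries

# Constructed sample: one AES128 (enctype 17) entry with a made-up 16-byte key.
SAMPLE_KEY = bytes(range(16))
SAMPLE_KEYTAB = KEYTAB_MAGIC + build_entry("nn/host.example.com@EXAMPLE.COM", 1500000000, 3, 17, SAMPLE_KEY)
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab`; the key bytes it returns are the same bytes anyone who can read the file obtains, which is why a keytab is kept owner-readable only.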