ktab - Unix, Linux Command
ktab - Kerberos key table manager
ktab allows the user to manage the principal names
and service keys stored in a
local key table. Principal and key
pairs listed in the keytab allow services running
on a host to authenticate themselves to the
Key Distribution Center (KDC). Before
a server can be setup to use Kerberos, the
user must setup a keytab on the host
running the server. Note that any updates
made to the keytab using ktab do not
affect the Kerberos database. If you change the
keys in the keytab, you must also
make the corresponding changes to the Kerberos database.
ktab manages principal name and key pairs
in the key table.
ktab allows the user to list, add, update
or delete principal names and key pairs in
the key table. None of these operations
affect the Kerberos database.
A keytab is a hosts copy of its own
keylist, which is analogous to a
users password. An application
server that needs to authenticate itself
to the Key Distribution Center (KDC)
must have a keytab which
contains its own principal and key.
Just as it is important for users to
protect their passwords, it is equally
important for hosts to protect
their keytabs. You should always store
keytab files on the local disk
and make them readable only by root.
You should never send a keytab
file over a network in the clear.
Usage: The command line options are not case
ktab -l [-k <keytab_name>]
ktab [-a <principal_name> <password>] [-k <keytab_name>]
ktab [-d <principal_name>] [-k <keytab_name>]
List the keytab name and entries.
Add an entry to the keytab. No changes are made
to the Kerberos database. (DO NOT SPECIFY YOUR
PASSWORD ON COMMAND LINE OR IN A SCRIPT.)
Delete an entry from the keytab. No changes are
made to the Kerberos database.
Specify keytab name and path with prefix FILE:
To list all the entries in the default keytable:
To add a new principal to the key table (note
that you will be prompted for your password):
To delete a principal from the key table:
Do not specify your password on the command line.
Doing so is a security hole. For example, an
attacker could discover your password while
running the Unix