A keytab is a host's copy of its own keylist, which is analogous to a
user's password.  An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
and key.  Just as it is important for users to protect their
passwords, it is equally important for hosts to protect their keytabs.
You should always store keytab files on local disk, and make them
readable only by root, and you should never send a keytab file over a
network in the clear.  Ideally, you should run the :ref:`kadmin(1)`
command to extract a keytab on the host on which the keytab is to

Adding principals to keytabs
----------------------------

To generate a keytab, or to add a principal to an existing keytab, use
the **ktadd** command from kadmin.

.. include:: ../admin_commands/kadmin_local.rst
   :end-before: _ktadd_end:

.. note:: Alternatively, the keytab can be generated using
          :ref:`ktutil(1)` **add_entry -password** and **write_kt**

Here is a sample session, using configuration files that enable only
*des-cbc-crc* encryption::

    kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU
    kadmin: Entry for principal host/daffodil.mit.edu@ATHENA.MIT.EDU with kvno 2, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
    kadmin: ktadd -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin kadmin/changepw
    kadmin: Entry for principal kadmin/admin@ATHENA.MIT.EDU with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
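
The storage rules stated at the top of this page (local disk, readable
only by root) can be checked on the host after **ktadd** has written
the file.  The script below is an added example, not part of the MIT
krb5 documentation or tools; it assumes GNU coreutils ``stat``, and the
function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a keytab against the storage guidance on this page.
# Assumes GNU coreutils stat(1); all function names are hypothetical.
# keytab_mode_ok FILE [OWNER_UID]
# Succeeds only if FILE is a regular file (not a symlink) owned by
# OWNER_UID (default 0, root) with no group or other permission bits.
keytab_mode_ok() {
    kt=$1
    want_uid=${2:-0}
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "$kt: not a regular file" >&2
        return 1
    fi
    info=$(stat -c '%u %a' -- "$kt") || return 1
    uid=${info% *}
    mode=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "$kt: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # %a is octal; a leading 0 makes the shell parse it as octal too.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$kt: mode $mode grants access to group or other" >&2
        return 1
    fi
}

# is_network_fs TYPE: TYPE as printed by `stat -f -c %T` (partial list).
is_network_fs() {
    case $1 in
        nfs|cifs|smb|smb2|afs|ceph|lustre) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_keytab [FILE [OWNER_UID]]: run both checks, report every failure.
audit_keytab() {
    kt=${1:-/etc/krb5.keytab}
    rc=0
    keytab_mode_ok "$kt" "${2:-0}" || rc=1
    fstype=$(stat -f -c '%T' -- "$kt" 2>/dev/null) || fstype=unknown
    if is_network_fs "$fstype"; then
        echo "$kt: on network filesystem ($fstype)" >&2
        rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then audit_keytab "$@"; fi
```

Run it with the keytab path as the argument; a non-zero exit status
means at least one check failed, with the reason on standard error.
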

Removing principals from keytabs
--------------------------------

To remove a principal from an existing keytab, use the kadmin

.. include:: ../admin_commands/kadmin_local.rst
   :start-after: _ktremove:
   :end-before: _ktremove_end: