How is the password encrypted in the keytab file?

I am using keytab files for Linux systems to authenticate services with Kerberos. I am wondering how this password is actually stored in this keytab file. As we know, in /etc/passwd passwords are saved after applying a one-way hashing method; therefore, it is impossible to calculate the plaintext password from it.

But how is this done in the keytab file? Does the process using the keytab somehow need to know the password for user authentication?! Is it encrypted with a master password, so that it can be decrypted?

I use this to create a keytab file:

$ ktutil
ktutil:  addent -password -p my_user@MYREALM -k 1 -e rc4-hmac
Password for my_user@MYREALM:
ktutil:  wkt my_user.keytab
ktutil:  quit

With this keytab, I can get a krbtgt without entering a password. When creating the keytab, there is no connection with AD/KDC (therefore, there is no common secret that could be added for signing or something else).

So how is the password encrypted in keytab? If this is not a hashing algorithm, is it possible to decrypt it?

+4
1 answer

In general, a password-based Kerberos key comes from applying the key derivation function of the particular algorithm to the user-provided password, using the user principal name as a salt (so that two principals with the same password will not have the same key). The actual key derivation functions used are defined in RFC 3961 and RFC 3962; however, the RC4 profile is defined elsewhere (by Microsoft).


+6
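As an added worked example (not part of the original answer), here is the RFC 3962 AES string-to-key written out in Go with the standard library only: the salt is the realm concatenated with the principal name (the RFC 4120 default), the password goes through PBKDF2-HMAC-SHA1, and the result is passed through the RFC 3961 DK step with the constant "kerberos". It covers both aes128 and aes256 key sizes; the realm, principal and password in main are constructed values, and the n-fold constant is taken from the RFC 3961 test vector rather than computed.

```go
package main
import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte { // PBKDF2-HMAC-SHA1 (RFC 2898)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)}) // INT(i)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}
// n-fold("kerberos") to one AES block, taken from the RFC 3961 test vector.
var nfoldKerberos, _ = hex.DecodeString("6b65726265726f737b9b5b2b93132b93")
// DK(tkey, "kerberos"): AES-encrypt the n-folded constant under tkey, chaining each output block back in (RFC 3961 DR).
func deriveKey(tkey []byte, keyLen int) []byte {
	c, _ := aes.NewCipher(tkey)
	prev, out := nfoldKerberos, []byte{}
	for len(out) < keyLen {
		next := make([]byte, 16)
		c.Encrypt(next, prev)
		out, prev = append(out, next...), next
	}
	return out[:keyLen]
}
// RFC 3962 string-to-key for aes128 (keyLen 16) and aes256 (keyLen 32); the RFC 4120
// default salt is the realm followed by the principal name with no separator.
func StringToKey(password, realm, principal string, iter, keyLen int) []byte {
	return deriveKey(pbkdf2SHA1([]byte(password), []byte(realm+principal), iter, keyLen), keyLen)
}
func main() { // constructed input; 4096 is the RFC 3962 default iteration count
	fmt.Printf("%x\n", StringToKey("password", "MYREALM", "my_user", 4096, 32))
}
```

The derivation is one-way, which is why the keytab holds a key rather than anything the KDC could turn back into the password; since it is also deterministic for a given principal, the key can still be tested against guessed passwords offline, so a keytab file needs the same file permissions and handling as the password itself.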

Source: https://habr.com/ru/post/1616400/

