Reputation: 4010
It might be a silly question, but I want to know why it's happening...
I have a keytab file for Kerberos authentication. I want to list the kvno and principal name contained in the keytab file using the ktab command. Assume my keytab file is kumar.keytab
ktab -l -k kumar.keytab
When I execute the above command, it displays the kvno and principal 5 times.
Keytab name: kumar.keytab
KVNO Principal
---- ----------------------------
3 Kumar/[email protected]
3 Kumar/[email protected]
3 Kumar/[email protected]
3 Kumar/[email protected]
3 Kumar/[email protected]
My question is: why is it displaying the same value 5 times?
Help would be appreciated.
Thanks,
Upvotes: 6
Views: 15976
Reputation: 1
Each line represents a key for the desired encryption as defined in the krb5 file. For example: rc4-hmac, des3-cbc-sha1, etc.
Upvotes: 0
Reputation: 2261
Using Java's ktab you can specify the "-e" and "-t" arguments to let it show the encryption types and the timestamps. The "-help" argument will show more info.
C:\Users\test>ktab -l -e -t
Keytab name: C:\Users\test\krb5.keytab
KVNO Timestamp Principal
---- -------------- ---------------------------------------------------
4 25/05/17 07:56 [email protected] (17:AES128 CTS mode with HMAC SHA1-96)
4 25/05/17 07:56 [email protected] (16:DES3 CBC mode with SHA1-KD)
4 25/05/17 07:56 [email protected] (23:RC4 with HMAC)
Upvotes: 6
Reputation: 9109
My experience has been that the Java Kerberos tools are often incomplete and/or broken. If you use the Kerberos tools from either the MIT or Heimdal libraries, you'll see exactly what those 4 versions are.
For example, using the ktutil list command from the Heimdal Kerberos libraries you get:
FILE:/etc/krb5.keytab:
Vno Type Principal Aliases
6 aes256-cts-hmac-sha1-96 host/[email protected]
6 arcfour-hmac-md5 host/[email protected]
A keytab contains an entry for each key version number, encryption type and principal name. All 3 have to be in agreement for the Kerberos protocol to work. Kerberos supports multiple encryption types and part of the protocol is negotiating which encryption type to use. This allows newer versions of the software to support older clients that don't have all the latest encryption.
Upvotes: 4