Stefan Lechner

Reputation: 141

Is it safe to place a keytab on an external server

I wonder if we could place a keytab from our internal active-directory on a web-server out in the wild.

If I'm not completely wrong, there is no direct communication between the web-server and the active directory. SPNEGO does any negotiation across the client connection. Therefore this should work, but is it secure?

Let's assume the web server gets hacked, and the attacker can access the keytab file. May/does this affect the security of our internal active-directory, or do I "only" have a compromised web-server? Can the keytab file be used to figure out some internals of our network?

Edit: to clarify, Wikipedia provides a good article to better describe the situation. I'm talking about the Kc-s where we share a keytab between TGS and SS.


Kerberos protocol by Jeran Renz, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons https://en.wikipedia.org/wiki/Kerberos_(protocol)

Upvotes: 0

Views: 1021

Answers (1)

Steve

Reputation: 4623

The keytab file is just a mapping of SPNs to keys. The keys are the literal keys used to authenticate the service into Active Directory, or to verify tickets from Active Directory to the service.

So this is therefore equivalent to an attacker getting ahold of the service SPN and their password. Whether that's really bad or only kinda bad is something only you can decide.

Upvotes: 3
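The point of the answer, that a keytab is a list of SPNs and their keys, is easiest to see by reading one. The following is an added example, not code from the question or the answer: a small parser for the MIT keytab v2 on-disk layout (magic 0x05 0x02, then length-prefixed entries of principal components, realm, name type, timestamp, kvno, enctype and key), run over a constructed sample keytab for the hypothetical realm CORP.EXAMPLE and SPN HTTP/www.example.com. It inventories what the file discloses (realm, hostnames, key versions, enctypes) without ever emitting key bytes, which is the check a defender wants before placing such a file on a host they do not fully trust.

```python
import struct

# Assumed MIT keytab v2 layout: magic 05 02, then entries of
#   int32 size | uint16 ncomp | counted realm | counted comp... |
#   uint32 name_type | uint32 timestamp | uint8 vno8 |
#   uint16 enctype | counted key | [uint32 kvno if bytes remain]
# where "counted" is uint16 length + bytes. A negative size marks a deleted slot.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # RC4; the key is the account's NT hash
}
WEAK_ENCTYPES = {1, 3, 23}


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, p: int):
    (n,) = struct.unpack_from(">H", data, p)
    p += 2
    return data[p:p + n], p + n


def build_entry(realm, components, enctype, key, kvno, timestamp, name_type=1) -> bytes:
    """Serialise one keytab entry (used only to construct the sample file)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def build_deleted(n: int) -> bytes:
    """A deleted slot of n bytes, as left behind by 'ktutil delkey' style edits."""
    return struct.pack(">i", -n) + b"\x00" * n


def sample_keytab() -> bytes:
    """Constructed sample: one SPN with an AES256 key and an RC4 key, plus a deleted slot."""
    ts = 1_700_000_000
    aes_key = bytes(range(32))  # dummy key material, not a real key
    rc4_key = bytes(range(16))  # dummy key material, not a real key
    return b"\x05\x02" + b"".join([
        build_entry("CORP.EXAMPLE", ["HTTP", "www.example.com"], 18, aes_key, 3, ts),
        build_deleted(24),
        build_entry("CORP.EXAMPLE", ["HTTP", "www.example.com"], 23, rc4_key, 3, ts),
    ])


def parse_keytab(data: bytes):
    """Return a list of entry dicts; key bytes are never included, only their length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:          # deleted slot: skip its payload
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(data, p)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _read_counted(data, p)
        kvno = vno8
        if end - p >= 4:      # prefer the 32-bit kvno trailer when present
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "realm": realm.decode(), "components": comps,
            "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "kvno": kvno, "timestamp": timestamp, "key_len": len(key),
        })
        pos = end
    return entries


def assess(entries):
    """What a holder of this file learns, and which keys deserve immediate rotation."""
    findings = []
    for realm in sorted({e["realm"] for e in entries}):
        findings.append(f"realm disclosed: {realm}")
    for host in sorted({c for e in entries for c in e["components"][1:]}):
        findings.append(f"hostname disclosed: {host}")
    for e in entries:
        note = "key lets the holder decrypt and forge service tickets"
        if e["enctype"] in WEAK_ENCTYPES:
            note = f"weak enctype {e['enctype_name']}; rotate the account password"
        findings.append(f"{e['principal']} kvno {e['kvno']} {e['enctype_name']}: {note}")
    return findings


if __name__ == "__main__":
    for line in assess(parse_keytab(sample_keytab())):
        print(line)
```

Run against a real file with `parse_keytab(open(path, "rb").read())`; the `assess` output is what the question calls "internals of our network": the realm and the hostnames are readable by anyone holding the file, and every key entry, regardless of enctype, is as good as the service account's password for the purposes the answer describes.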
