
I am attempting to make a keytab using ktutil. I get to choose the encryption type, but the ktutil man page does not offer a list of possible choices. I also don't know which encryption method is the best! How can I find out both of these? I want the strongest encryption available.

$ ktutil
> add_entry -password -p me@DOMAIN.COM -k 1 -e [what goes here?!]
Dylan Klomparens

2 Answers

The ktutil solution provided by 84104 is correct if you are trying to make a keytab for a service. It's a terrible idea for a keytab that you want to use for some automated process as it will randomize the password and make the account unusable without the keytab.

If you are using the keytab as a password store to feed to kinit to automate a process, I would suggest you use whatever enctype that you get when you run kinit using a password.

klist -e

will list out a bunch of stuff; the line you want is this one. Use the etype listed with ktutil.

    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Be warned, this use of ktutil is exactly the same as storing your password in a clear text file: anybody that can read the keytab can impersonate your identity to the system. Also, these commands are the MIT version; Heimdal ktutil and klist are somewhat different. (Heimdal is the Kerberos version used on recent versions of OS X.)

  • And despite you wanting to use the strongest encryption, make sure you're only using encryption as strong as your Kerberos server supports and is configured to accept. – Ryan Bolger Aug 27 '15 at 18:56
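As an added example that is not part of the answer above: the two steps it describes (read the session-key etype from `klist -e`, then hand that etype to `ktutil add_entry`) can be done without retyping the enctype by hand. The `klist -e` output below is constructed for offline use, and the principal `me@EXAMPLE.COM` and keytab path are placeholders; the functions print the ktutil commands rather than running ktutil, so nothing here touches a real credential cache.

```shell
# Constructed sample of MIT `klist -e` output (not captured from a real host).
# The "Etype (skey, tkt)" line is the one the answer tells you to look for.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: me@EXAMPLE.COM

Valid starting       Expires              Service principal
08/27/2015 10:00:00  08/27/2015 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Print the session-key enctype, i.e. the first item after "Etype (skey, tkt):".
# Reads `klist -e` output on stdin; only the first matching line is used.
ticket_etype() {
    sed -n 's/^[[:space:]]*Etype (skey, tkt):[[:space:]]*\([^,]*\),.*/\1/p' | head -n 1
}

# Emit the ktutil command script that adds a password-derived entry for
# PRINCIPAL with enctype ETYPE and writes it to KEYTAB.  The password itself
# is never placed on the command line; ktutil prompts for it interactively.
# Usage: ktutil_script me@EXAMPLE.COM "$(klist -e | ticket_etype)" /path/to/me.keytab
ktutil_script() {
    principal=$1
    etype=$2
    keytab=$3
    printf 'add_entry -password -p %s -k 1 -e %s\nwrite_kt %s\nquit\n' \
        "$principal" "$etype" "$keytab"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | ticket_etype
ktutil_script me@EXAMPLE.COM "$(printf '%s\n' "$SAMPLE_KLIST" | ticket_etype)" /tmp/me.keytab
```

The etype derived this way is, by construction, one the KDC already issued for this principal, which is the point of the comment above: it is only as strong as the server is configured to accept, and the resulting keytab is a cleartext-equivalent credential that should get the same file permissions as a password file.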

Don't use ktutil unless you're trying to make a keytab from an existing keytab. Use kadmin instead.

# kadmin -p user/admin
Password for user/admin@EXAMPLE.COM:
kadmin: add_principal -randkey service/server.example.com
WARNING: no policy specified for service/server.example.com@EXAMPLE.COM; defaulting to no policy
Principal "service/server.example.com@EXAMPLE.COM" created.
kadmin:  ktadd -k /etc/service/service.keytab service/server.example.com
Entry for principal service/server.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab
Entry for principal service/server.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab
kadmin: quit

Depending on your kdc's kdc.conf you may end up with different encryption:salt types. The default list is:

aes256-cts-hmac-sha1-96:normal
aes128-cts-hmac-sha1-96:normal
des3-cbc-sha1:normal
arcfour-hmac-md5:normal

You can also limit (or expand) the enctypes used in the keytab when creating it by using -e and specifying the desired types.


If you are trying to make a keytab from an existing keytab:

# ktutil
ktutil: read_kt /etc/krb5.keytab
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6   host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2    6   host/server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   3    3   HTTP/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4    3   HTTP/server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
ktutil: delete_entry 1
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6   host/server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   2    3   HTTP/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3    3   HTTP/server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
ktutil: delete_entry 1
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3   HTTP/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2    3   HTTP/server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
ktutil: write_kt /etc/httpd/http.keytab
ktutil: quit
# klist -ke /etc/httpd/http.keytab
Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- ---------------------------------------------------------------------
    3   HTTP/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
    3   HTTP/server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
84104

  • I am authenticating against a Windows Active Directory server and using kadmin is not a possibility. – Dylan Klomparens Aug 15 '14 at 13:08
  • "Don't use ktutil unless you're trying to make a keytab from an existing keytab. Use kadmin instead." -- would you clarify why? Is it just to make sure the principal names are also created? – Samuel Harmer Feb 01 '18 at 09:57
  • @Styne666 The key space of -randkey is greater than the key space of all type-able keys. – 84104 Feb 02 '18 at 17:23
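Two things in the answer above are easy to get wrong when scripted, so here is an added example (not from the answer or from the MIT Kerberos project) covering both: auditing a `klist -ke` listing for the weaker enctypes in the default `supported_enctypes` list (DES, 3DES and RC4/arcfour), and generating `delete_entry` commands in an order that survives ktutil's slot renumbering, which is why the transcript above deletes slot 1 twice rather than slots 1 and 2. The keytab listing is constructed for offline use; the principal and path are placeholders.

```shell
# Constructed sample of `klist -ke` output (not captured from a real keytab).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- ---------------------------------------------------------------------
   3   HTTP/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3   HTTP/server.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   2   HTTP/server.example.com@EXAMPLE.COM (arcfour-hmac-md5)
   2   HTTP/server.example.com@EXAMPLE.COM (des3-cbc-sha1)'

# Read `klist -ke` output on stdin and print "KVNO principal enctype" for each
# entry whose enctype is DES-, 3DES- or RC4-based.  Data lines are recognised
# by a numeric KVNO in field 1 and a parenthesised enctype in field 3; the
# "Keytab name:" and header lines do not match and are skipped.
weak_keytab_entries() {
    awk '
        $1 ~ /^[0-9]+$/ && $3 ~ /^\(.*\)$/ {
            enctype = substr($3, 2, length($3) - 2)
            if (enctype ~ /^(des|arcfour)/) print $1, $2, enctype
        }'
}

# Emit ktutil delete_entry commands for the given slot numbers, highest slot
# first.  ktutil renumbers the remaining slots after every deletion, so deleting
# from the top keeps each remaining target slot number valid.
# Usage: ktutil_delete_script 1 2 | ...  (paste into an interactive ktutil
# session after read_kt, then write_kt to a new file)
ktutil_delete_script() {
    printf '%s\n' "$@" | sort -rn | while read -r slot; do
        printf 'delete_entry %s\n' "$slot"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | weak_keytab_entries
ktutil_delete_script 1 2
```

On a real host the first function would be fed by `klist -ke /etc/httpd/http.keytab`; any entry it reports is a key that the page's own default list still permits but that only exists for clients that cannot do AES, and it can be removed from the keytab with the same read_kt / delete_entry / write_kt sequence shown in the answer once the KDC no longer issues tickets with that enctype.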