
I am trying to set up a simple Kerberos environment in which a client server authenticates to a web service (in my case OpenSSH) via a Kerberos server.

I generated a keytab file on the KDC but am not quite sure which servers to copy the file to. Do I only need to copy it to the machine that is offering the service or also to the client machine that wants to authenticate to the service?

arne.z

1 Answer

In a normal situation, the keytab file you created (usually using a service account principal (or instance), for example ssh/hostname) should be placed on the "client" of that Kerberos service.

And on this client, you will use this keytab (caching the account credentials) to authenticate your service against the KDC, with a command like this one (in the case of a service, this is usually done by the service, in its code or via a script, at boot time):

kinit -kt /path/to/keytab.file principal/name

Keytabs somehow contain your account (or service account) credentials (e.g. principal & password) so that you don't have to authenticate manually but you can do it automatically using this keytab (and the keytab should have strict permissions, naturally).

Hope that helps.

Note: the KDC also uses keytabs; be careful not to upload this keytab to your client! It contains KDC/kadmin information!

To be sure that you are using the right one, you can connect to your KDC from the client using kadmin and create the keytab from there, for example:

client$ kadmin -p your_admin_login/admin  # log in to the KDC (prompts for the admin password)
kadmin:  ktadd -k /path/to/keytab.keytab <principal_name>  # write the keys of principal_name into a local keytab
kadmin:  exit
client$ kinit -kt /path/to/keytab.keytab <principal_name>  # test it: obtain a TGT using the keytab instead of a password
client$ <configure the keytab path in your app>

Regards,

olivierg

  • Thanks for your help. Just to be absolutely clear, by **client** do you mean the server on which the service is running or the server that authenticates to the service? I'm a bit confused with the terminology since sometimes all servers besides the KDC are called "clients" whereas the KDC is referred to as the **server**. – arne.z Jun 13 '17 at 20:57
  • The server on which the service is running. As long as the service is "kerberized", it means that this service (when starting) should authenticate against the KDC. – olivierg Jun 13 '17 at 21:00
  • So the accepted answer in https://serverfault.com/questions/454138/kerberos-authentication-service-host-and-access-to-kdc?rq=1 is wrong when it says "The service never needs to talk to the KDC"??? Thanks! – Osqui Oct 11 '19 at 01:45