What is a keytab exactly?


Question

I am trying to understand how Kerberos works and so came across this file called Keytab which, I believe, is used for authentication to the KDC server.

Just like every user and service(say Hadoop) in a kerberos realm has a service principal, does every user and service have a keytab file?

Also, does authentication using keytab work on symmetric key cryptography or public-private key?

Answer

To answer your two questions, every user and service does not need a keytab file and keytabs use symmetric key cryptography.

I'm going to explain a bit more based on my understanding of how keytabs are used in mixed networks of Windows and non-Windows systems using Active Directory as the directory service. If the directory service is something other than AD, which is the most popular directory service out there, then I am not as familiar with how the keytab would be used, but I imagine the concepts would be the exact same since it is all based on Kerberos. Again, in enterprise networks, every user and service does not need a keytab file.

Keytabs are cryptographic files containing a representation of the service and its long-term key (what Samson referred to as the password) as it exists in the directory service. In an Active Directory realm, keytabs are especially useful for services running on a non-Windows platform protected by the Kerberos protocol.

Keytabs are used to either

  1. decrypt the Kerberos service ticket of an inbound AD user to the service, or
  2. authenticate the service itself to another service on the network.

Point #2 is especially useful, since, as Samson said, a service cannot manually type in its password to authenticate itself, so the long-term key is helpfully encoded into the file. This is why the keytab file itself is sensitive and needs to be protected.

For additional in-depth information regarding keytabs, you can read more about keytabs here: Kerberos Keytabs – Explained.

I frequently go back and edit it based on questions I see here in this forum.
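To make the answer's description concrete (a keytab is a file holding a principal name, a key version number, an encryption type and the long-term key itself), here is an added example that is not part of the question or the answer above. It parses the MIT version-2 keytab format (magic bytes 0x05 0x02, each entry prefixed by a signed 32-bit size, negative sizes marking deleted slots), reports what is in the file without ever exposing the key bytes, flags entries whose encryption type is deprecated by RFC 8429 (DES, 3DES, RC4), and checks the file mode, since the answer's point is that the keytab is the service's credential and must be protected. The sample keytab is constructed in code; it is not a real file, and the principal names and key bytes are made up.

```python
import os
import stat
import struct
import tempfile
from dataclasses import dataclass

# Encryption-type numbers are the IANA/RFC 3961 and RFC 4757 assignments;
# these five are the ones RFC 8429 deprecates.
DEPRECATED_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                       16: "des3-cbc-sha1", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # components joined with '/', then '@REALM'
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int     # only the length is kept: the key bytes are the secret


def _counted(buf, pos):
    """Read a 16-bit length-prefixed octet string (MIT 'counted_octet_string')."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_entry(buf):
    """Decode one keytab entry body (size prefix already stripped)."""
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, pos = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        c, pos = _counted(buf, pos)
        comps.append(c)
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, pos)
    pos += 9
    enctype, key_len = struct.unpack_from(">HH", buf, pos)
    pos += 4
    key = buf[pos:pos + key_len]        # long-term key; never log or print it
    pos += key_len
    kvno = vno8
    if len(buf) - pos >= 4:             # optional 32-bit kvno overrides the 8-bit field
        (vno32,) = struct.unpack_from(">I", buf, pos)
        if vno32:
            kvno = vno32
    principal = b"/".join(comps).decode() + "@" + realm.decode()
    return KeytabEntry(principal, name_type, timestamp, kvno, enctype, len(key))


def parse_keytab(data):
    """Walk a version-2 keytab: 2-byte magic, then size-prefixed entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                    # negative size marks a deleted slot; skip its bytes
            off += -size
            continue
        entries.append(parse_entry(data[off:off + size]))
        off += size
    return entries


def deprecated_keys(entries):
    """Principals whose stored key uses a deprecated encryption type."""
    return [(e.principal, DEPRECATED_ENCTYPES[e.enctype])
            for e in entries if e.enctype in DEPRECATED_ENCTYPES]


def keytab_permission_issues(path):
    """A keytab should be readable only by the service account that uses it."""
    mode = os.stat(path).st_mode
    issues = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("keytab is readable or writable by group/other (mode %o)"
                      % stat.S_IMODE(mode))
    return issues


# --- constructed sample data below; not a real keytab ---
def _entry(realm, comps, kvno, enctype, key, timestamp=1700000000, name_type=1):
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)     # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def sample_keytab():
    realm = b"EXAMPLE.COM"
    deleted = struct.pack(">i", -8) + b"\x00" * 8   # a deleted slot (negative size)
    return (b"\x05\x02"
            + _entry(realm, [b"HTTP", b"web01.example.com"], 3, 18, b"\x11" * 32)
            + deleted
            + _entry(realm, [b"HTTP", b"web01.example.com"], 3, 17, b"\x22" * 16)
            + _entry(realm, [b"host", b"web01.example.com"], 2, 23, b"\x33" * 16))


def demo_permission_check():
    """Create a temp file, check it at mode 0600 and then at 0644; return both results."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        ok = keytab_permission_issues(path)
        os.chmod(path, 0o644)
        bad = keytab_permission_issues(path)
    finally:
        os.remove(path)
    return ok, bad


if __name__ == "__main__":
    for e in parse_keytab(sample_keytab()):
        print(f"{e.principal:40} kvno={e.kvno} enctype={e.enctype} key_len={e.key_len}")
    print("deprecated:", deprecated_keys(sample_keytab() and parse_keytab(sample_keytab())))
    print("permission check (0600, 0644):", demo_permission_check())
```

The parser deliberately returns only the key length, which is the same discipline `klist -kt` follows: an inventory of a keytab (which principals, which kvno, which enctypes) is useful for auditing, but the key bytes themselves are equivalent to the service's password and should never appear in logs or tickets. The kvno field matters operationally because a keytab whose kvno lags the one in the directory (after a password reset or `ktpass`/`msktutil` re-run) silently stops decrypting inbound tickets.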
