Create a keytab file for automated access to DartFS

Tags: Kerberos

A keytab file holds a Kerberos key derived from a user's password in Dartmouth's Active Directory (i.e. the password of a NetID).  Thus a keytab can be used by automated processes which need access to services like DartFS without the password itself being stored anywhere in plain text.  Keep in mind that, for authentication, the key in the keytab is as good as the password: anyone who can read the file can act as that NetID.

Important: It is almost never a good idea to create a keytab file for your real NetID, because anyone (or any process) that can read it would have everything your NetID has: email, Canvas, DartFS storage, etc.  By obtaining a "service account" and creating a keytab for that instead, you can restrict the keytab's access to only what the automated job really needs.  Request a service account at https://services.dartmouth.edu/TDClient/1806/Portal/Requests/ServiceDet?ID=30581

Use the ktutil tool in Linux to create a keytab file (we have not figured out how to make this work on Mac/Windows).  You will need to know the following four things to proceed. 

  • the netid for your service account
  • the password for the service account
  • the encryption type you want to use (this is always aes256-cts-hmac-sha1-96 for DartFS)
  • the "key version number" (kvno) for your service account (basically a count of how many times the password has been changed)

The Research Computing Linux systems named Polaris, Andes and Discovery have everything you need.  You likely already have an account on them and can log in to any one of them with your personal NetID and password (not the service account) to get started.  If not, you can request access at https://rcweb.dartmouth.edu/accounts/

  • ssh to polaris
  • Use the kinit command to create a ticket cache called "temp_ticket_cache" for your service account.  You need this in order to look up the account's kvno so you can pass it to ktutil in a later step.  Ask kvno for a ticket to the service account principal itself: the number it reports is the version of that account's key, which is what the keytab entry must carry.  (Asking kvno for krbtgt/KIEWIT.DARTMOUTH.EDU@KIEWIT.DARTMOUTH.EDU instead would report the version of the KDC's own krbtgt key, which has nothing to do with your account.)
$ kinit -c temp_ticket_cache serviceaccount_netid 
$ kvno -c temp_ticket_cache serviceaccount_netid@KIEWIT.DARTMOUTH.EDU
serviceaccount_netid@KIEWIT.DARTMOUTH.EDU: kvno = 3
$ rm temp_ticket_cache
  • Now run ktutil, which is an interactive program whose prompt is "ktutil: ".  You are going to use its "add_entry" and "write_kt" commands before quitting.  Note the "-k 3" argument to add_entry: 3 is the kvno you found in the previous step.  Type the NetID in the principal exactly as it is spelled in Active Directory; the key ktutil derives from the password is salted with the realm and the account name, so a capitalization difference produces a key the KDC will not accept.  The "add_entry" command is all one line - it may be shown split below.
$ ktutil
ktutil: add_entry -password -p serviceaccount_netid@KIEWIT.DARTMOUTH.EDU -e aes256-cts-hmac-sha1-96 -k 3
  (enter password at the prompt)
ktutil: write_kt ./mykey 
ktutil: quit
  • Now you have a file "mykey" (the name is unimportant) containing the key derived from the password.  Copy the file to where it is needed over a private channel such as scp, make it readable only by the account that runs the job (mode 0600, owned by that account), and try it out - and protect it carefully, because it *is* the password to your service account!

Note: ktutil never contacts the KDC, so it does not check that the password is correct.  If you typed it wrong (or later change the password) this keytab file won't work.  As long as you know the password, you can always create a new keytab file.  An easy way to validate the keytab file is to create a ticket cache using it.  You will get an error if the password is wrong.

$ kinit -c temp_ticket_cache -k -t mykey serviceaccount_netid@KIEWIT.DARTMOUTH.EDU
  (no output here is good)
$ rm temp_ticket_cache
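The whole procedure as a script, added here as an example and not part of the original article: it drives ktutil from stdin (so the password never appears on a command line, where ps would show it to other users), creates the keytab readable by its owner only, and validates it with kinit exactly as above.  It assumes the MIT Kerberos client tools (ktutil, kinit, kdestroy) are installed, uses the KIEWIT.DARTMOUTH.EDU realm and aes256-cts-hmac-sha1-96 enctype from the article, and expects you to have already looked up the kvno; the script name make_keytab.sh and the function names are this example's own.

```shell
#!/bin/sh
# make_keytab.sh: create and validate a keytab for a service account.
# Added example, not code from the original article.  Assumes the MIT
# Kerberos client tools (ktutil, kinit, kdestroy) and the realm and enctype
# used in the article; the function and script names are this example's own.
#
# Usage:  sh make_keytab.sh serviceaccount_netid 3 ./mykey
#         (principal, kvno from the kvno step, output file)

REALM="KIEWIT.DARTMOUTH.EDU"
ENCTYPE="aes256-cts-hmac-sha1-96"

# Build the command script that is fed to ktutil on stdin.  add_entry -password
# reads the password from the following stdin line, so it never appears in a
# command line that other users could see with ps.
ktutil_script() {
    principal="$1"; kvno="$2"; password="$3"; outfile="$4"
    printf 'add_entry -password -p %s -e %s -k %s\n%s\nwrite_kt %s\nquit\n' \
        "$principal" "$ENCTYPE" "$kvno" "$password" "$outfile"
}

# A keytab is the account's password in another form, so it must be readable
# by its owner only.  Succeeds (exit 0) when group and other have no access.
# Parses ls -l rather than stat because stat's flags differ between systems.
keytab_perms_ok() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Prompt for the password without echoing it (POSIX stty; bash's read -s is
# not portable).  The prompt goes to stderr, the password to stdout.
read_password() {
    printf 'Password for %s: ' "$1" >&2
    stty -echo 2>/dev/null
    read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$pw"
}

make_keytab() {
    principal="$1"; kvno="$2"; outfile="${3:-./mykey}"
    case "$principal" in
        *@*) ;;                         # realm already given
        *)   principal="$principal@$REALM" ;;
    esac

    umask 077                           # the keytab is created owner-only
    pw=$(read_password "$principal")
    ktutil_script "$principal" "$kvno" "$pw" "$outfile" | ktutil || return 1
    unset pw
    chmod 600 "$outfile"
    keytab_perms_ok "$outfile" || {
        echo "refusing: $outfile is readable by others" >&2; return 1; }

    # ktutil never talks to the KDC, so a mistyped password or a NetID spelled
    # differently from Active Directory only shows up when the keytab is used.
    # Validate it as the article does, with a throwaway credential cache.
    cache=$(mktemp /tmp/keytab_check.XXXXXX)
    if kinit -c "$cache" -k -t "$outfile" "$principal"; then
        echo "keytab $outfile works for $principal"
        kdestroy -c "$cache"
    else
        echo "keytab $outfile FAILED for $principal (wrong password?)" >&2
        rm -f "$cache"
        return 1
    fi
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    make_keytab "$@"
fi
```

Run it on Polaris with the service account principal, the kvno and the output file as arguments.  The command builder and the permission check are separate functions so they can be sourced and exercised on their own, and the validation step uses kdestroy rather than rm so the throwaway cache is removed the way Kerberos expects.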

Details

Article ID: 81309
Created: Wed 6/19/19 7:11 PM
Modified: Wed 7/8/20 11:02 AM