Kerberos keytab

Da Rock rock_on_the_web at comcen.com.au
Mon Nov 10 04:52:50 PST 2008


On Mon, 2008-11-10 at 07:18 -0500, Ansar Mohammed wrote:
> Does anyone know what is the actual purpose of the Kerberos krb5.keytab
> file?
>
> I have a FreeBSD 7 configured to authenticate users via Kerberos (both
> apache and ssh).
>
> Although the authentication between apache and browser is still basic and
> between the ssh client and server is still keyboard interactive. FreeBSD
> validates the account in the background using Kerberos to AD. 

Actually, from my understanding (which may very well be basic, but I have
done some very extensive research), browser auth with Kerberos and Apache
may be possible on Firefox 2 and IE6. The older browsers are a dead
loss, but it will fall back gracefully, I've read. One thing that makes
this possible is navigating to about:config in Firefox and updating
negotiate URIs. In IE6 you don't need to do anything, but that does
increase the security risk (ergo the Firefox method of negotiate).

The keytab file (again, only from my understanding) contains the current
keys in use mapped to the users. These change as per the Kerberos TTL
settings for tickets.

Check the Kerberos site for further, more accurate info, and run a
Google search for browser Kerberos auth with Apache. You do need the
right module for Apache to achieve this though: mod_auth_kerb. Some only
offer a link between Apache and KDC with base64 encryption.

I'm pretty sure of my facts here, but I'll appreciate a correction of my
comments.


