<html lang="en">
<head>
<title>Kerberos V5 System Administrator's Guide</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Kerberos V5 System Administrator's Guide">
<meta name="generator" content="makeinfo 4.5">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home">
</head>
<body>
<div class="node">
<p>
Node:<a name="Keytabs">Keytabs</a>,
Next:<a rel="next" accesskey="n" href="Clock-Skew.html#Clock%20Skew">Clock Skew</a>,
Previous:<a rel="previous" accesskey="p" href="Application-Servers.html#Application%20Servers">Application Servers</a>,
Up:<a rel="up" accesskey="u" href="Application-Servers.html#Application%20Servers">Application Servers</a>
<hr><br>
</div>

<h3 class="section">Keytabs</h3>

<p>A <dfn>keytab</dfn> is a host's copy of its own keylist, which is analogous
to a user's password.  An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
and key.  Just as it is important for users to protect their passwords,
it is equally important for hosts to protect their keytabs.  You should
always store keytab files on local disk, and make them readable only by
root, and you should never send a keytab file over a network in the
clear.  Ideally, you should run the <code>kadmin</code> command to extract a
keytab on the host on which the keytab is to reside.

<ul class="menu">
<li><a accesskey="1" href="Adding-Principals-to-Keytabs.html#Adding%20Principals%20to%20Keytabs">Adding Principals to Keytabs</a>: 
<li><a accesskey="2" href="Removing-Principals-from-Keytabs.html#Removing%20Principals%20from%20Keytabs">Removing Principals from Keytabs</a>: 
</ul>

</body></html>