Keytabs and Wallet
Introduction
The Wallet system manages keys and other secure data used by services. One of the most common types of secure data managed by Wallet is Kerberos keytabs. At Stanford, Wallet is the standard method used to manage keytabs for service principals.
Before following these instructions, review An Introduction to Keytabs, which explains principal naming and how keytabs are used.
Before using the Wallet client, ensure Kerberos is installed and configured on your system. You will need the Kerberos software and a valid krb5.conf configuration file.
Wallet is a free software project. Source code and documentation are available from the wallet distribution page. Wallet uses the remctl protocol, which relies on GSSAPI and Kerberos v5 to authenticate and encrypt a command/response network protocol.
Obtaining the wallet client
Debian / Ubuntu systems
You can install wallet-client from the Stanford Debian repository. Add the following line to /etc/apt/sources.list:
deb http://debian.stanford.edu/debian-stanford stable main
Add the following to /etc/apt/preferences (create the file if it does not exist):
Package: *
Pin: release o=Stanford
Pin-Priority: 200

Package: libremctl1
Pin: release o=Stanford
Pin-Priority: 600
Update package indexes:
aptitude update
Install the wallet client:
aptitude install wallet-client
This may install a newer version of the remctl libraries required by Wallet. The repository may not currently be signed, so you may see warnings about unsigned packages.
RHEL 8 and RHEL 9 systems
You can obtain the wallet-client packages from Stanford's yum repository. Access requires being on the Stanford network or connected through VPN.
RHEL 9 / Rocky Linux 9 / AlmaLinux 9
Download and install the repository configuration:
curl -o /etc/yum.repos.d/stanford-EL9.repo \
    https://yum.stanford.edu/repos/stanford/stanford-EL9/stanford-EL9-x86_64.repo
Install the wallet client:
dnf install wallet-client
RHEL 8 / Rocky Linux 8 / AlmaLinux 8
Download and install the repository configuration:
curl -o /etc/yum.repos.d/stanford-EL8.repo \
    https://yum.stanford.edu/repos/stanford/stanford-EL8/stanford-EL8-x86_64.repo
Install the wallet client:
dnf install wallet-client
This automatically installs the required remctl-client dependency.
Verify installation
dnf repolist | grep stanford
Other systems
For other systems, you may need to build the wallet client from source. You will need Kerberos development packages and will need to build and install both remctl and wallet.
Install remctl first since Wallet depends on its libraries.
Alternatively, you can log in to a system in the Remote Computing Facility and run Wallet there, then securely copy the keytab to the destination system.
When doing this, treat keytabs carefully since they are password-equivalent secrets.
- Create a secure directory:
mkdir /tmp/keytab-work
chmod 700 /tmp/keytab-work
- Run Wallet from that directory.
- Copy the keytab using an encrypted transfer such as scp or sftp.
- Remove the temporary copy once the keytab is in place on the destination system.
Configuring the wallet client
Configure the Wallet server in your krb5.conf file. Add the following to the [appdefaults] section:
wallet = {
    wallet_server = wallet.stanford.edu
}
The standard Stanford krb5.conf already includes this configuration.
Alternatively, you can specify the server manually when running Wallet:
wallet -s wallet.stanford.edu
Creating keytabs with wallet
First ensure that you have permission to create the keytab. For host-based service principals, Wallet uses NetDB for authorization.
You must be listed in NetDB as:
- User of the system
- Administrator of the system
- Member of an admin team for that system
If you are not listed, request that an administrator update the NetDB record.
Downloading a keytab
kinit <sunetid>
wallet -f <file> get keytab <principal>
Example:
kinit sunetid
wallet -f keytab get keytab webauth/example.stanford.edu
Do not include the realm (@stanford.edu) in the principal.
For host principals, the keytab should normally be stored at:
/etc/krb5.keytab
You can also authenticate directly with Wallet:
wallet -u <user> -f <file> get keytab <principal>
This performs the kinit internally. Each time this command downloads a keytab, any existing keytabs for that principal are invalidated.
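As an added example (not code from the Stanford documentation or from the Wallet project), the following POSIX shell wrapper applies the rules given above before calling the client: the principal must not carry a realm suffix, a host-based principal must use a fully-qualified hostname, and the downloaded keytab is created owner-only and checked with klist -k before it is moved into place. The wrapper's name, the use of mktemp, and the MIT Kerberos klist -k syntax are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Stanford Wallet documentation.
# Wraps "wallet ... get keytab" with the checks this page describes.
set -u

# validate_principal PRINCIPAL
# Exit 0 if the name is acceptable for "wallet get keytab":
#   - no realm suffix (the page says not to include @stanford.edu)
#   - a host-based principal (anything with "/") must name a fully-qualified
#     host, i.e. the instance after "/" must contain at least one dot
validate_principal() {
    p=$1
    case "$p" in
        "")  echo "error: empty principal" >&2; return 1 ;;
        *@*) echo "error: do not include the realm in '$p'" >&2; return 1 ;;
        */*) case "${p#*/}" in
                 *.*) return 0 ;;
                 *)   echo "error: '$p' needs a fully-qualified hostname" >&2; return 1 ;;
             esac ;;
        *)   return 0 ;;
    esac
}

# fetch_keytab PRINCIPAL DEST [extra wallet options, e.g. -s wallet.stanford.edu]
# Downloads into a 0700 work directory with a 077 umask (the keytab is
# password-equivalent), verifies it is readable as a keytab, then installs it
# with mode 0600. Note that the umask change persists in the calling shell.
fetch_keytab() {
    principal=$1; dest=$2; shift 2
    validate_principal "$principal" || return 1
    umask 077
    work=$(mktemp -d "${TMPDIR:-/tmp}/keytab-work.XXXXXX") || return 1
    rc=1
    if wallet "$@" -f "$work/keytab" get keytab "$principal"; then
        # MIT klist syntax: list the keytab's entries (principal and kvno)
        if klist -k "$work/keytab"; then
            mv "$work/keytab" "$dest" && chmod 600 "$dest" && rc=0
        else
            echo "error: downloaded file is not a readable keytab" >&2
        fi
    else
        echo "error: wallet failed for $principal" >&2
    fi
    rm -rf "$work"
    return $rc
}

# Usage when run as a script (assumed file name fetch-keytab.sh):
#   sh fetch-keytab.sh --fetch host/example.stanford.edu /etc/krb5.keytab
if [ "${1:-}" = "--fetch" ]; then
    shift
    fetch_keytab "$@"
fi
```

The validation deliberately rejects host/example (no domain) and webauth/example.stanford.edu@stanford.edu (realm included), the two mistakes this page calls out; a plain principal without an instance is passed through unchanged.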
Viewing keytab information
View keytab metadata:
wallet show keytab <principal>
View the complete keytab history:
wallet history keytab <principal>
Rekeying keytabs
Rekeying generates new keys while keeping existing keys so running services are not interrupted.
wallet-rekey <keytab>
If errors occur, Wallet continues rekeying remaining principals and creates a backup:
<keytab>.old
Restricting encryption types
Some older applications cannot handle modern Kerberos encryption types. You can restrict the encryption types used in a keytab:
wallet setattr keytab <principal> enctypes <enctype> ...
Supported encryption types include:
- aes256-cts
- des3-cbc-sha1
- des-cbc-crc
Avoid DES if at all possible: single-DES keys are cryptographically weak, and DES has been deprecated for Kerberos use (RFC 6649); triple-DES (des3-cbc-sha1) is likewise deprecated (RFC 8429), so prefer aes256-cts unless the application cannot use it.
Troubleshooting
Verify Kerberos authentication
kinit
klist
If this fails, check your Kerberos configuration (especially /etc/krb5.conf).
Firewall restrictions
Wallet requires outbound access to:
- wallet.stanford.edu:4373
Verify system clock
Kerberos requires the client clock to be within five minutes of the KDC's clock.
ntpdate time.stanford.edu
Check ticket address restrictions
klist -a
Tickets should show:
Addresses: (none)
If not, request address-less tickets:
kinit -A
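The address check above can be automated. The following POSIX shell helper is an added example, not part of the Stanford documentation: it parses klist -a output, reports whether every ticket shows "Addresses: (none)", and, when run against the live credential cache, prints the page's remedy (kinit -A). The Addresses: line format is MIT Kerberos klist output, and the SAMPLE_* strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Stanford Wallet documentation.

# tickets_addressless KLIST_OUTPUT
# Exit 0 if every "Addresses:" line reads "(none)", 1 if any ticket is bound
# to an address, 2 if there is no "Addresses:" line at all (not klist -a output).
tickets_addressless() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Addresses:/ { seen = 1; if ($0 !~ /\(none\)/) bad = 1 }
        END { if (!seen) exit 2; if (bad) exit 1; exit 0 }'
}

# Constructed sample: an address-less TGT, as the page says it should look.
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: sunetid@stanford.edu

Valid starting     Expires            Service principal
01/01/24 09:00:00  01/02/24 09:00:00  krbtgt/stanford.edu@stanford.edu
        Addresses: (none)'

# Constructed sample: a TGT bound to one client address (192.0.2.10 is a
# documentation address); such tickets break behind NAT or a VPN.
SAMPLE_BAD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: sunetid@stanford.edu

Valid starting     Expires            Service principal
01/01/24 09:00:00  01/02/24 09:00:00  krbtgt/stanford.edu@stanford.edu
        Addresses: 192.0.2.10'

# check_live_tickets: run the check against the current credential cache.
check_live_tickets() {
    out=$(klist -a 2>/dev/null) || { echo "no tickets found; run kinit first" >&2; return 1; }
    rc=0
    tickets_addressless "$out" || rc=$?
    case $rc in
        0) echo "ok: tickets are address-less" ;;
        1) echo "tickets carry address restrictions; re-run: kinit -A" >&2 ;;
        *) echo "no Addresses: line found in klist -a output" >&2 ;;
    esac
    return $rc
}

# Usage when run as a script (assumed file name check-tickets.sh):
#   sh check-tickets.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_tickets
fi
```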
Host-based principal issues
Use a fully-qualified hostname when downloading host-based principals.
Correct:
host/example.stanford.edu
Incorrect:
host/example
Verify NetDB permissions using:
whois -h whois.stanford.edu <system>.
(The trailing period is required.)
