Kerberos ktutil, what kinds of encryption are available?

The ktutil solution provided by 84104 is correct if you are trying to make a keytab for a service. It's a terrible idea for a keytab that you want to use for some automated process as it will randomize the password and make the account unusable without the keytab.

If you are using the keytab as a password store to feed to kinit to automate a process, I would suggest you use whatever enctype that you get when you run kinit using a password.

klist -e

will list out a bunch of stuff; the line you want is this one. Use the etype listed with ktutil.

    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Be warned: this use of ktutil is exactly the same as storing your password in a clear text file; anybody that can read the keytab can impersonate your identity to the system. Also, these commands are the MIT version; Heimdal ktutil and klist are somewhat different. (Heimdal is the Kerberos version used on recent versions of OS X.)


Don't use ktutil unless you're trying to make a keytab from an existing keytab. Use kadmin instead.

    # kadmin -p user/admin
    Password for user/[email protected]:
    kadmin: add_principal -randkey service/server.example.com
    WARNING: no policy specified for service/[email protected]; defaulting to no policy
    Principal "service/[email protected]" created.
    kadmin:  ktadd -k /etc/service/service.keytab service/server.example.com
    Entry for principal service/server.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab
    Entry for principal service/server.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab
    kadmin: quit

Depending on your kdc's kdc.conf you may end up with different encryption:salt types. The default list is:

    aes256-cts-hmac-sha1-96:normal
    aes128-cts-hmac-sha1-96:normal
    des3-cbc-sha1:normal
    arcfour-hmac-md5:normal

You can also limit (or expand) the enctypes used in the keytab when creating it by using -e and specifying the desired types.


If you are trying to make a keytab from an existing keytab:

    # ktutil
    ktutil: read_kt /etc/krb5.keytab
    ktutil:  l -e
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    6   host/[email protected] (aes256-cts-hmac-sha1-96)
       2    6   host/[email protected] (camellia256-cts-cmac)
       3    3   HTTP/[email protected] (aes256-cts-hmac-sha1-96)
       4    3   HTTP/[email protected] (camellia256-cts-cmac)
    ktutil: delete_entry 1
    ktutil:  l -e
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    6   host/[email protected] (camellia256-cts-cmac)
       2    3   HTTP/[email protected] (aes256-cts-hmac-sha1-96)
       3    3   HTTP/[email protected] (camellia256-cts-cmac)
    ktutil: delete_entry 1
    ktutil:  l -e
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3   HTTP/[email protected] (aes256-cts-hmac-sha1-96)
       2    3   HTTP/[email protected] (camellia256-cts-cmac)
    ktutil: write_kt /etc/httpd/http.keytab
    ktutil: quit
    # klist -ke /etc/httpd/http.keytab
    Keytab name: FILE:/etc/httpd/http.keytab
    KVNO Principal
    ---- ---------------------------------------------------------------------
        3   HTTP/[email protected] (aes256-cts-hmac-sha1-96)
        3   HTTP/[email protected] (camellia256-cts-cmac)
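Both answers come down to which enctypes end up in a keytab and who can read it. As an added example (not from either answer, and not part of MIT or Heimdal krb5), the script below parses the MIT keytab file format (version 0x0502) directly, so an auditor can list principals, kvno and enctype for every entry and flag the deprecated DES/3DES/RC4 types from the default `supported_enctypes` list without invoking `ktutil` or `klist`. It also skips the negative-size slots that `delete_entry` leaves behind. The sample keytab is constructed in memory; the realm `EXAMPLE.COM`, the zero key bytes and the extra RC4 entry are placeholders, not values from the page.

```python
"""Added example: parse an MIT keytab (format 0x0502) and flag deprecated enctypes.

The sample keytab below is constructed in memory so the script runs without a
KDC or krb5 tools; the realm EXAMPLE.COM and the key bytes are placeholders.
"""
import struct

# IANA Kerberos enctype numbers for the types named in the answers above.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac-md5",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
# DES, 3DES and RC4 are deprecated (RFC 6649 / RFC 8429); a keytab that still
# carries them leaves a key that is cheap to brute-force on disk.
WEAK_ENCTYPES = {1, 3, 16, 23}


def _read_cos(buf, off):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return (principal, kvno, enctype, keylen) tuples; key material is not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size = slot freed by delete_entry; skip it
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, off = _read_cos(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_cos(entry, off)
            comps.append(comp)
        off += 4                     # name_type (present in 0x0502 files)
        off += 4                     # timestamp
        kvno = entry[off]            # 8-bit kvno
        off += 1
        enctype, keylen = struct.unpack(">HH", entry[off:off + 4])
        off += 4 + keylen            # skip the key bytes themselves
        if off + 4 <= size:          # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack(">I", entry[off:off + 4])
            kvno = vno32 or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, keylen))
    return entries


def audit_keytab(data):
    """Return one finding string per entry whose enctype is deprecated."""
    findings = []
    for principal, kvno, enctype, _ in parse_keytab(data):
        if enctype in WEAK_ENCTYPES:
            name = ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype)
            findings.append("%s (kvno %d) uses deprecated %s" % (principal, kvno, name))
    return findings


def _build_entry(principal, kvno, enctype, key):
    """Serialise one entry in the same layout parse_keytab reads (used for the sample only)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">II", 1, 0)              # name_type KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the two HTTP entries from the answer above plus a leftover
# RC4 entry and one deleted slot, as a keytab edited with ktutil might contain.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _build_entry("HTTP/server.example.com@EXAMPLE.COM", 3, 18, b"\x00" * 32)
    + _build_entry("HTTP/server.example.com@EXAMPLE.COM", 3, 26, b"\x00" * 32)
    + struct.pack(">i", -8) + b"\x00" * 8
    + _build_entry("HTTP/server.example.com@EXAMPLE.COM", 2, 23, b"\x00" * 16)
)

if __name__ == "__main__":
    for principal, kvno, enctype, keylen in parse_keytab(SAMPLE_KEYTAB):
        print("%4d  %s (%s, %d-byte key)" % (kvno, principal, ENCTYPE_NAMES.get(enctype, enctype), keylen))
    for finding in audit_keytab(SAMPLE_KEYTAB):
        print("WEAK:", finding)
```

To check a real file, replace `SAMPLE_KEYTAB` with `open("/etc/httpd/http.keytab", "rb").read()`; the parser deliberately never returns the key bytes, so its output can be logged without leaking what the first answer warns is equivalent to a clear text password. Heimdal keytabs use the same 0x0502 layout, so the parser applies there too.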