ktab - Kerberos key table manager

ktab allows the user to manage the principal names and service keys stored in a local key table. Principal and key pairs listed in the keytab allow services running on a host to authenticate themselves to the Key Distribution Center (KDC). Before a server can be setup to use Kerberos, the user must setup a keytab on the host running the server. Note that any updates made to the keytab using ktab do not affect the Kerberos database. If you change the keys in the keytab, you must also make the corresponding changes to the Kerberos database.


ktab [ commands ]


ktab manages principal name and key pairs in the key table. ktab allows the user to list, add, update or delete principal names and key pairs in the key table. None of these operations affect the Kerberos database.


Usage: The command line options are not case-sensitive.

ktab -help

ktab -l [-k <keytab_name>]

ktab [-a <principal_name> <password>] [-k <keytab_name>]

ktab [-d <principal_name>] [-k <keytab_name>]

Command Option Description
-l List the keytab name and entries.
-a <principal_name> <password> Add an entry to the keytab. No changes are made to the Kerberos database. (DO NOT SPECIFY YOUR PASSWORD ON COMMAND LINE OR IN A SCRIPT.)
-d <principal_name> Delete an entry from the keytab. No changes are made to the Kerberos database.
-k <keytab_name> Specify keytab name and path with the prefix FILE:
-help Displays instructions.


To list all the entries in the default keytable:
ktab -l
To add a new principal to the key table (note that you will be prompted for your password):
ktab -a duke@java.sun.com
To delete a principal from the key table:
ktab -d duke@java.sun.com


Do not specify your password on the command line. Doing so is a security hole. For example, an attacker could discover your password while running the Unix ps command.