Create a host principal using MIT Kerberos

Tested on

Debian (Lenny, Squeeze)
Ubuntu (Lucid)

Objective

To create a host principal using MIT Kerberos

Background

A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services. A principal that corresponds to a network host is called a host principal and has a name of the form:

host/<hostname>@<realm>

Host principals are needed for two reasons:

In this respect a host principal serves essentially the same function as a service principal, except that it refers to the host as a whole rather than to any specific network service. Services that authenticate using the host principal include OpenSSH and the Kerberos V PAM module (pam_krb5).

Scenario

Suppose you wish to allow users to log in to the machine www.example.com using SSH with GSSAPI authentication, so that those with a suitable Kerberos ticket need not supply a password. The machine belongs to the Kerberos realm EXAMPLE.COM.

In order to achieve this it is necessary for the machine to have a host principal, which should be named host/www.example.com@EXAMPLE.COM.

Prerequisites

The method described here assumes that you already have:

Method

Host principals can be created using the addprinc command of kadmin in much the same way as user or service principals:

kadmin -q "addprinc -randkey host/www.example.com"

The -q option specifies a kadmin command to be executed, in this case addprinc.

The -randkey option of addprinc specifies that the encryption key should be chosen at random instead of being derived from a password. Hosts normally authenticate using a keytab, so they have no need for a password.

By default kadmin appends /admin to your default principal or username and attempts to authenticate to the admin server as that principal. You can specify an alternative admin principal using the -p option if required.

You do not need to be root to run kadmin; however, if you are not root, it will probably not be on your PATH. A common location for the executable is /usr/sbin/kadmin.

It is often convenient to run kadmin on the machine for which the host principal is needed, particularly if you also intend to create a keytab. You should do this only if you are willing to trust that machine with administrative rights to the realm as a whole; otherwise, choose a machine that you do trust (such as the KDC).

On Debian-based systems kadmin is provided by the krb5-user package, whereas on Red Hat-based systems it is provided by the krb5-workstation package.

Testing

You can check that the host principal exists using the getprinc command of kadmin:

kadmin -q "getprinc host/www.example.com"

If the principal exists then you should see output similar to the following:

Principal: host/www.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Mar 12 21:18:37 GMT 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Mar 12 21:18:37 GMT 2012 (bofh/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

If it does not then you should see an error of the form:

get_principal: Principal does not exist while retrieving "host/www.example.com@EXAMPLE.COM".
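The create-then-check steps above, combined into an added shell example that is not from the original page: it assumes kadmin is on your PATH (or that the script's own KADMIN variable names it, e.g. /usr/sbin/kadmin) and that you are authenticated as an admin principal. It creates the host principal only if getprinc does not already report it, verifies the result, and flags keys that still use single DES, as both keys in the sample output above do not (one is Triple DES, one is single DES).

```sh
#!/bin/sh
# Added example (not from the original page): create host/<hostname> with a
# random key only if it is absent, then inspect the enctypes that getprinc
# reports. KADMIN defaults to plain "kadmin"; set it to /usr/sbin/kadmin when
# kadmin is not on your PATH. The variable name is this script's own convention.
KADMIN="${KADMIN:-kadmin}"

# Succeed if getprinc reports the principal: kadmin prints a "Principal: ..."
# line when it exists and a "Principal does not exist" error otherwise.
principal_exists() {
    $KADMIN -q "getprinc $1" 2>&1 | grep -q '^Principal: '
}

# Create host/<hostname> with -randkey unless it already exists.
# Returns 0 if created and verified, 2 if it was already there, 1 on failure.
ensure_host_principal() {
    princ="host/$1"
    if principal_exists "$princ"; then
        echo "$princ already exists; leaving it unchanged" >&2
        return 2
    fi
    $KADMIN -q "addprinc -randkey $princ" || return 1
    # Re-read the principal instead of trusting addprinc's exit status alone.
    principal_exists "$princ"
}

# Print one enctype per line, taken from the "Key: vno N, <enctype>, ..." lines.
key_enctypes() {
    $KADMIN -q "getprinc $1" 2>&1 | sed -n 's/^Key: vno [0-9]*, \([^,]*\).*$/\1/p'
}

# Succeed if any key still uses single DES (deprecated by RFC 6649 and refused
# by current KDCs and clients), as the second key in the sample output does.
has_weak_keys() {
    key_enctypes "$1" | grep -q '^DES cbc mode'
}
```

A host whose only keys are DES will not be able to authenticate SSH users against a modern KDC, so has_weak_keys is worth running after the principal is created and before you export it to a keytab.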

Next steps

Having created a host principal, you will normally want to add it to the default keytab (/etc/krb5.keytab). See Add a host or service principal to a keytab using MIT Kerberos for instructions.

Tags: kerberos