3.67.3. KrbKeyTab Previous topic Parent topic Child topic Next topic

This optional parameter provides the path to a Kerberos keytab file. When this option is present, a service ticket will be obtained as part of each Kerberos authentication attempt to guard against Key Distribution Center spoofing. By default, the keytab is examined to locate the key for the service radius/server@realm where server is the fully qualified domain name of the machine running Radiator and realm is the Kerberos realm used during authentication. The name of the service may be overridden with the KrbService parameter, the fully qualified domain name with the KrbServer parameter and the realm with the KrbRealm parameter.
# Enable KDC spoof detection using service ticket
KrbKeyTab /etc/krb5-radius.keytab