|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
Packit |
fd8b60 |
<head>
|
|
Packit |
fd8b60 |
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
Packit |
fd8b60 |
<title>Ticket management — MIT Kerberos Documentation</title>
|
|
Packit |
fd8b60 |
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
|
|
Packit |
fd8b60 |
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
|
|
Packit |
fd8b60 |
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
|
|
Packit |
fd8b60 |
<script type="text/javascript">
|
|
Packit |
fd8b60 |
var DOCUMENTATION_OPTIONS = {
|
|
Packit |
fd8b60 |
URL_ROOT: '../',
|
|
Packit |
fd8b60 |
VERSION: '1.18.2',
|
|
Packit |
fd8b60 |
COLLAPSE_INDEX: false,
|
|
Packit |
fd8b60 |
FILE_SUFFIX: '.html',
|
|
Packit |
fd8b60 |
HAS_SOURCE: true,
|
|
Packit |
fd8b60 |
SOURCELINK_SUFFIX: '.txt'
|
|
Packit |
fd8b60 |
};
|
|
Packit |
fd8b60 |
</script>
|
|
Packit |
fd8b60 |
<script type="text/javascript" src="../_static/jquery.js"></script>
|
|
Packit |
fd8b60 |
<script type="text/javascript" src="../_static/underscore.js"></script>
|
|
Packit |
fd8b60 |
<script type="text/javascript" src="../_static/doctools.js"></script>
|
|
Packit |
fd8b60 |
<link rel="author" title="About these documents" href="../about.html" />
|
|
Packit |
fd8b60 |
<link rel="index" title="Index" href="../genindex.html" />
|
|
Packit |
fd8b60 |
<link rel="search" title="Search" href="../search.html" />
|
|
Packit |
fd8b60 |
<link rel="copyright" title="Copyright" href="../copyright.html" />
|
|
Packit |
fd8b60 |
<link rel="next" title="User config files" href="user_config/index.html" />
|
|
Packit |
fd8b60 |
<link rel="prev" title="Password management" href="pwd_mgmt.html" />
|
|
Packit |
fd8b60 |
</head>
|
|
Packit |
fd8b60 |
<body>
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="C">Contents |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="P">previous |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="N">next |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="I">index |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="S">Search |
|
|
Packit |
fd8b60 |
feedback
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Ticket management¶
|
|
Packit |
fd8b60 |
On many systems, Kerberos is built into the login program, and you get
|
|
Packit |
fd8b60 |
tickets automatically when you log in. Other programs, such as ssh,
|
|
Packit |
fd8b60 |
can forward copies of your tickets to a remote host. Most of these
|
|
Packit |
fd8b60 |
programs also automatically destroy your tickets when they exit.
|
|
Packit |
fd8b60 |
However, MIT recommends that you explicitly destroy your Kerberos
|
|
Packit |
fd8b60 |
tickets when you are through with them, just to be sure. One way to
|
|
Packit |
fd8b60 |
help ensure that this happens is to add the kdestroy command
|
|
Packit |
fd8b60 |
to your .logout file. Additionally, if you are going to be away from
|
|
Packit |
fd8b60 |
your machine and are concerned about an intruder using your
|
|
Packit |
fd8b60 |
permissions, it is safest to either destroy all copies of your
|
|
Packit |
fd8b60 |
tickets, or use a screensaver that locks the screen.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Kerberos ticket properties¶
|
|
Packit |
fd8b60 |
There are various properties that Kerberos tickets can have:
|
|
Packit |
fd8b60 |
If a ticket is forwardable, then the KDC can issue a new ticket
|
|
Packit |
fd8b60 |
(with a different network address, if necessary) based on the
|
|
Packit |
fd8b60 |
forwardable ticket. This allows for authentication forwarding without
|
|
Packit |
fd8b60 |
requiring a password to be typed in again. For example, if a user
|
|
Packit |
fd8b60 |
with a forwardable TGT logs into a remote system, the KDC could issue
|
|
Packit |
fd8b60 |
a new TGT for that user with the network address of the remote system,
|
|
Packit |
fd8b60 |
allowing authentication on that host to work as though the user were
|
|
Packit |
fd8b60 |
logged in locally.
|
|
Packit |
fd8b60 |
When the KDC creates a new ticket based on a forwardable ticket, it
|
|
Packit |
fd8b60 |
sets the forwarded flag on that new ticket. Any tickets that are
|
|
Packit |
fd8b60 |
created based on a ticket with the forwarded flag set will also have
|
|
Packit |
fd8b60 |
their forwarded flags set.
|
|
Packit |
fd8b60 |
A proxiable ticket is similar to a forwardable ticket in that it
|
|
Packit |
fd8b60 |
allows a service to take on the identity of the client. Unlike a
|
|
Packit |
fd8b60 |
forwardable ticket, however, a proxiable ticket is only issued for
|
|
Packit |
fd8b60 |
specific services. In other words, a ticket-granting ticket cannot be
|
|
Packit |
fd8b60 |
issued based on a ticket that is proxiable but not forwardable.
|
|
Packit |
fd8b60 |
A proxy ticket is one that was issued based on a proxiable ticket.
|
|
Packit |
fd8b60 |
A postdated ticket is issued with the invalid flag set. After the
|
|
Packit |
fd8b60 |
starting time listed on the ticket, it can be presented to the KDC to
|
|
Packit |
fd8b60 |
obtain valid tickets.
|
|
Packit |
fd8b60 |
Ticket-granting tickets with the postdateable flag set can be used
|
|
Packit |
fd8b60 |
to obtain postdated service tickets.
|
|
Packit |
fd8b60 |
Renewable tickets can be used to obtain new session keys without
|
|
Packit |
fd8b60 |
the user entering their password again. A renewable ticket has two
|
|
Packit |
fd8b60 |
expiration times. The first is the time at which this particular
|
|
Packit |
fd8b60 |
ticket expires. The second is the latest possible expiration time for
|
|
Packit |
fd8b60 |
any ticket issued based on this renewable ticket.
|
|
Packit |
fd8b60 |
A ticket with the initial flag set was issued based on the
|
|
Packit |
fd8b60 |
authentication protocol, and not on a ticket-granting ticket.
|
|
Packit |
fd8b60 |
Application servers that wish to ensure that the user’s key has been
|
|
Packit |
fd8b60 |
recently presented for verification could specify that this flag must
|
|
Packit |
fd8b60 |
be set to accept the ticket.
|
|
Packit |
fd8b60 |
An invalid ticket must be rejected by application servers.
|
|
Packit |
fd8b60 |
Postdated tickets are usually issued with this flag set, and must be
|
|
Packit |
fd8b60 |
validated by the KDC before they can be used.
|
|
Packit |
fd8b60 |
A preauthenticated ticket is one that was only issued after the
|
|
Packit |
fd8b60 |
client requesting the ticket had authenticated itself to the KDC.
|
|
Packit |
fd8b60 |
The hardware authentication flag is set on a ticket which required
|
|
Packit |
fd8b60 |
the use of hardware for authentication. The hardware is expected to
|
|
Packit |
fd8b60 |
be possessed only by the client which requested the tickets.
|
|
Packit |
fd8b60 |
If a ticket has the transit policy checked flag set, then the KDC
|
|
Packit |
fd8b60 |
that issued this ticket implements the transited-realm check policy
|
|
Packit |
fd8b60 |
and checked the transited-realms list on the ticket. The
|
|
Packit |
fd8b60 |
transited-realms list contains a list of all intermediate realms
|
|
Packit |
fd8b60 |
between the realm of the KDC that issued the first ticket and that of
|
|
Packit |
fd8b60 |
the one that issued the current ticket. If this flag is not set, then
|
|
Packit |
fd8b60 |
the application server must check the transited realms itself or else
|
|
Packit |
fd8b60 |
reject the ticket.
|
|
Packit |
fd8b60 |
The okay as delegate flag indicates that the server specified in
|
|
Packit |
fd8b60 |
the ticket is suitable as a delegate as determined by the policy of
|
|
Packit |
fd8b60 |
that realm. Some client applications may use this flag to decide
|
|
Packit |
fd8b60 |
whether to forward tickets to a remote host, although many
|
|
Packit |
fd8b60 |
applications do not honor it.
|
|
Packit |
fd8b60 |
An anonymous ticket is one in which the named principal is a
|
|
Packit |
fd8b60 |
generic principal for that realm; it does not actually specify the
|
|
Packit |
fd8b60 |
individual that will be using the ticket. This ticket is meant only
|
|
Packit |
fd8b60 |
to securely distribute a session key.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Obtaining tickets with kinit¶
|
|
Packit |
fd8b60 |
If your site has integrated Kerberos V5 with the login system, you
|
|
Packit |
fd8b60 |
will get Kerberos tickets automatically when you log in. Otherwise,
|
|
Packit |
fd8b60 |
you may need to explicitly obtain your Kerberos tickets, using the
|
|
Packit |
fd8b60 |
kinit program. Similarly, if your Kerberos tickets expire,
|
|
Packit |
fd8b60 |
use the kinit program to obtain new ones.
|
|
Packit |
fd8b60 |
To use the kinit program, simply type kinit and then type your
|
|
Packit |
fd8b60 |
password at the prompt. For example, Jennifer (whose username is
|
|
Packit |
fd8b60 |
jennifer) works for Bleep, Inc. (a fictitious company with the
|
|
Packit |
fd8b60 |
domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would
|
|
Packit |
fd8b60 |
type:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.]
|
|
Packit |
fd8b60 |
shell%
|