Ticket forwarding failure

Douglas E. Engert deengert at anl.gov
Tue May 23 09:50:19 EDT 2006



Mike Dopheide wrote:
> In my experience only your TGT will be forwarded, not every ticket in your 
> credentials cache.  The tickets have your IP address encoded in them so 
> during the forwarding process you're actually getting a new TGT with the 
> IP address of the remote system you're telnetting into.

Although addresses are not used in tickets that much, now that we have
NAT changing addresses, the intent is to get a new ticket to forward which
would only be usable from the server's location. There is also the possibility
of adding restrictions into the ticket, that would limit how it could be used.
Although not done today, it could be very useful in the future.

I see that you have AFS. Your question should now be how do I get
an AFS token during login given the single forwarded TGT.


> 
> -Mike
> 
> 
>>*NOW* what am I doing wrong? :)  Why are my other
>>tickets not being forwarded?  MIT Kerberos 1.4.3
>>telnet and telnetd in use.
>>
>>jblaine > klist -f
>>Ticket cache: FILE:/tmp/krb5cc_p11561
>>Default principal: jblaine at JBTEST
>>
>>Valid starting     Expires            Service principal
>>05/22/06 15:20:08  05/23/06 01:20:08  krbtgt/JBTEST at JBTEST
>>        renew until 05/22/06 15:20:08, Flags: FRI
>>05/22/06 15:22:03  05/23/06 01:20:08  host/noodle.foo.com at JBTEST
>>        renew until 05/22/06 15:20:08, Flags: FRT
>>05/22/06 15:22:20  05/23/06 01:20:08  afs/jbtest at JBTEST
>>        renew until 05/22/06 15:20:08, Flags: FRT
>>
>>
>>Kerberos 4 ticket cache: /tmp/tkt26560
>>klist: You have no tickets cached
>>
>>jblaine > telnet -a -F 192.168.168.3
>>Trying 192.168.168.3...
>>Connected to noodle.foo.com (192.168.168.3).
>>Escape character is '^]'.
>>[ Kerberos V5 accepts you as ``jblaine at JBTEST'' ]
>>[ Kerberos V5 accepted forwarded credentials ]
>>Last login: Mon May 22 15:22:03 from noodle
>>Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
>>jblaine > klist -f
>>Ticket cache: FILE:/tmp/krb5cc_p11616
>>Default principal: jblaine at JBTEST
>>
>>Valid starting     Expires            Service principal
>>05/22/06 15:22:28  05/23/06 01:20:08  krbtgt/JBTEST at JBTEST
>>        renew until 05/22/06 15:20:08, Flags: FfRT
>>
>>
>>Kerberos 4 ticket cache: /tmp/tkt26560
>>klist: You have no tickets cached
>>jblaine >
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
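The two `klist -f` listings in the thread show the point being made: the local cache holds a forwardable TGT plus two service tickets, while the cache on the remote host holds only a new TGT carrying the "f" (forwarded) flag. The following is an added example, not code from the thread or from MIT Kerberos: a small parser for `klist -f` output that checks exactly that, so the same diagnosis can be made from a pasted listing. The flag letters are taken from the MIT krb5 `klist(1)` documentation; the two listings are transcribed from the thread with the archive's "user at REALM" obfuscation restored to "user@REALM"; the function names and the report format are this example's own.

```python
"""Check MIT `klist -f` output for a forwarded TGT and for service tickets
that were left behind (added example, not code from the original thread)."""
import re
from dataclasses import dataclass

# Transcribed from the thread: cache on the originating host (before telnet -F).
LOCAL_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_p11561
Default principal: jblaine@JBTEST

Valid starting     Expires            Service principal
05/22/06 15:20:08  05/23/06 01:20:08  krbtgt/JBTEST@JBTEST
        renew until 05/22/06 15:20:08, Flags: FRI
05/22/06 15:22:03  05/23/06 01:20:08  host/noodle.foo.com@JBTEST
        renew until 05/22/06 15:20:08, Flags: FRT
05/22/06 15:22:20  05/23/06 01:20:08  afs/jbtest@JBTEST
        renew until 05/22/06 15:20:08, Flags: FRT
"""

# Transcribed from the thread: cache created on noodle.foo.com by telnetd.
REMOTE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_p11616
Default principal: jblaine@JBTEST

Valid starting     Expires            Service principal
05/22/06 15:22:28  05/23/06 01:20:08  krbtgt/JBTEST@JBTEST
        renew until 05/22/06 15:20:08, Flags: FfRT
"""

# Flag letters as documented for MIT krb5 klist(1).
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "H": "hardware authenticated", "A": "preauthenticated",
    "T": "transit policy checked", "O": "okay as delegate", "a": "anonymous",
}

_STAMP = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^{_STAMP}\s+{_STAMP}\s+(?P<service>\S+)$")
FLAGS_RE = re.compile(r"Flags: (?P<flags>\S+)")


@dataclass
class Ticket:
    service: str
    flags: str

    @property
    def is_tgt(self) -> bool:
        return self.service.startswith("krbtgt/")


def parse_klist(text: str) -> list[Ticket]:
    """Return one Ticket per 'Valid starting' row; flags come from the
    following 'renew until ..., Flags: ...' line when present."""
    lines = text.splitlines()
    tickets = []
    for i, line in enumerate(lines):
        m = TICKET_RE.match(line)
        if not m:
            continue
        flags = ""
        if i + 1 < len(lines):
            fm = FLAGS_RE.search(lines[i + 1])
            if fm:
                flags = fm.group("flags")
        tickets.append(Ticket(m.group("service"), flags))
    return tickets


def describe_flags(flags: str) -> list[str]:
    """Expand a klist flag string such as 'FfRT' into its documented meanings."""
    return [FLAG_NAMES.get(c, f"unknown({c})") for c in flags]


def forwarding_report(local_text: str, remote_text: str) -> dict:
    """Compare the originating and remote caches: was the TGT forwardable,
    did the remote side receive a forwarded TGT, and which service tickets
    from the local cache are absent on the remote side."""
    local, remote = parse_klist(local_text), parse_klist(remote_text)
    remote_services = {t.service for t in remote}
    return {
        "local_tgt_forwardable": any(t.is_tgt and "F" in t.flags for t in local),
        "remote_tgt_forwarded": any(t.is_tgt and "f" in t.flags for t in remote),
        "not_forwarded": sorted(t.service for t in local
                                if not t.is_tgt and t.service not in remote_services),
    }


if __name__ == "__main__":
    report = forwarding_report(LOCAL_KLIST, REMOTE_KLIST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the thread's listings the report says the local TGT was forwardable, the remote TGT is marked forwarded, and the `host/` and `afs/` service tickets are the ones not carried over, which is the expected result rather than a failure: only the TGT is forwarded, and any further service tickets (including whatever the AFS token is derived from) have to be obtained on the remote host using that TGT.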