[32682] in Kerberos
Forwardable tickets - need help
daemon@ATHENA.MIT.EDU (egrama)
Fri Sep 17 15:17:23 2010
From: egrama <egrama@gmail.com>
Date: Fri, 17 Sep 2010 10:40:19 -0700 (PDT)
Message-ID: <193d4e7b-a1d6-49b1-9c14-8119e38f1f1c@g10g2000vbc.googlegroups.com>
Mime-Version: 1.0
X-Complaints-To: groups-abuse@google.com
Complaints-To: groups-abuse@google.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi guys,
I am new to Kerberos so please bear with me and help me with this:
I am using MIT's kerberos that came with RHEL.
I want all the tickets for a particular principal to be non-forwardable.
I modified the principal accordingly using "modprinc -allow_forwardable <principal>".
On host A, I get a ticket with kinit and then issue a klist -f and I
have "Flags: RIA". So this ticket is not forwardable, right?
I take the ticket cache from /tmp/krb5cc_<uid> and move it to host B
in /tmp/krb5cc_<uid>. After this step, from host B I can authenticate
to other hosts without password, using only the cached ticket.
Shouldn't a non-forwardable ticket be good only on the host to which
it was issued (host A in our example)?
The MIT website states that:
"If a ticket is forwardable, then the KDC can issue a new ticket with
a different network address based on the forwardable ticket. This
allows for authentication forwarding without requiring a password to
be typed in again."
Is there an error in my implementation, or am I not understanding the
way Kerberos authentication should work?
Thanks,
Emil
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
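The check behind the question above, as an added example that is not part of the original post or of MIT's own tooling: the F flag in `klist -f` output only tells you whether the KDC will issue a forwarded TGT for a different address; it says nothing about whether a copied credential cache is usable. What matters for that is whether the ticket carries client addresses (`klist -a`), and MIT kinit requests address-less tickets by default. The script below parses constructed `klist -f -a` output in MIT's layout (a "Flags:" field, with "Addresses:" appended at the end of the same line when `-a` is given; adjust the regexes if your klist prints these fields differently), names each flag letter, and reports for every ticket whether it is forwardable and whether it is address-bound. The principal, cache path and service names in the sample are made up; `run_klist` is a convenience wrapper for running it against the real command on a host.

```python
"""Parse MIT `klist -f -a` output and report, per ticket, whether it is
forwardable and whether it carries client addresses.

Added example, not code from the original post or from MIT krb5.  The
sample output is constructed; the field layout assumed is the one MIT
klist prints (flags first, addresses last on the same tab-indented line).
"""
import re
import subprocess

# Single-letter ticket flags as printed by MIT `klist -f`.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "H": "hw-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# Constructed sample: the poster's situation (Flags: RIA, no addresses)
# plus a second, forwardable ticket that is bound to one address.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: emil@EXAMPLE.COM

Valid starting     Expires            Service principal
09/17/10 10:40:19  09/17/10 20:40:19  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: RIA, Addresses: (none)
09/17/10 10:41:02  09/17/10 20:40:19  host/b.example.com@EXAMPLE.COM
\tFlags: FRA, Addresses: 10.0.0.5
"""

# A ticket line: two date/time pairs followed by a service principal.
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<service>\S+@\S+)$")
FLAGS_RE = re.compile(r"Flags: (?P<flags>[A-Za-z]*)")
ADDR_RE = re.compile(r"Addresses: (?P<addrs>.*)$")


def parse_klist(text):
    """Return a list of {'service', 'flags', 'addresses'} dicts."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group("service"),
                            "flags": set(), "addresses": []})
            continue
        # Detail lines are tab-indented and belong to the preceding ticket.
        if not tickets or not line.startswith("\t"):
            continue
        fm = FLAGS_RE.search(line)
        if fm:
            tickets[-1]["flags"] = set(fm.group("flags"))
        am = ADDR_RE.search(line)
        if am and am.group("addrs").strip() != "(none)":
            tickets[-1]["addresses"] = [a.strip()
                                        for a in am.group("addrs").split(",")]
    return tickets


def describe_flags(flags):
    """Expand flag letters to names, in sorted letter order."""
    return [FLAG_NAMES.get(f, "unknown(%s)" % f) for f in sorted(flags)]


def assess(ticket):
    """Defender's reading of one ticket: F only governs whether the KDC
    will forward it; an address-less ticket is accepted from any host
    that holds the cache file, forwardable or not."""
    notes = []
    if "F" in ticket["flags"]:
        notes.append("forwardable: KDC will issue forwarded tickets for other hosts")
    else:
        notes.append("non-forwardable: KDC will refuse to forward it")
    if ticket["addresses"]:
        notes.append("address-bound to " + ", ".join(ticket["addresses"]))
    else:
        notes.append("no addresses: usable from any host holding the cache file")
    return "; ".join(notes)


def run_klist():
    """Parse the real `klist -f -a` on this host (not used by the sample)."""
    out = subprocess.run(["klist", "-f", "-a"], capture_output=True,
                         text=True, check=True).stdout
    return parse_klist(out)


if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        print(t["service"], describe_flags(t["flags"]))
        print("  ->", assess(t))
```

Run against the sample, the first ticket reports exactly the poster's case: not forwardable, but with no addresses, so the cache file works wherever it is copied. Binding tickets to addresses (kinit without `noaddresses`) narrows that, though address checks are a weak control; protecting the cache file itself (permissions, short lifetimes) is the real mitigation.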