Diffstat (limited to 'doc/html/user/tkt_mgmt.html')
-rw-r--r-- doc/html/user/tkt_mgmt.html 459
1 files changed, 459 insertions, 0 deletions
diff --git a/doc/html/user/tkt_mgmt.html b/doc/html/user/tkt_mgmt.html new file mode 100644 index 000000000000..e53d41cd43db --- /dev/null +++ b/doc/html/user/tkt_mgmt.html 
@@ -0,0 +1,459 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + + <title>Ticket management — MIT Kerberos Documentation</title> + + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.15.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> + <link rel="up" title="For users" href="index.html" /> + <link rel="next" title="User config files" href="user_config/index.html" /> + <link rel="prev" title="Password management" href="pwd_mgmt.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="pwd_mgmt.html" title="Password management" + accesskey="P">previous</a> | + <a href="user_config/index.html" title="User config files" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a 
href="mailto:krb5-bugs@mit.edu?subject=Documentation__Ticket management">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body"> + + <div class="section" id="ticket-management"> +<h1>Ticket management<a class="headerlink" href="#ticket-management" title="Permalink to this headline">¶</a></h1> +<p>On many systems, Kerberos is built into the login program, and you get +tickets automatically when you log in. Other programs, such as ssh, +can forward copies of your tickets to a remote host. Most of these +programs also automatically destroy your tickets when they exit. +However, MIT recommends that you explicitly destroy your Kerberos +tickets when you are through with them, just to be sure. One way to +help ensure that this happens is to add the <a class="reference internal" href="user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a> command +to your .logout file. Additionally, if you are going to be away from +your machine and are concerned about an intruder using your +permissions, it is safest to either destroy all copies of your +tickets, or use a screensaver that locks the screen.</p> +<div class="section" id="kerberos-ticket-properties"> +<h2>Kerberos ticket properties<a class="headerlink" href="#kerberos-ticket-properties" title="Permalink to this headline">¶</a></h2> +<p>There are various properties that Kerberos tickets can have:</p> +<p>If a ticket is <strong>forwardable</strong>, then the KDC can issue a new ticket +(with a different network address, if necessary) based on the +forwardable ticket. This allows for authentication forwarding without +requiring a password to be typed in again. 
For example, if a user +with a forwardable TGT logs into a remote system, the KDC could issue +a new TGT for that user with the network address of the remote system, +allowing authentication on that host to work as though the user were +logged in locally.</p> +<p>When the KDC creates a new ticket based on a forwardable ticket, it +sets the <strong>forwarded</strong> flag on that new ticket. Any tickets that are +created based on a ticket with the forwarded flag set will also have +their forwarded flags set.</p> +<p>A <strong>proxiable</strong> ticket is similar to a forwardable ticket in that it +allows a service to take on the identity of the client. Unlike a +forwardable ticket, however, a proxiable ticket is only issued for +specific services. In other words, a ticket-granting ticket cannot be +issued based on a ticket that is proxiable but not forwardable.</p> +<p>A <strong>proxy</strong> ticket is one that was issued based on a proxiable ticket.</p> +<p>A <strong>postdated</strong> ticket is issued with the invalid flag set. After the +starting time listed on the ticket, it can be presented to the KDC to +obtain valid tickets.</p> +<p>Ticket-granting tickets with the <strong>postdateable</strong> flag set can be used +to obtain postdated service tickets.</p> +<p><strong>Renewable</strong> tickets can be used to obtain new session keys without +the user entering their password again. A renewable ticket has two +expiration times. The first is the time at which this particular +ticket expires. The second is the latest possible expiration time for +any ticket issued based on this renewable ticket.</p> +<p>A ticket with the <strong>initial flag</strong> set was issued based on the +authentication protocol, and not on a ticket-granting ticket. 
+Application servers that wish to ensure that the user’s key has been +recently presented for verification could specify that this flag must +be set to accept the ticket.</p> +<p>An <strong>invalid</strong> ticket must be rejected by application servers. +Postdated tickets are usually issued with this flag set, and must be +validated by the KDC before they can be used.</p> +<p>A <strong>preauthenticated</strong> ticket is one that was only issued after the +client requesting the ticket had authenticated itself to the KDC.</p> +<p>The <strong>hardware authentication</strong> flag is set on a ticket which required +the use of hardware for authentication. The hardware is expected to +be possessed only by the client which requested the tickets.</p> +<p>If a ticket has the <strong>transit policy</strong> checked flag set, then the KDC +that issued this ticket implements the transited-realm check policy +and checked the transited-realms list on the ticket. The +transited-realms list contains a list of all intermediate realms +between the realm of the KDC that issued the first ticket and that of +the one that issued the current ticket. If this flag is not set, then +the application server must check the transited realms itself or else +reject the ticket.</p> +<p>The <strong>okay as delegate</strong> flag indicates that the server specified in +the ticket is suitable as a delegate as determined by the policy of +that realm. Some client applications may use this flag to decide +whether to forward tickets to a remote host, although many +applications do not honor it.</p> +<p>An <strong>anonymous</strong> ticket is one in which the named principal is a +generic principal for that realm; it does not actually specify the +individual that will be using the ticket. 
This ticket is meant only +to securely distribute a session key.</p> +</div> +<div class="section" id="obtaining-tickets-with-kinit"> +<span id="obtain-tkt"></span><h2>Obtaining tickets with kinit<a class="headerlink" href="#obtaining-tickets-with-kinit" title="Permalink to this headline">¶</a></h2> +<p>If your site has integrated Kerberos V5 with the login system, you +will get Kerberos tickets automatically when you log in. Otherwise, +you may need to explicitly obtain your Kerberos tickets, using the +<a class="reference internal" href="user_commands/kinit.html#kinit-1"><em>kinit</em></a> program. Similarly, if your Kerberos tickets expire, +use the kinit program to obtain new ones.</p> +<p>To use the kinit program, simply type <tt class="docutils literal"><span class="pre">kinit</span></tt> and then type your +password at the prompt. For example, Jennifer (whose username is +<tt class="docutils literal"><span class="pre">jennifer</span></tt>) works for Bleep, Inc. (a fictitious company with the +domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would +type:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kinit +Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.] +shell% +</pre></div> +</div> +<p>If you type your password incorrectly, kinit will give you the +following error message:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kinit +Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.] +kinit: Password incorrect +shell% +</pre></div> +</div> +<p>and you won’t get Kerberos tickets.</p> +<p>By default, kinit assumes you want tickets for your own username in +your default realm. Suppose Jennifer’s friend David is visiting, and +he wants to borrow a window to check his mail. David needs to get +tickets for himself in his own realm, EXAMPLE.COM. 
He would type:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kinit david@EXAMPLE.COM +Password for david@EXAMPLE.COM: <-- [Type david's password here.] +shell% +</pre></div> +</div> +<p>David would then have tickets which he could use to log onto his own +machine. Note that he typed his password locally on Jennifer’s +machine, but it never went over the network. Kerberos on the local +host performed the authentication to the KDC in the other realm.</p> +<p>If you want to be able to forward your tickets to another host, you +need to request forwardable tickets. You do this by specifying the +<strong>-f</strong> option:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kinit -f +Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.] +shell% +</pre></div> +</div> +<p>Note that kinit does not tell you that it obtained forwardable +tickets; you can verify this using the <a class="reference internal" href="user_commands/klist.html#klist-1"><em>klist</em></a> command (see +<a class="reference internal" href="#view-tkt"><em>Viewing tickets with klist</em></a>).</p> +<p>Normally, your tickets are good for your system’s default ticket +lifetime, which is ten hours on many systems. You can specify a +different ticket lifetime with the <strong>-l</strong> option. Add the letter +<strong>s</strong> to the value for seconds, <strong>m</strong> for minutes, <strong>h</strong> for hours, or +<strong>d</strong> for days. For example, to obtain forwardable tickets for +<tt class="docutils literal"><span class="pre">david@EXAMPLE.COM</span></tt> that would be good for three hours, you would +type:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kinit -f -l 3h david@EXAMPLE.COM +Password for david@EXAMPLE.COM: <-- [Type david's password here.] 
+shell% +</pre></div> +</div> +<div class="admonition note"> +<p class="first admonition-title">Note</p> +<p class="last">You cannot mix units; specifying a lifetime of 3h30m would +result in an error. Note also that most systems specify a +maximum ticket lifetime. If you request a longer ticket +lifetime, it will be automatically truncated to the maximum +lifetime.</p> +</div> +</div> +<div class="section" id="viewing-tickets-with-klist"> +<span id="view-tkt"></span><h2>Viewing tickets with klist<a class="headerlink" href="#viewing-tickets-with-klist" title="Permalink to this headline">¶</a></h2> +<p>The <a class="reference internal" href="user_commands/klist.html#klist-1"><em>klist</em></a> command shows your tickets. When you first obtain +tickets, you will have only the ticket-granting ticket. The listing +would look like this:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% klist +Ticket cache: /tmp/krb5cc_ttypa +Default principal: jennifer@ATHENA.MIT.EDU + +Valid starting Expires Service principal +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +shell% +</pre></div> +</div> +<p>The ticket cache is the location of your ticket file. In the above +example, this file is named <tt class="docutils literal"><span class="pre">/tmp/krb5cc_ttypa</span></tt>. The default +principal is your Kerberos principal.</p> +<p>The “valid starting” and “expires” fields describe the period of time +during which the ticket is valid. The “service principal” describes +each ticket. 
The ticket-granting ticket has a first component +<tt class="docutils literal"><span class="pre">krbtgt</span></tt>, and a second component which is the realm name.</p> +<p>Now, if <tt class="docutils literal"><span class="pre">jennifer</span></tt> connected to the machine <tt class="docutils literal"><span class="pre">daffodil.mit.edu</span></tt>, +and then typed “klist” again, she would have gotten the following +result:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% klist +Ticket cache: /tmp/krb5cc_ttypa +Default principal: jennifer@ATHENA.MIT.EDU + +Valid starting Expires Service principal +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU +shell% +</pre></div> +</div> +<p>Here’s what happened: when <tt class="docutils literal"><span class="pre">jennifer</span></tt> used ssh to connect to the +host <tt class="docutils literal"><span class="pre">daffodil.mit.edu</span></tt>, the ssh program presented her +ticket-granting ticket to the KDC and requested a host ticket for the +host <tt class="docutils literal"><span class="pre">daffodil.mit.edu</span></tt>. The KDC sent the host ticket, which ssh +then presented to the host <tt class="docutils literal"><span class="pre">daffodil.mit.edu</span></tt>, and she was allowed +to log in without typing her password.</p> +<p>Suppose your Kerberos tickets allow you to log into a host in another +domain, such as <tt class="docutils literal"><span class="pre">trillium.example.com</span></tt>, which is also in another +Kerberos realm, <tt class="docutils literal"><span class="pre">EXAMPLE.COM</span></tt>. If you ssh to this host, you will +receive a ticket-granting ticket for the realm <tt class="docutils literal"><span class="pre">EXAMPLE.COM</span></tt>, plus +the new host ticket for <tt class="docutils literal"><span class="pre">trillium.example.com</span></tt>. 
klist will now +show:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% klist +Ticket cache: /tmp/krb5cc_ttypa +Default principal: jennifer@ATHENA.MIT.EDU + +Valid starting Expires Service principal +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU +06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU +06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@EXAMPLE.COM +shell% +</pre></div> +</div> +<p>Depending on your host’s and realm’s configuration, you may also see a +ticket with the service principal <tt class="docutils literal"><span class="pre">host/trillium.example.com@</span></tt>. If +so, this means that your host did not know what realm +trillium.example.com is in, so it asked the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> KDC for +a referral. The next time you connect to <tt class="docutils literal"><span class="pre">trillium.example.com</span></tt>, +the odd-looking entry will be used to avoid needing to ask for a +referral again.</p> +<p>You can use the <strong>-f</strong> option to view the flags that apply to your +tickets. 
The flags are:</p> +<table border="1" class="docutils"> +<colgroup> +<col width="17%" /> +<col width="83%" /> +</colgroup> +<tbody valign="top"> +<tr class="row-odd"><td>F</td> +<td>Forwardable</td> +</tr> +<tr class="row-even"><td>f</td> +<td>forwarded</td> +</tr> +<tr class="row-odd"><td>P</td> +<td>Proxiable</td> +</tr> +<tr class="row-even"><td>p</td> +<td>proxy</td> +</tr> +<tr class="row-odd"><td>D</td> +<td>postDateable</td> +</tr> +<tr class="row-even"><td>d</td> +<td>postdated</td> +</tr> +<tr class="row-odd"><td>R</td> +<td>Renewable</td> +</tr> +<tr class="row-even"><td>I</td> +<td>Initial</td> +</tr> +<tr class="row-odd"><td>i</td> +<td>invalid</td> +</tr> +<tr class="row-even"><td>H</td> +<td>Hardware authenticated</td> +</tr> +<tr class="row-odd"><td>A</td> +<td>preAuthenticated</td> +</tr> +<tr class="row-even"><td>T</td> +<td>Transit policy checked</td> +</tr> +<tr class="row-odd"><td>O</td> +<td>Okay as delegate</td> +</tr> +<tr class="row-even"><td>a</td> +<td>anonymous</td> +</tr> +</tbody> +</table> +<p>Here is a sample listing. In this example, the user <em>jennifer</em> +obtained her initial tickets (<strong>I</strong>), which are forwardable (<strong>F</strong>) +and postdated (<strong>d</strong>) but not yet validated (<strong>i</strong>):</p> +<div class="highlight-python"><div class="highlight"><pre>shell% klist -f +Ticket cache: /tmp/krb5cc_320 +Default principal: jennifer@ATHENA.MIT.EDU + +Valid starting Expires Service principal +31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU + Flags: FdiI +shell% +</pre></div> +</div> +<p>In the following example, the user <em>david</em>‘s tickets were forwarded +(<strong>f</strong>) to this host from another host. 
The tickets are reforwardable +(<strong>F</strong>):</p> +<div class="highlight-python"><div class="highlight"><pre>shell% klist -f +Ticket cache: /tmp/krb5cc_p11795 +Default principal: david@EXAMPLE.COM + +Valid starting Expires Service principal +07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM + Flags: Ff +07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM + Flags: Ff +shell% +</pre></div> +</div> +</div> +<div class="section" id="destroying-tickets-with-kdestroy"> +<h2>Destroying tickets with kdestroy<a class="headerlink" href="#destroying-tickets-with-kdestroy" title="Permalink to this headline">¶</a></h2> +<p>Your Kerberos tickets are proof that you are indeed yourself, and +tickets could be stolen if someone gains access to a computer where +they are stored. If this happens, the person who has them can +masquerade as you until they expire. For this reason, you should +destroy your Kerberos tickets when you are away from your computer.</p> +<p>Destroying your tickets is easy. Simply type kdestroy:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kdestroy +shell% +</pre></div> +</div> +<p>If <a class="reference internal" href="user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a> fails to destroy your tickets, it will beep and +give an error message. 
For example, if kdestroy can’t find any +tickets to destroy, it will give the following message:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kdestroy +kdestroy: No credentials cache file found while destroying cache +shell% +</pre></div> +</div> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">Ticket management</a><ul> +<li><a class="reference internal" href="#kerberos-ticket-properties">Kerberos ticket properties</a></li> +<li><a class="reference internal" href="#obtaining-tickets-with-kinit">Obtaining tickets with kinit</a></li> +<li><a class="reference internal" href="#viewing-tickets-with-klist">Viewing tickets with klist</a></li> +<li><a class="reference internal" href="#destroying-tickets-with-kdestroy">Destroying tickets with kdestroy</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">For users</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="pwd_mgmt.html">Password management</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="">Ticket management</a><ul class="simple"> +</ul> +</li> +<li class="toctree-l2"><a class="reference internal" href="user_config/index.html">User config files</a></li> +<li class="toctree-l2"><a class="reference internal" href="user_commands/index.html">User commands</a></li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> +<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" 
href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.15.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="pwd_mgmt.html" title="Password management" + >previous</a> | + <a href="user_config/index.html" title="User config files" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Ticket management">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file |
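Review bot: the two `klist -f` sample listings in the "Viewing tickets with klist" section use inconsistent date formats: the first shows `31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU` (day/month/year) while the second and all earlier listings use month/day/year (`07/31/05 11:52:29`, `06/07/04 19:49:21`). Since the text walks the reader through the "valid starting" and "expires" columns, the first listing should be changed to `07/31/05 19:06:25 07/31/05 19:16:25` so the samples agree with each other and with what klist actually prints. Two smaller points: every shell transcript is wrapped in `<div class="highlight-python">` even though none of it is Python, so the pygments classes are mislabelled (harmless in rendering, but misleading if the generated HTML is ever regenerated from a different lexer), and the file is committed without a trailing newline (`\ No newline at end of file`), which most repositories' generated-HTML check-ins avoid.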
