[platform/upstream/krb5.git] / doc / html / user / tkt_mgmt.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Ticket management &mdash; MIT Kerberos Documentation</title>
    
    <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.15.2',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../about.html" />
    <link rel="copyright" title="Copyright" href="../copyright.html" />
    <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
    <link rel="up" title="For users" href="index.html" />
    <link rel="next" title="User config files" href="user_config/index.html" />
    <link rel="prev" title="Password management" href="pwd_mgmt.html" /> 
  </head>
  <body>
    <div class="header-wrapper">
        <div class="header">
            
            
            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
            
            <div class="rel">
                
        <a href="../index.html" title="Full Table of Contents"
            accesskey="C">Contents</a> |
        <a href="pwd_mgmt.html" title="Password management"
            accesskey="P">previous</a> |
        <a href="user_config/index.html" title="User config files"
            accesskey="N">next</a> |
        <a href="../genindex.html" title="General Index"
            accesskey="I">index</a> |
        <a href="../search.html" title="Enter search criteria"
            accesskey="S">Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Ticket management">feedback</a>
            </div>
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">
            
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="ticket-management">
<h1>Ticket management<a class="headerlink" href="#ticket-management" title="Permalink to this headline">¶</a></h1>
<p>On many systems, Kerberos is built into the login program, and you get
tickets automatically when you log in.  Other programs, such as ssh,
can forward copies of your tickets to a remote host.  Most of these
programs also automatically destroy your tickets when they exit.
However, MIT recommends that you explicitly destroy your Kerberos
tickets when you are through with them, just to be sure.  One way to
help ensure that this happens is to add the <a class="reference internal" href="user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a> command
to your .logout file.  Additionally, if you are going to be away from
your machine and are concerned about an intruder using your
permissions, it is safest to either destroy all copies of your
tickets, or use a screensaver that locks the screen.</p>
<div class="section" id="kerberos-ticket-properties">
<h2>Kerberos ticket properties<a class="headerlink" href="#kerberos-ticket-properties" title="Permalink to this headline">¶</a></h2>
<p>There are various properties that Kerberos tickets can have:</p>
<p>If a ticket is <strong>forwardable</strong>, then the KDC can issue a new ticket
(with a different network address, if necessary) based on the
forwardable ticket.  This allows for authentication forwarding without
requiring a password to be typed in again.  For example, if a user
with a forwardable TGT logs into a remote system, the KDC could issue
a new TGT for that user with the network address of the remote system,
allowing authentication on that host to work as though the user were
logged in locally.</p>
<p>When the KDC creates a new ticket based on a forwardable ticket, it
sets the <strong>forwarded</strong> flag on that new ticket.  Any tickets that are
created based on a ticket with the forwarded flag set will also have
their forwarded flags set.</p>
<p>A <strong>proxiable</strong> ticket is similar to a forwardable ticket in that it
allows a service to take on the identity of the client.  Unlike a
forwardable ticket, however, a proxiable ticket is only issued for
specific services.  In other words, a ticket-granting ticket cannot be
issued based on a ticket that is proxiable but not forwardable.</p>
<p>A <strong>proxy</strong> ticket is one that was issued based on a proxiable ticket.</p>
<p>A <strong>postdated</strong> ticket is issued with the invalid flag set.  After the
starting time listed on the ticket, it can be presented to the KDC to
obtain valid tickets.</p>
<p>Ticket-granting tickets with the <strong>postdateable</strong> flag set can be used
to obtain postdated service tickets.</p>
<p><strong>Renewable</strong> tickets can be used to obtain new session keys without
the user entering their password again.  A renewable ticket has two
expiration times.  The first is the time at which this particular
ticket expires.  The second is the latest possible expiration time for
any ticket issued based on this renewable ticket.</p>
<p>A ticket with the <strong>initial flag</strong> set was issued based on the
authentication protocol, and not on a ticket-granting ticket.
Application servers that wish to ensure that the user&#8217;s key has been
recently presented for verification could specify that this flag must
be set to accept the ticket.</p>
<p>An <strong>invalid</strong> ticket must be rejected by application servers.
Postdated tickets are usually issued with this flag set, and must be
validated by the KDC before they can be used.</p>
<p>A <strong>preauthenticated</strong> ticket is one that was only issued after the
client requesting the ticket had authenticated itself to the KDC.</p>
<p>The <strong>hardware authentication</strong> flag is set on a ticket which required
the use of hardware for authentication.  The hardware is expected to
be possessed only by the client which requested the tickets.</p>
<p>If a ticket has the <strong>transit policy</strong> checked flag set, then the KDC
that issued this ticket implements the transited-realm check policy
and checked the transited-realms list on the ticket.  The
transited-realms list contains a list of all intermediate realms
between the realm of the KDC that issued the first ticket and that of
the one that issued the current ticket.  If this flag is not set, then
the application server must check the transited realms itself or else
reject the ticket.</p>
<p>The <strong>okay as delegate</strong> flag indicates that the server specified in
the ticket is suitable as a delegate as determined by the policy of
that realm.  Some client applications may use this flag to decide
whether to forward tickets to a remote host, although many
applications do not honor it.</p>
<p>An <strong>anonymous</strong> ticket is one in which the named principal is a
generic principal for that realm; it does not actually specify the
individual that will be using the ticket.  This ticket is meant only
to securely distribute a session key.</p>
</div>
<div class="section" id="obtaining-tickets-with-kinit">
<span id="obtain-tkt"></span><h2>Obtaining tickets with kinit<a class="headerlink" href="#obtaining-tickets-with-kinit" title="Permalink to this headline">¶</a></h2>
<p>If your site has integrated Kerberos V5 with the login system, you
will get Kerberos tickets automatically when you log in.  Otherwise,
you may need to explicitly obtain your Kerberos tickets, using the
<a class="reference internal" href="user_commands/kinit.html#kinit-1"><em>kinit</em></a> program.  Similarly, if your Kerberos tickets expire,
use the kinit program to obtain new ones.</p>
<p>To use the kinit program, simply type <tt class="docutils literal"><span class="pre">kinit</span></tt> and then type your
password at the prompt. For example, Jennifer (whose username is
<tt class="docutils literal"><span class="pre">jennifer</span></tt>) works for Bleep, Inc. (a fictitious company with the
domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU).  She would
type:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% kinit
Password for jennifer@ATHENA.MIT.EDU: &lt;-- [Type jennifer&#39;s password here.]
shell%
</pre></div>
</div>
<p>If you type your password incorrectly, kinit will give you the
following error message:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% kinit
Password for jennifer@ATHENA.MIT.EDU: &lt;-- [Type the wrong password here.]
kinit: Password incorrect
shell%
</pre></div>
</div>
<p>and you won&#8217;t get Kerberos tickets.</p>
<p>By default, kinit assumes you want tickets for your own username in
your default realm.  Suppose Jennifer&#8217;s friend David is visiting, and
he wants to borrow a window to check his mail.  David needs to get
tickets for himself in his own realm, EXAMPLE.COM.  He would type:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% kinit david@EXAMPLE.COM
Password for david@EXAMPLE.COM: &lt;-- [Type david&#39;s password here.]
shell%
</pre></div>
</div>
<p>David would then have tickets which he could use to log onto his own
machine.  Note that he typed his password locally on Jennifer&#8217;s
machine, but it never went over the network.  Kerberos on the local
host performed the authentication to the KDC in the other realm.</p>
<p>If you want to be able to forward your tickets to another host, you
need to request forwardable tickets.  You do this by specifying the
<strong>-f</strong> option:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% kinit -f
Password for jennifer@ATHENA.MIT.EDU: &lt;-- [Type your password here.]
shell%
</pre></div>
</div>
<p>Note that kinit does not tell you that it obtained forwardable
tickets; you can verify this using the <a class="reference internal" href="user_commands/klist.html#klist-1"><em>klist</em></a> command (see
<a class="reference internal" href="#view-tkt"><em>Viewing tickets with klist</em></a>).</p>
<p>Normally, your tickets are good for your system&#8217;s default ticket
lifetime, which is ten hours on many systems.  You can specify a
different ticket lifetime with the <strong>-l</strong> option.  Add the letter
<strong>s</strong> to the value for seconds, <strong>m</strong> for minutes, <strong>h</strong> for hours, or
<strong>d</strong> for days.  For example, to obtain forwardable tickets for
<tt class="docutils literal"><span class="pre">david&#64;EXAMPLE.COM</span></tt> that would be good for three hours, you would
type:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% kinit -f -l 3h david@EXAMPLE.COM
Password for david@EXAMPLE.COM: &lt;-- [Type david&#39;s password here.]
shell%
</pre></div>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">You cannot mix units; specifying a lifetime of 3h30m would
result in an error.  Note also that most systems specify a
maximum ticket lifetime.  If you request a longer ticket
lifetime, it will be automatically truncated to the maximum
lifetime.</p>
</div>
</div>
<div class="section" id="viewing-tickets-with-klist">
<span id="view-tkt"></span><h2>Viewing tickets with klist<a class="headerlink" href="#viewing-tickets-with-klist" title="Permalink to this headline">¶</a></h2>
<p>The <a class="reference internal" href="user_commands/klist.html#klist-1"><em>klist</em></a> command shows your tickets.  When you first obtain
tickets, you will have only the ticket-granting ticket.  The listing
would look like this:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
shell%
</pre></div>
</div>
<p>The ticket cache is the location of your ticket file. In the above
example, this file is named <tt class="docutils literal"><span class="pre">/tmp/krb5cc_ttypa</span></tt>. The default
principal is your Kerberos principal.</p>
<p>The &#8220;valid starting&#8221; and &#8220;expires&#8221; fields describe the period of time
during which the ticket is valid.  The &#8220;service principal&#8221; describes
each ticket.  The ticket-granting ticket has a first component
<tt class="docutils literal"><span class="pre">krbtgt</span></tt>, and a second component which is the realm name.</p>
<p>Now, if <tt class="docutils literal"><span class="pre">jennifer</span></tt> connected to the machine <tt class="docutils literal"><span class="pre">daffodil.mit.edu</span></tt>,
and then typed &#8220;klist&#8221; again, she would have gotten the following
result:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
shell%
</pre></div>
</div>
<p>Here&#8217;s what happened: when <tt class="docutils literal"><span class="pre">jennifer</span></tt> used ssh to connect to the
host <tt class="docutils literal"><span class="pre">daffodil.mit.edu</span></tt>, the ssh program presented her
ticket-granting ticket to the KDC and requested a host ticket for the
host <tt class="docutils literal"><span class="pre">daffodil.mit.edu</span></tt>.  The KDC sent the host ticket, which ssh
then presented to the host <tt class="docutils literal"><span class="pre">daffodil.mit.edu</span></tt>, and she was allowed
to log in without typing her password.</p>
<p>Suppose your Kerberos tickets allow you to log into a host in another
domain, such as <tt class="docutils literal"><span class="pre">trillium.example.com</span></tt>, which is also in another
Kerberos realm, <tt class="docutils literal"><span class="pre">EXAMPLE.COM</span></tt>.  If you ssh to this host, you will
receive a ticket-granting ticket for the realm <tt class="docutils literal"><span class="pre">EXAMPLE.COM</span></tt>, plus
the new host ticket for <tt class="docutils literal"><span class="pre">trillium.example.com</span></tt>.  klist will now
show:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@EXAMPLE.COM
shell%
</pre></div>
</div>
<p>Depending on your host&#8217;s and realm&#8217;s configuration, you may also see a
ticket with the service principal <tt class="docutils literal"><span class="pre">host/trillium.example.com&#64;</span></tt>.  If
so, this means that your host did not know what realm
trillium.example.com is in, so it asked the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> KDC for
a referral.  The next time you connect to <tt class="docutils literal"><span class="pre">trillium.example.com</span></tt>,
the odd-looking entry will be used to avoid needing to ask for a
referral again.</p>
<p>You can use the <strong>-f</strong> option to view the flags that apply to your
tickets.  The flags are:</p>
<table border="1" class="docutils">
<colgroup>
<col width="17%" />
<col width="83%" />
</colgroup>
<tbody valign="top">
<tr class="row-odd"><td>F</td>
<td>Forwardable</td>
</tr>
<tr class="row-even"><td>f</td>
<td>forwarded</td>
</tr>
<tr class="row-odd"><td>P</td>
<td>Proxiable</td>
</tr>
<tr class="row-even"><td>p</td>
<td>proxy</td>
</tr>
<tr class="row-odd"><td>D</td>
<td>postDateable</td>
</tr>
<tr class="row-even"><td>d</td>
<td>postdated</td>
</tr>
<tr class="row-odd"><td>R</td>
<td>Renewable</td>
</tr>
<tr class="row-even"><td>I</td>
<td>Initial</td>
</tr>
<tr class="row-odd"><td>i</td>
<td>invalid</td>
</tr>
<tr class="row-even"><td>H</td>
<td>Hardware authenticated</td>
</tr>
<tr class="row-odd"><td>A</td>
<td>preAuthenticated</td>
</tr>
<tr class="row-even"><td>T</td>
<td>Transit policy checked</td>
</tr>
<tr class="row-odd"><td>O</td>
<td>Okay as delegate</td>
</tr>
<tr class="row-even"><td>a</td>
<td>anonymous</td>
</tr>
</tbody>
</table>
<p>Here is a sample listing.  In this example, the user <em>jennifer</em>
obtained her initial tickets (<strong>I</strong>), which are forwardable (<strong>F</strong>)
and postdated (<strong>d</strong>) but not yet validated (<strong>i</strong>):</p>
<div class="highlight-python"><div class="highlight"><pre>shell% klist -f
Ticket cache: /tmp/krb5cc_320
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting      Expires             Service principal
31/07/05 19:06:25  31/07/05 19:16:25  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
        Flags: FdiI
shell%
</pre></div>
</div>
<p>In the following example, the user <em>david</em>&#8216;s tickets were forwarded
(<strong>f</strong>) to this host from another host.  The tickets are reforwardable
(<strong>F</strong>):</p>
<div class="highlight-python"><div class="highlight"><pre>shell% klist -f
Ticket cache: /tmp/krb5cc_p11795
Default principal: david@EXAMPLE.COM

Valid starting     Expires            Service principal
07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: Ff
07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM
        Flags: Ff
shell%
</pre></div>
</div>
</div>
<div class="section" id="destroying-tickets-with-kdestroy">
<h2>Destroying tickets with kdestroy<a class="headerlink" href="#destroying-tickets-with-kdestroy" title="Permalink to this headline">¶</a></h2>
<p>Your Kerberos tickets are proof that you are indeed yourself, and
tickets could be stolen if someone gains access to a computer where
they are stored.  If this happens, the person who has them can
masquerade as you until they expire.  For this reason, you should
destroy your Kerberos tickets when you are away from your computer.</p>
<p>Destroying your tickets is easy.  Simply type kdestroy:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% kdestroy
shell%
</pre></div>
</div>
<p>If <a class="reference internal" href="user_commands/kdestroy.html#kdestroy-1"><em>kdestroy</em></a> fails to destroy your tickets, it will beep and
give an error message.  For example, if kdestroy can&#8217;t find any
tickets to destroy, it will give the following message:</p>
<div class="highlight-python"><div class="highlight"><pre>shell% kdestroy
kdestroy: No credentials cache file found while destroying cache
shell%
</pre></div>
</div>
</div>
</div>


          </div>
        </div>
      </div>
        </div>
        <div class="sidebar">
    <h2>On this page</h2>
    <ul>
<li><a class="reference internal" href="#">Ticket management</a><ul>
<li><a class="reference internal" href="#kerberos-ticket-properties">Kerberos ticket properties</a></li>
<li><a class="reference internal" href="#obtaining-tickets-with-kinit">Obtaining tickets with kinit</a></li>
<li><a class="reference internal" href="#viewing-tickets-with-klist">Viewing tickets with klist</a></li>
<li><a class="reference internal" href="#destroying-tickets-with-kdestroy">Destroying tickets with kdestroy</a></li>
</ul>
</li>
</ul>

    <br/>
    <h2>Table of contents</h2>
    <ul class="current">
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For users</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="pwd_mgmt.html">Password management</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="">Ticket management</a><ul class="simple">
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="user_config/index.html">User config files</a></li>
<li class="toctree-l2"><a class="reference internal" href="user_commands/index.html">User commands</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>

    <br/>
    <h4><a href="../index.html">Full Table of Contents</a></h4>
    <h4>Search</h4>
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" size="18" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.15.2</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
            </div>
            <div class="left">
                
        <a href="../index.html" title="Full Table of Contents"
            >Contents</a> |
        <a href="pwd_mgmt.html" title="Password management"
            >previous</a> |
        <a href="user_config/index.html" title="User config files"
            >next</a> |
        <a href="../genindex.html" title="General Index"
            >index</a> |
        <a href="../search.html" title="Enter search criteria"
            >Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Ticket management">feedback</a>
            </div>
        </div>
    </div>

  </body>
</html>