Viewing tickets with *klist*
================================

The *klist* command shows your tickets. When you first obtain tickets, you will have only the ticket-granting ticket. The listing would look like this::

    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU

The ticket cache is the location of your ticket file. In the above example, this file is named */tmp/krb5cc_ttypa*. The default principal is your Kerberos principal.

The *valid starting* and *expires* fields describe the period of time during which the ticket is valid. The service principal describes each ticket. The ticket-granting ticket has the primary *krbtgt*, and the instance is the realm name.

Now, if *jennifer* connected to the machine *daffodil.mit.edu*, and then typed *klist* again, she would have gotten the following result::

    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU

Here's what happened: when *jennifer* used telnet to connect to the host *daffodil.mit.edu*, the telnet program presented her ticket-granting ticket to the KDC and requested a host ticket for the host *daffodil.mit.edu*. The KDC sent the host ticket, which telnet then presented to the host *daffodil.mit.edu*, and she was allowed to log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another domain, such as *trillium.example.com*, which is also in another Kerberos realm, *EXAMPLE.COM*. If you telnet to this host, you will receive a ticket-granting ticket for the realm *EXAMPLE.COM*, plus the new host ticket for *trillium.example.com*. *klist* will now show::

    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
    06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
    06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@EXAMPLE.COM

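
When auditing a credential cache it helps to separate the local ticket-granting ticket, cross-realm ticket-granting tickets and service tickets automatically. The following Python sketch is an added example, not part of the original documentation or of the krb5 distribution: it parses the plain *klist* listing shown above and classifies each entry by primary, instance and realm. The function names and the month/day/year timestamp format are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the cross-realm listing from the text above.
SAMPLE = """\
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@EXAMPLE.COM
"""

STAMP = "%m/%d/%y %H:%M:%S"  # assumption: month/day/year, as in this listing
TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET = re.compile(rf"^{TS}\s+{TS}\s+(\S+)$")


def classify(service, start, end):
    """Split primary/instance@realm and label the kind of ticket."""
    name, _, realm = service.rpartition("@")
    primary, _, instance = name.partition("/")
    if primary != "krbtgt":
        kind = "service"
    else:  # a TGT's instance names the realm it is good for
        kind = "tgt" if instance == realm else "cross-realm-tgt"
    return {"service": service, "primary": primary, "instance": instance,
            "realm": realm, "kind": kind, "start": datetime.strptime(start, STAMP),
            "end": datetime.strptime(end, STAMP)}


def parse_klist(text):
    """Return (cache, default_principal, tickets) from klist output."""
    cache = principal = None
    tickets = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET.match(line)):
            tickets.append(classify(m.group(3), m.group(1), m.group(2)))
    return cache, principal, tickets


def foreign_realms(principal, tickets):
    """Realms, other than the default principal's own, that issued a ticket."""
    return sorted({t["realm"] for t in tickets} - {principal.rpartition("@")[2]})
```

Lines that are not ticket rows, such as the column header, are skipped, so only entries with both timestamps and a service principal are classified.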
You can use the **-f** option to view the flags that apply to your tickets. The flags are:

===== =========================
H     Hardware authenticated
T     Transit policy checked
===== =========================

Here is a sample listing. In this example, the user *jennifer* obtained her initial tickets (**I**), which are forwardable (**F**) and postdated (**d**) but not yet validated (**i**)::

    Ticket cache: /tmp/krb5cc_320
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    31/07/05 19:06:25  31/07/05 19:16:25  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU

In the following example, the user *david*'s tickets were forwarded (**f**) to this host from another host. The tickets are reforwardable (**F**)::

    Ticket cache: /tmp/krb5cc_p11795
    Default principal: david@EXAMPLE.COM

    Valid starting     Expires            Service principal
    07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM