
Forwarding Tickets

The service tickets a user obtains are for accessing a remote system. What if the user wants to log in to a remote system with a secure service and, from that remote system, use a secure service to reach a second remote system? The second hop requires a valid TGT on the first remote system. Obtaining one by running kinit there would mean typing the password into the remote session, so the password would cross the network in readable form.

To avoid this problem, Kerberos can issue TGTs with a special attribute that allows them to be forwarded to other systems within the realm.

The rlogin and rsh utilities offer the TGT forwarding options -f and -F. Before either option has any effect, two prerequisites must be met.

· First, the KDC's forwardable ticket option must be enabled. For the DCE Security Server, use the dcecp account modify command to set the forwardabletkt account attribute.

· Second, kinit must be invoked with the forwardable flag (-f). When kinit is run with -f, the TGT obtained on the local system can be forwarded to the remote system, and the user does not need to reauthenticate to the KDC from the remote system.

DCE clients must use kinit -f to enable forwarding because the dce_login utility does not have options for ticket attributes.

Provided these two prerequisites are met, the forwarding options of rlogin and rsh take effect. With -f, the TGT is forwarded to only one remote system (one free hop). With -F, the TGT can continue to be forwarded to further systems (potentially unlimited free hops).

Multiple free hops are possible because -F leaves the forwardable attribute set in the forwarded TGT, whereas -f clears it. Thus the client can forward the TGT to an unlimited number of remote systems as long as -F is used at every hop. Once -f is used, the forwarding chain stops at the next node.
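The whole procedure, as an added example that is not part of the original page and not HP or DCE code: a POSIX shell script that reads the TGT's flags from klist -f output, models what -f and -F do to the forwardable attribute at each hop, and lists the commands in the order the text describes. It assumes an MIT-compatible klist -f output format (a "Flags:" line under each ticket; the DCE klist may differ), placeholder hosts (host1.example.com, host2.example.com), a placeholder principal (alice), and the dcecp command form shown, which is the assumed syntax for setting the forwardabletkt attribute the text names.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes an MIT-compatible
# klist whose -f output prints a "Flags:" line under each ticket (the DCE
# klist may format this differently) and uses placeholder hosts/principals.

# Print the flag letters of the TGT (krbtgt/...) from klist -f output read on
# stdin. MIT letters of interest: F = forwardable, f = forwarded, I = initial.
tgt_flags() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; exit }
        in_tgt { in_tgt = 0 }
    '
}

# Succeed (exit 0) only if the TGT described on stdin still carries F, i.e.
# a further rlogin -f / rlogin -F hop from this host is possible.
tgt_is_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Model the flags a forwarded TGT carries after each hop. $1 is the flag
# string on the starting host; the remaining arguments are the rlogin/rsh
# option used at each hop. Prints "<hop> <option> <flags>" per hop, or
# "<hop> <option> refused" and fails when the current TGT is not forwardable.
simulate_chain() {
    flags=$1; shift
    hop=0
    for opt in "$@"; do
        hop=$((hop + 1))
        case "$flags" in
            *F*) ;;
            *)   echo "$hop $opt refused"; return 1 ;;
        esac
        case "$opt" in
            -F) flags=Ff ;;   # forwarded and still forwardable
            -f) flags=f  ;;   # forwarded, forwardable attribute cleared
            *)  echo "unknown option: $opt" >&2; return 2 ;;
        esac
        echo "$hop $opt $flags"
    done
}

# Constructed klist -f output (not captured from a real host): the TGT on
# the local host right after kinit -f.
LOCAL_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/25 10:00:00  01/01/25 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Flags: FIA'

# The procedure from the text, as typed on the local host. Not executed by
# this script; hostnames and the principal are placeholders, and the dcecp
# line is the assumed form of the command the text names.
forward_session() {
    dcecp -c account modify alice -forwardabletkt yes   # KDC-side prerequisite
    kinit -f alice                                      # password typed locally only
    klist -f | tgt_is_forwardable || { echo "TGT is not forwardable" >&2; return 1; }
    rlogin -F host1.example.com   # hop 1: TGT arrives on host1 with F and f set
    # on host1:  rlogin -f host2.example.com   # hop 2: last hop, F cleared
    # on host2:  klist -f shows only f; a further rlogin -f cannot forward it
}

if [ "${1-}" = demo ]; then
    printf '%s\n' "$LOCAL_KLIST" | tgt_flags          # FIA
    simulate_chain FIA -F -F -f                        # three hops, chain ends
    simulate_chain FIA -f -f                           # second hop refused
fi
```

Run it with the argument demo to see the parsed flags and the two modelled chains; the check in forward_session is the one to run before every hop, since a TGT that shows f but not F in klist -f can be used on that host but cannot be forwarded again.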

If Kerberos V5 credentials are forwarded to a DCE client, they are promoted to DCE credentials, allowing the user to run DCE applications on that remote host. The k5dcelogin utility, which rlogind invokes on the remote host, converts the Kerberos V5 credentials to DCE credentials without prompting for a password. See the k5dcelogin reference page for syntax information.