
Re: how to forward tickets
Sujeevan Rasaratnam <sujeevan.rasaratnam@alcatel.com> writes:

> How to forward the tgt from one host to another? If I telnet to one
> host, then I want to telnet from that host to another without
> authenticating myself. It doesn't work for me and I don't know how to
> get it to work. I tried to modify the attribute for principals in
> kadmin, it doesn't have an option to turn on forwarding. Anyways I have
> heimdal 0.4e on a RedHat 7.2 (x86) as kdc and RedHat 9 (x86) are my
> servers and client.

First you get a ticket with forwarding turned on:

	$ kinit -f lha@E.KTH.SE
	lha@E.KTH.SE's Password: 
	$ klist -v
	Credentials cache: FILE:/tmp/krb5cc_913.console
	        Principal: lha@E.KTH.SE
	    Cache version: 4
	
	Server: krbtgt/E.KTH.SE@E.KTH.SE
	Ticket etype: des3-cbc-sha1, kvno 3
	Auth time:  Nov 13 23:09:28 2003
	End time:   Nov 14 09:09:23 2003
	Ticket flags: forwardable, initial
	Addresses: IPv4:130.129.128.242, IPv6:2001:468:19ff:80:205:3cff:fe07:bc0e

Then you tell telnet you want to forward the ticket.

	$ telnet -f shell.e.kth.se 
	Trying 130.237.48.174...
	Connected to quetzalcoatlite.e.kth.se.
	Escape character is '^]'.
	Waiting for encryption to be negotiated...
	[ Trying mutual KERBEROS5 (host/quetzalcoatlite.e.kth.se@E.KTH.SE)... ]
	[ Kerberos V5 accepts you as ``lha@E.KTH.SE'' ]
	[ Kerberos V5 accepted forwarded credentials ]
	Encryption negotiated.
	
	$ klist
	Credentials cache: FILE:/tmp/krb5cc_913
	        Principal: lha@E.KTH.SE
	    Cache version: 4
	
	Server: krbtgt/E.KTH.SE@E.KTH.SE
	Ticket etype: des-cbc-md5, kvno 3
	Auth time:  Nov 13 23:09:28 2003
	Start time: Nov 13 23:10:25 2003
	End time:   Nov 14 09:09:23 2003
	Ticket flags: forwarded, transited-policy-checked
	Addresses: IPv4:130.237.48.174, IPv4:130.237.48.174

telnet -F forwards a forwardable ticket.

You can also add options to the krb5.conf file, see the manpage.

Love

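As an added example (not from the original posts or from Heimdal), a shell check that parses klist -v output and reports whether the TGT for a realm carries the forwardable flag, the precondition for telnet -f to work; the two sample caches are constructed from the outputs quoted above, and the function names are assumptions.

```shell
# Added example (not from the thread or Heimdal); sample caches constructed from the quoted output.

# Cache on the first host after `kinit -f`.
SAMPLE_HOP1='Credentials cache: FILE:/tmp/krb5cc_913.console
        Principal: lha@E.KTH.SE

Server: krbtgt/E.KTH.SE@E.KTH.SE
Ticket etype: des3-cbc-sha1, kvno 3
Ticket flags: forwardable, initial
Addresses: IPv4:130.129.128.242'

# Cache on the second host after `telnet -f`: forwarded but no longer
# forwardable, so a further hop from there fails unless `telnet -F` was used.
SAMPLE_HOP2='Credentials cache: FILE:/tmp/krb5cc_913
        Principal: lha@E.KTH.SE

Server: krbtgt/E.KTH.SE@E.KTH.SE
Ticket etype: des-cbc-md5, kvno 3
Ticket flags: forwarded, transited-policy-checked
Addresses: IPv4:130.237.48.174, IPv4:130.237.48.174'

# tgt_flags REALM: read `klist -v` output on stdin and print the
# "Ticket flags" of the krbtgt/REALM@REALM entry (empty if absent).
tgt_flags() {
    awk -v srv="krbtgt/$1@$1" '
        /^Server: / { cur = $2 }
        /^Ticket flags: / && cur == srv { sub(/^Ticket flags: /, ""); print; exit }'
}

# tgt_is_forwardable REALM: exit 0 iff the TGT on stdin has the forwardable flag.
tgt_is_forwardable() {
    flags=$(tgt_flags "$1" | tr -d ' ')
    [ -n "$flags" ] || return 1
    case ",$flags," in
        *,forwardable,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo; in a real session: klist -v | tgt_is_forwardable E.KTH.SE
report() {  # report LABEL < klist-output
    if tgt_is_forwardable E.KTH.SE; then echo "$1: TGT forwardable, telnet -f can forward it"
    else echo "$1: TGT not forwardable, redo kinit -f or use telnet -F upstream"; fi
}
printf '%s\n' "$SAMPLE_HOP1" | report "hop 1"
printf '%s\n' "$SAMPLE_HOP2" | report "hop 2"
```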