xref: /freebsd/crypto/krb5/doc/html/user/tkt_mgmt.html (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)
1
2<!DOCTYPE html>
3
4<html>
5  <head>
6    <meta charset="utf-8" />
7    <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
8
9    <title>Ticket management &#8212; MIT Kerberos Documentation</title>
10    <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
11    <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
12    <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
13    <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
14    <script src="../_static/jquery.js"></script>
15    <script src="../_static/underscore.js"></script>
16    <script src="../_static/doctools.js"></script>
17    <link rel="author" title="About these documents" href="../about.html" />
18    <link rel="index" title="Index" href="../genindex.html" />
19    <link rel="search" title="Search" href="../search.html" />
20    <link rel="copyright" title="Copyright" href="../copyright.html" />
21    <link rel="next" title="User config files" href="user_config/index.html" />
22    <link rel="prev" title="Password management" href="pwd_mgmt.html" />
23  </head><body>
24    <div class="header-wrapper">
25        <div class="header">
26
27
28            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
29
30            <div class="rel">
31
32        <a href="../index.html" title="Full Table of Contents"
33            accesskey="C">Contents</a> |
34        <a href="pwd_mgmt.html" title="Password management"
35            accesskey="P">previous</a> |
36        <a href="user_config/index.html" title="User config files"
37            accesskey="N">next</a> |
38        <a href="../genindex.html" title="General Index"
39            accesskey="I">index</a> |
40        <a href="../search.html" title="Enter search criteria"
41            accesskey="S">Search</a> |
42    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Ticket management">feedback</a>
43            </div>
44        </div>
45    </div>
46
47    <div class="content-wrapper">
48      <div class="content">
49        <div class="document">
50
51      <div class="documentwrapper">
52        <div class="bodywrapper">
53          <div class="body" role="main">
54
55  <section id="ticket-management">
56<h1>Ticket management<a class="headerlink" href="#ticket-management" title="Permalink to this headline">¶</a></h1>
57<p>On many systems, Kerberos is built into the login program, and you get
58tickets automatically when you log in.  Other programs, such as ssh,
59can forward copies of your tickets to a remote host.  Most of these
60programs also automatically destroy your tickets when they exit.
61However, MIT recommends that you explicitly destroy your Kerberos
62tickets when you are through with them, just to be sure.  One way to
63help ensure that this happens is to add the <a class="reference internal" href="user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a> command
64to your .logout file.  Additionally, if you are going to be away from
65your machine and are concerned about an intruder using your
66permissions, it is safest to either destroy all copies of your
67tickets, or use a screensaver that locks the screen.</p>
68<section id="kerberos-ticket-properties">
69<h2>Kerberos ticket properties<a class="headerlink" href="#kerberos-ticket-properties" title="Permalink to this headline">¶</a></h2>
70<p>There are various properties that Kerberos tickets can have:</p>
71<p>If a ticket is <strong>forwardable</strong>, then the KDC can issue a new ticket
72(with a different network address, if necessary) based on the
73forwardable ticket.  This allows for authentication forwarding without
74requiring a password to be typed in again.  For example, if a user
75with a forwardable TGT logs into a remote system, the KDC could issue
76a new TGT for that user with the network address of the remote system,
77allowing authentication on that host to work as though the user were
78logged in locally.</p>
79<p>When the KDC creates a new ticket based on a forwardable ticket, it
80sets the <strong>forwarded</strong> flag on that new ticket.  Any tickets that are
81created based on a ticket with the forwarded flag set will also have
82their forwarded flags set.</p>
83<p>A <strong>proxiable</strong> ticket is similar to a forwardable ticket in that it
84allows a service to take on the identity of the client.  Unlike a
85forwardable ticket, however, a proxiable ticket is only issued for
86specific services.  In other words, a ticket-granting ticket cannot be
87issued based on a ticket that is proxiable but not forwardable.</p>
88<p>A <strong>proxy</strong> ticket is one that was issued based on a proxiable ticket.</p>
89<p>A <strong>postdated</strong> ticket is issued with the invalid flag set.  After the
90starting time listed on the ticket, it can be presented to the KDC to
91obtain valid tickets.</p>
92<p>Ticket-granting tickets with the <strong>postdateable</strong> flag set can be used
93to obtain postdated service tickets.</p>
94<p><strong>Renewable</strong> tickets can be used to obtain new session keys without
95the user entering their password again.  A renewable ticket has two
96expiration times.  The first is the time at which this particular
97ticket expires.  The second is the latest possible expiration time for
98any ticket issued based on this renewable ticket.</p>
99<p>A ticket with the <strong>initial flag</strong> set was issued based on the
100authentication protocol, and not on a ticket-granting ticket.
101Application servers that wish to ensure that the user’s key has been
102recently presented for verification could specify that this flag must
103be set to accept the ticket.</p>
104<p>An <strong>invalid</strong> ticket must be rejected by application servers.
105Postdated tickets are usually issued with this flag set, and must be
106validated by the KDC before they can be used.</p>
107<p>A <strong>preauthenticated</strong> ticket is one that was only issued after the
108client requesting the ticket had authenticated itself to the KDC.</p>
109<p>The <strong>hardware authentication</strong> flag is set on a ticket which required
110the use of hardware for authentication.  The hardware is expected to
111be possessed only by the client which requested the tickets.</p>
112<p>If a ticket has the <strong>transit policy</strong> checked flag set, then the KDC
113that issued this ticket implements the transited-realm check policy
114and checked the transited-realms list on the ticket.  The
115transited-realms list contains a list of all intermediate realms
116between the realm of the KDC that issued the first ticket and that of
117the one that issued the current ticket.  If this flag is not set, then
118the application server must check the transited realms itself or else
119reject the ticket.</p>
120<p>The <strong>okay as delegate</strong> flag indicates that the server specified in
121the ticket is suitable as a delegate as determined by the policy of
122that realm.  Some client applications may use this flag to decide
123whether to forward tickets to a remote host, although many
124applications do not honor it.</p>
125<p>An <strong>anonymous</strong> ticket is one in which the named principal is a
126generic principal for that realm; it does not actually specify the
127individual that will be using the ticket.  This ticket is meant only
128to securely distribute a session key.</p>
129</section>
130<section id="obtaining-tickets-with-kinit">
131<span id="obtain-tkt"></span><h2>Obtaining tickets with kinit<a class="headerlink" href="#obtaining-tickets-with-kinit" title="Permalink to this headline">¶</a></h2>
132<p>If your site has integrated Kerberos V5 with the login system, you
133will get Kerberos tickets automatically when you log in.  Otherwise,
134you may need to explicitly obtain your Kerberos tickets, using the
135<a class="reference internal" href="user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> program.  Similarly, if your Kerberos tickets expire,
136use the kinit program to obtain new ones.</p>
137<p>To use the kinit program, simply type <code class="docutils literal notranslate"><span class="pre">kinit</span></code> and then type your
138password at the prompt. For example, Jennifer (whose username is
139<code class="docutils literal notranslate"><span class="pre">jennifer</span></code>) works for Bleep, Inc. (a fictitious company with the
140domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU).  She would
141type:</p>
142<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kinit</span>
143<span class="n">Password</span> <span class="k">for</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> <span class="o">&lt;--</span> <span class="p">[</span><span class="n">Type</span> <span class="n">jennifer</span><span class="s1">&#39;s password here.]</span>
144<span class="n">shell</span><span class="o">%</span>
145</pre></div>
146</div>
147<p>If you type your password incorrectly, kinit will give you the
148following error message:</p>
149<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kinit</span>
150<span class="n">Password</span> <span class="k">for</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> <span class="o">&lt;--</span> <span class="p">[</span><span class="n">Type</span> <span class="n">the</span> <span class="n">wrong</span> <span class="n">password</span> <span class="n">here</span><span class="o">.</span><span class="p">]</span>
151<span class="n">kinit</span><span class="p">:</span> <span class="n">Password</span> <span class="n">incorrect</span>
152<span class="n">shell</span><span class="o">%</span>
153</pre></div>
154</div>
155<p>and you won’t get Kerberos tickets.</p>
156<p>By default, kinit assumes you want tickets for your own username in
157your default realm.  Suppose Jennifer’s friend David is visiting, and
158he wants to borrow a window to check his mail.  David needs to get
159tickets for himself in his own realm, EXAMPLE.COM.  He would type:</p>
160<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kinit</span> <span class="n">david</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
161<span class="n">Password</span> <span class="k">for</span> <span class="n">david</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> <span class="o">&lt;--</span> <span class="p">[</span><span class="n">Type</span> <span class="n">david</span><span class="s1">&#39;s password here.]</span>
162<span class="n">shell</span><span class="o">%</span>
163</pre></div>
164</div>
165<p>David would then have tickets which he could use to log onto his own
166machine.  Note that he typed his password locally on Jennifer’s
167machine, but it never went over the network.  Kerberos on the local
168host performed the authentication to the KDC in the other realm.</p>
169<p>If you want to be able to forward your tickets to another host, you
170need to request forwardable tickets.  You do this by specifying the
171<strong>-f</strong> option:</p>
172<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kinit</span> <span class="o">-</span><span class="n">f</span>
173<span class="n">Password</span> <span class="k">for</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> <span class="o">&lt;--</span> <span class="p">[</span><span class="n">Type</span> <span class="n">your</span> <span class="n">password</span> <span class="n">here</span><span class="o">.</span><span class="p">]</span>
174<span class="n">shell</span><span class="o">%</span>
175</pre></div>
176</div>
177<p>Note that kinit does not tell you that it obtained forwardable
178tickets; you can verify this using the <a class="reference internal" href="user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> command (see
179<a class="reference internal" href="#view-tkt"><span class="std std-ref">Viewing tickets with klist</span></a>).</p>
180<p>Normally, your tickets are good for your system’s default ticket
181lifetime, which is ten hours on many systems.  You can specify a
182different ticket lifetime with the <strong>-l</strong> option.  Add the letter
183<strong>s</strong> to the value for seconds, <strong>m</strong> for minutes, <strong>h</strong> for hours, or
184<strong>d</strong> for days.  For example, to obtain forwardable tickets for
185<code class="docutils literal notranslate"><span class="pre">david&#64;EXAMPLE.COM</span></code> that would be good for three hours, you would
186type:</p>
187<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kinit</span> <span class="o">-</span><span class="n">f</span> <span class="o">-</span><span class="n">l</span> <span class="mi">3</span><span class="n">h</span> <span class="n">david</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
188<span class="n">Password</span> <span class="k">for</span> <span class="n">david</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> <span class="o">&lt;--</span> <span class="p">[</span><span class="n">Type</span> <span class="n">david</span><span class="s1">&#39;s password here.]</span>
189<span class="n">shell</span><span class="o">%</span>
190</pre></div>
191</div>
192<div class="admonition note">
193<p class="admonition-title">Note</p>
194<p>You cannot mix units; specifying a lifetime of 3h30m would
195result in an error.  Note also that most systems specify a
196maximum ticket lifetime.  If you request a longer ticket
197lifetime, it will be automatically truncated to the maximum
198lifetime.</p>
199</div>
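<p>As an added example (it is not part of this documentation and not kinit's own option parser), the following Python model applies the rules just described to a kinit command line: the principal defaults to your own, <strong>-f</strong> requests forwardable tickets, <strong>-l</strong> takes an integer followed by a single unit letter (so 3h30m is rejected, as the note says), and a lifetime longer than the site maximum is silently truncated. The ten-hour default maximum, the argument list handled and the returned dictionary are assumptions chosen to match the examples on this page.</p>

```python
import re

# Units accepted after the integer in a "kinit -l" lifetime (from this page).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Exactly one integer and one unit letter: "3h" is valid, "3h30m" is not.
LIFETIME_RE = re.compile(r"^(\d+)([smhd])$")


def parse_lifetime(text):
    """Return the number of seconds for a lifetime string such as "3h".

    Raises ValueError for mixed units or other malformed input, mirroring the
    documented rule that units cannot be mixed.
    """
    m = LIFETIME_RE.match(text.strip())
    if m is None:
        raise ValueError(
            "bad lifetime %r: use an integer with one unit letter (s, m, h, d)" % text
        )
    value, unit = m.groups()
    return int(value) * UNIT_SECONDS[unit]


def is_valid_lifetime(text):
    """True if parse_lifetime would accept the string."""
    return LIFETIME_RE.match(text.strip()) is not None


def plan_kinit(argv, default_principal, max_lifetime=10 * 3600):
    """Model what a kinit command line will request (hypothetical helper).

    argv is the argument list after "kinit", e.g. ['-f', '-l', '3h', 'david@EXAMPLE.COM'].
    Only -f, -l and a trailing principal are modelled.  max_lifetime stands in
    for the site's maximum ticket lifetime (assumed ten hours, as on many systems).
    """
    forwardable = False
    requested = max_lifetime          # no -l given: the system default lifetime
    principal = default_principal     # no principal given: your own username/realm
    args = list(argv)
    while args:
        arg = args.pop(0)
        if arg == "-f":
            forwardable = True
        elif arg == "-l":
            if not args:
                raise ValueError("-l requires a lifetime argument")
            requested = parse_lifetime(args.pop(0))
        elif arg.startswith("-"):
            raise ValueError("option not covered by this model: %s" % arg)
        else:
            principal = arg
    granted = min(requested, max_lifetime)   # documented truncation to the maximum
    return {
        "principal": principal,
        "forwardable": forwardable,
        "requested_lifetime": requested,
        "granted_lifetime": granted,
        "truncated": granted != requested,
    }


if __name__ == "__main__":
    for argv in (["-f", "-l", "3h", "david@EXAMPLE.COM"], ["-l", "2d"], []):
        print("kinit %s" % " ".join(argv), plan_kinit(argv, "jennifer@ATHENA.MIT.EDU"))
    for text in ("3h", "3h30m"):
        print(text, "valid" if is_valid_lifetime(text) else "rejected (mixed or malformed units)")
```

<p>The model keeps both the requested and the granted lifetime so that a truncated request is visible; the real kinit does not report the truncation, which is why checking with klist afterwards is the documented way to confirm what you actually received.</p>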
200</section>
201<section id="viewing-tickets-with-klist">
202<span id="view-tkt"></span><h2>Viewing tickets with klist<a class="headerlink" href="#viewing-tickets-with-klist" title="Permalink to this headline">¶</a></h2>
203<p>The <a class="reference internal" href="user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a> command shows your tickets.  When you first obtain
204tickets, you will have only the ticket-granting ticket.  The listing
205would look like this:</p>
206<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">klist</span>
207<span class="n">Ticket</span> <span class="n">cache</span><span class="p">:</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">krb5cc_ttypa</span>
208<span class="n">Default</span> <span class="n">principal</span><span class="p">:</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
209
210<span class="n">Valid</span> <span class="n">starting</span>     <span class="n">Expires</span>            <span class="n">Service</span> <span class="n">principal</span>
211<span class="mi">06</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">04</span> <span class="mi">19</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">21</span>  <span class="mi">06</span><span class="o">/</span><span class="mi">08</span><span class="o">/</span><span class="mi">04</span> <span class="mi">05</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">19</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
212<span class="n">shell</span><span class="o">%</span>
213</pre></div>
214</div>
215<p>The ticket cache is the location of your ticket file. In the above
216example, this file is named <code class="docutils literal notranslate"><span class="pre">/tmp/krb5cc_ttypa</span></code>. The default
217principal is your Kerberos principal.</p>
218<p>The “valid starting” and “expires” fields describe the period of time
219during which the ticket is valid.  The “service principal” describes
220each ticket.  The ticket-granting ticket has a first component
221<code class="docutils literal notranslate"><span class="pre">krbtgt</span></code>, and a second component which is the realm name.</p>
222<p>Now, if <code class="docutils literal notranslate"><span class="pre">jennifer</span></code> connected to the machine <code class="docutils literal notranslate"><span class="pre">daffodil.mit.edu</span></code>,
223and then typed “klist” again, she would have gotten the following
224result:</p>
225<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">klist</span>
226<span class="n">Ticket</span> <span class="n">cache</span><span class="p">:</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">krb5cc_ttypa</span>
227<span class="n">Default</span> <span class="n">principal</span><span class="p">:</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
228
229<span class="n">Valid</span> <span class="n">starting</span>     <span class="n">Expires</span>            <span class="n">Service</span> <span class="n">principal</span>
230<span class="mi">06</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">04</span> <span class="mi">19</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">21</span>  <span class="mi">06</span><span class="o">/</span><span class="mi">08</span><span class="o">/</span><span class="mi">04</span> <span class="mi">05</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">19</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
231<span class="mi">06</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">04</span> <span class="mi">20</span><span class="p">:</span><span class="mi">22</span><span class="p">:</span><span class="mi">30</span>  <span class="mi">06</span><span class="o">/</span><span class="mi">08</span><span class="o">/</span><span class="mi">04</span> <span class="mi">05</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">19</span>  <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
232<span class="n">shell</span><span class="o">%</span>
233</pre></div>
234</div>
235<p>Here’s what happened: when <code class="docutils literal notranslate"><span class="pre">jennifer</span></code> used ssh to connect to the
236host <code class="docutils literal notranslate"><span class="pre">daffodil.mit.edu</span></code>, the ssh program presented her
237ticket-granting ticket to the KDC and requested a host ticket for the
238host <code class="docutils literal notranslate"><span class="pre">daffodil.mit.edu</span></code>.  The KDC sent the host ticket, which ssh
239then presented to the host <code class="docutils literal notranslate"><span class="pre">daffodil.mit.edu</span></code>, and she was allowed
240to log in without typing her password.</p>
241<p>Suppose your Kerberos tickets allow you to log into a host in another
242domain, such as <code class="docutils literal notranslate"><span class="pre">trillium.example.com</span></code>, which is also in another
243Kerberos realm, <code class="docutils literal notranslate"><span class="pre">EXAMPLE.COM</span></code>.  If you ssh to this host, you will
244receive a ticket-granting ticket for the realm <code class="docutils literal notranslate"><span class="pre">EXAMPLE.COM</span></code>, plus
245the new host ticket for <code class="docutils literal notranslate"><span class="pre">trillium.example.com</span></code>.  klist will now
246show:</p>
247<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">klist</span>
248<span class="n">Ticket</span> <span class="n">cache</span><span class="p">:</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">krb5cc_ttypa</span>
249<span class="n">Default</span> <span class="n">principal</span><span class="p">:</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
250
251<span class="n">Valid</span> <span class="n">starting</span>     <span class="n">Expires</span>            <span class="n">Service</span> <span class="n">principal</span>
252<span class="mi">06</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">04</span> <span class="mi">19</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">21</span>  <span class="mi">06</span><span class="o">/</span><span class="mi">08</span><span class="o">/</span><span class="mi">04</span> <span class="mi">05</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">19</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
253<span class="mi">06</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">04</span> <span class="mi">20</span><span class="p">:</span><span class="mi">22</span><span class="p">:</span><span class="mi">30</span>  <span class="mi">06</span><span class="o">/</span><span class="mi">08</span><span class="o">/</span><span class="mi">04</span> <span class="mi">05</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">19</span>  <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
254<span class="mi">06</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">04</span> <span class="mi">20</span><span class="p">:</span><span class="mi">24</span><span class="p">:</span><span class="mi">18</span>  <span class="mi">06</span><span class="o">/</span><span class="mi">08</span><span class="o">/</span><span class="mi">04</span> <span class="mi">05</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">19</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
255<span class="mi">06</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">04</span> <span class="mi">20</span><span class="p">:</span><span class="mi">24</span><span class="p">:</span><span class="mi">18</span>  <span class="mi">06</span><span class="o">/</span><span class="mi">08</span><span class="o">/</span><span class="mi">04</span> <span class="mi">05</span><span class="p">:</span><span class="mi">49</span><span class="p">:</span><span class="mi">19</span>  <span class="n">host</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
256<span class="n">shell</span><span class="o">%</span>
257</pre></div>
258</div>
259<p>Depending on your host’s and realm’s configuration, you may also see a
260ticket with the service principal <code class="docutils literal notranslate"><span class="pre">host/trillium.example.com&#64;</span></code>.  If
261so, this means that your host did not know what realm
262trillium.example.com is in, so it asked the <code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> KDC for
263a referral.  The next time you connect to <code class="docutils literal notranslate"><span class="pre">trillium.example.com</span></code>,
264the odd-looking entry will be used to avoid needing to ask for a
265referral again.</p>
266<p>You can use the <strong>-f</strong> option to view the flags that apply to your
267tickets.  The flags are:</p>
268<table class="docutils align-default">
269<colgroup>
270<col style="width: 17%" />
271<col style="width: 83%" />
272</colgroup>
273<tbody>
274<tr class="row-odd"><td><p>F</p></td>
275<td><p>Forwardable</p></td>
276</tr>
277<tr class="row-even"><td><p>f</p></td>
278<td><p>forwarded</p></td>
279</tr>
280<tr class="row-odd"><td><p>P</p></td>
281<td><p>Proxiable</p></td>
282</tr>
283<tr class="row-even"><td><p>p</p></td>
284<td><p>proxy</p></td>
285</tr>
286<tr class="row-odd"><td><p>D</p></td>
287<td><p>postDateable</p></td>
288</tr>
289<tr class="row-even"><td><p>d</p></td>
290<td><p>postdated</p></td>
291</tr>
292<tr class="row-odd"><td><p>R</p></td>
293<td><p>Renewable</p></td>
294</tr>
295<tr class="row-even"><td><p>I</p></td>
296<td><p>Initial</p></td>
297</tr>
298<tr class="row-odd"><td><p>i</p></td>
299<td><p>invalid</p></td>
300</tr>
301<tr class="row-even"><td><p>H</p></td>
302<td><p>Hardware authenticated</p></td>
303</tr>
304<tr class="row-odd"><td><p>A</p></td>
305<td><p>preAuthenticated</p></td>
306</tr>
307<tr class="row-even"><td><p>T</p></td>
308<td><p>Transit policy checked</p></td>
309</tr>
310<tr class="row-odd"><td><p>O</p></td>
311<td><p>Okay as delegate</p></td>
312</tr>
313<tr class="row-even"><td><p>a</p></td>
314<td><p>anonymous</p></td>
315</tr>
316</tbody>
317</table>
318<p>Here is a sample listing.  In this example, the user <em>jennifer</em>
319obtained her initial tickets (<strong>I</strong>), which are forwardable (<strong>F</strong>)
320and postdated (<strong>d</strong>) but not yet validated (<strong>i</strong>):</p>
321<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">klist</span> <span class="o">-</span><span class="n">f</span>
322<span class="n">Ticket</span> <span class="n">cache</span><span class="p">:</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">krb5cc_320</span>
323<span class="n">Default</span> <span class="n">principal</span><span class="p">:</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
324
325<span class="n">Valid</span> <span class="n">starting</span>      <span class="n">Expires</span>             <span class="n">Service</span> <span class="n">principal</span>
326<span class="mi">31</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">05</span> <span class="mi">19</span><span class="p">:</span><span class="mi">06</span><span class="p">:</span><span class="mi">25</span>  <span class="mi">31</span><span class="o">/</span><span class="mi">07</span><span class="o">/</span><span class="mi">05</span> <span class="mi">19</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">25</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
327        <span class="n">Flags</span><span class="p">:</span> <span class="n">FdiI</span>
328<span class="n">shell</span><span class="o">%</span>
329</pre></div>
330</div>
331<p>In the following example, the user <em>david</em>’s tickets were forwarded
332(<strong>f</strong>) to this host from another host.  The tickets are reforwardable
333(<strong>F</strong>):</p>
334<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">klist</span> <span class="o">-</span><span class="n">f</span>
<span class="n">Ticket</span> <span class="n">cache</span><span class="p">:</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">krb5cc_p11795</span>
<span class="n">Default</span> <span class="n">principal</span><span class="p">:</span> <span class="n">david</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>

<span class="n">Valid</span> <span class="n">starting</span>     <span class="n">Expires</span>            <span class="n">Service</span> <span class="n">principal</span>
<span class="mi">07</span><span class="o">/</span><span class="mi">31</span><span class="o">/</span><span class="mi">05</span> <span class="mi">11</span><span class="p">:</span><span class="mi">52</span><span class="p">:</span><span class="mi">29</span>  <span class="mi">07</span><span class="o">/</span><span class="mi">31</span><span class="o">/</span><span class="mi">05</span> <span class="mi">21</span><span class="p">:</span><span class="mi">11</span><span class="p">:</span><span class="mi">23</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
        <span class="n">Flags</span><span class="p">:</span> <span class="n">Ff</span>
<span class="mi">07</span><span class="o">/</span><span class="mi">31</span><span class="o">/</span><span class="mi">05</span> <span class="mi">12</span><span class="p">:</span><span class="mi">03</span><span class="p">:</span><span class="mi">48</span>  <span class="mi">07</span><span class="o">/</span><span class="mi">31</span><span class="o">/</span><span class="mi">05</span> <span class="mi">21</span><span class="p">:</span><span class="mi">11</span><span class="p">:</span><span class="mi">23</span>  <span class="n">host</span><span class="o">/</span><span class="n">trillium</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
        <span class="n">Flags</span><span class="p">:</span> <span class="n">Ff</span>
<span class="n">shell</span><span class="o">%</span>
</pre></div>
</div>
</section>
<section id="destroying-tickets-with-kdestroy">
<h2>Destroying tickets with kdestroy<a class="headerlink" href="#destroying-tickets-with-kdestroy" title="Permalink to this headline">¶</a></h2>
<p>Your Kerberos tickets are proof that you are indeed yourself, and
tickets could be stolen if someone gains access to a computer where
they are stored.  If this happens, the person who has them can
masquerade as you until they expire.  For this reason, you should
destroy your Kerberos tickets when you are away from your computer.</p>
<p>Destroying your tickets is easy.  Simply type kdestroy:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdestroy</span>
<span class="n">shell</span><span class="o">%</span>
</pre></div>
</div>
<p>If <a class="reference internal" href="user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a> fails to destroy your tickets, it will beep and
give an error message.  For example, if kdestroy can’t find any
tickets to destroy, it will give the following message:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdestroy</span>
<span class="n">kdestroy</span><span class="p">:</span> <span class="n">No</span> <span class="n">credentials</span> <span class="n">cache</span> <span class="n">file</span> <span class="n">found</span> <span class="k">while</span> <span class="n">destroying</span> <span class="n">cache</span>
<span class="n">shell</span><span class="o">%</span>
</pre></div>
</div>
</section>
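<p>The klist listing above and the kdestroy advice in this section, as an added Python example that is not part of the MIT Kerberos documentation: a parser for the klist output format (cache path, default principal, per-ticket validity window and Flags letters) plus a check for ticket-granting tickets that are still unexpired and forwardable, which is the credential a left-behind cache exposes and what kdestroy removes. The sample output is the session shown on this page; the flag-letter names follow klist(1).</p>

```python
# Added example (not from the MIT Kerberos docs): parse klist output into
# records and decode the Flags column. SAMPLE is the session from this page.
import re
from dataclasses import dataclass
from datetime import datetime
SAMPLE = """\
Ticket cache: /tmp/krb5cc_p11795
Default principal: david@EXAMPLE.COM

Valid starting     Expires            Service principal
07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: Ff
07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM
        Flags: Ff
"""
# Flag letters as documented in klist(1); unknown letters pass through.
FLAG_NAMES = {"F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
              "R": "renewable", "I": "initial", "i": "invalid", "A": "preauthenticated"}
TIME_FMT = "%m/%d/%y %H:%M:%S"  # two-digit year, as klist prints it
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ENTRY_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")

@dataclass
class Ticket:
    start: datetime
    expires: datetime
    service: str
    flags: str = ""
    def expired(self, now):
        return now >= self.expires
    def flag_names(self):
        return [FLAG_NAMES.get(c, c) for c in self.flags]

def parse_klist(text):
    """Return (cache path, default principal, list of Ticket) from klist output."""
    cache, principal, tickets = None, None, []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := ENTRY_RE.match(line)):
            tickets.append(Ticket(datetime.strptime(m[1], TIME_FMT),
                                  datetime.strptime(m[2], TIME_FMT), m[3]))
        elif line.strip().startswith("Flags:") and tickets:
            tickets[-1].flags = line.split(":", 1)[1].strip()  # describes entry above
    return cache, principal, tickets

def live_forwardable_tgts(tickets, now):
    """Unexpired TGTs still forwardable: what kdestroy clears from a cache left behind."""
    return [t for t in tickets if t.service.startswith("krbtgt/")
            and "F" in t.flags and not t.expired(now)]
```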
</section>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.21.3</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
            </div>
        </div>
    </div>

  </body>
</html>