
Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.25. What is "user to user" authentication?
Next Document: 1.27. What are renewable tickets?


1.26. What are forwardable tickets?


The Kerberos ticket encodes the IP address of the client. Application servers
and the KDC use this address to verify the host that presents the ticket, so a
ticket acquired on one host cannot be used from another.

Kerberos 5 introduced the concept of forwardable tickets. During the initial
TGT acquisition, a client can request that the ticket be marked forwardable.
If the KDC chooses to honor this request (the administrator has the option
of disallowing forwardable tickets on a per-site or per-principal basis),
the TKT_FLG_FORWARDABLE flag will be set in the flags field in the ticket.

Once the TKT_FLG_FORWARDABLE flag is set on a ticket, the user can present that
ticket to the KDC to request a new ticket encoded with a different IP address.
Thus, a user can use their current credentials to obtain credentials valid on
another machine.

In the MIT Kerberos 5 release, all of the remote login programs (telnet,
rlogin, rsh) support forwarding a user's TGT to the remote system.
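The following is an added example, not code from the FAQ or from MIT Kerberos: a small Python model of the mechanism described above. It shows why a plain ticket fails the address check when carried to another host, how the KDC sets TKT_FLG_FORWARDABLE only when the request is made and site or per-principal policy allows it, and how a forwardable TGT is used to obtain a new TGT bound to the remote host's address. The Ticket, KDC and server_accepts pieces are simplified stand-ins; the principal denylist and the address strings are constructed for the illustration. The flag bit values are those defined in MIT krb5's krb5.h.

```python
# Constructed model of forwardable tickets, following the FAQ's description.
# None of this is MIT krb5 code; the classes, policy knobs and addresses are
# assumptions made for the example.
from dataclasses import dataclass

# Ticket flag bits as defined in MIT krb5's krb5.h.
TKT_FLG_FORWARDABLE = 0x40000000
TKT_FLG_FORWARDED = 0x20000000


@dataclass
class Ticket:
    client: str        # client principal, e.g. "alice@EXAMPLE.ORG"
    service: str       # service principal the ticket is issued for
    addresses: tuple   # client IP addresses encoded in the ticket
    flags: int = 0     # TKT_FLG_* bits

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)


class KDC:
    """Minimal KDC: issues TGTs and honours forwardable requests per policy."""

    def __init__(self, realm, site_allows_forwardable=True,
                 principal_denylist=frozenset()):
        self.realm = realm
        self.site_allows_forwardable = site_allows_forwardable
        self.principal_denylist = principal_denylist   # assumed per-principal policy

    def _forwardable_ok(self, principal):
        # The administrator may disallow forwardable tickets per site or per principal.
        return self.site_allows_forwardable and principal not in self.principal_denylist

    def initial_tgt(self, principal, client_addr, request_forwardable=False):
        # Initial TGT acquisition; the flag is set only if requested AND allowed.
        flags = 0
        if request_forwardable and self._forwardable_ok(principal):
            flags |= TKT_FLG_FORWARDABLE
        return Ticket(principal, f"krbtgt/{self.realm}@{self.realm}", (client_addr,), flags)

    def forward_tgt(self, tgt, new_addr):
        """Use an existing forwardable TGT to request a TGT bound to new_addr."""
        if not tgt.has(TKT_FLG_FORWARDABLE):
            raise PermissionError("ticket is not forwardable")
        # The new ticket carries the remote address and is marked FORWARDED.
        return Ticket(tgt.client, tgt.service, (new_addr,), tgt.flags | TKT_FLG_FORWARDED)


def server_accepts(ticket, presenting_addr):
    """Application-server address check: a ticket presented from an address it
    was not issued for is rejected, which is what makes plain tickets non-portable."""
    return presenting_addr in ticket.addresses


def demo():
    kdc = KDC("EXAMPLE.ORG", principal_denylist=frozenset({"svc-batch@EXAMPLE.ORG"}))
    # alice logs in on 10.0.0.5 and asks for a forwardable TGT.
    tgt = kdc.initial_tgt("alice@EXAMPLE.ORG", "10.0.0.5", request_forwardable=True)
    # Carrying the raw TGT to 10.0.0.9 fails the address check.
    raw_usable_elsewhere = server_accepts(tgt, "10.0.0.9")
    # Instead she uses the TGT to obtain one bound to the remote host's address.
    fwd = kdc.forward_tgt(tgt, "10.0.0.9")
    # A principal the administrator excluded never gets the flag, so forwarding fails.
    batch = kdc.initial_tgt("svc-batch@EXAMPLE.ORG", "10.0.0.5", request_forwardable=True)
    try:
        kdc.forward_tgt(batch, "10.0.0.9")
        batch_forwarded = True
    except PermissionError:
        batch_forwarded = False
    return {
        "tgt_forwardable": tgt.has(TKT_FLG_FORWARDABLE),
        "raw_tgt_usable_elsewhere": raw_usable_elsewhere,
        "forwarded_usable_elsewhere": server_accepts(fwd, "10.0.0.9"),
        "forwarded_flag_set": fwd.has(TKT_FLG_FORWARDED),
        "denied_principal_forwarded": batch_forwarded,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a real MIT Kerberos installation the same behaviour is observed with the shipped tools: `kinit -f` requests a forwardable TGT, and `klist -f` lists the ticket flags, showing `F` for forwardable and `f` for a ticket that was forwarded. The per-principal policy modelled by the denylist corresponds to the `-allow_forwardable` attribute set on a principal with kadmin.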



Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>

Last Update December 05 2008 @ 00:11 AM

© 2008 FAQS.ORG. All rights reserved.