Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 1.26. What are forwardable tickets?

The IP address of the client is encoded inside the Kerberos ticket.
Application servers and the KDC use it to verify the address of the
client, which means that a ticket acquired on one host cannot be used on
another.

Kerberos 5 introduced the concept of forwardable tickets. During the initial
TGT acquisition, a client can request that the ticket be marked forwardable.
If the KDC chooses to honor this request (the administrator has the option
of disallowing forwardable tickets on a per-site or per-principal basis),
the TKT_FLG_FORWARDABLE flag will be set in the flags field in the ticket.

Once the TKT_FLG_FORWARDABLE flag is set on a ticket, the user can use this
ticket to request a new ticket, but with a different IP address. Thus, a
user can use their current credentials to get credentials valid on another
machine.
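
A toy model of the checks described above, as an added example that is not
part of the original FAQ and is not MIT Kerberos code. The struct layouts,
policy fields and function names are hypothetical; the flag values follow the
RFC 4120 TicketFlags bit positions, and the addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values follow the RFC 4120 TicketFlags bit positions (bit 0 = MSB). */
#define FLG_FORWARDABLE 0x40000000u  /* same value as TKT_FLG_FORWARDABLE */
#define FLG_FORWARDED   0x20000000u  /* marks a ticket obtained by forwarding */

/* Toy ticket: only the fields this FAQ section talks about. */
struct ticket { uint32_t flags; char client_addr[16]; };

/* Hypothetical KDC policy: per-site and per-principal switches. */
struct policy { int site_allows_fwd; int principal_allows_fwd; };

/* Initial TGT request: the flag is set only if requested AND allowed. */
struct ticket kdc_issue_tgt(const struct policy *p, const char *addr, int want_fwd)
{
    struct ticket t = { 0, "" };
    snprintf(t.client_addr, sizeof t.client_addr, "%s", addr);
    if (want_fwd && p->site_allows_fwd && p->principal_allows_fwd)
        t.flags |= FLG_FORWARDABLE;
    return t;
}

/* Forwarding request: 0 and *out filled in, or -1 if the TGT is not forwardable. */
int kdc_forward(const struct ticket *tgt, const char *new_addr, struct ticket *out)
{
    if (!(tgt->flags & FLG_FORWARDABLE))
        return -1;
    out->flags = tgt->flags | FLG_FORWARDED;  /* simplification: other flags copied */
    snprintf(out->client_addr, sizeof out->client_addr, "%s", new_addr);
    return 0;
}

/* Address check done by the KDC or an application server. */
int address_ok(const struct ticket *t, const char *peer_addr)
{
    return strcmp(t->client_addr, peer_addr) == 0;
}

int main(void)
{
    struct policy pol = { 1, 1 };
    struct ticket tgt = kdc_issue_tgt(&pol, "192.0.2.10", 1), fwd;
    printf("TGT used from other host accepted: %d\n", address_ok(&tgt, "192.0.2.20"));
    if (kdc_forward(&tgt, "192.0.2.20", &fwd) == 0)
        printf("forwarded ticket accepted: %d\n", address_ok(&fwd, "192.0.2.20"));
    return 0;
}
```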

In the MIT Kerberos 5 release, all of the remote login programs (telnet,
rlogin, rsh) support forwarding a user's TGT to the remote system.


Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>





Last Update March 27 2014 @ 02:11 PM