Kerberos - (Ticket|Credentials)

1 - About

Security - (Identity+Authenticator=Credential) in Kerberos.

Kerberos credentials, or “tickets”, are a set of electronic information that can be used to verify an identity.

The KDC issues only two different types of tickets.

3 - Management

3.1 - Storage

Kerberos tickets may be stored in a file, or they may exist only in memory.

3.2 - Delete

The kdestroy utility destroys the user’s active Kerberos authorization tickets by writing zeros to the specified credentials cache that contains them.

3.3 - Get

If your site is using the Kerberos V5 login program, you will get Kerberos tickets automatically when you log in. Otherwise, you need to obtain them explicitly with the kinit program.

3.4 - List

klist lists the tickets in the credentials cache, along with their flags.

4 - Flag

You can display the (flag|properties) of each ticket with the klist utility and the -f option (f means flag).

4.1 - forward

A new ticket can be issued with a different network address.

This allows for authentication forwarding. For example, if a user with a forwardable TGT logs into a remote system, the KDC could issue a new TGT for that user with the network address of the remote system, allowing authentication on that host to work as though the user were logged in locally.

4.2 - proxy

A proxiable ticket is similar to a forwardable ticket in that it allows a service to take on the identity of the client.

Unlike a forwardable ticket, however, a proxiable ticket is only issued for specific services. In other words, a ticket-granting ticket (TGT) cannot be issued based on a ticket that is proxiable but not forwardable.
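
The following is an added example, not part of the original page: a shell filter that reads klist -f output and reports which cached tickets carry the forward or proxy flags described above. It assumes the MIT klist layout and flag letters (F forwardable, f forwarded, P proxiable, p proxy); the function names and the sample cache listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a credentials cache for
# tickets that can be delegated, i.e. the forward and proxy flags of section 4.
# Assumption: input follows the MIT `klist -f` layout, where each ticket line
# starts with a date and is followed by an indented "Flags: ..." line.

# Constructed sample of `klist -f` output (principals and times are made up).
sample_klist_output() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
05/15/2018 09:00:00  05/15/2018 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/22/2018 09:00:00, Flags: FRIA
05/15/2018 09:05:12  05/15/2018 19:00:00  host/web01.example.com@EXAMPLE.COM
        Flags: PA
05/15/2018 09:07:40  05/15/2018 19:00:00  HTTP/intranet.example.com@EXAMPLE.COM
        Flags: A
EOF
}

# Reads `klist -f` output on stdin and prints, for every ticket carrying a
# delegation flag: <service principal> <flags> <comma-separated meaning>.
delegable_tickets() {
    awk '
        # Append a readable name to "why" when the flag letter is present.
        function note(letter, name) {
            if (index(flags, letter)) why = why (why == "" ? "" : ",") name
        }
        # Ticket line: start date/time, end date/time, service principal.
        /^[0-9]/ && NF >= 5 { svc = $5; next }
        # Continuation line: the flag letters are the last field.
        /Flags:/ && svc != "" {
            flags = $NF; why = ""
            note("F", "forwardable"); note("f", "forwarded")
            note("P", "proxiable");   note("p", "proxy")
            if (why != "") print svc, flags, why
            svc = ""
        }
    '
}

# Stand-alone run on the sample; on a live host: klist -f | delegable_tickets
sample_klist_output | delegable_tickets
```

On the sample, the TGT is reported as forwardable and the host ticket as proxiable only, which is the case the proxy section describes: that ticket cannot be used to obtain a new TGT.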

4.3 - ....


security/kerberos/ticket.txt · Last modified: 2018/05/15 16:41 by gerardnico