System Administration Guide, Volume 2

Ticket Management

This section explains how to obtain, view, and destroy tickets. For an introduction to tickets, see "How SEAM Works".

Do You Need to Worry About Tickets?

PAM can be set up to obtain tickets for you automatically when you log in. This is the default SEAM behavior, but your site's configuration might not include this automatic acquisition of tickets.

Most Kerberized commands that obtain tickets for a session (for example, by forwarding your ticket to a remote host) also destroy those tickets when they exit. Tickets you obtain with kinit, however, stay in your credential cache until they expire, so you might want to explicitly destroy your Kerberos tickets with kdestroy when you are through with them, just to be sure. See "How to Destroy Tickets" for more information on kdestroy.

For information on ticket lifetimes, see "Ticket Lifetimes".

How to Create a Ticket

Normally a ticket is created automatically when you log in, and you need not do anything special to obtain one. However, you must create a ticket yourself if your PAM configuration does not obtain one at login, if your ticket has expired, or if you want a ticket with particular attributes, such as a longer lifetime or the forwardable flag shown in the examples below.

To create a ticket, use the kinit command.


% /usr/bin/kinit 

kinit prompts you for your password. For the full syntax of the kinit command, see the kinit(1) man page.

Example--Creating a Ticket

This example shows a user, jennifer, creating a ticket on her own system.


% kinit
Password for jennifer@ENG.ACME.COM:  <enter password>

Here the user david creates a ticket good for three hours with the -l option. The KDC caps the lifetime you request at the realm's configured maximum, so the ticket you receive might be shorter-lived than you asked for; check it with klist.


% kinit -l 3h david@ACME.ORG
Password for david@ACME.ORG:  <enter password>

This example shows david creating a forwardable ticket (with -f) for himself. With this forwardable ticket he can, for example, log in to a second system with a Kerberized command that forwards his ticket, and then telnet from that system to a third without entering his password again. Because forwarding places a copy of his credentials on the intermediate system, he should forward tickets only to hosts he trusts.


% kinit -f david@ACME.ORG
Password for david@ACME.ORG:     <enter password>

For more on how forwarding tickets works, see "Types of Tickets".

How to View Tickets

Not all tickets are alike. One ticket might be, for example, forwardable; another might be postdated; while a third might be both. You can see which tickets you have, and what their attributes are, by using the klist command with the -f option:


% /usr/bin/klist -f

The following symbols, shown in the Flags column of klist -f output, indicate the attributes associated with each ticket:

F    Forwardable

f    Forwarded

P    Proxiable

p    Proxy

D    Postdateable

d    Postdated

R    Renewable

I    Initial

i    Invalid

"Types of Tickets" describes the various attributes a ticket can have.

Example--Viewing Tickets

This example shows that the user jennifer has a ticket that is forwardable (F) and postdated (d), but not yet validated (i). A postdated ticket is issued with the invalid flag set and cannot be used until its start time arrives and it has been validated by the KDC (with kinit -v); until then, services reject it.


% /usr/bin/klist -f
Ticket cache: /tmp/krb5cc_74287
Default principal: jennifer@ENG.ACME.COM
 
Valid starting                 Expires                 Service principal
09 Mar 99 15:09:51  09 Mar 99 21:09:51  nfs/ACME.SUN.COM@ACME.SUN.COM
        renew until 10 Mar 99 15:12:51, Flags: Fdi

The example below shows that the user david has two tickets that were forwarded (f) to his host from another host. The tickets are also (re)forwardable (F):


% klist -f
Ticket cache: /tmp/krb5cc_74287
Default principal: david@ACME.SUN.COM
 
Valid starting                 Expires                 Service principal
07 Mar 99 06:09:51  09 Mar 99 23:33:51  host/ACME.COM@ACME.COM
        renew until 10 Mar 99 17:09:51, Flags: fF
 
Valid starting                 Expires                 Service principal
08 Mar 99 08:09:51  09 Mar 99 12:54:51  nfs/ACME.COM@ACME.COM
        renew until 10 Mar 99 15:22:51, Flags: fF
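To act on the Flags column from a script rather than reading it by eye, the following POSIX shell example, added here and not part of the SEAM documentation, reads klist -f output, decodes the flag letters listed above, and marks any ticket that still carries the invalid flag. The sample output it runs on is constructed in the same format as the examples above; with a real cache you would pipe in klist -f instead.

```shell
#!/bin/sh
# Added example: decode the Flags column of `klist -f` output.
# Not part of the SEAM documentation; the sample output below is constructed.

# Expand a flag string such as "Fdi" into a comma-separated list of words.
# Letters this script does not know are reported as unknown(x) rather than
# silently dropped, so output from a newer klist loses nothing.
decode_flags() {
    _s=$1
    _out=""
    while [ -n "$_s" ]; do
        _rest=${_s#?}              # everything after the first character
        _c=${_s%"$_rest"}          # the first character itself
        _s=$_rest
        case $_c in
            F) _w=forwardable ;;
            f) _w=forwarded ;;
            P) _w=proxiable ;;
            p) _w=proxy ;;
            D) _w=postdateable ;;
            d) _w=postdated ;;
            R) _w=renewable ;;
            I) _w=initial ;;
            i) _w=invalid ;;
            *) _w="unknown($_c)" ;;
        esac
        _out="${_out:+$_out,}$_w"
    done
    printf '%s\n' "$_out"
}

# Read klist -f output on stdin and print one line per ticket:
#   <service principal> <flag letters> <decoded flags> [NEEDS-VALIDATION]
# The service principal is the last field of the ticket line; the flags
# follow "Flags:" on the line after it.
summarize_klist() {
    _svc=""
    while IFS= read -r _line; do
        case $_line in
            *"Flags: "*)
                _flags=${_line##*Flags: }
                _note=""
                case $_flags in *i*) _note=" NEEDS-VALIDATION" ;; esac
                printf '%s %s %s%s\n' "$_svc" "$_flags" \
                    "$(decode_flags "$_flags")" "$_note"
                ;;
            "Ticket cache:"*|"Default principal:"*|"Valid starting"*|"")
                ;;                     # headers and blank lines
            *)
                _svc=${_line##* }      # ticket line: service principal is last
                ;;
        esac
    done
}

# Constructed sample in the format shown in the examples above.
SAMPLE_KLIST='Ticket cache: /tmp/krb5cc_74287
Default principal: jennifer@ENG.ACME.COM

Valid starting                 Expires                 Service principal
09 Mar 99 15:09:51  09 Mar 99 21:09:51  krbtgt/ENG.ACME.COM@ENG.ACME.COM
        renew until 10 Mar 99 15:12:51, Flags: FRI
09 Mar 99 15:09:51  09 Mar 99 21:09:51  nfs/ACME.SUN.COM@ACME.SUN.COM
        renew until 10 Mar 99 15:12:51, Flags: Fdi'

printf '%s\n' "$SAMPLE_KLIST" | summarize_klist
```

Run against a live cache with klist -f | summarize_klist. The NEEDS-VALIDATION marker is the point of the exercise: a postdated ticket that still shows i will be rejected by services until it is validated, which a glance at the expiry column does not reveal.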

How to Destroy Tickets

Tickets that Kerberized commands obtain for a session are generally destroyed when those commands exit, but tickets you obtain with kinit remain in your credential cache until they expire. You should explicitly destroy your Kerberos tickets when you are through with them, just to be sure. Tickets can be stolen: the credential cache stores each ticket together with the session key needed to use it, so anyone who copies the cache file can use those tickets until they expire, with no need to break any encryption.

To destroy your tickets, use the kdestroy command.


% /usr/bin/kdestroy

kdestroy destroys all your tickets. You cannot use it to selectively destroy a particular ticket.

If you are going to be away from your system and are concerned about an intruder using your permissions, you should either use kdestroy or a screensaver that locks the screen.


Note -

One way to help ensure that tickets are always destroyed is to add the kdestroy command to the .logout file in your home directory.

In cases where the PAM module has been configured, tickets are destroyed automatically upon logout, so adding a call to kdestroy to your .logout file is not necessary. However, if the PAM module has not been configured, or if you don't know whether it has or not, you might want to add kdestroy to your .logout file to be sure that tickets are destroyed when you exit your system.
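For a script rather than an interactive login, the equivalent of a kdestroy in .logout is to obtain the ticket into a private credential cache and destroy that cache when the command finishes, however it finishes. The following POSIX shell wrapper is an added example, not part of the SEAM documentation or of any Kerberos distribution. It assumes that kinit and kdestroy honor the KRB5CCNAME environment variable (standard Kerberos 5 behavior). The KINIT and KDESTROY variables are hypothetical override hooks that only exist so the wrapper can be exercised without a KDC.

```shell
#!/bin/sh
# Added example (not from the SEAM documentation): run one command with a
# ticket held in a private credential cache, and destroy that cache when the
# command exits normally, fails, or is interrupted.
#
# Assumptions: kinit/kdestroy honor KRB5CCNAME (standard Kerberos 5
# behavior). KINIT and KDESTROY are hypothetical override hooks so the
# wrapper can be tested without a KDC; leave them unset in normal use.

KINIT=${KINIT:-/usr/bin/kinit}
KDESTROY=${KDESTROY:-/usr/bin/kdestroy}

# Usage: with_ticket [-l lifetime] [-f] principal command [args...]
# Returns the command's exit status, 1 if kinit failed (no cache is then
# left behind), or 2 on a usage error.
with_ticket() {
    _opts=""
    while [ $# -gt 0 ]; do
        case $1 in
            -l) if [ $# -lt 2 ]; then break; fi
                _opts="$_opts -l $2"; shift 2 ;;   # lifetime, e.g. 3h
            -f) _opts="$_opts -f"; shift ;;        # forwardable ticket
            *)  break ;;
        esac
    done
    if [ $# -lt 2 ]; then
        echo "usage: with_ticket [-l lifetime] [-f] principal command [args...]" >&2
        return 2
    fi
    _princ=$1
    shift
    # Everything runs in a subshell so the EXIT trap fires as soon as the
    # command is done, and the caller's own ticket cache is never touched.
    (
        KRB5CCNAME="FILE:${TMPDIR:-/tmp}/krb5cc_wrap_$$"
        export KRB5CCNAME
        _got=0
        # On any exit: destroy the private cache if kinit created it, then
        # preserve the exit status of whatever ran last.
        trap '_rc=$?; if [ "$_got" = 1 ]; then "$KDESTROY"; fi; exit $_rc' EXIT
        trap 'exit 130' INT TERM
        "$KINIT" $_opts "$_princ" || exit 1   # kinit prompts for the password
        _got=1
        "$@"
    )
}
```

A typical call is with_ticket -l 1h david@ACME.ORG some_kerberized_command. Because the ticket lives in its own cache, kdestroy at the end removes only that cache and leaves the tickets from your interactive login in place; the trap runs kdestroy even when the command fails or is interrupted with Ctrl-C.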