This section explains how to obtain, view, and destroy tickets. For an introduction to tickets, see How SEAM Works.
With SEAM 1.0 or 1.0.1 installed, Kerberos is built into the login command, and you will obtain tickets automatically when you log in.
Most of the Kerberized commands also automatically destroy your tickets when they exit. However, you might want to explicitly destroy your Kerberos tickets with kdestroy when you are finished with them, just to be sure. See How to Destroy Tickets for more information on kdestroy.
For information on ticket lifetimes, see Ticket Lifetimes.
Normally, a ticket is created automatically when you log in, and you need not do anything special to obtain a ticket. However, you might need to create a ticket if your ticket expires.
To create a ticket, use the kinit command.
% /usr/bin/kinit
kinit prompts you for your password. For the full syntax of the kinit command, see the kinit(1) man page.
This example shows a user, jennifer, creating a ticket on her own system:
% kinit
Password for jennifer@ENG.EXAMPLE.COM: <type password>
Here, the user david creates a ticket that is valid for three hours with the -l option:
% kinit -l 3h david@EXAMPLE.ORG
Password for david@EXAMPLE.ORG: <type password>
This example shows the user david creating a forwardable ticket (with the -f option) for himself. With this forwardable ticket, he can, for example, log in to a second system.
% kinit -f david@EXAMPLE.ORG
Password for david@EXAMPLE.ORG: <type password>
For more on how forwarding tickets works, see Types of Tickets.
Not all tickets are alike. One ticket might be, for example, forwardable; another ticket might be postdated; while a third ticket might be both forwardable and postdated. You can see which tickets you have, and what their attributes are, by using the klist command with the -f option:
% /usr/bin/klist -f
The following symbols indicate the attributes that are associated with each ticket, as displayed by klist:
F    Forwardable
f    Forwarded
P    Proxiable
p    Proxy
D    Postdateable
d    Postdated
R    Renewable
I    Initial
i    Invalid
Types of Tickets describes the various attributes that a ticket can have.
This example shows that the user jennifer has an initial ticket, which is forwardable (F) and postdated (d), but not yet validated (i):
% /usr/bin/klist -f
Ticket cache: /tmp/krb5cc_74287
Default principal: jenniferm@ENG.EXAMPLE.COM
Valid starting            Expires             Service principal
09 Mar 99 15:09:51  09 Mar 99 21:09:51  nfs/EXAMPLE.SUN.COM@EXAMPLE.SUN.COM
        renew until 10 Mar 99 15:12:51, Flags: Fdi
The following example shows that the user david has two tickets that were forwarded (f) to his host from another host. The tickets are also forwardable (F):
% klist -f
Ticket cache: /tmp/krb5cc_74287
Default principal: david@EXAMPLE.SUN.COM
Valid starting            Expires             Service principal
07 Mar 99 06:09:51  09 Mar 99 23:33:51  host/EXAMPLE.COM@EXAMPLE.COM
        renew until 10 Mar 99 17:09:51, Flags: fF
08 Mar 99 08:09:51  09 Mar 99 12:54:51  nfs/EXAMPLE.COM@EXAMPLE.COM
        renew until 10 Mar 99 15:22:51, Flags: fF
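The following script is an added example, not part of the SEAM documentation. It turns the attribute letters in the Flags column of klist -f output into the names from the table above and lists each ticket with its service principal and expiry, which is a quick way to check whether any forwardable or forwarded tickets are sitting in your cache before you walk away from a system. The klist output it parses is a constructed sample modelled on the david example, so it runs without a KDC; with a live cache you would feed it klist -f instead.

```shell
#!/bin/sh
# Added example: decode "klist -f" Flags letters and list tickets.
# Not part of the SEAM documentation. SAMPLE_KLIST below is constructed
# after the examples in the text so the script runs without a KDC.

# Map one klist flag letter to its name (the attribute table in the text).
flag_name() {
    case "$1" in
        F) echo Forwardable ;;
        f) echo Forwarded ;;
        P) echo Proxiable ;;
        p) echo Proxy ;;
        D) echo Postdateable ;;
        d) echo Postdated ;;
        R) echo Renewable ;;
        I) echo Initial ;;
        i) echo Invalid ;;
        *) echo "Unknown($1)" ;;
    esac
}

# Expand a flags string such as "Fdi" into "Forwardable,Postdated,Invalid".
decode_flags() {
    out=""
    # sed inserts a space after every character so the for loop sees one at a time
    for c in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        name=$(flag_name "$c")
        out="${out:+$out,}$name"
    done
    printf '%s\n' "$out"
}

# Read "klist -f" output on stdin and emit one line per ticket as
#   <service principal>|<expires>|<flags>
# A ticket line starts with a two-digit day; the "renew until ..., Flags: X"
# line that follows it carries the flags for that ticket.
ticket_rows() {
    awk '
        $1 ~ /^[0-9][0-9]$/ && NF >= 9 {
            svc = $9
            expires = $5 " " $6 " " $7 " " $8
            next
        }
        /Flags:/ { print svc "|" expires "|" $NF }
    '
}

# Count tickets (klist output on stdin) whose flags contain the given letter,
# e.g. "count_with_flag F" for forwardable tickets.
count_with_flag() {
    ticket_rows | awk -F'|' -v f="$1" 'index($3, f) { n++ } END { print n + 0 }'
}

# Constructed sample, modelled on the david example in the text.
SAMPLE_KLIST='Ticket cache: /tmp/krb5cc_74287
Default principal: david@EXAMPLE.SUN.COM
Valid starting            Expires             Service principal
07 Mar 99 06:09:51  09 Mar 99 23:33:51  host/EXAMPLE.COM@EXAMPLE.COM
        renew until 10 Mar 99 17:09:51, Flags: fF
08 Mar 99 08:09:51  09 Mar 99 12:54:51  nfs/EXAMPLE.COM@EXAMPLE.COM
        renew until 10 Mar 99 15:22:51, Flags: fF'

# Demonstration: one line per ticket with its attributes spelled out.
printf '%s\n' "$SAMPLE_KLIST" | ticket_rows | while IFS='|' read -r svc expires flags; do
    printf '%-30s expires %s  [%s]\n' "$svc" "$expires" "$(decode_flags "$flags")"
done
printf 'forwardable tickets in cache: %s\n' "$(printf '%s\n' "$SAMPLE_KLIST" | count_with_flag F)"
```

Against a real cache, replace the sample with `klist -f | ticket_rows`; the parser only relies on the ticket line beginning with a two-digit day and the Flags value being the last word of the line that follows, which matches the output shown in this section.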
Usually, tickets are destroyed automatically when the commands that created them exit. However, you might want to explicitly destroy your Kerberos tickets when you are finished with them, just to be sure. Tickets can be stolen, and whoever steals them can use them until they expire (although stolen tickets must be decrypted).
To destroy your tickets, use the kdestroy command.
% /usr/bin/kdestroy
kdestroy destroys all your tickets. You cannot use this command to selectively destroy a particular ticket.
If you are going to be away from your system and are concerned about an intruder using your permissions, you should use either kdestroy or a screen saver that locks the screen.
One way to help ensure that your tickets are always destroyed is to add the kdestroy command to the .logout file in your home directory.
In instances where the PAM module has been configured (which is the default and usual case), tickets are destroyed automatically upon logout, so adding a call to kdestroy to your .logout file is not necessary. However, if the PAM module has not been configured, or if you don't know whether it has been, you might want to add kdestroy to your .logout file to ensure that your tickets are destroyed when you exit your system.