Sun Enterprise Authentication Mechanism 1.0.2 Guide

Forwarding Tickets with -f and -F

As described in "Overview of Kerberized Commands", some commands allow you to forward tickets with either the -f or -F option. Forwarding tickets allows you to "chain" your network transactions; you can, for example, rlogin to one machine and then rlogin from it to another. The -f option allows you to forward a ticket, while the -F option allows you to reforward a forwarded ticket.

In Figure 4-1, the user david obtains a non-forwardable ticket-granting ticket (TGT) with kinit. (It is non-forwardable because he did not specify the -f option.) In scenario 1, he is able to rlogin to machine B, but he can go no further. In scenario 2, the rlogin -f command fails because he is attempting to forward a ticket which is non-forwardable.

Figure 4-1 Using Non-Forwardable Tickets


In actuality, SEAM configuration files are set up so that kinit obtains forwardable tickets by default. However, your configuration may differ. For the sake of explanation we have assumed that kinit does not obtain forwardable TGTs unless it is invoked with kinit -f. Notice, by the way, that kinit does not have a -F option; TGTs are either forwardable or not.

In Figure 4-2, david obtains forwardable TGTs with kinit -f. In scenario 3, he is able to reach machine C because he uses a forwardable ticket with rlogin. In scenario 4, the second rlogin fails because the ticket is not reforwardable. By using the -F option instead, as in scenario 5, the second rlogin succeeds and the ticket can be reforwarded on to machine D.

Figure 4-2 Using Forwardable Tickets

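To see which of the scenarios above a login session is in before attempting another rlogin, a user can read the flag letters that klist -f prints for the TGT. The following POSIX shell script is an added example, not part of the SEAM guide: it parses constructed klist -f output (the cache path, principal and timestamps are made up), and assumes the MIT/SEAM klist flag letters (F = forwardable, f = forwarded) and that rlogin -f leaves a forwarded-only ticket on the remote host while rlogin -F leaves one that is both forwarded and forwardable.

```shell
#!/bin/sh
# Added example (not from the SEAM guide). Reports what rlogin can do with
# the current TGT, based on the Flags line of `klist -f`. Assumed MIT/SEAM
# flag letters: F = forwardable, f = forwarded, R = renewable, I = initial,
# A = preauthenticated.

# Constructed sample of `klist -f` output after `kinit -f` (not real output)
SAMPLE_KLIST='Ticket cache: /tmp/krb5cc_1001
Default principal: david@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/20 10:00:00  01/01/20 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FRIA'

# tgt_flags KLIST_OUTPUT -> prints the Flags value of the krbtgt entry
tgt_flags() {
    printf '%s\n' "$1" | awk '
        index($0, "krbtgt/") { want = 1; next }
        want && /Flags:/     { sub(/.*Flags: */, ""); print; exit }
    '
}

# has_flag FLAGS LETTER -> succeeds if LETTER appears in FLAGS
has_flag() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# describe_tgt FLAGS -> one line saying what rlogin can do with this TGT
describe_tgt() {
    if has_flag "$1" F; then
        if has_flag "$1" f; then
            echo "forwarded and forwardable: rlogin -F can chain again (scenario 5)"
        else
            echo "forwardable: rlogin -f or rlogin -F will work (scenarios 3 and 5)"
        fi
    elif has_flag "$1" f; then
        echo "forwarded but not forwardable: the next rlogin -f fails (scenario 4)"
    else
        echo "non-forwardable: rlogin -f fails (scenario 2)"
    fi
}

# Stand-alone use: the parsed sample, then the ticket each scenario leaves behind
describe_tgt "$(tgt_flags "$SAMPLE_KLIST")"   # after kinit -f on machine A
describe_tgt "RIA"                             # after plain kinit (guide's assumption)
describe_tgt "fRA"                             # on machine B after rlogin -f
describe_tgt "FfRA"                            # on machine B after rlogin -F
```

On a real host, replace the constructed sample with `tgt_flags "$(klist -f)"`.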