Tickets have properties that govern how they can be used. These properties are assigned to the ticket when it is created, although you can modify a ticket's properties later. For example, a ticket can change from being forwardable to being forwarded. You can view ticket properties with the klist command. See Viewing Kerberos Tickets.
Tickets can be described by one or more of the following terms:
A forwardable ticket can be sent from one host to another host, obviating the need for a client to reauthenticate itself. For example, if the user david obtains a forwardable ticket while on user jennifer's machine, david can log in to his own machine without having to get a new ticket (and thus authenticate himself again). See Example 6–1 for an example of a forwardable ticket.
An initial ticket is a ticket that is issued directly, not based on a ticket-granting ticket. Some services, such as applications that change passwords, can require tickets to be marked “initial” in order to assure themselves that the client can demonstrate a knowledge of its secret key. An initial ticket indicates that the client has recently authenticated itself instead of relying on a ticket-granting ticket, which might be older.
An invalid ticket is a postdated ticket that has not yet become usable. An invalid ticket will be rejected by an application server until it becomes validated. To be validated, a ticket must be presented to the KDC by the client in a ticket-granting service request, with the –VALIDATE flag set, after its start time has passed.
A postdated ticket is a ticket that does not become valid until some specified time after its creation. Such a ticket is useful, for example, for batch jobs that are intended to be run late at night, because the ticket, if stolen, cannot be used until the batch job is to be run. When a postdated ticket is issued, it is issued as invalid and remains that way until its start time has passed, and the client requests validation by the KDC. A postdated ticket is normally valid until the expiration time of the ticket-granting ticket. However, if the ticket is marked renewable, its lifetime is normally set to be equal to the duration of the full life of the ticket-granting ticket.
At times, principal might need to allow a service to perform an operation on its behalf. The principal name of the proxy must be specified when the ticket is created. Oracle Solaris does not support proxiable or proxy tickets.
A proxiable ticket is similar to a forwardable ticket except that it is valid only for a single service. A forwardable ticket grants the service the complete use of the client's identity. A forwardable ticket can therefore be thought of as a sort of super-proxy.
Because tickets with very long lives are a security risk, tickets can be designated as renewable. A renewable ticket has two expiration times: the time at which the current instance of the ticket expires, and the maximum lifetime for any ticket, which is one week. If a client wants to continue to use a ticket, the client renews it before the first expiration occurs. For example, suppose a ticket can be valid for one hour, with all tickets having a maximum lifetime of 10 hours. If the client that is holding the ticket wants to keep it for more than an hour, the client must renew it within that hour. When a ticket reaches the maximum ticket lifetime (10 hours), it automatically expires and cannot be renewed.
For information about how to view the attributes of tickets, see Viewing Kerberos Tickets.
When a principal obtains a ticket, including a ticket-granting ticket (TGT), the ticket's lifetime is set as the smallest of the following lifetime values:
The maximum lifetime value that is specified in the Kerberos database for the service principal that provides the ticket. In the case of kinit, the service principal is krbtgt/realm.
The maximum lifetime value that is specified in the Kerberos database for the user principal that requests the ticket.
The following figure shows how a TGT's lifetime is determined and where the four lifetime values originate. When any principal obtains a ticket, the ticket's lifetime is determined similarly. The two differences are that kinit does not provide a lifetime value, and the service principal that provides the ticket provides a maximum lifetime value instead of the krbtgt/realm principal.
Figure 7-1 How a TGT's Lifetime Is Determined
The renewable ticket lifetime is determined from the minimum of four renewable lifetime values, as follows:
The renewable lifetime value that is specified by the –r option of kinit, if kinit is used to obtain or renew the ticket.
The maximum lifetime renewable value that is specified in the Kerberos database for the service principal that provides the ticket. In the case of kinit, the service principal is krbtgt/realm.
The maximum lifetime renewable value that is specified in the Kerberos database for the user principal that requests the ticket.
Each ticket is identified by a principal name. The principal name can identify a user or a service. The following examples show typical principal names:
A principal for the master KDC server that allows access to the KDC when you are changing passwords.
A principal that is used by the kclient installation utility.
A principal that is used by the ftp service. This principal can be used instead of a host principal.
A principal that is used by the Kerberized applications (klist and kprop, for example) and services (such as ftp and telnet). This principal is called a host or service principal. The principal is used to authenticate NFS mounts. This principal is also used by a client to verify that the TGT that is issued to the client is from the correct KDC.
The master key name principal. One master key name principal is associated with each master KDC.
A principal that includes a key used to keep password histories for other principals. Each master KDC has one of these principals.
A principal for the master KDC server that allows access to the KDC by using kadmind.
A principal that is used to accept password change requests from clients that are not running an Oracle Solaris release.
This principal is used when you generate a ticket-granting ticket.
This principal is an example of a cross-realm ticket-granting ticket.
A principal that is used by the NFS service. This principal can be used instead of a host principal.
A principal that is associated with the root account on a client. This principal is called a root principal and provides root access to NFS mounted file systems..
A principal for a user.
An admin principal that can be used to administer the KDC database.