Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014
 
 

Viewing Kerberos Tickets

Not all tickets are alike. For example, one ticket might be forwardable, another ticket might be postdated, and a third ticket might be both forwardable and postdated. You can see which tickets you have, and what their attributes are, by using the klist command with the -f option:

% /usr/bin/klist -f

The following symbols indicate the attributes that are associated with each ticket, as displayed by klist:

A    Preauthenticated
D    Postdatable
d    Postdated
F    Forwardable
f    Forwarded
I    Initial
i    Invalid
P    Proxiable
p    Proxy
R    Renewable

Types of Tickets describes the various attributes that a ticket can have.

Example 6-2  Viewing Kerberos Tickets

This example shows that the user kdoe has an initial ticket, which is forwardable (F) and postdated (d), but not yet validated (i).

% /usr/bin/klist -f
Ticket cache: /tmp/krb5cc_74287
Default principal: kdoe@EXAMPLE.COM

Valid starting                 Expires                 Service principal
09 Feb 14 15:09:51  09 Feb 14 21:09:51  nfs/EXAMPLE.COM@EXAMPLE.COM
renew until 10 Feb 14 15:12:51, Flags: Fdi

The following example shows that the user kdoe has two tickets that were forwarded (f) to the user's host from another host. The tickets are also forwardable (F).

% klist -f
Ticket cache: /tmp/krb5cc_74287
Default principal: kdoe@EXAMPLE.COM

Valid starting                 Expires                 Service principal
07 Feb 14 06:09:51  09 Feb 14 23:33:51  host/EXAMPLE.COM@EXAMPLE.COM
renew until 10 Feb 14 17:09:51, Flags: fF

Valid starting                 Expires                 Service principal
08 Feb 14 08:09:51  09 Feb 14 12:54:51  nfs/EXAMPLE.COM@EXAMPLE.COM
renew until 10 Feb 14 15:22:51, Flags: fF

The following example shows how to display the encryption types of the session key and the ticket by using the -e option. The -a option is used to map the host address to a host name if the name service can do the conversion.

% klist -fea
Ticket cache: /tmp/krb5cc_74287
Default principal: kdoe@EXAMPLE.COM

Valid starting                 Expires                 Service principal
07 Feb 14 06:09:51  09 Feb 14 23:33:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 10 Feb 14 17:09:51, Flags: FRIA
Etype(skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC
Addresses: client.example.com
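
When reviewing a ticket cache, the flag letters can be decoded mechanically instead of by eye. The following shell function is an added example, not part of the Oracle documentation: the names decode_klist_flags and sample_klist_output are hypothetical, and the sample input is constructed from the klist -f output shown in the examples above.

```shell
# Added example. Usage: klist -f | decode_klist_flags [FLAG]
# With FLAG (one case-sensitive letter), only tickets carrying that flag are listed.
decode_klist_flags() {
    awk -v want="$1" '
    BEGIN {
        name["A"] = "preauthenticated"; name["D"] = "postdatable"
        name["d"] = "postdated";        name["F"] = "forwardable"
        name["f"] = "forwarded";        name["I"] = "initial"
        name["i"] = "invalid";          name["P"] = "proxiable"
        name["p"] = "proxy";            name["R"] = "renewable"
    }
    # Skip the cache header lines and the column header.
    /^Ticket cache:/ || /^Default principal:/ || /^Valid starting/ { next }
    # Ticket line: two timestamps, then the service principal as the last field.
    /@/ && !/Flags:/ { principal = $NF; next }
    /Flags:/ {
        flags = $0
        sub(/^.*Flags: */, "", flags)      # keep only the flag letters
        sub(/[ \t\r]+$/, "", flags)        # drop trailing whitespace
        if (want != "" && index(flags, want) == 0) next
        out = ""
        for (i = 1; i <= length(flags); i++) {
            c = substr(flags, i, 1)
            label = (c in name) ? name[c] : "unknown(" c ")"
            out = out (out == "" ? "" : ",") label
        }
        print principal ": " (out == "" ? "(no flags)" : out)
    }'
}

# Constructed sample input, assembled from the examples above so this runs offline.
sample_klist_output() {
    cat <<'EOF'
Ticket cache: /tmp/krb5cc_74287
Default principal: kdoe@EXAMPLE.COM

Valid starting                 Expires                 Service principal
09 Feb 14 15:09:51  09 Feb 14 21:09:51  nfs/EXAMPLE.COM@EXAMPLE.COM
renew until 10 Feb 14 15:12:51, Flags: Fdi
07 Feb 14 06:09:51  09 Feb 14 23:33:51  host/EXAMPLE.COM@EXAMPLE.COM
renew until 10 Feb 14 17:09:51, Flags: fF
EOF
}

# Decode every ticket in the sample.
sample_klist_output | decode_klist_flags
```

Passing a flag letter, as in decode_klist_flags f, lists only the tickets that were forwarded from another host; the match is case-sensitive, so F and f are never confused.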