[5440] in Kerberos


Re: forwardable tickets

daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Thu Jun 29 18:31:40 1995

To: kerberos@MIT.EDU
Date: 29 Jun 1995 22:22:40 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)

In article <3submh$222@linus.mitre.org>, jkm@faron.mitre.org (Jonathan K. Millen) writes:
|> First, when and how is a forwardable TGT issued?  The AS
|> normally gives a non-forwardable TGT to the client for
|> the TGS.  Is this the one that is marked forwardable
|> if the client requests it?

Yes, exactly.  For example, the kinit client in the MIT Kerberos distribution
has a "-f" command-line option.  If the user specifies that command-line
option when running kinit to get a TGT, then kinit will ask the AS to issue a
forwardable ticket.

|> Then, how is the forwardable TGT sent to the service
|> that will use it?  Ordinarily a service gets a service
|> ticket that the client has requested from the TGT.
|> Is the forwardable TGT sent to the service as part of
|> the same message that sends it the service ticket?

It's up to the application to ask the TGS for a ticket for the remote host,
and then to send that ticket to the remote host.  Unfortunately, at least as
of MIT's beta 4 patchlevel 3 release, there's no easy way inside the Kerberos
API to do this work.  However, you can see how MIT's rlogin and
rsh applications do it, and use the same procedure in your own applications,
by looking in appl/bsd/forward.c, which contains the main body of the
forwarding code; kcmd.c, which calls into forward.c to get the forwarded
ticket to be sent to the remote host; and krlogind.c, which calls into
forward.c to read the forwarded ticket and store it in the local credential
cache.

-- 
Jonathan Kamens  |  OpenVision Technologies, Inc.  |   jik@cam.ov.com
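
An added example, not part of the original post or of the MIT distribution: a shell filter that reads `klist -f` output and reports which tickets carry the forwardable (F) or forwarded (f) flag, which is how you would confirm what `kinit -f` obtained or audit what landed in a remote host's credential cache. The sample listing is constructed, and the flag letters and line layout assume the `klist` shipped with current MIT krb5, not the 1995 beta discussed above.

```shell
#!/bin/sh
# Added example: audit `klist -f` output for forwardable/forwarded tickets.
# Real use (assumes current MIT krb5 klist):  klist -f | forwardable_tickets

# Constructed sample: the cache a remote host might hold after a TGT
# was forwarded to it. Not taken from a real system.
sample_klist_output() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
06/29/95 18:06:00  06/30/95 04:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 07/06/95 18:00:00, Flags: FfRA
06/29/95 18:07:00  06/30/95 04:00:00  host/files.example.com@EXAMPLE.COM
    Flags: A
EOF
}

# Reads klist -f output on stdin; prints "<service principal> <state>" for
# every ticket whose flags include F (forwardable) and/or f (forwarded).
forwardable_tickets() {
    awk '
        # Ticket line: start date, start time, end date, end time, principal.
        /^[0-9]/ && NF >= 5 { principal = $5; next }

        # The flags follow "Flags: ". For renewable tickets klist prints them
        # on the same line as "renew until ...", so search the whole line.
        /Flags: / && principal != "" {
            n = split($0, parts, "Flags: ")
            flags = (n >= 2) ? parts[2] : ""
            state = ""
            # index() is case-sensitive: F and f are different flags.
            if (index(flags, "F")) state = "forwardable"
            if (index(flags, "f")) {
                if (state == "") state = "forwarded"
                else state = state ",forwarded"
            }
            if (state != "") print principal, state
            principal = ""
        }
    '
}

sample_klist_output | forwardable_tickets
```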
