kftgt(1)
NAME
kftgt - forward Kerberos v4 ticket-granting tickets to a remote host
SYNOPSIS
kftgt [-vq] [-l username] [-f ticket-file] [-t seconds] [username@]host [username@host ...]
DESCRIPTION
kftgt is a program that allows a user to forward Kerberos v4 tickets to a remote host. This can be done without the user's password ever leaving the client machine.

In order to establish tickets remotely without the use of something like kftgt, one would have to log in to the remote host and run kinit(1), or use rkinit(1). kftgt followed by rlogin can be thought of as a safer substitute for rlogin followed by kinit, and partly duplicates the Kerberos v5 ticket forwarding support.

kftgt uses the same access checking mechanism as rlogin. That means that kftgt can be used to create tickets for user A on remote host B if and only if A's tickets would entitle A to log in as that user on B. In practice, one can forward tickets to one's own account, or to another user's account if one's principal is listed in that user's .klogin file.

The username on the remote host to which to forward tickets can be specified either with the -l command-line option or by prepending the username and an @-sign to the hostname. The latter syntax is more convenient for forwarding one's credentials to multiple remote machines, possibly with a different local username on each machine.

kftgt only works with the AFS Kerberos server (kaserver), because that server does not check the client IP address recorded in a Kerberos v4 ticket-granting ticket. A v4 KDC that enforces that address binding will reject a TGT presented from a host other than the one it was issued to, which is exactly what forwarding does.
OPTIONS
-f ticket-file
This option is used to specify the name of the ticket file that should be used on the remote host. If a ticket file is not specified, the tickets will be placed in the default location of /tmp/tktuid, where uid is the UID of the user who owns the remote ticket file.

Obviously, kftgt is most easily used in combination with a login.krb program on the remote host that uses the same default ticket location as that used by kftgtd. Otherwise, you will have to set the environment variable KRBTKFILE to the appropriate filename once you get to the remote host in order to use the tickets.

-l username
The user on the remote host to which to forward tickets. If not specified, the default is the primary portion of the Kerberos principal being forwarded.

Note that this can also be specified on a per-host basis by prepending the username and an @-sign to the hostname.

-q
Don't print the "forwarded" message.

-t seconds
Number of seconds to wait for the remote host to accept the tickets. The default value is 60 seconds. If the transaction has not completed in this time period, it will be aborted.

-v
Print version and exit.
EXIT STATUS
On success, kftgt exits with 0 status, like most Unix programs. On failure, it exits with a status indicating the problem with the last host to which it attempted to forward tickets:

1. Host not found in DNS.
2. Timeout while attempting to connect to the remote host.
3. Connection to the remote host failed for some reason.
4. A Kerberos failure, generally either the lack of a local ticket cache or the lack of a service principal for the remote host.
5. Some error occurred during the actual protocol exchange.
6. An internal system error occurred on the client host, unrelated to the remote host.
EXAMPLES
In the following examples, slapshot and dilbert are machines in the IR.STANFORD.EDU Kerberos realm and rjs is a user who can log in to dilbert and has "schemers@IR.STANFORD.EDU" in his .klogin file.

% kftgt dilbert
kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to dilbert

% kftgt -l rjs dilbert
kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to rjs on dilbert

% kftgt rjs@dilbert schemers@slapshot
kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to rjs on dilbert
kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to schemers on slapshot
CAVEATS
This program was written for Stanford University's local Kerberos setup and is probably not that useful outside of that environment, although it is potentially useful for anyone using the Transarc kaserver as a Kerberos v4 KDC. The operation of forwarding a Kerberos v4 ticket-granting ticket, while not inherently insecure, is at best somewhat questionable within the Kerberos v4 security model, which binds a ticket to the address of the host it was issued to. A forwarded TGT is a bearer credential: once it sits in a ticket file on the remote host, anyone who can read that file, including root there, can use it for its remaining lifetime, so tickets should only be forwarded to hosts trusted as much as the client.

kftgt does not work with Kerberos v5 tickets and likely never will, as Kerberos v5 added a different ticket forwarding mechanism that functions as part of the connection protocol rather than using a separate connection (which is inherently more secure). kftgt is slightly more convenient, however, as it allows one to refresh tickets on a remote host without running kinit there or logging in again.

Caution should be taken when forwarding tickets to hostnames that do not correspond to a single remote host. Because kftgt and rlogin are two separate programs that each perform their own DNS lookups, it is possible to forward one's credentials to a different system than the one one logs in to (for example, when a name resolves to several addresses in round-robin fashion). Using the klogin(1) wrapper around kftgt and rlogin partly resolves this problem.
AUTHOR
Roland J. Schemers <schemers@stanford.edu>.
kftgt and kftgtd continue to be maintained by the Kerberos team at Stanford University, although no major changes in the functionality of these programs are planned. Questions and bug reports may be sent to Russ Allbery <rra@stanford.edu>, but please be aware that we only support Stanford affiliates and may not be able to help with problems at other sites.
LICENSE
Copyright 1994, 1997, 2001, 2003 Board of Trustees, Leland Stanford Jr. University
All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
SEE ALSO
kftgtd(8), kerberos(1), kinit(1)

1.12 2005-05-21