JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Verifying File Integrity by Using BART (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Using Pluggable Authentication Modules

15.  Using Secure Shell

16.  Secure Shell (Reference)

17.  Using Simple Authentication and Security Layer

18.  Network Services Authentication (Tasks)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

Kerberos Ticket Management

Do You Need to Worry About Tickets?

Creating a Kerberos Ticket

Viewing Kerberos Tickets

Destroying Kerberos Tickets

Kerberos Password Management

Advice on Choosing a Password

Changing Your Password

Granting Access to Your Account

Kerberos User Commands

Overview of Kerberized Commands

Forwarding Kerberos Tickets

Using Kerberized Commands (Examples)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

Kerberos Ticket Management

This section explains how to obtain, view, and destroy tickets. For an introduction to tickets, see How the Kerberos Service Works.

Do You Need to Worry About Tickets?

With any of the Oracle Solaris releases installed, Kerberos is built into the login command. However, to obtain tickets automatically, you must configure the PAM service for the applicable login services. For more information, see the pam_krb5(5) man page. The Kerberized commands rsh, rcp, telnet, and rlogin are usually set up to forward copies of your tickets to the other machines, so you don't have to explicitly ask for tickets to get access to those machines. Your configuration might not include this automatic forwarding, since by default system is not configured to have credentials forwarded. See Overview of Kerberized Commands and Forwarding Kerberos Tickets for more information on forwarding tickets.

For information on ticket lifetimes, see Ticket Lifetimes.

Creating a Kerberos Ticket

Normally, if PAM is configured properly, a ticket is created automatically when you log in, and you need not do anything special to obtain a ticket. However, you might need to create a ticket if your ticket expires. Also, you might need to use a different principal besides your default principal, for example, if you use rlogin -l to log in to a machine as someone else.

To create a ticket, use the kinit command.

% /usr/bin/kinit
 

The kinit command prompts you for your password. For the full syntax of the kinit command, see the kinit(1) man page.

Example 24-1 Creating a Kerberos Ticket

This example shows a user, jennifer, creating a ticket on her own system.

% kinit
Password for jennifer@ENG.EXAMPLE.COM:  <Type password>
 

Here, the user david creates a ticket that is valid for three hours with the -l option.

% kinit -l 3h david@EXAMPLE.ORG
Password for david@EXAMPLE.ORG:  <Type password>
 

This example shows the user david creating a forwardable ticket (with the -f option) for himself. With this forwardable ticket, he can, for example, log in to a second system, and then telnet to a third system.

% kinit -f david@EXAMPLE.ORG
Password for david@EXAMPLE.ORG:     <Type password>
 

For more information on how forwarding tickets works, see Forwarding Kerberos Tickets and Types of Tickets.

Viewing Kerberos Tickets

Not all tickets are alike. One ticket might, for example, be forwardable. Another ticket might be postdated. While a third ticket might be both forwardable and postdated. You can see which tickets you have, and what their attributes are, by using the klist command with the -f option:

% /usr/bin/klist -f

The following symbols indicate the attributes that are associated with each ticket, as displayed by klist:

A

Preauthenticated

D

Postdatable

d

Postdated

F

Forwardable

f

Forwarded

I

Initial

i

Invalid

P

Proxiable

p

Proxy

R

Renewable

Types of Tickets describes the various attributes that a ticket can have.

Example 24-2 Viewing Kerberos Tickets

This example shows that the user jennifer has an initial ticket, which is forwardable (F) and postdated (d), but not yet validated (i).

% /usr/bin/klist -f
Ticket cache: /tmp/krb5cc_74287
Default principal: jennifer@EXAMPLE.COM
 
Valid starting                 Expires                 Service principal
09 Mar 04 15:09:51  09 Mar 04 21:09:51  nfs/EXAMPLE.COM@EXAMPLE.COM
        renew until 10 Mar 04 15:12:51, Flags: Fdi
 

The following example shows that the user david has two tickets that were forwarded (f) to his host from another host. The tickets are also forwardable (F).

% klist -f
Ticket cache: /tmp/krb5cc_74287
Default principal: david@EXAMPLE.COM
 
Valid starting                 Expires                 Service principal
07 Mar 04 06:09:51  09 Mar 04 23:33:51  host/EXAMPLE.COM@EXAMPLE.COM
        renew until 10 Mar 04 17:09:51, Flags: fF
 
Valid starting                 Expires                 Service principal
08 Mar 04 08:09:51  09 Mar 04 12:54:51  nfs/EXAMPLE.COM@EXAMPLE.COM
        renew until 10 Mar 04 15:22:51, Flags: fF

The following example shows how to display the encryption types of the session key and the ticket by using the -e option. The -a option is used to map the host address to a host name if the name service can do the conversion.

% klist -fea
Ticket cache: /tmp/krb5cc_74287
Default principal: david@EXAMPLE.COM
 
Valid starting                 Expires                 Service principal
07 Mar 04 06:09:51  09 Mar 04 23:33:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10 Mar 04 17:09:51, Flags: FRIA
        Etype(skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with CRC-32
        Addresses: client.example.com

Destroying Kerberos Tickets

If you want to destroy all Kerberos tickets acquired during your current session, use the kdestroy command. The command destroys you credential cache, which destroys all your credentials and tickets. While this is not usually necessary, running kdestroy reduces the chance of the credential cache being compromised during times that you are not logged in.

To destroy your tickets, use the kdestroy command.

% /usr/bin/kdestroy

The kdestroy command destroys all your tickets. You cannot use this command to selectively destroy a particular ticket.

If you are going to be away from your system and are concerned about an intruder using your permissions, you should use either kdestroy or a screen saver that locks the screen.