(Kerberos v4 ticket forwarding)

Originally written by Roland Schemers and Booker Bense
Currently maintained by Russ Allbery <rra@stanford.edu>

Copyright 1994, 1996, 1997, 1999, 2001, 2002, 2003, 2005, 2006, 2007
Board of Trustees, Leland Stanford Jr. University. This software is
distributed under a BSD-style license. Please see the file LICENSE for
terms of use and redistribution.

This package includes a client and daemon to forward and accept
forwarded Kerberos v4 tickets, for remote login support in Kerberos v4
environments. It also contains Perl wrappers around rsh, rlogin, and
telnet to forward tickets before connecting to the remote system. This
package is largely obsoleted by Kerberos v5 and its built-in ticket
forwarding support, but may still be useful for sites running AFS
kaserver and using Kerberos v4 tickets for AFS access.

This package is largely frozen, and no significant additional
development is anticipated. Stanford is migrating to a pure Kerberos v5
environment, after which this software will be dropped. It is currently
supported solely for compatibility with our existing infrastructure
while we make that migration.

Note that forwarding of Kerberos v4 tickets is likely to only work with
the AFS kaserver as the Kerberos v4 KDC and probably will not work with
other Kerberos v4 KDCs.

As a Kerberos program, kftgt requires Kerberos v4 libraries to link
against. It has been tested only with the MIT Kerberos v4 compatibility
libraries from the Kerberos v5 distribution, but likely will also build
against the KTH Kerberos v4 libraries.

The krsh and klogin wrappers require Perl 5.004 or later. krsh also
expects to find aklog, kdestroy, and unlog on the user's path, the first
to obtain AFS tokens from a Kerberos v4 ticket. You may need to change
krsh if your aklog is spelled afslog.

As mentioned above, ticket forwarding will likely only work if your
Kerberos v4 KDC is the AFS kaserver.

The best way to build kftgt/kftgtd is to do something like (assuming
your make program understands VPATH):

    mkdir sun4x_58 # (for example)

You'll probably have to specify some options to configure. By default
things get installed using the prefix /usr/local (in other words, kftgt
is placed in /usr/local/bin, kftgtd in /usr/local/sbin, and so on).

To change the prefix use the --prefix option:

    ../configure --prefix=/opt/kerberos

If your Kerberos libraries and includes aren't in /usr/local/include and
/usr/local/lib (or some other include directory and library directory
searched by default by your compiler), then you need to also specify

    ../configure --prefix=/opt/kerberos --with-kerberos=/usr/pubsw

To specify a particular krb5-config script to use, either set the
KRB5_CONFIG environment variable or pass it to configure like:

    ./configure KRB5_CONFIG=/path/to/krb5-config

You may also need to change the path to Perl on the first line of the
klogin and krsh scripts.

kftgtd is started from inetd so you need to add an entry to inetd.conf:

    kftgtd stream tcp nowait root /usr/local/sbin/kftgtd kftgtd

And an entry in /etc/services like:

    kftgt 2109/tcp kftgtd # K4 TGT forwarding service

If you change the service port you should also change it in kftgt.h and
rebuild kftgt. It uses the value in kftgt.h in case it can't find it in

You can pass the --enable-reduced-depends flag to configure to try to
minimize the shared library dependencies encoded in the binaries. This
omits from the link line all the libraries included solely because the
Kerberos libraries depend on them and instead links the programs only
against libraries whose APIs are called directly. This will only work
with shared Kerberos libraries and will only work on platforms where
shared libraries properly encode their own dependencies (such as Linux).
It is intended primarily for building packages for Linux distributions
to avoid encoding unnecessary shared library dependencies that make
shared library migrations more difficult. If none of the above made any
sense to you, don't bother with this flag.

kftgt should compile cleanly on most systems. I've tested it on the

    Linux (glibc 2.1, 2.2, and 2.3)

but it should work on any Unix system on which MIT Kerberos will

I didn't want to complicate things too much so I didn't worry much about
multiple realms (we only have one) or being able to forward a TGT that
is different than the one you have. A simple wrapper could handle the
second one (set KRBTKFILE to a temp variable, kinit, then run kftgt,
followed by kdestroy).
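
One way to write the wrapper described above, as an added example that is
not part of the kftgt distribution. The function name forward_alt_tgt is
hypothetical, and it assumes kinit takes the principal as its argument and
kftgt takes the target host as its argument.

```shell
#!/bin/sh
# Added example: forward a TGT for a principal other than the one in your
# normal ticket file, without touching that ticket file.
# Assumptions (not taken from the kftgt documentation): "kinit PRINCIPAL"
# and "kftgt HOST" are valid invocations on your system.

forward_alt_tgt() {
    principal=$1
    host=$2
    if [ -z "$principal" ] || [ -z "$host" ]; then
        echo "usage: forward_alt_tgt principal host" >&2
        return 2
    fi

    # Subshell: KRBTKFILE and the umask never leak into the caller.
    (
        umask 077
        # mktemp creates the file mode 0600 with an unpredictable name,
        # so other local users cannot pre-create or read the ticket file.
        KRBTKFILE=$(mktemp "${TMPDIR:-/tmp}/tkt_fwd.XXXXXX") || exit 1
        export KRBTKFILE

        # Always destroy the temporary tickets, even if kinit or kftgt fails.
        cleanup() { kdestroy >/dev/null 2>&1 || true; rm -f "$KRBTKFILE"; }
        trap 'cleanup; exit 1' HUP INT TERM

        status=0
        kinit "$principal" && kftgt "$host" || status=$?
        cleanup
        exit "$status"
    )
}

# Run as a script: forward-alt-tgt principal host
if [ "$#" -eq 2 ]; then
    forward_alt_tgt "$1" "$2"
fi
```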

No significant development is planned on this package. Users are
encouraged to migrate to a pure Kerberos v5 environment as soon as they
can for improved security and functionality. This package is basically
a hack to duplicate functionality that is handled better and more
securely by Kerberos v5.

Please send any comments or bugs to rra@stanford.edu.