kftgt - Forward Kerberos v4 ticket-granting tickets to a remote host

    kftgt [B<-vq>] [B<-l> I<username>] [B<-f> I<ticket-file>] [B<-t>
    I<seconds>] [I<username>@]I<host> [I<username>@I<host> ...]
B<kftgt> is a program that allows a user to forward Kerberos v4 tickets to
a remote host. This can be done without the user's password ever leaving
In order to establish tickets remotely without the use of something like
B<kftgt>, one would have to log in to the remote host and run kinit(1), or
use rkinit(1). B<kftgt> followed by B<rlogin> can be thought of as a
safer substitute for B<rlogin> followed by B<kinit>, and partly duplicates
the Kerberos v5 ticket forwarding support.
B<kftgt> uses the same access checking mechanism as B<rlogin>. That means
that B<kftgt> can be used to create any tickets for user A on remote host
B if and only if A's tickets would entitle a login to B. This means that
one can forward tickets for oneself or for another user if listed in that
The username on the remote host to which to forward tickets can be
specified either with the B<-l> command-line option or by prepending
I<username> and an @-sign to the hostname. The latter syntax is more
convenient for forwarding one's credentials to multiple remote machines,
possibly with different local usernames on each machine.
B<kftgt> only works with the AFS Kerberos server since it does not look
at the IP addresses in ticket granting tickets.
=item B<-f> I<ticket-file>

This option is used to specify the name of the ticket file that should be
used on the remote host. If a ticket file is not specified, the tickets
will be placed in the default location of /tmp/tktI<uid>, where I<uid> is
the UID of the user who owns the remote ticket file.
Obviously, B<kftgt> is most easily used in combination with a B<login.krb>
program on the remote host that uses the same default ticket location as
that used by B<kftgtd>. Otherwise, you will have to set the environment
variable KRBTKFILE to the appropriate filename once you get to the remote
host in order for you to use the tickets.
=item B<-l> I<username>

The user on the remote host to which to forward tickets. If not
specified, the default is the primary portion of the Kerberos principal
Note that this can also be specified on a per-host basis by prepending
I<username> and an @-sign to the hostname.
=item B<-q>

Don't print the "forwarded" message.
=item B<-t> I<seconds>

Number of seconds to wait for the remote host to accept the tickets. The
default value is 60 seconds. If the transaction has not completed in this
time period, it will be aborted.
=item B<-v>

Print version and exit.
On success, B<kftgt> exits with 0 status, like most Unix programs. On
failure, it exits with a status indicating the problem with the last host
to which it attempted to forward tickets:
Host not found in DNS.
Timeout while attempting to connect to the remote host.
Connection to the remote host failed for some reason.
A Kerberos failure, generally either the lack of a local ticket cache or
the lack of a service principal for the remote host.
Some error occurred during the actual protocol exchange.
An internal system error occurred on the client host, unrelated to the
In the following examples, slapshot and dilbert are machines in the
IR.STANFORD.EDU Kerberos realm and rjs is a user who can log in to dilbert
and has C<schemers@IR.STANFORD.EDU> in his .klogin file.
    kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to dilbert

    % kftgt -l rjs dilbert
    kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to rjs on dilbert

    % kftgt rjs@dilbert schemers@slapshot
    kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to rjs on dilbert
    kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to schemers on slapshot
This program was written for Stanford University's local Kerberos setup
and is probably not that useful outside of that environment, although it
is potentially useful for anyone using the Transarc kaserver as a Kerberos
v4 KDC. The operation of forwarding a Kerberos v4 ticket-granting ticket,
while not inherently insecure, is at best somewhat questionable within the
Kerberos v4 security model.
B<kftgt> does not work with Kerberos v5 tickets and likely never will, as
Kerberos v5 added a different ticket forwarding mechanism that functions
as part of the connection protocol rather than using a separate connection
(which is inherently more secure). B<kftgt> is slightly more convenient,
however, as it allows one to refresh tickets on a remote host without
running B<kinit> there or logging in again.
Caution should be taken when forwarding tickets to hostnames that do not
correspond to a single remote host. Because B<kftgt> and B<rlogin> are
two separate programs that each perform their own DNS lookups, it's
possible to forward one's credentials to a different system than one logs
on to. Using the klogin(1) wrapper around B<kftgt> and B<rlogin> partly
resolves this problem.
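The following wrapper is an added example, not part of kftgt, kftgtd or the klogin(1) wrapper this page refers to. It illustrates two points made above: the exit-status section (kftgt reports only the status of the last host it tried, so the wrapper invokes it once per host to keep each host's failure visible) and the caution about separate DNS lookups (the wrapper hands the identical hostname string and remote user to both B<kftgt> and B<rlogin>, and refuses to log in when forwarding failed). Like klogin(1), this only partly addresses the lookup problem, since the two programs still resolve the name independently. The variables KFTGT, RLOGIN and KFTGT_TIMEOUT are assumptions introduced here so the functions can be exercised without a Kerberos v4 environment.

```shell
#!/bin/sh
# Added example (not from the kftgt distribution): forward a Kerberos v4
# TGT with kftgt, then rlogin to the same target only if forwarding worked.
# KFTGT, RLOGIN and KFTGT_TIMEOUT are assumed overridable for testing.
KFTGT=${KFTGT:-kftgt}
RLOGIN=${RLOGIN:-rlogin}
KFTGT_TIMEOUT=${KFTGT_TIMEOUT:-60}   # same default as kftgt's -t

# split_target [user@]host: print "user host" (user empty when not given),
# mirroring the per-host username syntax kftgt accepts.
split_target() {
    case $1 in
        *@*) printf '%s %s\n' "${1%%@*}" "${1#*@}" ;;
        *)   printf ' %s\n' "$1" ;;
    esac
}

# forward_one [user@]host: run kftgt for exactly one host so that the exit
# status unambiguously refers to that host (with several hosts on one
# command line kftgt only reports the status of the last one).
forward_one() {
    "$KFTGT" -q -t "$KFTGT_TIMEOUT" "$1"
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "kftgt: forwarding to $1 failed with status $status" >&2
    fi
    return "$status"
}

# forward_all target...: forward to each host separately and return the
# number of hosts that failed (0 means every forward succeeded).
forward_all() {
    failed=0
    for t in "$@"; do
        forward_one "$t" || failed=$((failed + 1))
    done
    return "$failed"
}

# kftgt_login [user@]host: forward, then log in with the same hostname
# string and the same remote user; never log in if forwarding failed, so
# credentials and session at least target the same name.
kftgt_login() {
    target=$1
    case $target in
        *@*) user=${target%%@*}; host=${target#*@} ;;
        *)   user=;              host=$target ;;
    esac
    forward_one "$target" || return $?
    if [ -n "$user" ]; then
        "$RLOGIN" -l "$user" "$host"
    else
        "$RLOGIN" "$host"
    fi
}
```

Usage follows the page's own examples: `kftgt_login rjs@dilbert` forwards the caller's TGT to user rjs on dilbert and then runs `rlogin -l rjs dilbert`; `forward_all rjs@dilbert schemers@slapshot` forwards to both hosts and returns how many forwards failed. Remember that on the remote side the tickets land in the location described under B<-f>, so KRBTKFILE may still need to be set there.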
Roland J. Schemers <schemers@stanford.edu>.
B<kftgt> and B<kftgtd> continue to be maintained by the Kerberos team at
Stanford University, although no major changes in the functionality of
these programs are planned. Questions and bug reports may be sent to
Russ Allbery <rra@stanford.edu>, but please be aware that we only support
Stanford affiliates and may not be able to help with problems at other
Copyright 1994, 1997, 2001, 2003 Board of Trustees, Leland Stanford
Export of this software from the United States of America may require a
specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of Stanford
University not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior permission.
Stanford University makes no representations about the suitability of
this software for any purpose. It is provided "as is" without express
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
kftgtd(8), kerberos(1), kinit(1)