What are forwardable tickets?
A Kerberos ticket has the IP address of the client encoded inside it. Application servers and the KDC use this to verify the address of the client. This means that a ticket that was acquired on one host cannot be used on another.

Kerberos 5 introduced the concept of forwardable tickets. During the initial TGT acquisition, a client can request that the ticket be marked forwardable. If the KDC chooses to honor this request (the administrator has the option of disallowing forwardable tickets on a per-site or per-principal basis), the TKT_FLG_FORWARDABLE flag will be set in the flags field in the ticket.

Once the TKT_FLG_FORWARDABLE flag is set on a ticket, the user can use this ticket to request a new ticket, but with a different IP address. Thus, a user can use their current credentials to get credentials valid on another machine.

In the MIT Kerberos 5 release, all of the remote login programs (telnet, rlogin, rsh) support forwarding a user’s TGT to the remote system.
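The address binding and the forwardable flag described above can be seen in a small model. This is an added example, not code from MIT Kerberos: the Ticket class, the function names, the principal and the addresses are constructed for illustration, and a real KDC performs many more checks. Only the two flag values are taken from MIT's krb5.h.

```python
from dataclasses import dataclass, replace

# Flag values as defined in MIT krb5's krb5.h.
TKT_FLG_FORWARDABLE = 0x40000000
TKT_FLG_FORWARDED = 0x20000000


@dataclass(frozen=True)
class Ticket:
    """Hypothetical stand-in holding only the ticket fields discussed here."""
    client: str
    flags: int
    address: str  # client IP address encoded in the ticket


class KdcError(Exception):
    """Raised when the model KDC refuses a request."""


def kdc_issue_tgt(client, address, want_forwardable, policy_allows):
    """Initial TGT acquisition: the flag is set only if requested AND allowed."""
    flags = TKT_FLG_FORWARDABLE if (want_forwardable and policy_allows) else 0
    return Ticket(client, flags, address)


def kdc_forward(tgt, presented_from, new_address):
    """Use an existing TGT to request a ticket bound to a different address."""
    if presented_from != tgt.address:
        raise KdcError("ticket presented from an address it was not issued for")
    if not tgt.flags & TKT_FLG_FORWARDABLE:
        raise KdcError("TGT is not forwardable")
    # The new ticket carries the new address and is marked as forwarded.
    return replace(tgt, flags=tgt.flags | TKT_FLG_FORWARDED, address=new_address)


def server_accepts(ticket, peer_address):
    """Address check done by an application server."""
    return ticket.address == peer_address


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    tgt = kdc_issue_tgt("alice@EXAMPLE.COM", "192.0.2.10", True, True)
    print("original ticket usable on remote host:", server_accepts(tgt, "198.51.100.20"))
    fwd = kdc_forward(tgt, "192.0.2.10", "198.51.100.20")
    print("forwarded ticket usable on remote host:", server_accepts(fwd, "198.51.100.20"))
```
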