Jacek L.

Reputation: 1416

Can the forwarded Kerberos ticket be renewed?

Suppose we have the following situation: we have a machine, which acquired its ticket, then this ticket has been forwarded to another machine. Can that other machine renew the received ticket?

Other question: if the machine which acquired the ticket renews it, do the other machines that the ticket was forwarded to have to renew it on their own? Or does it get immediately invalidated once the initial machine renews it?

Upvotes: 2

Views: 757

Answers (1)

Sam Hartman

Reputation: 6489

The protocol (RFC 4120) permits a client to forward a renewable ticket. All the implementations I'm familiar with (Windows, MIT and Heimdal) will end up with the ticket renewable once forwarded if it was forwarded before. So, you could do something like

ssh -K hostname # forward the ticket to the remote host
kinit -R # renew the ticket; run inside the ssh session

Each ticket is its own thing. That is, the forwarded ticket is separate from the ticket before forwarding; the renewed ticket generated from the forwarded ticket is separate from the forwarded ticket. It's also separate from any renewed ticket generated from the base ticket. So, renewing tickets doesn't really typically invalidate them. Each machine should be responsible for renewing its own tickets, and they should not cause problems for each other.

Upvotes: 3
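A way to check, on the machine that received the ticket, whether the forwarded TGT carries the renewable flag before running `kinit -R`. This is an added example, not part of the answer above; it assumes the MIT `klist -f` output layout (flag letters `f` = forwarded, `R` = renewable), and the function names and sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original answer). Assumes MIT Kerberos `klist -f`,
# which prints a "Flags:" line under each ticket: F=forwardable, f=forwarded,
# R=renewable. Heimdal's klist uses a different layout and is not handled here.

# Constructed sample of `klist -f` output on the host the ticket was forwarded to.
SAMPLE_FORWARDED='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 01/08/2024 10:00:00, Flags: FfRT'

# Reads `klist -f` text on stdin and prints the state of the first TGT:
#   renewable-forwarded | renewable | not-renewable | no-tgt
tgt_renew_state() {
    awk '
        # The line following the first krbtgt/ entry carries its flags.
        !found && /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            flags = $0
            sub(/.*Flags: */, "", flags)
            found = 1
            in_tgt = 0
        }
        END {
            if (!found)       { print "no-tgt"; exit }
            if (flags !~ /R/) { print "not-renewable"; exit }
            if (flags ~ /f/)  { print "renewable-forwarded"; exit }
            print "renewable"
        }'
}

# Renews the local TGT only when the cache holds a renewable one.
# Each host runs this against its own credential cache.
renew_if_possible() {
    state=$(klist -f 2>/dev/null | tgt_renew_state)
    case $state in
        renewable*) kinit -R ;;
        *) echo "TGT state: $state; not renewing" >&2; return 1 ;;
    esac
}
```
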
