Node:Viewing Your Tickets with klist, Next:Destroying Your Tickets with kdestroy, Previous:Obtaining Tickets with kinit, Up:Ticket Management
The klist
command shows your tickets. When you first obtain
tickets, you will have only the ticket-granting ticket. (See What is a Ticket?.) The listing would look like this:
shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU shell%
The ticket cache is the location of your ticket file. In the above
example, this file is named /tmp/krb5cc_ttypa
. The default
principal is your kerberos principal. (see What is a Kerberos Principal?)
The "valid starting" and "expires" fields describe the period of
time during which the ticket is valid. The service principal
describes each ticket. The ticket-granting ticket has the primary
krbtgt
, and the instance is the realm name.
Now, if jennifer connected to the machine
daffodil.mit.edu
, and then typed
klist again, she would have gotten the following result:
shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU shell%
Here's what happened: when jennifer used telnet to connect
to the host daffodil.mit.edu
, the telnet
program presented her ticket-granting ticket to the KDC and requested a
host ticket for the host
daffodil.mit.edu
. The KDC sent the host
ticket, which telnet then presented to the host
daffodil.mit.edu
, and she was allowed to
log in without typing her password.
Suppose your Kerberos tickets allow you to log into a host in another
domain, such as trillium.example.com
, which
is also in another Kerberos realm, EXAMPLE.COM
. If you
telnet to this host, you will receive a ticket-granting ticket for the
realm EXAMPLE.COM
, plus the new host
ticket for
trillium.example.com
. klist will now
show:
shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU 06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU 06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@ATHENA.MIT.EDU shell%
You can use the -f
option to view the flags that apply to
your tickets. The flags are:
Here is a sample listing. In this example, the user jennifer
obtained her initial tickets (I
), which are forwardable
(F
) and postdated (d
) but not yet validated (i
).
(See kinit Reference, for more information about postdated tickets.)
shell% klist -f Ticket cache: /tmp/krb5cc_320 Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU Flags: FdiI shell%
In the following example, the user david's tickets were
forwarded (f
) to this host from another host. The tickets are
reforwardable (F
).
shell% klist -f Ticket cache: /tmp/krb5cc_p11795 Default principal: david@EXAMPLE.COM Valid starting Expires Service principal 07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM Flags: Ff 07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM Flags: Ff shell%