Next: Destroying Your Tickets with kdestroy, Previous: Obtaining Tickets with kinit, Up: Ticket Management
The klist command shows your tickets. When you first obtain
tickets, you will have only the ticket-granting ticket. (See What is a Ticket?.) The listing would look like this:
shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU
Valid starting Expires Service principal
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
shell%
The ticket cache is the location of your ticket file. In the above
example, this file is named /tmp/krb5cc_ttypa. The default
principal is your kerberos principal. (see What is a Kerberos Principal?)
The “valid starting” and “expires” fields describe the period of
time during which the ticket is valid. The service principal
describes each ticket. The ticket-granting ticket has the primary
krbtgt, and the instance is the realm name.
Now, if jennifer connected to the machine
daffodil.mit.edu, and then typed
klist again, she would have gotten the following result:
shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU
Valid starting Expires Service principal
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU
shell%
Here's what happened: when jennifer used telnet to connect
to the host daffodil.mit.edu, the telnet
program presented her ticket-granting ticket to the KDC and requested a
host ticket for the host
daffodil.mit.edu. The KDC sent the host
ticket, which telnet then presented to the host
daffodil.mit.edu, and she was allowed to
log in without typing her password.
Suppose your Kerberos tickets allow you to log into a host in another
domain, such as trillium.example.com, which
is also in another Kerberos realm, EXAMPLE.COM. If you
telnet to this host, you will receive a ticket-granting ticket for the
realm EXAMPLE.COM, plus the new host ticket for
trillium.example.com. klist will now
show:
shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU
Valid starting Expires Service principal
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU
06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@ATHENA.MIT.EDU
shell%
You can use the -f option to view the flags that apply to
your tickets. The flags are:
Here is a sample listing. In this example, the user jennifer obtained her initial tickets (I), which are forwardable (F) and postdated (d) but not yet validated (i). (See kinit Reference, for more information about postdated tickets.)
shell% klist -f
Ticket cache: /tmp/krb5cc_320
Default principal: jennifer@ATHENA.MIT.EDU
Valid starting Expires Service principal
31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
Flags: FdiI
shell%
In the following example, the user david's tickets were forwarded (f) to this host from another host. The tickets are reforwardable (F).
shell% klist -f
Ticket cache: /tmp/krb5cc_p11795
Default principal: david@EXAMPLE.COM
Valid starting Expires Service principal
07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Flags: Ff
07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM
Flags: Ff
shell%