Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!samsung!spool.mu.edu!snorkelwacker.mit.edu!stanford.edu!ATHENA.MIT.EDU!tytso
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
Newsgroups: comp.protocols.kerberos
Subject: Re: setup of kerberos
Message-ID: <9104062139.AA09007@tsx-11.MIT.EDU>
Date: 6 Apr 91 21:39:57 GMT
References: <1991Apr5.200458.6549@kpc.com>
Sender: news@shelby.stanford.edu (USENET News System)
Reply-To: tytso@ATHENA.MIT.EDU
Organization: Internet-USENET Gateway at Stanford University
Lines: 35

   Date: 5 Apr 91 20:04:58 GMT
   From: massey@kpc.com (Todd Massey)

   I cannot figure out how to get the setup correct so that kerberos
   stops giving me
   Warning: No Kerberos tickets obtained.
   when I rlogin.

You always get those messages; what rlogind is warning you about is the
fact that if you have Kerberos tickets on host A, and use them to rlogin
to host B from host A, you will _not_ automatically get Kerberos tickets
on host B.

The reason behind this is one of security. Kerberos tickets are only good
on one host, so that if someone steals your tickets, they can only use
them to compromise you on the host they originally came from. Therefore,
when you login to a new host, your Kerberos credentials do not
automatically follow you.

In order to get tickets on host B, you will either need to kinit after
you rlogin (which has the drawback that your password goes across the
network in the clear), or you need to use a client called rkinit before
you use rlogin. rkinit securely obtains and transports over to host B
tickets which can be used for host B. Both using kinit and rkinit
require that you type your password over again, but that's the price you
pay for security.

In Kerberos Version 5, "forwardable" tickets can be created (although
the KDC can be compiled to disallow them, depending on the site
policies) which allow you to forward tickets from Host A to Host B
without needing to type your password over again. Of course, this opens
up a minor security hole, but some users demand convenience at any
cost....

                                                - Ted
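
An added example, not part of the original post: in MIT Kerberos 5, `klist -f` prints each ticket's flags, so a site that restricts forwardable tickets can scan that output for the F (forwardable) and f (forwarded) letters. The sample output, principal, realm and host names below are constructed, and the function names are hypothetical.

```python
import re

# Flag letters printed by MIT Kerberos 5 `klist -f` that relate to forwarding.
FORWARDING_FLAGS = {"F": "forwardable", "f": "forwarded"}

# Constructed `klist -f` output; principal, realm, hosts and times are invented.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
04/06/2024 21:39:57  04/07/2024 07:39:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/13/2024 21:39:57, Flags: FRIA
04/06/2024 21:41:10  04/07/2024 07:39:57  host/hostb.example.com@EXAMPLE.COM
\tFlags: AT
"""


def parse_klist(text):
    """Return [(service_principal, flags)] for each ticket in `klist -f` text."""
    tickets = []
    for line in text.splitlines():
        fields = line.split()
        flags = re.search(r"\bFlags:\s*(\S+)", line)
        if line[:1].isspace() and flags and tickets:
            # Detail line belonging to the ticket row just above it.
            tickets[-1][1] = flags.group(1)
        elif len(fields) == 5 and "@" in fields[-1]:
            # Ticket row: start date, start time, end date, end time, service.
            tickets.append([fields[-1], ""])
    return [tuple(t) for t in tickets]


def forwarding_findings(tickets):
    """List tickets that can be forwarded to, or were forwarded from, another host."""
    findings = []
    for principal, flags in tickets:
        hits = [name for letter, name in FORWARDING_FLAGS.items() if letter in flags]
        if hits:
            findings.append((principal, hits))
    return findings


if __name__ == "__main__":
    for principal, hits in forwarding_findings(parse_klist(SAMPLE_KLIST)):
        print(f"{principal}: {', '.join(hits)}")
```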