(Forward Kerberos v4 ticket-granting tickets to a remote host)


kftgt [-vq] [-l username] [-f ticket-file] [-t seconds] [username@]host [username@host ...]


kftgt is a program that allows a user to forward Kerberos v4 tickets to a remote host. This can be done without the user's password ever leaving the client machine.

In order to establish tickets remotely without the use of something like kftgt, one would have to log in to the remote host and run kinit(1), or use rkinit(1). kftgt followed by rlogin can be thought of as a safer substitute for rlogin followed by kinit, and partly duplicates the Kerberos v5 ticket forwarding support.

kftgt uses the same access checking mechanism as rlogin. That means that kftgt can be used to create any tickets for user A on remote host B if and only if A's tickets would entitle a login to B. This means that one can forward tickets for oneself or for another user if listed in that user's .klogin file.

The username on the remote host to which to forward tickets can be specified either with the -l command-line option or by prepending username and an @-sign to the hostname. The latter syntax is more convenient for forwarding one's credentials to multiple remote machines, possibly with different local usernames on each machine.

kftgt only works with the AFS Kerberos server since it does not look at the IP addresses in ticket granting tickets.


-f ticket-file

This option is used to specify the name of the ticket file that should be used on the remote host. If a ticket file is not specified, the tickets will be placed in the default location of /tmp/tktuid, where uid is the UID of the user who owns the remote ticket file.

Obviously, kftgt is most easily used in combination with a login.krb program on the remote host that uses the same default ticket location as that used by kftgtd. Otherwise, you will have to set the environment variable KRBTKFILE to the appropriate filename once you get to the remote host in order for you to use the tickets.

-l username

The user on the remote host to which to forward tickets. If not specified, the default is the primary portion of the Kerberos principal being forwarded.

Note that this can also be specified on a per-host basis by prepending username and an @-sign to the hostname.


Don't print the "forwarded" message.

-t seconds

Number of seconds to wait for the remote host to accept the tickets. The default value is 60 seconds. If the transaction has not completed in this time period, it will be aborted.


Print version and exit.


On success, kftgt exits with 0 status, like most Unix programs. On failure, it exits with a status indicating the problem with the last host to which it attempted to forward tickets:


Host not found in DNS.


Timeout while attempting to connect to the remote host.


Connection to the remote host failed for some reason.


A Kerberos failure, generally either the lack of a local ticket cache or the lack of a service principal for the remote host.


Some error occurred during the actual protocol exchange.


An internal system error occurred on the client host, unrelated to the remote host.


In the following examples, slapshot and dilbert are machines in the IR.STANFORD.EDU kerberos realm and rjs is a user who can log in to dilbert and has schemers@IR.STANFORD.EDU in his .klogin file.

    % kftgt dilbert
    kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to dilbert

    % kftgt -l rjs dilbert
    kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to rjs on dilbert

    % kftgt rjs@dilbert schemers@slapshot
    kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to rjs on dilbert
    kftgt: tgt schemers.@IR.STANFORD.EDU forwarded to schemers on slapshot


This program was written for Stanford University's local Kerberos setup and is probably not that useful outside of that environment, although it is potentially useful for anyone using the Transarc kaserver as a Kerberos v4 KDC. The operation of forwarding a Kerberos v4 ticket-granting ticket, while not inherently insecure, is at best somewhat questionable within the Kerberos v4 security model.

kftgt does not work with Kerberos v5 tickets and likely never will, as Kerberos v5 added a different ticket forwarding mechanism that functions as part of the connection protocol rather than using a separate connection (with is inherently more secure). kftgt is minorly more convenient, however, as it allows one to refresh tickets on a remote host without running kinit there or logging in again.

Caution should be taken when forwarding tickets to hostnames that do not correspond to a single remote host. Because kftgt and rlogin are two separate programs that each perform their own DNS lookups, it's possible to forward one's credentials to a different system than one logs on to. Using the klogin(1) wrapper around kftgt and rlogin partly resolves this problem.


Roland J. Schemers <schemers@stanford.edu>.

kftgt and kftgtd continue to be maintained by the Kerberos team at Stanford University, although no major changes in the functionality of these programs are planned. Questions and bug reports may be sent to Russ Allbery <rra@stanford.edu>, but please be aware that we only support Stanford affiliates and may not be able to help with problems at other sites.


Copyright 1994, 1997, 2001, 2003 Board of Trustees, Leland Stanford Jr. University

All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.



kftgtd(8), kerberos(1), kinit(1)

Last modified and spun 2014-07-26