kftgt release 1.14

(Kerberos v4 ticket forwarding)

Originally written by Roland Schemers and Booker Bense
Currently maintained by Russ Allbery <rra@stanford.edu>

Copyright 1994, 1996, 1997, 1999, 2001, 2002, 2003, 2005, 2006, 2007 Board of Trustees, Leland Stanford Jr. University. This software is distributed under a BSD-style license. Please see the file LICENSE for terms of use and redistribution.


This package includes a client and daemon to forward and accept forwarded Kerberos v4 tickets, for remote login support in Kerberos v4 environments. It also contains Perl wrappers around rsh, rlogin, and telnet to forward tickets before connecting to the remote system. This package is largely obsoleted by Kerberos v5 and its built-in ticket forwarding support, but may still be useful for sites running AFS kaserver and using Kerberos v4 tickets for AFS access.

This package is largely frozen, and no significant additional development is anticipated. Stanford is migrating to a pure Kerberos v5 environment, after which this software will be dropped. It is currently supported solely for compatibility with our existing infrastructure while we make that migration.

Note that forwarding of Kerberos v4 tickets is likely to only work with the AFS kaserver as the Kerberos v4 KDC and probably will not work with other Kerberos v4 KDCs.


As a Kerberos program, kftgt requires Kerberos v4 libraries to link against. It has been tested only with the MIT Kerberos v4 compatibility libraries from the Kerberos v5 distribution, but likely will also build against the KTH Kerberos v4 libraries.

The krsh and klogin wrappers require Perl 5.004 or later. krsh also expects to find aklog, kdestroy, and unlog on the user's path, the first to obtain AFS tokens from a Kerberos v4 ticket. You may need to change krsh if your aklog is spelled afslog.

As mentioned above, ticket forwarding will likely only work if your Kerberos v4 KDC is the AFS kaserver.


The best way to build kftgt/kftgtd is to do something like (assuming your make program understands VPATH):

    mkdir sun4x_58    # (for example)
    cd sun4x_58
    ../configure
    make
    make install

You'll probably have to specify some options to configure. By default things get installed using the prefix /usr/local (in other words, kftgt is placed in /usr/local/bin, kftgtd in /usr/local/sbin, and so on).

To change the prefix use the --prefix option:

    ../configure --prefix=/opt/kerberos

If your Kerberos libraries and includes aren't in /usr/local/include and /usr/local/lib (or some other include directory and library directory searched by default by your compiler), then you also need to specify --with-kerberos=path:

    ../configure --prefix=/opt/kerberos --with-kerberos=/usr/pubsw

To specify a particular krb5-config script to use, either set the KRB5_CONFIG environment variable or pass it to configure like:

    ./configure KRB5_CONFIG=/path/to/krb5-config

You may also need to change the path to Perl on the first line of the klogin and krsh scripts.

kftgtd is started from inetd so you need to add an entry to inetd.conf:

    kftgtd stream  tcp  nowait  root  /usr/local/sbin/kftgtd kftgtd

And an entry in /etc/services like:

    kftgt  2109/tcp  kftgtd  # K4 TGT forwarding service

If you change the service port you should also change it in kftgt.h and rebuild kftgt. kftgt falls back to the value in kftgt.h if it can't find the service in /etc/services.

You can pass the --enable-reduced-depends flag to configure to try to minimize the shared library dependencies encoded in the binaries. This omits from the link line all the libraries included solely because the Kerberos libraries depend on them and instead links the programs only against libraries whose APIs are called directly. This will only work with shared Kerberos libraries and will only work on platforms where shared libraries properly encode their own dependencies (such as Linux). It is intended primarily for building packages for Linux distributions to avoid encoding unnecessary shared library dependencies that make shared library migrations more difficult. If none of the above made any sense to you, don't bother with this flag.


kftgt should compile cleanly on most systems. I've tested it on the following platforms:

    Digital UNIX 4.0F
    Linux (glibc 2.1, 2.2, and 2.3)
    HP-UX 11.00
    AIX 4.3
    IRIX 6.5
    Solaris 2.6 and 8

but it should work on any Unix system on which MIT Kerberos will compile.


I didn't want to complicate things too much so I didn't worry much about multiple realms (we only have one) or being able to forward a TGT that is different than the one you have. A simple wrapper could handle the second one (set KRBTKFILE to a temporary file, kinit, then run kftgt, followed by kdestroy).
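A sketch of the wrapper described above, as an added example that is not part of the kftgt distribution. It assumes the Kerberos v4 kinit accepts the principal as its only argument, and it passes every remaining argument to kftgt unchanged; the function name and the temporary file name are hypothetical.

```shell
#!/bin/sh
# Added example (not shipped with kftgt): forward a TGT for a principal
# other than the one in the caller's current ticket file.
# Assumption: "kinit <principal>" is the Kerberos v4 kinit invocation.
# Everything after the principal is handed to kftgt as-is.

forward_alt_tgt() {
    if [ "$#" -lt 2 ]; then
        echo "usage: forward_alt_tgt principal kftgt-args..." >&2
        return 2
    fi
    principal=$1
    shift

    # Subshell: KRBTKFILE and the traps never leak into the caller, so the
    # caller's own ticket file is neither replaced nor destroyed.
    (
        umask 077                      # ticket file readable by owner only
        tkfile=$(mktemp "${TMPDIR:-/tmp}/tkt_fwd.XXXXXX") || exit 1
        KRBTKFILE=$tkfile
        export KRBTKFILE

        # Destroy the temporary TGT on every exit path, including a failed
        # kinit or an interrupt; rm is a backstop if kdestroy is missing.
        trap 'kdestroy >/dev/null 2>&1; rm -f "$tkfile"' EXIT
        trap 'exit 1' HUP INT TERM

        kinit "$principal" || exit 1   # prompts for the other principal
        kftgt "$@"                     # forward the freshly obtained TGT
    )
}

# Run as a script: sh forward_alt_tgt.sh principal kftgt-args...
if [ "$#" -gt 0 ]; then
    forward_alt_tgt "$@"
fi
```

The trap matters more than the happy path: without it, an interrupted kinit or a failed forward leaves a usable TGT for the second principal sitting in the temporary directory.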

No significant development is planned on this package. Users are encouraged to migrate to a pure Kerberos v5 environment as soon as they can for improved security and functionality. This package is basically a hack to duplicate functionality that is handled better and more securely by Kerberos v5.

Please send any comments or bugs to rra@stanford.edu.
