
Kerberos Tickets and How They Work
Kerberos allows a client (you) to exchange private information
with a server across an otherwise open network. A unique key, called
a ticket, is assigned to each person who authenticates to the network
using his or her PennKey and password with special ticket management
software. The ticket, rather than your PennKey and password, is embedded
in messages and identifies you to the various Kerberized services on
campus when you attempt to connect to them. Your PennKey and password
are never sent across the network.
Types of Tickets
You receive two types of tickets that help identify you.
- Ticket-granting ticket (TGT). When you use your PennKey
and password to log into the Kerberos ticket manager installed
on your computer, you receive a ticket-granting ticket (TGT)
from a central Key Distribution Center (KDC). The TGT acts as
a master ID that identifies you to all the various Kerberized
services on campus.
- Service ticket. When you attempt to connect to a specific service
(e.g., IMAP email) on a server that employs Kerberos for authentication,
the service needs to know that you are who you say you are. To that end,
your Kerberos-capable client software (e.g., Eudora) presents the ticket
that was issued by the KDC, much as one might present a government-issued
photo ID at airport check-in. The service first examines the ticket to verify
your identity, and then checks whether you are authorized to use the service.
If everything checks out, you are authenticated and presented with a service
ticket.
Ticket Duration and Destroying Tickets
You should also understand how long tickets are good for and how
to destroy them, so that you do not inadvertently leave tickets (and
your accounts) available for others to use.
- TGT. At Penn, TGTs last up to 10 hours. Thus if you
get a Kerberos ticket at 9:00 AM, you can continue to communicate
with Kerberized services and hosts until 7:00 PM without re-authenticating
to the KDC.
Your TGT is destroyed if you reboot your computer, so you will
need to log into the Kerberos ticket manager every time you
start your computer. Your TGT is NOT destroyed when you exit
the ticket manager, so it is VERY IMPORTANT to always destroy
your tickets when you leave your work area.
- Service ticket. The lifetime of a service ticket varies
according to host and server. As with the TGT (see above), your
service ticket is not destroyed when you exit the ticket manager,
so it is critical to always destroy your tickets before you
leave your workstation unattended.
Destroying tickets in current Kerberos ticket managers is an
"all-or-nothing" action: when you instruct a ticket
manager to destroy tickets, it destroys all service tickets
along with the TGT.
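The ticket flow and lifetime rules described in the two sections above, worked through as an added example. This is constructed teaching code, not Penn's ticket manager and not MIT Kerberos: the KDC, the "jdoe" account and password, the service name imap/mail.example.edu and its 2-hour ticket lifetime are all assumptions, and an HMAC over the ticket fields stands in for the encryption that protects a real ticket. The 9:00 AM to 7:00 PM TGT window and the all-or-nothing destroy are the page's own rules.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

TGT_LIFETIME = timedelta(hours=10)  # Penn's stated TGT maximum
# Service ticket lifetimes vary by host and server; this value is constructed for the example.
SERVICE_LIFETIMES = {"imap/mail.example.edu": timedelta(hours=2)}


@dataclass(frozen=True)
class Ticket:
    principal: str   # whom the ticket identifies
    service: str     # "krbtgt" for the TGT, otherwise the service principal
    issued: datetime
    expires: datetime
    mac: str         # stands in for the encryption that protects a real ticket


class KDC:
    """Toy Key Distribution Center: checks the password once, then issues tickets."""

    def __init__(self, kdc_key: bytes):
        self._key = kdc_key
        self._users = {}  # constructed user database: principal -> password hash

    @staticmethod
    def _pw_hash(password: str) -> str:
        return hashlib.sha256(("toy-salt:" + password).encode()).hexdigest()

    def register(self, principal: str, password: str) -> None:
        self._users[principal] = self._pw_hash(password)

    def _mac(self, principal, service, issued, expires) -> str:
        msg = "|".join([principal, service, issued.isoformat(), expires.isoformat()]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _issue(self, principal, service, now, lifetime) -> Ticket:
        expires = now + lifetime
        return Ticket(principal, service, now, expires, self._mac(principal, service, now, expires))

    def is_valid(self, ticket: Ticket, now: datetime) -> bool:
        """Reject forged (bad MAC), not-yet-valid or expired tickets."""
        expected = self._mac(ticket.principal, ticket.service, ticket.issued, ticket.expires)
        return hmac.compare_digest(expected, ticket.mac) and ticket.issued <= now < ticket.expires

    def authenticate(self, principal: str, password: str, now: datetime) -> Ticket:
        """AS exchange: the only step that uses the password; the answer is a TGT."""
        if self._users.get(principal) != self._pw_hash(password):
            raise PermissionError("bad PennKey or password")
        return self._issue(principal, "krbtgt", now, TGT_LIFETIME)

    def get_service_ticket(self, tgt: Ticket, service: str, now: datetime) -> Ticket:
        """TGS exchange: a valid TGT, not the password, earns a service ticket."""
        if tgt.service != "krbtgt" or not self.is_valid(tgt, now):
            raise PermissionError("TGT missing, forged or expired; re-authenticate to the KDC")
        return self._issue(tgt.principal, service, now, SERVICE_LIFETIMES[service])


def service_accepts(kdc: KDC, ticket: Ticket, service: str, authorized: set, now: datetime) -> bool:
    """The Kerberized service: verify identity first, then check authorization.
    A real service validates with its own key; this toy reuses the KDC's check."""
    if ticket.service != service or not kdc.is_valid(ticket, now):
        return False
    return ticket.principal in authorized


class TicketManager:
    """Client-side ticket cache; destroying tickets is all-or-nothing, as the page says."""
    def __init__(self):
        self.cache = {}
    def store(self, ticket: Ticket) -> None:
        self.cache[ticket.service] = ticket
    def get(self, service: str):
        return self.cache.get(service)
    def destroy(self) -> None:
        self.cache.clear()


def demo() -> dict:
    """Walk through the page's 9:00 AM scenario and return each check as a dict entry."""
    kdc = KDC(b"constructed-kdc-key")
    kdc.register("jdoe", "correct horse")  # constructed PennKey and password
    imap = "imap/mail.example.edu"
    t9am = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    at = lambda h, m=0: t9am + timedelta(hours=h - 9, minutes=m)  # clock helper
    mgr = TicketManager()
    mgr.store(kdc.authenticate("jdoe", "correct horse", t9am))
    mgr.store(kdc.get_service_ticket(mgr.get("krbtgt"), imap, t9am))
    r = {}
    r["imap_ok_at_10"] = service_accepts(kdc, mgr.get(imap), imap, {"jdoe"}, at(10))
    r["imap_denied_if_unauthorized"] = service_accepts(kdc, mgr.get(imap), imap, {"asmith"}, at(10))
    r["imap_ticket_expired_at_12"] = service_accepts(kdc, mgr.get(imap), imap, {"jdoe"}, at(12))
    # Single sign-on: the still-valid TGT buys a fresh IMAP ticket with no password prompt
    mgr.store(kdc.get_service_ticket(mgr.get("krbtgt"), imap, at(12)))
    r["imap_renewed_at_12"] = service_accepts(kdc, mgr.get(imap), imap, {"jdoe"}, at(12))
    forged = replace(mgr.get(imap), principal="asmith")  # tampered copy fails the MAC check
    r["forged_rejected"] = service_accepts(kdc, forged, imap, {"asmith"}, at(12))
    r["tgt_ok_at_6_59pm"] = kdc.is_valid(mgr.get("krbtgt"), at(18, 59))
    r["tgt_expired_at_7_01pm"] = kdc.is_valid(mgr.get("krbtgt"), at(19, 1))
    try:
        kdc.get_service_ticket(mgr.get("krbtgt"), imap, at(19, 1))
        r["tgs_after_expiry"] = "issued"
    except PermissionError:
        r["tgs_after_expiry"] = "refused"
    mgr.destroy()  # all-or-nothing: TGT and service tickets go together
    r["cache_empty_after_destroy"] = mgr.get("krbtgt") is None and mgr.get(imap) is None
    return r
```

Running demo() shows why leaving a ticket cache behind matters: until the TGT expires at 7:00 PM, anyone at the workstation can obtain new service tickets without ever knowing the password, and the only thing that closes that window early is destroying the cache.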
Summary
In summary, as long as you have a valid TGT, you can re-authenticate
and receive a new service ticket for any service you are authorized
to use on any host on campus. (This is what is meant by single sign-on.)
It's very important to destroy all tickets from within the Kerberos
ticket manager any time you leave your work area. In order to prevent
subsequent unauthorized access from your computer by another person,
you must also exit or quit all client applications you have been
using to access Kerberized services.