Understanding Kerberos ticket forwarding and SSO

by Community Manager on 10-21-2015 02:40 PM

When a user runs a kinit command on host A, their ticket is stored locally on host A. From then on, each command they run uses this ticket. If they then connect to host B, they will need to run the kinit command again, because the ticket will not be available in the local ticket cache on host B (/tmp/krb5cc_1000, for example).
When a principal is created in the Key Distribution Center (KDC), it can be specified in two ways:

  • user/host@domain
  • user@domain

If a principal is created in the first format, the user will be able to kinit *only* on the host specified, so they would need one principal per host. If the second format is used, they can kinit from any host, so only one principal is required.
Hadoop services use the first format because attempting to kinit with the second format simultaneously from several hosts will cause some of the requests to be rejected in order to prevent man-in-the-middle replay attacks.

In short, it is possible to kinit on any node in the cluster, but by default it is typically not possible to kinit once and have the ticket used everywhere, because the ticket cache file is stored locally in /tmp/krb5cc_1000.

Kerberos ticket forwarding allows an SSH session to pass forwardable tickets on to the next host. This is similar to the concept of single sign-on, but it requires that all sessions are initiated to the same host. With forwarding in place, a user can kinit once; then, when they connect via SSH to the next host, the current host connects to the KDC to obtain the appropriate credentials, which are written over the SSH session to the destination host's ticket cache automatically.

Note that specific configuration must be set in order for forwarding to work (for example, the KDC must issue forwardable tickets). For configuration information, consult your KDC documentation.
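
The following is an added example, not part of the original article: a shell check that reads `klist -f` output and reports whether the ticket-granting ticket is forwardable before an SSH hop to host B. It assumes the MIT Kerberos `klist -f` layout (flags on the line after each ticket) and OpenSSH's GSSAPI options; the sample caches and the `alice@EXAMPLE.COM` principal are constructed.

```shell
#!/bin/sh
# Flag letters follow MIT klist: F = forwardable, f = forwarded (case matters).

# Reads `klist -f` output on stdin; prints the flags of the krbtgt entry.
tgt_flags() {
    awk '
        /krbtgt\// { in_tgt = 1; next }      # ticket line for the TGT
        in_tgt && /Flags:/ {                 # flags are on the following line
            sub(/.*Flags:[ \t]*/, ""); print; exit
        }
        /^[0-9]/ { in_tgt = 0 }              # another ticket line started
    '
}

# Returns 0 when the TGT carries the F flag, 1 otherwise.
tgt_is_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample: cache after `kinit -f` against a KDC that permits forwarding.
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
10/21/2015 14:40:00  10/22/2015 00:40:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 10/28/2015 14:40:00, Flags: FRIA'

# Constructed sample: cache after a plain kinit, TGT has no F flag.
SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
10/21/2015 14:40:00  10/22/2015 00:40:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 10/28/2015 14:40:00, Flags: RIA
10/21/2015 14:41:00  10/22/2015 00:40:00  host/hostb.example.com@EXAMPLE.COM
    renew until 10/28/2015 14:40:00, Flags: RA'

# Real use on host A (not run here); delegate only to hosts you trust with your TGT:
#   kinit -f && klist -f | tgt_is_forwardable && \
#     ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes hostB
for s in "$SAMPLE_FORWARDABLE" "$SAMPLE_NOT_FORWARDABLE"; do
    if printf '%s\n' "$s" | tgt_is_forwardable; then
        echo "TGT is forwardable: SSH can delegate it to the next host"
    else
        echo "TGT is not forwardable: kinit again on the next host"
    fi
done
```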

Comments
by obar1
on 11-16-2016 12:12 AM

If you're new to Kerberos ... have a look at this post: http://www.roguelynn.com/words/explain-like-im-5-kerberos/
