The File Location tab allows you to specify the location of the default Kerberos 5 ticket cache and configuration file. The Ticket File field specifies the name of the in-memory cache (Ticket File) used to store the Kerberos 5 tickets. The format of the name is "API:" followed by the cache name, or "MSLSA:". Disk caches (type "FILE:") are not supported by Kerberos for Windows. The Configuration File field specifies the path to the Kerberos 5 configuration file, krb5.ini. If Confirm that new configuration file exists is checked when the configuration file location is changed, then Leash will not accept values which are not pre-existing Kerberos 5 configuration files.
Configuration Options:
On the Configuration Options page, you provide default attribute values to be used when requesting Kerberos 5 tickets from the Kerberos server.
When Forwardable tickets are received from the Kerberos Server, these tickets can be forwarded to a remote host when you connect via telnet, ssh, ftp, rlogin, or similar applications. When tickets are forwarded, there is no need to obtain Kerberos tickets again to access Kerberized services on the remote host.
When Proxiable tickets are received from the Kerberos Server, these tickets can be passed on to Kerberized services which can in turn act on your behalf.
When Renewable tickets are received from the Kerberos Server, the ticket lifetimes may be renewed without prompting the user for her password. This allows Kerberos tickets to be issued with short lifetimes, allowing compromised accounts to be disabled on short notice without requiring the user to enter a password every few hours. When combined with Automatic Ticket Renewal (Option menu), Leash can maintain valid tickets for a week, a month, or longer by automatically renewing tickets prior to their expiration. The ability to renew tickets without a password is limited by the ticket's renewable lifetime as issued by the Kerberos Server.
Traditionally, Kerberos tickets have included a list of network addresses within the tickets. This address list restricts the use of the tickets to the computers which are assigned those addresses. The use of address lists has become a headache for many users of Kerberos on network connections which use either Network Address Translation (Cable/DSL routers) or Network Address Hiding (VPN) capabilities. On these networks the address of the client machine appears to be different to the network service than it does to the client. The result is that the Kerberos ticket is deemed to be invalid by the service even though it has not been stolen. When No Addresses is checked, Kerberos will not insert an address list into the Kerberos tickets. For Kerberized services which do not require address lists, this will enable Kerberos to be used across NAT and VPN based connections.
Note 1: As of Kerberos 5 release 1.3, the library default is to disable the use of address lists. Leash will detect the setting from the Kerberos 5 configuration and check the No Addresses box. If you attempt to re-enable address lists while the library is configured to disable them, Leash will warn you that the Kerberos 5 configuration file must be altered.
Note 2: Distributed Computing Environment (DCE) servers require the use of address lists.
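As an added example (not taken from the Leash documentation), the following krb5.ini [libdefaults] section expresses the same defaults that the Configuration Options page controls: forwardable, proxiable, renewable lifetime and address lists. EXAMPLE.COM, kdc.example.com and the lifetime values are placeholders.

```ini
; Added example krb5.ini, not part of the Leash documentation.
; Realm, KDC host and lifetimes below are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

    ; Request forwardable tickets so they can be delegated to a remote
    ; host over telnet, ssh, ftp or rlogin without re-authenticating.
    forwardable = true

    ; Proxiable tickets let a service act on the user's behalf;
    ; leave off unless a service actually needs it.
    proxiable = false

    ; Short ticket lifetime plus a long renewable lifetime: a compromised
    ; account can be disabled at the KDC within hours, while Automatic
    ; Ticket Renewal in Leash keeps valid tickets without a password prompt.
    ; The KDC caps the renewable lifetime it actually issues.
    ticket_lifetime = 10h
    renew_lifetime = 7d

    ; Omit the address list so tickets work across NAT and VPN links.
    ; Leash reads this value and checks the No Addresses box; set it to
    ; false only when a service (for example DCE) requires address lists.
    noaddresses = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
```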