krb5.forwardable.user.tickets

This configuration parameter specifies whether you want the agent to create forwardable Kerberos user tickets. Creating a forwardable ticket allows a user’s logon ticket to be sent to another computer and used to access additional systems and resources. For example, if a user logs on and is authenticated on one computer, then uses a Kerberized telnet session to connect to a second computer, a forwarded ticket allows the user to access additional Kerberized resources from that second computer without separate authentication.

In most environments, forwarding user tickets is a safe practice. However, if you do not want tickets to be forwarded, you can use this parameter to prevent the agent from creating forwardable tickets.

The parameter value should be 1 if you want to allow ticket forwarding or 0 if you want to prevent ticket forwarding. For example, if you want the agent to create forwardable user tickets:

krb5.forwardable.user.tickets: 1

If this parameter is not defined in the configuration file, its default value is 1 (yes).
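
Because an undefined parameter still means forwardable tickets are created, an audit has to report the effective value rather than search for the line. The following script is an added example, not part of the product or its documentation. It assumes `name: value` lines, `#` as the comment character, and that the last uncommented definition wins; the configuration file path is supplied by the caller.

```shell
#!/bin/sh
# Added example: report the effective krb5.forwardable.user.tickets setting.
# Assumptions: "name: value" lines, "#" starts a comment, and the last
# uncommented definition wins. The config file path is given by the caller.

effective_forwardable() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Extract the value of the last uncommented definition, whitespace trimmed.
    value=$(awk '
        /^[ \t]*#/ { next }
        /^[ \t]*krb5\.forwardable\.user\.tickets[ \t]*:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            found = 1; last = v
        }
        END { if (found) print last; else print "unset" }
    ' "$conf")
    case $value in
        unset) echo "1 (default, parameter not defined)" ;;
        1)     echo "1 (explicit)" ;;
        0)     echo "0 (explicit)" ;;
        *)     echo "invalid: $value"; return 1 ;;
    esac
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# krb5.forwardable.user.tickets: 1
krb5.forwardable.user.tickets: 0
EOF
effective_forwardable "$sample"
rm -f "$sample"
```

On a host where forwarding is expected to be disabled, any result other than `0 (explicit)` is a finding, including the default case where the parameter is absent or only appears in a comment.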