Kerberos Ticket Forwarding in Secure Shell Sessions

By default, Reflection forwards your Kerberos Ticket Granting Ticket (TGT) to the host after authentication.

You can disable ticket forwarding using any of the following techniques.

  • Clear the Delegate credentials setting on the GSSAPI tab of the Secure Shell Settings dialog box. This setting affects only Secure Shell protocol version 2 connections.
  • Edit the Secure Shell configuration file. Use one or both of the following lines, depending on which protocol(s) you use. The first line disables ticket forwarding for protocol version 1; the second for protocol version 2.

    KerberosTgtPassing no

    GssapiDelegateCredentials no

  • To disable ticket forwarding for realms used by your principal profile, use the Kerberos Manager (if it is available on your system). While these changes affect Secure Shell sessions that are configured to use Reflection Kerberos, they do not affect sessions configured to use SSPI. Changes you make with the Kerberos Manager are ignored if you have configured ticket forwarding using either of the preceding techniques.