Authentication forwarding is an instance of a proxy where the service that is granted is complete use of the client's identity. An example where it might be used is when a user logs in to a remote system and wants authentication to work from that system as if the login were local.
The FORWARDABLE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by application servers. The FORWARDABLE flag has an interpretation similar to that of the PROXIABLE flag, except ticket-granting tickets may also be issued with different network addresses. This flag is reset by default, but users MAY request that it be set by setting the FORWARDABLE option in the AS request when they request their initial ticket-granting ticket.
This flag allows for authentication forwarding without requiring the user to enter a password again. If the flag is not set, then authentication forwarding is not permitted, but the same result can still be achieved if the user engages in the AS exchange specifying the requested network addresses and supplies a password.
The FORWARDED flag is set by the TGS when a client presents a ticket with the FORWARDABLE flag set and requests a forwarded ticket by specifying the FORWARDED KDC option and supplying a set of addresses for the new ticket. It is also set in all tickets issued based on tickets with the FORWARDED flag set. Application servers may choose to process FORWARDED tickets differently than non-FORWARDED tickets.
If addressless tickets are forwarded from one system to another, clients SHOULD still use this option to obtain a new TGT in order to have different session keys on the different systems.
Here is how you would acquire a FORWARDED ticket for the service host/latte.josefsson.org:
$ shishi jas@JOSEFSSON.ORG host/latte.josefsson.org --forwarded Enter password for `jas@JOSEFSSON.ORG': libshishi: warning: KDC bug: Reply encrypted using wrong key. jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:07:11 2003 Starttime: Mon Sep 8 20:07:12 2003 Endtime: Tue Sep 9 04:07:11 2003 Server: host/latte.josefsson.org key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: FORWARDED (4) $
As you noticed, this asked for your password. The reason is that forwarded tickets must be acquired using a forwardable ticket granting ticket, which was not present. If you often need to get forwarded tickets, you may acquire a forwardable ticket granting ticket from the start:
$ shishi --forwardable Enter password for `jas@JOSEFSSON.ORG': jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:08:53 2003 Endtime: Tue Sep 9 04:08:53 2003 Server: krbtgt/JOSEFSSON.ORG key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: FORWARDABLE INITIAL (514) $
Then you should be able to acquire forwarded tickets based on that ticket granting ticket, as follows:
$ shishi jas@JOSEFSSON.ORG host/latte.josefsson.org --forwarded libshishi: warning: KDC bug: Reply encrypted using wrong key. jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:08:53 2003 Starttime: Mon Sep 8 20:08:57 2003 Endtime: Tue Sep 9 04:08:53 2003 Server: host/latte.josefsson.org key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: FORWARDED (4) $