Kerberos key Lifetime

六月ゝ 毕业季﹏ Submitted on 2019-12-12 01:44:29

Question


I have an HTTP service running on my domain. But I have a few doubts regarding how the lifetime for my HTTP service is decided. How long can a client be able to use my HTTP service?


Answer 1:


A Kerberos ticket has a lifetime (e.g. 10 hours) and a renewable lifetime (e.g. 7 days). As long as the ticket is still valid and is still renewable, you can request a "free" renewal -- no password required -- and the lifetime counter is reset (e.g. 10h to go, again).

When creating the ticket, each "lifetime" is set as the MIN() of 3 values:

  • the max duration set in KDC server config (check the MIT documentation under max_life and max_renewable_life)
  • the standard duration in client config, typically in /etc/krb5.conf (check the MIT documentation under ticket_lifetime and renew_lifetime)
  • the explicit duration requested by the client, if any (for instance the kinit command has -l and -r options)

Bottom line: if your KDC does not serve renewable tickets because max_renewable_life = 0, then clients will have to get a new ticket every max_life (or less, if their local ticket_lifetime is smaller).

PS: if the ticket is stored in the default cache then you can use klist to check the end-of-(renewable)-life time.
PPS: I remember some complaints about Java API (JAAS) not allowing apps to request renewable Kerberos tickets... Check if it's still the case.
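The following is an added example, not code from the original answer or from MIT Kerberos. It models the MIN() rule above in plain Python: the three duration sources (KDC `max_life`/`max_renewable_life`, client `ticket_lifetime`/`renew_lifetime`, and the optional `kinit -l`/`-r` request) are combined, a ticket is issued with an end time and a renew-till time, and a "free" renewal resets the lifetime counter without ever passing renew-till. The duration parser, the `Ticket` class and all function names are assumptions made for this illustration; it accepts only a subset of the duration syntax MIT krb5 understands (plain seconds and `Nd`/`Nh`/`Nm`/`Ns` combinations), and it treats a ticket as non-renewable whenever the effective renewable lifetime does not extend past the first expiry (which is also what `max_renewable_life = 0` produces).

```python
"""Model of how a Kerberos ticket's lifetime and renewable lifetime are chosen.

Added illustration, not the original answer's code and not MIT krb5's code.
It does not contact a KDC; it only reproduces the MIN() rule from the answer.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: only these duration forms are accepted (MIT krb5 accepts more).
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"(\d+)([dhms])")


def parse_duration(text: str) -> int:
    """Seconds in a duration such as '10h', '7d', '1d12h' or '36000'."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    pos, total = 0, 0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:  # reject garbage between components
            raise ValueError(f"unrecognised duration: {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return total


@dataclass
class Ticket:
    issued_at: int              # epoch seconds when issued or last renewed
    lifetime: int               # seconds a fresh or freshly renewed ticket lasts
    endtime: int                # epoch seconds at which the ticket expires
    renew_till: Optional[int]   # last possible renewal time, None if not renewable

    @property
    def renewable(self) -> bool:
        return self.renew_till is not None


def issue_ticket(now: int, kdc_max_life: str, kdc_max_renewable_life: str,
                 client_ticket_lifetime: Optional[str] = None,
                 client_renew_lifetime: Optional[str] = None,
                 requested_life: Optional[str] = None,
                 requested_renew: Optional[str] = None) -> Ticket:
    """Apply the MIN() rule: each lifetime is the smallest of the KDC limit,
    the client's krb5.conf default and the explicit kinit -l / -r request."""
    lifetime = min(parse_duration(v) for v in
                   (kdc_max_life, client_ticket_lifetime, requested_life) if v)
    renew_life = min(parse_duration(v) for v in
                     (kdc_max_renewable_life, client_renew_lifetime, requested_renew) if v)
    # Modelled assumption: renewability only makes sense if renew_till lies
    # beyond the first expiry; max_renewable_life = 0 therefore disables it.
    renew_till = now + renew_life if renew_life > lifetime else None
    return Ticket(now, lifetime, now + lifetime, renew_till)


def renew_ticket(ticket: Ticket, now: int) -> Optional[Ticket]:
    """'Free' renewal: no password, lifetime counter reset, never past renew_till.
    Returns None when the ticket is not renewable, already expired, or past renew_till."""
    if not ticket.renewable or now >= ticket.endtime or now >= ticket.renew_till:
        return None
    new_end = min(now + ticket.lifetime, ticket.renew_till)
    return Ticket(now, ticket.lifetime, new_end, ticket.renew_till)


def max_usable_seconds(ticket: Ticket) -> int:
    """Longest a client can keep using this ticket if it renews before each expiry."""
    if ticket.renewable:
        return ticket.renew_till - ticket.issued_at
    return ticket.lifetime


if __name__ == "__main__":
    # Constructed sample settings: KDC allows 24h/7d, client asks 10h/7d, kinit -l 8h.
    t = issue_ticket(1_000_000, "24h", "7d", "10h", "7d", requested_life="8h")
    print("renewable ticket:", t, "usable for", max_usable_seconds(t), "s")
    print("renewed at +20000s:", renew_ticket(t, 1_020_000))
    # Same client against a KDC with max_renewable_life = 0.
    n = issue_ticket(1_000_000, "24h", "0", "10h", "7d")
    print("non-renewable ticket:", n, "usable for", max_usable_seconds(n), "s")
```

Running the module prints the two constructed cases: against a KDC that allows renewal the ticket lasts 8h per issue but can be kept alive for the full 7 days, while against a KDC with `max_renewable_life = 0` the same client gets a 10h ticket and must re-authenticate when it expires, which is the "bottom line" case in the answer.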



Source: https://stackoverflow.com/questions/38452020/kerberos-key-lifetime
