问题
I have a HTTP service running on my domain. But I have few doubts regarding how the life time for my HTTP service is decided. how long can a client be able to use my HTTP service ?
回答1:
A Kerberos ticket has a lifetime (e.g. 10 hours) and a renewable lifetime (e.g. 7 days). As long as the ticket is still valid and is still renewable, you can request a "free" renewal -- no password required --, and the lifetime counter is reset (e.g. 10h to go, again).
When creating the ticket, each "lifetime" is set as the MIN() of 3 values:
- the max duration set in KDC server config (check the MIT documentation under max_life and max_renewable_life)
- the standard duration in client config, typically in
/etc/krb5.conf
(check the MIT documentation under ticket_lifetime and renew_lifetime) - the explicit duration requested by the client, if any (for instance the
kinit
command has-l
and-r
options)
Bottom line: if your KDC does not serve renewable tickets because max_renewable_life = 0
then clients will have to get a new ticket every max_life
(or less, if their local ticket_lifetime
is smaller).
PS: if the ticket is stored in the default cache then you can use klist
to check the end-of-(renewable)-life time.
PPS: I remember some complaints about Java API (JAAS) not allowing apps to request renewable Kerberos tickets... Check if it's still the case.
来源:https://stackoverflow.com/questions/38452020/kerberos-key-lifetime