Re: Shishi interop server running
From: Mats Erik Andersson
Subject: Re: Shishi interop server running
Date: Thu, 9 Aug 2012 19:52:44 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

On Wednesday, 8 August 2012 at 15:18, Simon Josefsson wrote:
> All,
>
> I have setup a Shishi KDC for interop purposes on interop.josefsson.org.
> The server is running Ubuntu 12.04 with Shishi installed from packages.

There is one issue with ticket lifetimes in the present setup.
An outdated OpenSolaris, as well as a contemporary OpenIndiana, are
both receiving TGTs of almost infinite validity when requested by
kinit(1) without specifying a desired lifetime at the command line.
In fact, the ticket is valid until 2037-12-31, at 00:00. Using
instead "kinit -l 2h" provides the bounded, and correct, expiry time.

The interpretation is that libshishi must initialize a sane default,
even if the administrator does not ask for this explicitly. It seems
as if the other MIT-derived implementations, and those based on Heimdal,
are by themselves imposing a reasonable time limit already in kinit(1),
just as shishi(1) does itself. I do not think that Shishi should rely
on this, but should instead improve in the sense of setting a finite
interval as default initialization.

Also, probably the authorization value of the TELNET server should
be raised to "-avalid".

Best regards,
Mats Erik Andersson
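
The KDC-side bound argued for in the message above, as an added example that is not part of the original message and is not Shishi's code: the granted endtime is the earliest of the requested till and the policy limits, following the example in RFC 4120 section 3.1.3. The struct, its field names, the function names and all sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical KDC policy record; names are assumptions, not Shishi's API. */
struct lifetime_policy {
    long realm_max;    /* realm-wide maximum lifetime, seconds (required) */
    long client_max;   /* per-client maximum, 0 = not set */
    long server_max;   /* per-service maximum, 0 = not set */
    long default_life; /* granted when the request carries no usable till */
};

/* Lower cap to limit when limit is set (> 0) and tighter than cap. */
static long min_set(long cap, long limit)
{
    return (limit > 0 && limit < cap) ? limit : cap;
}

/* Return the endtime to put in the ticket, never later than policy allows. */
time_t kdc_endtime(time_t start, time_t till, const struct lifetime_policy *p)
{
    long cap = min_set(min_set(p->realm_max, p->client_max), p->server_max);
    time_t latest = start + cap;

    /* No preference (0) or a till in the past: fall back to the default,
       itself bounded by the cap. */
    if (till <= start)
        till = start + min_set(cap, p->default_life);

    /* A far-future till, as from kinit without -l, is cut to the cap. */
    return till < latest ? till : latest;
}

int main(void)
{
    /* Constructed sample policy: 24 h realm, 10 h service, 8 h default. */
    struct lifetime_policy p = { 86400, 0, 36000, 28800 };
    time_t start = 1344470400;        /* constructed: 2012-08-09 00:00 UTC */
    time_t far = (time_t)2145830400;  /* 2037-12-31 00:00, taken as UTC */

    printf("far-future till: %ld s\n", (long)(kdc_endtime(start, far, &p) - start));
    printf("kinit -l 2h:     %ld s\n", (long)(kdc_endtime(start, start + 7200, &p) - start));
    printf("no till given:   %ld s\n", (long)(kdc_endtime(start, 0, &p) - start));
    return 0;
}
```
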