[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Put a limit to ticket life span.
|
From: |
Russ Allbery |
|
Subject: |
Re: Put a limit to ticket life span. |
|
Date: |
Sat, 27 Oct 2012 12:42:40 -0700 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux) |
Mats Erik Andersson <address@hidden> writes:
> I have brought this up before:
> A native Solaris' Kerberos ticket request, will be granted
> by "shishid" with a life span of 25 years, since libshishi
> does not perform sanitation. It is "shishid" that malfunc-
> tions, not the external client!
> The following patch resets the requested expiration time for
> any request that asks for more than a five-fold of the default
> life span, simply by resetting the interval to the configured
> default value. I have tested this with "kinit" on OpenIndiana
> and "shishid" on Debian.
Assuming that I understood this correctly (I've not studied the code)....
Maximum ticket lifetime should really be something that the KDC
administrator can configure, since this is closely tied with local
security policies and with the basic security tradeoff of Kerberos (short
ticket expirations but no revocation facility). For both MIT and Heimdal,
the maximum ticket lifetime is configurable per principal.
Assuming 5x the default expiration caps the problem, but isn't the
configuration that I suspect most people use. Most sites in my experience
set the maximum ticket lifetime to the same as the default and use
renewable tickets if they want to allow tickets to last longer than that.
--
Russ Allbery (address@hidden) <http://www.eyrie.org/~eagle/>