Thoughts on long-lived credentials
Alexandra Ellwood
lxs at MIT.EDU
Thu Jan 19 12:59:15 EST 2006
On Jan 19, 2006, at 11:59 AM, Luke Howard wrote:
> What are the current thoughts on automatically renewing Kerberos credentials
> for long-lived sessions, particularly with respect to NFSv4 (where the user
> experience could be adversely affected)?
Kerberos.app on Mac OS X has auto-renewed tickets for a while now.
It waits until the tickets are more than 1/2 expired and then tries
to renew them. If the machine is off the network, it halves the time
left and sets a timer to try again at that time (with a minimum time
between tries to avoid going crazy just before the tickets expire).
It also detects wake from sleep and if the tickets are more than 1/2
expired on wake it will try immediately. This algorithm works well
on laptops using Kerberos as well as desktops.
Rather than forcing users to add Kerberos.app to their login items,
we have considered creating an auto-renewer which is launched
automatically for the user whenever they get tickets. Due to
upcoming architectural changes in the CCacheServer which would
influence how such an auto-renewer would get launched, we've tabled
this work for now.
Since this gets brought up every time we discuss auto-renewal on the
Mac, I'm going to preemptively point out that even if you have an
in-memory storage daemon like the CCacheServer, you don't want to use it
for auto-renewal for the following reasons:
1) Auto-renewal mechanism tied to a specific ccache type won't work
for other types of caches.
2) An in-memory credentials storage daemon is both a single point of
failure for Kerberos and also a good target for attacks. Thus it
should be lightweight and easy to inspect for bugs. Linking the
Kerberos libraries into such a daemon will make your QA process much
more horrible.
3) Vendors may wish to integrate the credentials storage daemon into
a similar existing daemon already on their OS (e.g. Apple's
SecurityServer). Having a complicated credentials renewal component
in the daemon would make this much more difficult.
> Another issue is what to do when a TGT is no longer renewable. At first, we
> thought one might wish to store one's long-term Kerberos key at logon, so it
> would be possible to reacquire a TGT after the renewable lifetime was up. (*)
Windows does this I think. In fact I seem to recall that for at
least some versions of Windows it doesn't even bother trying to renew
the tickets and just always uses the stored key.
We have an open feature request for Kerberos for Macintosh to allow
the user to store their Kerberos password in the Keychain. Since
this is already where pkinit certs go, we will probably end up adding
support for it. As is typical on the Mac, the "Remember in Keychain"
checkbox will not be checked by default. And we will almost
certainly add some config file way to turn off the support entirely
for sites with more stringent security policies.
HTH,
--lxs
Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
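The renewal schedule described in the reply above (wait until the ticket is more than half expired, renew if the network is reachable, otherwise halve the remaining time and retry, never faster than a minimum interval, and stop once the ticket or its renewable lifetime is exhausted), written out as an added example; this is not Kerberos.app's code, and the Ticket fields, the 60-second floor and the sample lifetimes are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    issued: float       # seconds since epoch (hypothetical values in the tests)
    expires: float      # end of the current ticket lifetime
    renew_until: float  # end of the renewable lifetime; no renewal past this


def half_point(t: Ticket) -> float:
    """Instant at which the ticket is exactly half expired."""
    return t.issued + (t.expires - t.issued) / 2


def plan(t: Ticket, now: float, online: bool, min_retry: float = 60.0):
    """One scheduler step: (action, seconds until the next step, ticket).

    A wake-from-sleep handler would call this same function immediately
    instead of waiting for the timer it armed before sleeping.
    """
    if now < half_point(t):                        # less than half expired: wait
        return ("wait", half_point(t) - now, t)
    if now >= t.expires or now >= t.renew_until:   # nothing left to renew
        return ("give_up", None, t)
    if online:                                     # renewal succeeds: fresh lifetime,
        lifetime = t.expires - t.issued            # capped at the renewable lifetime
        new = Ticket(now, min(now + lifetime, t.renew_until), t.renew_until)
        return ("renewed", half_point(new) - now, new)
    remaining = t.expires - now                    # off network: halve the time left,
    return ("retry", max(remaining / 2, min_retry), t)  # but never spin faster than min_retry


def simulate(t: Ticket, now: float, online_at, min_retry: float = 60.0, max_steps: int = 100):
    """Drive the timer loop until a renewal succeeds or the renewer gives up.

    online_at(time) -> bool models the network state. Returns ([(time, action)], ticket).
    """
    log = []
    for _ in range(max_steps):
        action, delay, t = plan(t, now, online_at(now), min_retry)
        log.append((now, action))
        if action in ("renewed", "give_up"):
            break
        now += delay
    return log, t


if __name__ == "__main__":
    # Constructed sample: a 10-hour ticket, machine permanently off the network.
    for when, what in simulate(Ticket(0.0, 36000.0, 604800.0), 0.0, lambda ts: False)[0]:
        print(f"t={when:>10.2f}s  {what}")
```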