default ticket lifetime

Tony Lill ajlill at ajlc.waterloo.on.ca
Fri Mar 14 13:36:08 EST 2003


>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:

    Douglas> Klaas Hagemann wrote:
    >> 
    >> Jens Kleineheismann schrieb:
    >> > Hi there,
    >> Hi Jens,
    >> 
    >> there are three points where the ticket lifetime is defined:
    >> 1. kdc.conf, you checked this
    >> 2. the principals, you checked this as well
    >> 3. the /etc/krb5.conf on the client side.
    >> There you can define a default ticket lifetime.
    >> 
    >> In the section [libdefaults] you can set
    >> ticket_lifetime = <<ticket lifetime in seconds>>


    Douglas> But it is hard coded in the MIT 1.2.6  get_in_tkt.c: 

    Douglas>    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE))
    Douglas>        request.till += options->tkt_life;
    Douglas>    else
    Douglas>        request.till += 10*60*60; /* this used to be hardcoded in kinit.c */

    Douglas> so it looks like the [libdefaults] is not used. 

Even if it was, there is this little gem from init_ctx.c:

#if 0
	/* Default ticket lifetime is currently not supported */
	profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime",
			    0, 10 * 60 * 60, &tmp);
	ctx->tkt_lifetime = tmp;
#endif

Not only is it ifdef'd out, but to add insult to injury, the variable
name doesn't even match the documentation and sample krb.conf files!

Would anyone care to explain why we're not allowed to change the
default ticket lifetime?
--
Tony Lill,                         Tony.Lill at AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
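
The following is an added example, not part of the original message and not MIT Kerberos code: a small audit that reads a client krb5.conf and models the 1.2.6 behaviour described in this thread, where the `[libdefaults]` value is never consulted and the request falls back to 10 hours. The sample config, the function names, the `tkt_life_opt` parameter and the rule that the KDC caps the request at the kdc.conf and principal maxima are assumptions of the example.

```python
import re

HARDCODED_TKT_LIFE = 10 * 60 * 60  # fallback quoted from get_in_tkt.c above

# Constructed sample client config, not taken from any real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 86400

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def libdefaults(conf_text):
    """Return key/value pairs found in the [libdefaults] section."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values

def audit_lifetime(conf_text, realm_max, principal_max, tkt_life_opt=None):
    """Compare the configured lifetime with what the client would request.

    tkt_life_opt models options->tkt_life (hypothetical parameter name);
    None means KRB5_GET_INIT_CREDS_OPT_TKT_LIFE is not set.
    """
    conf = libdefaults(conf_text)
    # The docs say ticket_lifetime; the disabled init_ctx.c code reads tkt_lifetime.
    name = next((k for k in ("ticket_lifetime", "tkt_lifetime") if k in conf), None)
    configured = int(conf[name]) if name else None
    requested = tkt_life_opt if tkt_life_opt is not None else HARDCODED_TKT_LIFE
    # Assumption: the KDC caps the request at the kdc.conf and principal maxima.
    issued = min(requested, realm_max, principal_max)
    return {"setting": name, "configured": configured, "requested": requested,
            "issued": issued,
            "setting_ignored": configured is not None and configured != requested}

if __name__ == "__main__":
    print(audit_lifetime(SAMPLE_KRB5_CONF, realm_max=90000, principal_max=172800))
```

A result with `setting_ignored` true means the lifetime on the issued ticket will not match what the administrator wrote in krb5.conf, which matters when session length is part of a site's access policy.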


