Thoughts on long-lived credentials

Luke Howard lukeh at padl.com
Thu Jan 19 11:59:13 EST 2006


What are the current thoughts on automatically renewing Kerberos credentials
for long-lived sessions, particularly with respect to NFSv4 (where the user
experience could be adversely affected)?

It seems that Solaris has kwarnd, which can both warn users of impending
ticket expiry as well as renewing tickets. Are there any plans to do
something similar for Linux? (I know about KCM, but we need a solution that
works with MIT, and preferably one that will work with any ccache type.)

Another issue is what to do when a TGT is no longer renewable. At first, we
thought one might wish to store one's long-term Kerberos key at logon, so it
would be possible to reacquire a TGT after the renewable lifetime was up. (*)

After some discussion we reached the conclusion that it would be preferable
to have a longer renewable lifetime rather than storing users' long-term
keys, something which one generally wishes to avoid, although the new Linux
keyring functionality might buy some security. Also, storing long-term keys
doesn't appear to buy much if it is acceptable to increase the renewable
lifetime to the password-must-change interval.


cheers,

-- Luke

P.S. Anyone have any idea on the status of a Linux keyring ccache type? I
would be interested in working on this if no one else is.

(*) With KCM, you can call _krb5_kcm_get_initial_ticket()
    with a Kerberos key, and it will acquire credentials on your behalf; I
    never got around to integrating this with kinit or pam_krb5 though. And
    again, we would need an MIT-compatible solution.
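The kwarnd-style behaviour discussed in this message (warn the user before the TGT expires, renew it while the renewable lifetime still has headroom, and fall back to asking for a fresh initial ticket rather than holding a long-term key) can be sketched as a small ccache watcher. The following is an added example written for this page; it is not code from the post, from MIT Kerberos, Heimdal or Solaris kwarnd. It parses the MIT `klist` text format (the sample output is constructed, and the date format assumed is MIT's `MM/DD/YYYY HH:MM:SS` default) and returns an action plus the `kinit -R` command to run; `plan_action`, `parse_tgt` and the 30-minute warning window are this example's own names and choices. Renewal is only attempted while the ticket is still valid, because a KDC will not renew an already-expired ticket, and an expired or non-renewable TGT yields `reinit` with no automatic command, matching the post's preference for a longer renewable lifetime over stored long-term keys.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output (not captured from a real system).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/19/2006 11:00:00  01/19/2006 21:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/26/2006 11:00:00
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"          # MIT klist default timestamp format (assumed)
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TGT_RE = re.compile(rf"^({TS})\s+({TS})\s+(krbtgt/\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})")


def parse_tgt(klist_text):
    """Return (principal, expires, renew_until) for the krbtgt entry.

    renew_until is None when klist shows no 'renew until' line, i.e. the
    ticket was not issued with the RENEWABLE flag.
    """
    principal = expires = renew_until = None
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TGT_RE.match(line.strip())
        if m:
            expires = datetime.strptime(m.group(2), TIME_FMT)
            # MIT klist prints the renewable lifetime on the following indented line.
            if i + 1 < len(lines):
                r = RENEW_RE.match(lines[i + 1])
                if r:
                    renew_until = datetime.strptime(r.group(1), TIME_FMT)
            break
    if expires is None:
        raise ValueError("no krbtgt entry found in klist output")
    return principal, expires, renew_until


def plan_action(expires, renew_until, now, warn_before=timedelta(minutes=30)):
    """Decide what a kwarnd-like daemon should do at time `now`.

    Returns one of:
      'ok'     - ticket valid and outside the warning window
      'renew'  - inside the window and renewal can extend the ticket
      'warn'   - inside the window but renewal would not help; tell the user
      'reinit' - expired (a KDC will not renew an expired ticket); new
                 initial ticket needed, which requires the user's password
    """
    if now >= expires:
        return "reinit"
    if now < expires - warn_before:
        return "ok"
    if renew_until is not None and renew_until > expires:
        return "renew"
    return "warn"


def check_cache(klist_text, now, warn_before=timedelta(minutes=30)):
    """Parse a klist dump and return (principal, action, command-or-None)."""
    principal, expires, renew_until = parse_tgt(klist_text)
    action = plan_action(expires, renew_until, now, warn_before)
    # Only renewal is automated; re-initialisation needs the user's password,
    # which this example deliberately does not store.
    command = ["kinit", "-R"] if action == "renew" else None
    return principal, action, command


if __name__ == "__main__":
    # Live mode: read the current credential cache via the real klist binary.
    text = subprocess.run(["klist"], capture_output=True, text=True, check=True).stdout
    principal, action, command = check_cache(text, datetime.now())
    print(f"{principal}: {action}" + (f" -> {' '.join(command)}" if command else ""))
```

A real daemon would loop over this check on a timer (and, for NFSv4, run as the session user so `kinit -R` updates the ccache that rpc.gssd reads); the decision logic above is the part that differs between "renew silently", "warn the user" and "give up and prompt".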