Thoughts on long-lived credentials

Fredrik Tolf fredrik at dolda2000.com
Fri Jan 20 20:16:35 EST 2006


On Fri, 2006-01-20 at 03:59 +1100, Luke Howard wrote:
> What are the current thoughts on automatically renewing Kerberos credentials
> for long-lived sessions, particularly with respect to NFSv4 (where the user
> experience could be adversely affected)?

For my home network, which is an environment under my control and only
using file ccaches, I wrote a small Perl script called krenewall that I
put in crontab to run every hour. It iterates over all ccaches that are
currently in use by a process, and renews them when they have less than
two hours left to live. I remove all expired ccaches that are no longer
in use by any process. I usually give principals a renewable lifetime of
10 days, but some I even give 100 days.

To detect which ccaches are in use by a process, I wrote another small C
hack called krb5mapcc, which just looks for KRB5CCNAME in /proc/*/environ.
It's very, very ugly, but it works until the Linux keyring ccache scheme
works and becomes the standard.

I'll attach the files (they are rather small anyway) if you want them.

Fredrik Tolf
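
The scan-and-decide logic described in the message, sketched as an added example. This is not the krenewall or krb5mapcc code from the post: the function names are hypothetical, only FILE ccaches are handled, and the expiry times are assumed to be supplied by the caller (for instance read from klist).

```python
from pathlib import Path

RENEW_BELOW = 2 * 3600  # seconds; the post renews below two hours of lifetime

def ccache_from_environ(blob: bytes):
    """Return the file path named by KRB5CCNAME in an environ blob, or None."""
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if name != b"KRB5CCNAME" or not sep or not value:
            continue
        text = value.decode("utf-8", "surrogateescape")
        if text.startswith("FILE:"):
            return text[len("FILE:"):]
        # A bare absolute path means type FILE; other types are skipped.
        return text if text.startswith("/") else None
    return None

def ccaches_in_use(proc_root="/proc"):
    """Map ccache path -> sorted pids whose environment names it."""
    found = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            # environ holds the environment as of execve(); a later
            # setenv() in the process is not visible here.
            blob = (entry / "environ").read_bytes()
        except OSError:  # process exited, or not readable without root
            continue
        path = ccache_from_environ(blob)
        if path:
            found.setdefault(path, []).append(int(entry.name))
    return {p: sorted(pids) for p, pids in found.items()}

def plan(expiry_by_path, in_use, now):
    """Decide 'renew', 'remove' or 'keep' per ccache; expiry is Unix time."""
    actions = {}
    for path, expires in expiry_by_path.items():
        used = path in in_use
        if used and 0 < expires - now < RENEW_BELOW:
            actions[path] = "renew"   # e.g. kinit -R -c <path> as the owner
        elif not used and expires <= now:
            actions[path] = "remove"  # expired and no process refers to it
        else:
            actions[path] = "keep"
    return actions

if __name__ == "__main__":
    print(ccaches_in_use())
```

Reading every process's environ requires root, and a ticket that has already expired cannot be renewed, so an in-use but expired ccache is left in place for the user to re-authenticate.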


