Question on renewable lifetime
Greg Hudson
ghudson at MIT.EDU
Fri Mar 27 12:52:05 EDT 2009
I would personally stick with using a supplied keytab.

If you do switch to renewing tickets, be aware that renewal has to
happen while the old tickets are still valid. If your crontab ever
misses a renewal, it will break until you kinit again by hand.

The theoretical advantage of renewal over a known password is that
renewable tickets can be blacklisted if stolen. But blacklisting is not
implemented in the MIT KDC, so it's hard to realize this advantage.

On Thu, 2009-03-26 at 17:53 +0100, miguel.sanders at arcelormittal.com
wrote:
> I'm having a background process which requires a service principal to
> work correctly.
> Currently, I'm having a cron job which does a kinit (with the keytab
> supplied) for that service principal.
> Wouldn't it be better to renew the ticket instead of doing the above?
> As a result, I would have to set the renewable lifetime for that service
> principal to unlimited.
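
Added example, not part of the original message: a cron-driven refresh function that attempts renewal only while the cached tickets are still valid and otherwise falls back to the keytab, so a missed run does not need a manual kinit. The keytab path and principal are placeholders; `klist -s`, `kinit -R` and `kinit -k -t` are the MIT krb5 client options.

```shell
#!/bin/sh
# Added example (not from the original post).
# KEYTAB and PRINCIPAL are placeholders; set them for your service.
KEYTAB="${KEYTAB:-/path/to/service.keytab}"
PRINCIPAL="${PRINCIPAL:-service/host.example.com}"

# Prints the path taken: renewed | reacquired | failed.
refresh_ticket() {
    # klist -s prints nothing and exits non-zero when the credential
    # cache is missing or its tickets have expired.
    if klist -s 2>/dev/null; then
        # Tickets are still valid, so renewal is possible. It can still
        # be refused, e.g. once the renewable lifetime has run out.
        if kinit -R 2>/dev/null; then
            echo renewed
            return 0
        fi
    fi
    # Cache expired or renewal refused (the missed-cron-run case):
    # obtain fresh tickets from the keytab instead of failing.
    if kinit -k -t "$KEYTAB" "$PRINCIPAL" 2>/dev/null; then
        echo reacquired
        return 0
    fi
    echo failed
    return 1
}

# Run from cron as: refresh.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_ticket
fi
```

A non-zero exit from the script means both paths failed, which is the condition worth alerting on.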