Question on renewable lifetime

Greg Hudson ghudson at MIT.EDU
Fri Mar 27 12:52:05 EDT 2009


I would personally stick with using a supplied keytab.

If you do switch to renewing tickets, be aware that renewal has to
happen while the old tickets are still valid.  If your crontab ever
misses a renewal, it will break until you kinit again by hand.

The theoretical advantage of renewal over a known password is that
renewable tickets can be blacklisted if stolen.  But blacklisting is not
implemented in the MIT KDC, so it's hard to realize this advantage.

On Thu, 2009-03-26 at 17:53 +0100, miguel.sanders at arcelormittal.com
wrote:
> I'm having a background process which requires a service principal to
> work correctly.
> Currently, I'm having a cron job which does a kinit (with the keytab
> supplied) for that service principal.
> Wouldn't it be better to renew the ticket instead of doing the above?
> As a result, I would have to set the renewable lifetime for that service
> principal to unlimited. 
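The failure mode Greg describes (a missed renewal leaves the job stuck until someone runs kinit by hand) can be made harmless by having the cron job try renewal first and fall back to the keytab when renewal is no longer possible. The script below is an added example written for this page, not code from either poster or from MIT Kerberos; the principal name, keytab path and cache path are placeholders. It uses MIT's `klist -s`, `kinit -R` and `kinit -kt` as they exist in the MIT client tools.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven ticket maintenance that
# prefers renewal but falls back to the keytab, so one missed run does not
# leave the background process without a valid ticket.
#
# Assumptions (placeholder values, not from the thread):
#   SERVICE_PRINC  - the service principal the background process runs as
#   SERVICE_KEYTAB - its keytab, readable only by the service account
#   KRB5CCNAME     - the credential cache the background process reads
SERVICE_PRINC="${SERVICE_PRINC:-svc/host.example.com@EXAMPLE.COM}"
SERVICE_KEYTAB="${SERVICE_KEYTAB:-/etc/krb5/svc.keytab}"
export KRB5CCNAME="${KRB5CCNAME:-/var/run/svc/krb5cc}"

# MIT klist -s: exit 0 only if the cache holds an unexpired TGT.
ticket_valid() { klist -s; }

# Renew in place. This fails once the ticket has expired or the renewable
# lifetime is used up, which is exactly the case a missed cron run produces.
renew_ticket() { kinit -R "$SERVICE_PRINC"; }

# Fresh tickets from the keytab: the path that works regardless of history.
init_ticket() { kinit -kt "$SERVICE_KEYTAB" "$SERVICE_PRINC"; }

# Renew while the old ticket is still valid; otherwise re-kinit from the
# keytab. Prints which path was taken; returns non-zero only if both fail,
# so cron mail (or a log scraper) sees the outage instead of a silent break.
maintain_ticket() {
    if ticket_valid && renew_ticket; then
        echo renewed
        return 0
    fi
    if init_ticket; then
        echo reinitialized
        return 0
    fi
    echo "ticket maintenance failed for $SERVICE_PRINC" >&2
    return 1
}

# Constructed cron entry: run well inside the ticket lifetime (here every
# 6 hours for a 24-hour ticket) so a single missed run still renews in time:
#   0 */6 * * *  /usr/local/sbin/ticket-maintain.sh run
case "${1:-}" in
    run) maintain_ticket ;;
esac
```

Because the keytab fallback is always available, this only makes sense if you keep the keytab anyway, which is Greg's point: renewal on its own buys little unless the KDC can blacklist stolen renewable tickets, and the MIT KDC does not do that.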