no renewable flag in krb5.conf ?
Russ Allbery
rra at stanford.edu
Tue Apr 13 14:23:42 EDT 2010
Guillaume Rousse <Guillaume.Rousse at inria.fr> writes:
> I just realized that it was possible to force forwardable tickets
> through krb5.conf, but not renewable ones. Is it intentional?
> For instance, the following doesn't work as expected:
> [appdefaults]
>     pam = {
>         forwardable = true
>         renewable = true
>     }
I assume that you're using my PAM module here, since I think it's the only
one that looks at [appdefaults].pam. (I could be wrong, though; maybe the
Red Hat one does as well.) Anyway, for mine, you want to use
renew_lifetime, not renewable:

    renew_lifetime=<lifetime>
        Obtain renewable tickets with a maximum renewable lifetime of
        <lifetime>. <lifetime> should be a Kerberos lifetime string such
        as "2d4h10m" or a time in minutes. If set, this overrides the
        Kerberos library default set in the [libdefaults] section of
        krb5.conf.

        This option can be set in krb5.conf and is only applicable to the
        auth group.

Or as mentioned you can also set this in [libdefaults], where it will also
affect kinit and similar programs as well as the PAM module.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
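
Added example (not part of the original message, and not code from the PAM module discussed): a small check that reads the pam block under [appdefaults], flags the "renewable" key from the question, and validates a renew_lifetime value. The function names and the regex-based parsing are assumptions made for illustration; only "2d4h10m"-style strings and bare minutes, the two forms named in the quoted option text, are accepted.

```python
import re

# Constructed sample: the configuration from the question, which sets
# "renewable" instead of "renew_lifetime".
SAMPLE = """
[appdefaults]
    pam = {
        forwardable = true
        renewable = true
    }
"""

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_lifetime(value):
    """Seconds for '2d4h10m'-style strings; a bare number is minutes."""
    value = value.strip()
    if re.fullmatch(r"[0-9]+", value):
        return int(value) * 60
    if not re.fullmatch(r"([0-9]+[dhms])+", value):
        raise ValueError(f"not a lifetime string: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"([0-9]+)([dhms])", value))

def pam_settings(conf):
    """Key/value pairs from the pam = { ... } block in [appdefaults]."""
    section = re.search(r"^\[appdefaults\]\s*$(.*?)(?=^\[|\Z)", conf, re.M | re.S)
    if not section:
        return {}
    block = re.search(r"^\s*pam\s*=\s*\{(.*?)\}", section.group(1), re.M | re.S)
    if not block:
        return {}
    return dict(re.findall(r"^\s*([\w-]+)\s*=\s*(\S+)\s*$", block.group(1), re.M))

def check(conf):
    """Findings about how renewable tickets are requested in the pam block."""
    pam = pam_settings(conf)
    findings = []
    if "renewable" in pam:
        findings.append("'renewable' is set; use renew_lifetime=<lifetime> instead")
    if "renew_lifetime" in pam:
        try:
            parse_lifetime(pam["renew_lifetime"])
        except ValueError as exc:
            findings.append(str(exc))
    elif not findings:
        findings.append("no renew_lifetime in [appdefaults] pam; [libdefaults] applies")
    return findings
```

Running check(SAMPLE) reports the "renewable" key; replacing that line with "renew_lifetime = 2d4h10m" yields no findings.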