ticket renew lifetime limited by Windows KDC policy

Di Pe dipeit at gmail.com
Tue Sep 7 14:49:44 EDT 2010


Thanks Russ,

I am currently using the workflow in the cron job script below. It
would be nice if some of that could be implemented in k5start.

Dipe


##########

#!/bin/bash
# This script renews kerberos tickets for all logged on users
# that have not yet expired and removes tickets that have expired.
# It also allows a user to refresh her ticket in time by not
# auto renewing tickets that have between 8 and 1 hour to live
# during the last 4 days of the renew_lifetime. Thus, the user
# is not prompted for a password for 3 days after logon if the
# ticket renew lifetime is 7 days (MS AD default policy)
# The user should set this env variable (6 hours):
# export PROMPT_COMMAND="k5start -H 360"
#
# Finally the script logs out users for whom renew_lifetime is
# less than 1 hour (FORCELOGOUT is set to "no" by default) and
# sends a warning email to all users for whom renew_lifetime is between
# 3 and 4 hours (SENDWARNING is set to "no" by default)
#
# Test cases, there are more test cases in the code below.
# kinit -l 10m -r 3d
# (ticket_lifetime = 10 minutes,  renew_lifetime = 3 days)
#
# Please put this script in /etc/cron.hourly and edit /etc/krb5.conf :
##[libdefaults]
##    ticket_lifetime = 10h
##    renew_lifetime = 7d
#
# Needs bash ([[ ]], &>), GNU date/stat (-d, -c) and the MIT klist output layout.

SENDWARNING="no"
FORCELOGOUT="no"
MAILHOST="mx"
DOMAIN=$(hostname -d)
CURRUSERS=$(users | sed 's/ /\n/g' | sort -u)
for TCACHE in /tmp/krb5cc*; do
    [ -f "$TCACHE" ] || continue      # no caches at all: the glob stays literal
    OWNER=$(stat -c %U "$TCACHE")
    GROUP=$(stat -c %G "$TCACHE")
    NOW=$(date +%s)
    # klist prints "valid-from expires service" for the TGT line and
    # "renew until <date> <time>" below it; fields 3 and 4 are the timestamps.
    EXPIRE_STR=$(klist -c "$TCACHE" 2> /dev/null | grep krbtgt | head -1 | awk '{print $3, $4}')
    RENEW_STR=$(klist -c "$TCACHE" 2> /dev/null | grep "renew until" | head -1 | awk '{print $3, $4}')
    if [ -z "$EXPIRE_STR" ] || [ -z "$RENEW_STR" ]; then
        # date -d "" silently means "today 00:00", so never feed it an empty string
        echo "Could not read a renewable TGT from $TCACHE, skipping"
        continue
    fi
    EXPIRE_TIME=$(date -d "$EXPIRE_STR" +%s)
    RENEW_TIME=$(date -d "$RENEW_STR" +%s)

    echo owner:$OWNER tcache:$TCACHE expire:$EXPIRE_TIME renew:$RENEW_TIME current:$NOW

    # If the ticket has already expired, might as well delete it
    # testcase: kinit -l 10s
    if [ "$NOW" -ge "$EXPIRE_TIME" ]; then
        kdestroy -c "$TCACHE" &> /dev/null
        echo "Removed expired ticket cache $TCACHE for user $OWNER"

    # log user out if we are within one hour or less of max renew_lifetime, prevent lockup
    # testcase: kinit -l 1h -r 1h
    elif [ $((RENEW_TIME - NOW)) -le 3600 ]; then
        echo "time to log user out!"
        if [[ $FORCELOGOUT == "yes" ]]; then
            pkill -TERM -U "$OWNER"
            echo "send notice to user!"
            emailbody=$(mktemp)
            mail -s "You have been logged out from '$(hostname)' and all your jobs have been ended." \
                 -r root@$(hostname -f) -S "smtp=$MAILHOST.$DOMAIN" "$OWNER@$DOMAIN" < "$emailbody"
            rm "$emailbody"
        fi

    # notify user if we are between 3 and 4 hours of max renew_lifetime to prevent forced logout
    # testcase: kinit -l 1h -r 4h
    elif [ $((RENEW_TIME - NOW)) -le 14400 ]; then
        if [ $((RENEW_TIME - NOW)) -gt 10800 ]; then
            echo "send warning to user!"
            if [[ $SENDWARNING == "yes" ]]; then
                emailbody=$(mktemp)
                echo "$OWNER, please make sure to login to '$(hostname)' to update your credentials." >> "$emailbody"
                echo "If you can't login within 3 hours you will be logged out and your running jobs will be ended." >> "$emailbody"
                mail -s "Please login to '$(hostname)' within the next 3 hours." \
                     -r root@$(hostname -f) -S "smtp=$MAILHOST.$DOMAIN" "$OWNER@$DOMAIN" < "$emailbody"
                rm "$emailbody"
            fi
        fi

    else

        # standard refresh loop, tickets are not in immediate danger to expire
        for user in $CURRUSERS; do
            if [[ $user == "$OWNER" ]]; then
                echo "user $OWNER is logged on, check renewal!"
                # renew ticket if it will expire in one hour or less
                # testcase: kinit -l 1h -r 1d
                if [ $((EXPIRE_TIME - NOW)) -le 3600 ]; then
                    kinit -R -c "$TCACHE"
                    chown "$OWNER:$GROUP" "$TCACHE"
                    echo "auto renewed - 1h!"

                # renew ticket if it will expire in 8 hours or less
                # testcase: kinit -l 8h -r 97h
                elif [ $((EXPIRE_TIME - NOW)) -le 28800 ]; then
                    # ....and if there is at least 96 hours left for renewal
                    if [ $((RENEW_TIME - NOW)) -ge 345600 ]; then
                        kinit -R -c "$TCACHE"
                        chown "$OWNER:$GROUP" "$TCACHE"
                        echo "auto renewed - >=96h left"
                    else
                        #testcase: kinit -l 8h -r 96h
                        echo "time for ticket refresh via k5start or systray app"
                    fi
                fi
            fi
        done

    fi

done

On Mon, Sep 6, 2010 at 2:25 PM, Russ Allbery <rra at stanford.edu> wrote:
> Di Pe <dipeit at gmail.com> writes:
>
>> This seems to be a good idea. I used
>> export PROMPT_COMMAND="k5start -H 500"
>> and it does what it's supposed to do.
>
>> One issue though: k5start seems to look at ticket_lifetime instead of
>> renew_lifetime. ticket_lifetime is enforced to 10 hours by active
>> directory. If I don't use a cron job to renew the ticket users would
>> have to enter their credentials every few hours or so which is not
>> good if they run jobs over night.
>
> Yeah, you ideally want k5start to renew the ticket if it can, and if not,
> prompt.  That's something that k5start -H should probably just do by
> default.  It doesn't do that right now and it will require some coding.
> I'll add it to the to-do list.
>
>> Another problem we notice on our terminal server is that user sessions
>> are completely locking up when a ticket expires on a nfs mounted home
>> directory. It would be good if we had a cron job that forces a logout
>> for users where the ticket is about to expire in 60 minutes or less.  Is
>> there a way to check for a happy ticket in a shell script without
>> getting a prompt if the ticket is not happy?
>
> Also a good idea.  There isn't at the moment.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>
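As an added example (not from the post above and not part of k5start), here is the user-side counterpart of the cron script: a PROMPT_COMMAND hook that checks a ticket without ever prompting by itself. It uses klist -s (exit status only, no output), kinit -R (renews or fails, never asks for a password) and only falls through to k5start -H when renewal is not possible. The 1 h / 8 h / 96 h thresholds mirror the cron script's policy. It assumes MIT Kerberos tools, GNU date -d and the MIT klist output layout; the klist output embedded below is constructed for the test, and the cache path fallback /tmp/krb5cc_$(id -u) and the K5START_MINUTES knob are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post or from k5start.
# Assumes MIT klist/kinit, k5start -H, and GNU date -d.

# Constructed sample of what `klist -c /tmp/krb5cc_1000` prints (MIT layout;
# klist indents "renew until" with a tab, awk field splitting does not care).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dipe@EXAMPLE.COM

Valid starting     Expires            Service principal
09/07/10 14:49:44  09/08/10 00:49:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 09/14/10 14:49:44
09/07/10 14:49:45  09/08/10 00:49:44  nfs/fs1.example.com@EXAMPLE.COM
        renew until 09/14/10 14:49:44'

# Same cache without the renewable flag (no "renew until" under the TGT).
SAMPLE_NONRENEWABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dipe@EXAMPLE.COM

Valid starting     Expires            Service principal
09/07/10 14:49:44  09/08/10 00:49:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# tgt_times: read klist text on stdin, print "EXPIRES|RENEW_UNTIL" for the
# first krbtgt entry (timestamps as klist prints them, "-" if not renewable).
# Exit 1 when there is no TGT at all. Only the "renew until" line directly
# under the TGT counts; later tickets' lines are ignored.
tgt_times() {
  awk '
    state == 1 && /renew until/ { renew = $3 " " $4; state = 2; next }
    state == 1                  { state = 2 }
    state == 0 && /krbtgt\//    { expires = $3 " " $4; state = 1 }
    END {
      if (expires == "") exit 1
      print expires "|" (renew == "" ? renew = "-" : renew)
    }
  '
}

# ticket_action NOW EXPIRES RENEW_UNTIL (epoch seconds; RENEW_UNTIL 0 = not
# renewable). Pure function carrying the cron script policy:
#   reauth  expired, not renewable, renew window nearly closed, or inside the
#           last 4 days of the renew window with < 8 h of ticket life: prompt
#   renew   valid, and either < 1 h left or < 8 h left with >= 96 h renew life
#   ok      more than 8 h of ticket life left, nothing to do
ticket_action() {
  local now=$1 expires=$2 renew=$3
  local ttl=$((expires - now)) rtl=$((renew - now))
  if [ "$ttl" -le 0 ] || [ "$renew" -eq 0 ] || [ "$rtl" -le 3600 ]; then
    echo reauth
  elif [ "$ttl" -le 3600 ]; then
    echo renew
  elif [ "$ttl" -le 28800 ]; then
    if [ "$rtl" -ge 345600 ]; then echo renew; else echo reauth; fi
  else
    echo ok
  fi
}

# check_and_refresh [CACHE]: the hook itself. Nothing here prompts except the
# final k5start -H, and k5start only prompts when the ticket has fewer than
# K5START_MINUTES minutes left (assumed knob; 360 matches the post).
check_and_refresh() {
  local cache=${1:-${KRB5CCNAME#FILE:}} minutes=${K5START_MINUTES:-360}
  local times expires renew now
  cache=${cache:-/tmp/krb5cc_$(id -u)}          # assumed default cache path
  # klist -s: silent, exit 1 if the cache is missing, unreadable or expired
  klist -s -c "$cache" 2>/dev/null || { k5start -H "$minutes"; return; }
  times=$(klist -c "$cache" 2>/dev/null | tgt_times) || { k5start -H "$minutes"; return; }
  expires=$(date -d "${times%%|*}" +%s)
  renew=${times##*|}
  if [ "$renew" = "-" ]; then renew=0; else renew=$(date -d "$renew" +%s); fi
  now=$(date +%s)
  case $(ticket_action "$now" "$expires" "$renew") in
    renew)  kinit -R -c "$cache" 2>/dev/null || k5start -H "$minutes" ;;
    reauth) k5start -H "$minutes" ;;
    ok)     ;;
  esac
}

# Source this file from ~/.bashrc and then:
#   export PROMPT_COMMAND='check_and_refresh'
# Run it once by hand with:  bash thisfile.sh --run [/tmp/krb5cc_NNN]
if [ "${1:-}" = "--run" ]; then check_and_refresh "${2:-}"; fi
```

kinit -R is what makes the check non-interactive: it either renews in place or exits nonzero (expired or non-renewable ticket), so the hook never blocks a shell waiting for a password unless k5start has decided a prompt is due. Run as root from cron the same functions work on other users' caches, but as in the cron script above the cache must be chowned back after kinit -R.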
