longer ticket life vs auto renew

Greg Hudson ghudson at MIT.EDU
Fri Aug 10 22:26:37 EDT 2012


On 08/09/2012 09:42 AM, Matt Garman wrote:
> Perhaps I didn't look hard enough, but I haven't been able to find a
> discussion on why one might choose one option over the other.  I was
> hoping some of the list members might weigh in with their thoughts.

Practically speaking, I think the main security difference is that if
you abandon a renewable ticket without destroying it for a while (until
its current lifetime is expired, but before its renewable lifetime is)
and someone else recovers it, they can't use it.  But if the ticket has
a really long lifetime, they can.

On the flip side, you have to run something like krenew to keep the
ticket from expiring while you're using it.
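
Added example, not part of the original message: a simplified Python model of the trade-off described above, comparing a long-lived ticket with a short-lived renewable one that is abandoned and recovered later. The names `Ticket` and `scenario`, the 10-hour lifetime, the 7-day renewable lifetime and the hourly renewals are all assumptions chosen for illustration; the renewal rule is a simplification of what a KDC enforces.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2012, 8, 10, 9, 0)   # constructed issue time
LIFE = timedelta(hours=10)         # assumed ticket lifetime
RENEW_LIFE = timedelta(days=7)     # assumed renewable lifetime


@dataclass
class Ticket:
    endtime: datetime               # end of the current lifetime
    renew_till: Optional[datetime]  # None means not renewable

    def usable(self, now: datetime) -> bool:
        return now < self.endtime

    def renew(self, now: datetime, lifetime: timedelta) -> bool:
        # Simplified KDC rule: only a renewable ticket that has not yet
        # expired can be renewed, and never past renew_till.
        if self.renew_till is None or not self.usable(now):
            return False
        if now >= self.renew_till:
            return False
        self.endtime = min(now + lifetime, self.renew_till)
        return True


def scenario(recovered_after: timedelta) -> dict:
    """The user works for 3 hours, then abandons the credential cache
    without destroying it; a copy is recovered `recovered_after` later."""
    long_tkt = Ticket(T0 + RENEW_LIFE, None)       # one long lifetime
    ren_tkt = Ticket(T0 + LIFE, T0 + RENEW_LIFE)   # short and renewable
    for hour in (1, 2, 3):                         # krenew-style renewals
        ren_tkt.renew(T0 + timedelta(hours=hour), LIFE)
    when = T0 + timedelta(hours=3) + recovered_after
    return {
        "long_usable": long_tkt.usable(when),
        "renewable_usable": ren_tkt.usable(when),
        "renewable_can_renew": ren_tkt.renew(when, LIFE),
    }


if __name__ == "__main__":
    for gap in (timedelta(hours=5), timedelta(days=2), timedelta(days=8)):
        print(gap, scenario(gap))
```

In this model the renewable ticket stops being usable 10 hours after its last renewal, while the long-lived one stays usable for the full 7 days; a copy recovered before the current lifetime runs out is still valid and can still be renewed, so destroying the ticket when finished matters in both cases.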


