longer ticket life vs auto renew

Roland C. Dowdeswell elric at imrryr.org
Tue Aug 14 16:41:21 EDT 2012


On Tue, Aug 14, 2012 at 10:47:42AM -0500, Nico Williams wrote:
>
> On Mon, Aug 13, 2012 at 7:05 AM, Mark Pröhl <mark at mproehl.net> wrote:
> > if a ticket has been issued to the client, the KDC cannot revoke that
> > ticket, even if the client is deleted or disabled. But if the client
> > needs to do a renew request from time to time, the KDC might not issue
> > new tickets if the client is deleted or disabled.
> 
> A few remarks regarding revocation:
> 
>  - For same realm client and service the TGS should check that the
> client principal is still valid.

Right, but this only applies to services that are not in the ccache.
Given that many tickets may be in the caches when a client is
disabled, it's often safest to assume that the client will continue
to have access to quite a lot until the max life has passed.

>  - For x-realm tickets the most reasonable thing to do may be  to
> shorten ticket life.

It might also be reasonable to assign shorter lifetimes to all
service tickets excluding the main TGT but including all of the
xrealm TGTs.  Of course, within a reasonable analysis of performance.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
