longer ticket life vs auto renew
Roland C. Dowdeswell
elric at imrryr.org
Tue Aug 14 16:41:21 EDT 2012
On Tue, Aug 14, 2012 at 10:47:42AM -0500, Nico Williams wrote:
>
> On Mon, Aug 13, 2012 at 7:05 AM, Mark Pröhl <mark at mproehl.net> wrote:
> > if a ticket has been issued to the client, the KDC cannot revoke that
> > ticket, even if the client is deleted or disabled. But if the client
> > needs to do a renew request from time to time, the KDC might not issue
> > new tickets if the client is deleted or disabled.
>
> A few remarks regarding revocation:
>
> - For same realm client and service the TGS should check that the
> client principal is still valid.
Right, but this only applies to services that are not in the ccache.
Given that many tickets may be in the caches when a client is
disabled, it's often safest to assume that the client will continue
to have access to quite a lot until the max life has passed.
> - For x-realm tickets the most reasonable thing to do may be to
> shorten ticket life.
It might also be reasonable to assign shorter lifetimes to all
service tickets excluding the main TGT but including all of the
xrealm TGTs. Of course, within a reasonable analysis of performance.
--
Roland Dowdeswell http://Imrryr.ORG/~elric/
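To put numbers on the trade-off discussed above (a same-realm service ticket dies at its endtime once the home TGS refuses renewal, while a cross-realm TGT keeps working at the remote realm), here is an added example that is not code from the thread or from any Kerberos implementation: it estimates the residual access a disabled client keeps from a snapshot of its ccache. The `Ticket` model, the EXAMPLE.COM/EXAMPLE.ORG realms and the 8h/7d lifetimes are constructed, and the example assumes the remote realm's TGS honours renewals without consulting the home KDB.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Ticket:
    server: str                            # "krbtgt/REALM@REALM", "host/x@REALM", ...
    endtime: datetime
    renew_till: Optional[datetime] = None  # None: not renewable

def _kind(t: Ticket, home: str) -> str:
    """home TGT, cross-realm TGT, or ordinary service ticket."""
    name, _, realm = t.server.rpartition("@")
    if not name.startswith("krbtgt/"):
        return "service"
    return "tgt" if (name == f"krbtgt/{home}" and realm == home) else "xrealm-tgt"

def horizon(t: Ticket, disabled_at: datetime, home: str) -> Optional[datetime]:
    """Latest instant the ticket still buys access after the disable, else None."""
    kind = _kind(t, home)
    if kind == "tgt":
        last = disabled_at                # every use is a TGS-REQ the home KDC now refuses
    elif kind == "service":
        last = t.endtime                  # renewal refused, but valid until expiry
    else:
        last = t.renew_till or t.endtime  # remote TGS never consults the home KDB (assumed)
    return last if last > disabled_at else None

def exposure(ccache: List[Ticket], disabled_at: datetime, home: str) -> Dict[str, datetime]:
    """Map each still-usable ticket to the instant its usefulness ends."""
    out: Dict[str, datetime] = {}
    for t in ccache:
        h = horizon(t, disabled_at, home)
        if h is not None:
            out[t.server] = h
    return out

def worst_case(ccache: List[Ticket], disabled_at: datetime, home: str) -> timedelta:
    """Longest residual access across the cache (zero if nothing survives)."""
    ends = exposure(ccache, disabled_at, home).values()
    return max(ends, default=disabled_at) - disabled_at

def sample_cache(t0: datetime) -> List[Ticket]:
    """Constructed snapshot: 8h tickets renewable for 7d (values not from the thread)."""
    eight_h, week = t0 + timedelta(hours=8), t0 + timedelta(days=7)
    return [Ticket("krbtgt/EXAMPLE.COM@EXAMPLE.COM", eight_h, week),
            Ticket("host/mail.example.com@EXAMPLE.COM", eight_h, week),
            Ticket("krbtgt/EXAMPLE.ORG@EXAMPLE.COM", eight_h, week)]
```

With the sample cache the home TGT is useless immediately, the service ticket survives 8 hours, and the cross-realm TGT survives the full 7-day renewable life, which is the case for shortening x-realm TGT lifetimes rather than relying on renewal.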