k5start -K and ticket renewals

Russ Allbery eagle at eyrie.org
Wed Jan 15 21:51:39 EST 2014


Hello all,

I'm considering a mildly backwards-incompatible change to k5start and
wanted to ask here, since this is probably the best forum I have for
reaching k5start users.

Currently, when one runs k5start as a daemon with the -K option, the
argument to -K controls how frequently k5start will wake up and check
whether its ticket is expiring.  However, it won't always renew the ticket
when it wakes up.  It will only do so if the ticket will expire before or
within two minutes of the next time it wakes up.

This poses a couple of problems:

* It's difficult, using this approach, to guarantee a minimum ticket
  lifetime at any time.  In other words, if you want the cache renewed
  such that the ticket will always be valid for at least an hour at any
  given time, it's complex to construct the right lifetime and wakeup time
  to do this.

* When using k5start in conjunction with AFS and the -t flag, new tokens
  will be acquired only when new tickets are acquired.  This means that,
  if the AFS tokens might go away before the tickets for some reason (such
  as if the AFS principal has a maximum ticket lifetime shorter than the
  krbtgt principal), it may be difficult to maintain AFS tokens.

It's also sort of weird and complex, and people struggle to understand it.

I'm therefore considering changing the next release to always acquire
fresh tickets each time k5start wakes up.  So if you run k5start -K 10,
then k5start will wake up every ten minutes and acquire new tickets
unconditionally, regardless of whether the current tickets are about to
expire.

I would make a similar change to krenew -K at the same time.

I think this would be more straightforward, would prevent the above
issues, and would mean that I wouldn't have to merge various patches
people have sent me to work around this or configure this in other ways.
The only drawback I can think of is that it may mean somewhat more
Kerberos KDC traffic, since I suspect a lot of people have set -K values
to be fairly short, but the minimum time is one minute anyway.  An
authentication every minute isn't a huge amount, and people can adjust
their -K arguments after this release.

Does anyone think this is a bad idea?  Am I missing any problem with this?

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
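
The two -K policies discussed in the message above, compared in a small simulation. This is an added example, not part of the original post and not k5start's code; the function name, the 600-minute ticket lifetime, the 24-hour horizon and the exact boundary comparison are assumptions.

```python
"""Added illustration: simulate k5start -K wake-ups under both policies."""


def simulate(lifetime, wake, horizon, always_renew, margin=2):
    """All arguments are in minutes. Returns (kdc_requests, min_remaining).

    kdc_requests counts acquisitions after the initial one at t=0.
    min_remaining is the shortest remaining ticket lifetime seen at any
    wake-up, measured just before the daemon decides what to do. Lifetime
    only shrinks between wake-ups, so this is the worst case overall.
    """
    expiry = lifetime          # ticket obtained at t=0
    requests = 0
    min_remaining = lifetime
    for now in range(wake, horizon + 1, wake):
        min_remaining = min(min_remaining, expiry - now)
        next_wake = now + wake
        # Current behaviour as described in the message: renew only if the
        # ticket expires before, or within `margin` minutes of, the next
        # wake-up. Using <= at the boundary is an assumption.
        # Proposed behaviour: renew unconditionally on every wake-up.
        if always_renew or expiry <= next_wake + margin:
            expiry = now + lifetime
            requests += 1
    return requests, min_remaining


if __name__ == "__main__":
    # Constructed sample values: 10-hour tickets, observed for 24 hours.
    for wake in (10, 60):
        for always in (False, True):
            reqs, floor = simulate(600, wake, 1440, always)
            policy = "proposed" if always else "current"
            print(f"-K {wake:>2} {policy:>8}: {reqs:>3} KDC requests, "
                  f"ticket never below {floor} min")
```

With the current policy the guaranteed remaining lifetime is tied to the wake interval rather than to the ticket lifetime, which is the difficulty the first bullet describes; the proposed policy raises that floor to the lifetime minus the wake interval at the cost of one KDC request per wake-up.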

