k5start -K and ticket renewals

Ken Dreyer ktdreyer at ktdreyer.com
Thu Jan 16 18:27:55 EST 2014


On Wed, Jan 15, 2014 at 7:51 PM, Russ Allbery <eagle at eyrie.org> wrote:
> I think this would be more straightforward, would prevent the above
> issues, and would mean that I wouldn't have to merge various patches
> people have sent me to work around this or configure this in other ways.
> The only drawback I can think of is that it may mean somewhat more
> Kerberos KDC traffic, since I suspect a lot of people have set -K values
> to be fairly short, but the minimum time is one minute anyway.  An
> authentication every minute isn't a huge amount, and people can adjust
> their -K arguments after this release.
>
> Does anyone think this is a bad idea?  Am I missing any problem with this?

For what it's worth, I checked what we're using at work to
authenticate our Apache systems, and it's "-K 30", so I don't
anticipate that such a change would noticeably impact us.

- Ken

