More questions about ticket renewal

Ben Creech bpcreech at
Wed Jun 4 15:03:45 EDT 2003

Two more questions:
1) Is there any way for a client to get configuration information out of 
the KDC, particularly max ticket lifetime and renewal time?  I don't see 
anything, but I wanted to be sure.  Obviously one can just request infinite 
expiration in get_*creds to get the max, but I'm looking for a way to set 
the bounds on a GUI option.

2) What reason might a KDC admin have to not allow near-infinite ticket 
renewal?  The only explanation I can come up with is "if a TGT is 
compromised (within its normal lifetime), it will only be renewable without 
use of kpasswd for less than a week", which seems pretty pointless.  I 
guess if a client laptop with kinit -R in a cronjob were to be stolen, the 
thief would have only a week to wreak havoc on the former owner's network 

More information about the krbdev mailing list