Keytab-based initiator creds design

Nico Williams nico at cryptonector.com
Thu Jun 7 18:25:08 EDT 2012


On Thu, Jun 7, 2012 at 5:07 PM, Russ Allbery <rra at stanford.edu> wrote:
> Simo Sorce <simo at redhat.com> writes:
>
>> Well I am pushing for getting you a ccache at login time, my idea is
>> that the user shouldn't even know nor care that they have a ccache and
>> not have to learn to use kinit. Of course admins need to, but I would
>> expect them to know what they are doing :)
>
> This works up until the point when your ticket cache expires.  Refreshing
> an expired ticket cache is the primary reason why our users run kinit.
> (And renewable tickets reduce this problem but don't eliminate it; wanting
> to stay logged in longer than a reasonable renewable ticket lifetime is
> common.)  If you have a GUI session, you can spawn some local helper that
> does kinit for the user, but if they're logged in remotely, you can't
> really do that.

A good session scheme would certainly allow for automatic
renewals/refreshes.  For example, there could be a daemon that you
register session ccaches with.  Or maybe you'd spawn such a daemon for
each session, and make sure it gets reaped when the session ends.  Or
you could set up a keytab in a per-session location and use that when
creds expire.  There are several ways to design automatic
renewal/refreshing of per-session credentials.
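As an added illustration of the last option above (this is example code, not anything from the thread, from MIT Kerberos or from Heimdal), here is a small per-session refresher: it watches the session's ccache, re-acquires a TGT from a per-session keytab once the cache has expired, refuses a keytab that other users can read, and destroys both cache and keytab when the session leader is gone so the helper is reaped with the session. The variable names `KRB5CCNAME`, `SESSION_KEYTAB`, `PRINCIPAL`, `SESSION_PID` and the keytab path are assumptions; `klist -s`, `kinit -k -t`, and `kdestroy -c` are the MIT Kerberos spellings of those options.

```shell
#!/bin/sh
# Added example, not code from this thread or from MIT/Heimdal Kerberos:
# a per-session credential refresher of the kind the last option describes.
# Assumed environment (none of these names come from the thread):
#   KRB5CCNAME     this session's credential cache
#   SESSION_KEYTAB a keytab created for this session at login (assumed path)
#   PRINCIPAL      the principal whose key that keytab holds
#   SESSION_PID    the session leader; when it is gone the helper exits and
#                  cleans up, so it is reaped with the session
# Commands used: `klist -s` (exit 0 only if the cache holds unexpired
# tickets), `kinit -k -t KEYTAB -c CACHE`, and `kdestroy -c CACHE`, as in
# MIT Kerberos; Heimdal's flags differ slightly.

: "${KRB5CCNAME:=/tmp/krb5cc_session_$$}"
: "${SESSION_KEYTAB:=/run/user/$(id -u)/session.keytab}"
: "${PRINCIPAL:=user@EXAMPLE.COM}"     # placeholder, not a real principal
: "${SESSION_PID:=$PPID}"
: "${CHECK_INTERVAL:=60}"              # seconds between checks
export KRB5CCNAME

# Succeeds while the cache still holds unexpired tickets.
ccache_valid() {
    klist -s -c "$KRB5CCNAME" 2>/dev/null
}

# A per-session keytab is as sensitive as the user's password: insist that
# group and other have no permission bits (columns 5-10 of `ls -l`).
keytab_private() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Re-acquire a fresh TGT from the session keytab into the session cache.
refresh_from_keytab() {
    if [ ! -f "$SESSION_KEYTAB" ]; then
        echo "refresher: keytab $SESSION_KEYTAB is missing" >&2
        return 1
    fi
    if ! keytab_private "$SESSION_KEYTAB"; then
        echo "refresher: $SESSION_KEYTAB is readable by others; refusing" >&2
        return 1
    fi
    kinit -k -t "$SESSION_KEYTAB" -c "$KRB5CCNAME" "$PRINCIPAL"
}

# Only talk to the KDC when the cache has actually expired.
refresh_if_needed() {
    ccache_valid || refresh_from_keytab
}

session_alive() {
    kill -0 "$SESSION_PID" 2>/dev/null
}

# Destroy the cache and the session keytab once the session is gone.
cleanup() {
    kdestroy -c "$KRB5CCNAME" 2>/dev/null
    rm -f "$SESSION_KEYTAB"
}

run_refresher() {
    trap cleanup EXIT
    while session_alive; do
        refresh_if_needed || echo "refresher: refresh failed, retrying" >&2
        sleep "$CHECK_INTERVAL"
    done
}

# Start the loop only when invoked as `refresher.sh run`, e.g. backgrounded
# from the session's login script; sourcing the file just defines functions.
case "${1:-}" in
    run) run_refresher ;;
esac
```

The loop is deliberately lazy: it calls kinit only after `klist -s` reports the cache expired, which is exactly the "use the keytab when creds expire" case; a variant that renews early with `kinit -R` while the ticket is still renewable would cut the window in which the session has no usable creds, at the cost of parsing ticket lifetimes out of `klist` output.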