Possible enhancement request for extra krb5.conf parameter support for kinit
Neng Xue
neng.xue at oracle.com
Wed May 13 17:14:28 EDT 2015
Hi Greg,

Thanks for the comments!

On 05/13/15 11:02 AM, Greg Hudson wrote:
> On 05/12/2015 07:37 PM, Neng Xue wrote:
>> I am Neng Xue, and I work in the Oracle Solaris Security group. Recently, when
>> I was working on a Kerberos-related project, I noticed that Solaris
>> Kerberos has quite handy krb5.conf [appdefaults] parameter support for
>> the kinit command:
>>
>> forwardable=[true | false]
>> Can forward tickets to a remote server.
>>
>> proxiable=[true | false]
>> Sets the proxiable flag in all tickets.
>>
>> no_addresses=[true | false]
>> Creates tickets with no address bindings.
> We already support forwardable, proxiable, and noaddresses options under
> [libdefaults].

Yes, but we still think this per-application parameter support might be
useful in some cases. If we can provide the implementation, do you think
the MIT Kerberos team will accept the pull request?

>> renewable=[true | false]
>> Creates a TGT that can be renewed (prior to the ticket expiration time).
> We support a renew_lifetime option under [libdefaults]. I don't know
> what it would mean to request a renewable ticket without a specific
> renewable lifetime.

As far as I can tell from Solaris Kerberos, if there is no renewable
lifetime specified on the kinit command line, it will then take the
maximum renewable lifetime (7 days by default).

Best
--
Neng Xue
Oracle Solaris Software Engineer
Santa Clara, CA, USA