Default ticket lifetime - Kerberos



  1. Default ticket lifetime


    Hi,

    I'm trying to set a default ticket lifetime longer than the 10 hour
    default in /etc/krb5.conf (without hacking the source). It appears that
    at one point there was a tkt_lifetime option, but that it was later
    removed. Is there any way to do this in the current krb5 distribution
    or any plans to implement something similar?

    --
    Ryan Underwood,
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Default ticket lifetime

    Ryan Underwood writes:

    > I'm trying to set a default ticket lifetime longer than the 10 hour
    > default in /etc/krb5.conf (without hacking the source). It appears that
    > at one point there was a tkt_lifetime option, but that it was later
    > removed. Is there any way to do this in the current krb5 distribution
    > or any plans to implement something similar?


    default_lifetime in the [appdefaults] section, I believe.

    --
    Russ Allbery (rra@stanford.edu)

  3. Re: Default ticket lifetime

    On Tue, Jun 28, 2005 at 08:04:16PM -0700, Russ Allbery wrote:
    > Ryan Underwood writes:
    >
    > > I'm trying to set a default ticket lifetime longer than the 10 hour
    > > default in /etc/krb5.conf (without hacking the source). It appears
    > > that
    > > at one point there was a tkt_lifetime option, but that it was later
    > > removed. Is there any way to do this in the current krb5
    > > distribution
    > > or any plans to implement something similar?

    >
    > default_lifetime in the [appdefaults] section, I believe.


    I've tried this in both the appdefaults and realms sections with no
    effect. Additionally, it does not turn up in a source grep.

    I should mention that I am able to obtain tickets of the correct length
    by using the '-l' option to kinit, so the KDC and principals are
    apparently configured correctly.

    --
    Ryan Underwood,


  4. Re: Default ticket lifetime

    Ryan Underwood writes:

    > I've tried this in both the appdefaults and realms sections with no
    > effect. Additionally, it does not turn up in a source grep.


    > I should mention that I am able to obtain tickets of the correct length
    > by using the '-l' option to kinit, so the KDC and principals are
    > apparently configured correctly.


    Ah, hm.

    #if 0
    /* Default ticket lifetime is currently not supported */
    profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime",
                        0, 10 * 60 * 60, &tmp);
    ctx->tkt_lifetime = tmp;
    #endif

    (src/lib/krb5/krb/init_ctx.c). It looks like they might not have ever
    been really supported?

    --
    Russ Allbery (rra@stanford.edu)

  5. Implementing a Kerberos application

    Hello,
    I have to implement a Kerberos application,
    providing interoperability between Windows 2000
    Kerberos server and Kerberos Java clients.

    Can someone please provide any references..?

    Regards,
    Mukul






  6. Re: Default ticket lifetime


    On Tue, Jun 28, 2005 at 08:49:34PM -0700, Russ Allbery wrote:
    >
    > Ah, hm.
    >
    > #if 0
    > /* Default ticket lifetime is currently not supported */
    > profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime",
    > 0, 10 * 60 * 60, &tmp);
    > ctx->tkt_lifetime = tmp;
    > #endif
    >
    > (src/lib/krb5/krb/init_ctx.c). It looks like they might not have ever
    > been really supported?


    From the Changelog, it looks like this was disabled sometime in 1996 and
    never revisited. But this is what I was referring to in my original
    post. Was this a bad idea for some reason?

    --
    Ryan Underwood,


  7. Re: Default ticket lifetime

    Ryan Underwood writes:

    > From the Changelog, it looks like this was disabled sometime in 1996 and
    > never revisited. But this is what I was referring to in my original
    > post. Was this a bad idea for some reason?


    It looks more like an effort was made to add it, but never really
    finished.

    Anyway, that's libdefaults. Looking at the source of kinit for 1.4, it
    sure looks like my original message was *supposed* to be right:

    #define KINIT_DEFAULT_LIFE "default_lifetime"

    [...]

    /* Lifetime */
    default_list[KINIT_LIFETM_INDEX].option = KINIT_DEFAULT_LIFE;
    default_list[KINIT_LIFETM_INDEX].default_value = "10hrs";
    default_list[KINIT_LIFETM_INDEX].parse_function = krb5_string_to_deltat;
    default_list[KINIT_LIFETM_INDEX].store = (void *) &(opts->lifetime);

    [...]

    if (k5->me != NULL) {
        rcode = krb5_appdefault_read(k5->ctx, progname,
                                     krb5_princ_realm(k5->ctx, k5->me),
                                     default_list, KINIT_DEFAULT_COUNT);
    } else {
        rcode = krb5_appdefault_read(k5->ctx, progname,
                                     NULL,
                                     default_list, KINIT_DEFAULT_COUNT);
    }

    That would be default_lifetime in [appdefaults]. Are you sure that you
    have the time specification syntax right?

    --
    Russ Allbery (rra@stanford.edu)


  8. Re: Default ticket lifetime


    On Tue, Jun 28, 2005 at 09:36:42PM -0700, Russ Allbery wrote:
    > Ryan Underwood writes:
    >
    > > From the Changelog, it looks like this was disabled sometime in 1996 and
    > > never revisited. But this is what I was referring to in my original
    > > post. Was this a bad idea for some reason?

    >
    > It looks more like an effort was made to add it, but never really
    > finished.
    >
    > Anyway, that's libdefaults. Looking at the source of kinit for 1.4, it
    > sure looks like my original message was *supposed* to be right:


    Woops; I'm using 1.3.6 from Debian. I guess that means this feature has
    been recently added?

    > That would be default_lifetime in [appdefaults]. Are you sure that you
    > have the time specification syntax right?


    Yeah, I just don't have the code you quoted in the 1.3.6 kinit.c - that
    may be the problem.

    --
    Ryan Underwood,


  9. Re: Default ticket lifetime

    Ryan Underwood writes:

    > Woops; I'm using 1.3.6 from Debian. I guess that means this feature has
    > been recently added?


    Yup, looks like all that code has been significantly redone in 1.4. I
    agree, I don't see anything in 1.3.6 that would let you change the default
    ticket lifetime in krb5.conf.

    --
    Russ Allbery (rra@stanford.edu)


  10. Re: Default ticket lifetime


    On Tue, Jun 28, 2005 at 09:51:47PM -0700, Russ Allbery wrote:
    >
    > Yup, looks like all that code has been significantly redone in 1.4. I
    > agree, I don't see anything in 1.3.6 that would let you change the default
    > ticket lifetime in krb5.conf.


    Is an upgrade of the package planned? I only see one pending "new
    upstream release" bug regarding krb5, against krb5-admin-server.

    --
    Ryan Underwood,


  11. Re: Default ticket lifetime

    Ryan Underwood writes:
    > On Tue, Jun 28, 2005 at 09:51:47PM -0700, Russ Allbery wrote:


    >> Yup, looks like all that code has been significantly redone in 1.4. I
    >> agree, I don't see anything in 1.3.6 that would let you change the
    >> default ticket lifetime in krb5.conf.


    > Is an upgrade of the package planned? I only see one pending "new
    > upstream release" bug regarding krb5, against krb5-admin-server.


    Sam is working on an upload to experimental but is very busy. I have a
    few other things on my plate as well, alas, but I hope it won't be too
    much longer before we can start testing 1.4.1. It's a fairly substantial
    change and now requires coordination with the NFSv4 folks, so it's worth
    proceeding cautiously.

    Unfortunately, that means I don't know what kind of time frame we're
    talking about for solving your particular problem. Before etch is
    released, certainly.

    --
    Russ Allbery (rra@stanford.edu)


  12. Re: Default ticket lifetime


    On Tue, Jun 28, 2005 at 09:57:51PM -0700, Russ Allbery wrote:
    >
    > Sam is working on an upload to experimental but is very busy. I have a
    > few other things on my plate as well, alas, but I hope it won't be too
    > much longer before we can start testing 1.4.1. It's a fairly substantial
    > change and now requires coordination with the NFSv4 folks, so it's worth
    > proceeding cautiously.
    >
    > Unfortunately, that means I don't know what kind of time frame we're
    > talking about for solving your particular problem. Before etch is
    > released, certainly.


    It's no hurry. I've dealt with the status quo for a long time and just
    today had the itch to revisit this particular issue, armed with a few
    years of field experience with Kerberos and AFS. In any case, I'm glad
    to know that the gears are in motion, and I'll add myself to the
    notification list for the upload.

    Thanks!

    --
    Ryan Underwood,


  13. Re: Default ticket lifetime

    Ryan Underwood writes:

    > On Tue, Jun 28, 2005 at 09:36:42PM -0700, Russ Allbery wrote:
    > > Ryan Underwood writes:
    > >
    > > > From the Changelog, it looks like this was disabled sometime in 1996 and
    > > > never revisited. But this is what I was referring to in my original
    > > > post. Was this a bad idea for some reason?

    > >
    > > It looks more like an effort was made to add it, but never really
    > > finished.
    > >
    > > Anyway, that's libdefaults. Looking at the source of kinit for 1.4, it
    > > sure looks like my original message was *supposed* to be right:

    >
    > Woops; I'm using 1.3.6 from Debian. I guess that means this feature has
    > been recently added?


    On Debian sarge you could use heimdal-clients on your workstations in
    the meantime (probably not on machines where you do Kerberos administrative
    work). kinit from Heimdal evaluates the appdefaults section
    properly.

    Hth,

    Christian

    --
    Dipl.-Ing. Christian Pfaffel-Janser
    Technische Universität Graz Telefon: +43 / 316 / 873 - 81 90
    Institut für Theoretische Physik Telefax: +43 / 316 / 873 - 86 78
    Petersgasse 16, A-8010 Graz http://itp.tugraz.at/~flash/pubkey.gpg


  14. Re: Default ticket lifetime

    Ryan Underwood writes:
    > On Tue, Jun 28, 2005 at 09:36:42PM -0700, Russ Allbery wrote:


    >> That would be default_lifetime in [appdefaults]. Are you sure that you
    >> have the time specification syntax right?


    > Yeah, I just don't have the code you quoted in the 1.3.6 kinit.c - that
    > may be the problem.


    *sigh*. Ignore all that stuff I told you. I keep forgetting how much we
    modified some aspects of the Kerberos code and keep forgetting to go look
    at a virgin source tree. Now I have one on hand and will hopefully
    remember....

    All that code to support appdefault configuration in kinit is a local
    modification, which is also why default_lifetime was working for us
    locally but isn't working for you.

    I'm sorry about the confusion.

    --
    Russ Allbery (rra@stanford.edu)

  15. Re: Default ticket lifetime

    Ryan Underwood writes:

    > From the Changelog, it looks like this was disabled sometime in 1996 and
    > never revisited. But this is what I was referring to in my original
    > post. Was this a bad idea for some reason?


    Sam pointed me at the right place. ticket_lifetime in libdefaults should
    work in 1.4 and later.

    2004-08-12 Alexandra Ellwood

    * get_in_tkt.c (get_init_creds):
    Support ticket_lifetime libdefault.
    Made aware of 32 bit min and max for times.
    Allow renew_until time < expiration time.

    --
    Russ Allbery (rra@stanford.edu)
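    Two practical points follow from messages 7 and 15 above, and the script
    below (an added example, not code from this thread or from the MIT krb5
    sources) shows both. First, the duration syntax Russ asks about: krb5
    accepts "h:m[:s]", "NdNhNmNs" with any subset of the units, and a bare
    number of seconds; the parser here also takes unit words such as the
    "10hrs" in the quoted kinit code, and it is a re-implementation of the
    documented formats, not the deltat grammar from the krb5 tree. Second, a
    longer ticket_lifetime in [libdefaults] (or a longer kinit -l) is only a
    request: the KDC clamps every ticket to the smallest of the client's
    request, the principal's maximum ticket life (kadmin maxlife) and the
    realm's max_life in kdc.conf, so raising the client setting changes
    nothing until the KDC side allows it. Check the result with klist, which
    prints the Expires time the KDC actually granted. The krb5.conf fragment,
    the 10 hour fallback (the default the thread describes) and the policy
    limits in the script are constructed for the example. Keep in mind that a
    longer TGT lifetime also lengthens the window in which a stolen credential
    cache remains usable; renewable tickets are the usual way to get long
    sessions without long-lived tickets.

```python
"""
Added example: parse krb5 time-duration strings and compute the ticket
lifetime a KDC will actually grant. Not code from the thread or from the
MIT krb5 sources; the krb5.conf fragment and the policy limits are constructed.
"""
import re

# Constructed krb5.conf fragment (sample input, not a real site config).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 1d
    renew_lifetime = 7d
"""

# Documented krb5 duration formats: "h:m[:s]", "NdNhNmNs" (any subset; unit
# words such as "10hrs" are accepted here as well) and a bare number of seconds.
_HMS = re.compile(r"^(\d+):(\d{1,2})(?::(\d{1,2}))?$")
_UNITS = re.compile(
    r"^(?:(\d+)\s*(?:d|days?))?\s*(?:(\d+)\s*(?:h|hrs?|hours?))?\s*"
    r"(?:(\d+)\s*(?:m|mins?|minutes?))?\s*(?:(\d+)\s*(?:s|secs?|seconds?))?$"
)


def parse_deltat(text):
    """Return the number of seconds denoted by a krb5 duration string."""
    s = text.strip().lower()
    if s.isdigit():
        return int(s)
    m = _HMS.match(s)
    if m:
        h, mi, sec = (int(x) if x else 0 for x in m.groups())
        return h * 3600 + mi * 60 + sec
    m = _UNITS.match(s)
    if m and any(m.groups()):
        d, h, mi, sec = (int(x) if x else 0 for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + sec
    raise ValueError("not a krb5 duration: %r" % text)


def libdefault(conf_text, key):
    """Read one key from the flat [libdefaults] section of a krb5.conf text.

    Minimal on purpose: it ignores the brace-delimited subsections that other
    sections (e.g. [realms]) use, which [libdefaults] does not need.
    """
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                return v
    return None


def requested_lifetime(conf_text):
    """Lifetime kinit asks for: ticket_lifetime, else the 10 hour default
    the thread describes (assumed here; newer releases may differ)."""
    value = libdefault(conf_text, "ticket_lifetime")
    return parse_deltat(value if value is not None else "10h")


def granted_lifetime(requested, principal_max_life, realm_max_life):
    """The KDC clamps every ticket to the smallest of the three limits."""
    return min(requested, principal_max_life, realm_max_life)


if __name__ == "__main__":
    want = requested_lifetime(SAMPLE_KRB5_CONF)
    # Constructed policy limits: kadmin maxlife on the principal and
    # max_life for the realm in kdc.conf.
    got = granted_lifetime(want, parse_deltat("10h"), parse_deltat("1d"))
    print("requested %ds, KDC will grant %ds" % (want, got))
```

    With the constructed values the client asks for one day but the principal
    is capped at ten hours, so klist would still show a ten hour ticket; the
    fix in that case is on the KDC (modify_principal -maxlife and max_life in
    kdc.conf), not in krb5.conf.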

  16. Re: Implementing a Kerberos application

    I am sorry that my question was quite vague.. I am
    heading against a wall with my study. I'll try to
    explain my requirements a bit more clearly, and hoping
    for some help..

    I have to implement a SSO (Single Sign On)
    application. For this, I think Kerberos will fit into
    the architecture. I am planning to use Java GSS API
    between the peer applications (which will participate
    for Single Sign On). The authentication credentials
    will propagate between the peer applications using GSS
    calls. Somehow I think, Windows 2000 Kerberos server
    (Windows Domain Controller) will fit into the
    architecture. The requirement is to provide
    interoperability between Java Kerberos system and
    Microsoft Windows based one. The clients will be web
    browser based ones.

    This is my understanding of the architecture I have in
    mind. I'll appreciate any improvements to my ideas..
    Any references will surely be helpful to me..

    Regards,
    Mukul

    --- Mukul Gandhi wrote:

    > Hello,
    > I have to implement a Kerberos application,
    > providing interoperability between Windows 2000
    > Kerberos server and Kerberos Java clients.
    >
    > Can someone please provide any references..?
    >
    > Regards,
    > Mukul





  17. Re: Implementing a Kerberos application

    Not to offend you, but a simple google search for "single sign-on kerberos"
    reveals a lot of information on this subject. The 2nd link that came up for me
    was a guide to Kerberos single sign-on in Java:

    http://java.sun.com/j2se/1.4.2/docs/...le-signon.html

    Hope this helps get you started.

    Best regards,

    -Michael


    --- Mukul Gandhi wrote:

    > I am sorry that my question was quite vague.. I am
    > heading against a wall with my study. I'll try to
    > explain my requirements a bit more clearly, and hoping
    > for some help..
    >
    > I have to implement a SSO (Single Sign On)
    > application. For this, I think Kerberos will fit into
    > the architecture. I am planning to use Java GSS API
    > between the peer applications (which will participate
    > for Single Sign On). The authentication credentials
    > will propagate between the peer applications using GSS
    > calls. Somehow I think, Windows 2000 Kerberos server
    > (Windows Domain Controller) will fit into the
    > architecture. The requirement is to provide
    > interoperability between Java Kerberos system and
    > Microsoft Windows based one. The clients will be web
    > browser based ones.
    >
    > This is my understanding of the architecture I have in
    > mind. I'll appreciate any improvements to my ideas..
    > Any references will surely be helpful to me..
    >
    > Regards,
    > Mukul
    >
    > --- Mukul Gandhi wrote:
    >
    > > Hello,
    > > I have to implement a Kerberos application,
    > > providing interoperability between Windows 2000
    > > Kerberos server and Kerberos Java clients.
    > >
    > > Can someone please provide any references..?
    > >
    > > Regards,
    > > Mukul




  18. Re: Default ticket lifetime


    On Wed, Jun 29, 2005 at 10:04:40AM -0700, Russ Allbery wrote:
    >
    > All that code to support appdefault configuration in kinit is a local
    > modification, which is also why default_lifetime was working for us
    > locally but isn't working for you.


    Hmm, so are you saying that in 1.4 this doesn't exist either? If so,
    would it be a bad idea to merge it?

    --
    Ryan Underwood,


  19. Re: Default ticket lifetime

    Ryan Underwood writes:
    > On Wed, Jun 29, 2005 at 10:04:40AM -0700, Russ Allbery wrote:


    >> All that code to support appdefault configuration in kinit is a local
    >> modification, which is also why default_lifetime was working for us
    >> locally but isn't working for you.


    > Hmm, so are you saying that in 1.4 this doesn't exist either? If so,
    > would it be a bad idea to merge it?


    There is a libdefaults setting that's supported in 1.4, just not an
    appdefaults setting. We locally added a ton of additional appdefaults
    settings for our site, but it's a bit entangled with other bits of code
    that probably aren't wanted upstream, particularly now that K4 support is
    being dropped (since that's what most of it was for).

    If I get a chance, I'll separate out just that part of the patch and then
    see if anyone's interested.

    --
    Russ Allbery (rra@stanford.edu)


  20. Need some tips on kerberizing our ENTIRE network

    Good day,

    We had a meeting last time regarding the need for a
    centralized authentication in our agency. Everyone
    except me, was looking into using an ldap directory. I
    insist on them that if we were to use ldap for sole
    authentication purpose, ldap was not designed for it,
    and we should be considering the use of kerberos
    instead. But I told them that there is a catch, if we
    were to use kerberos, we must find a kerberized
    versions for those network services we wish to use the
    kerberos authentication. In short, other custom made
    apps, such as web applications must find a way to know
    how to interact with kerberos. On the other hand,
    doing some research of my own, ldap support for
    popular services seems to be more available than that
    with kerberos support. At the end of our meeting, we
    have agreed upon the accounting of our services which
    requires authentication and finding out if it supports
    authentication through ldap(since we still need the
    directory functions of ldap).

    But my problem is this, I've been reading a lot of
    discussion regarding the use of kerberos
    authentication, its strength against other mechanisms,
    the whole protocol itself and I'm pretty much
    convinced that for authentication, kerberos is the
    only way to go. In short, I'm still looking forward to
    using kerberos in our network services authentication
    instead of ldap which leads me to a bigger problem.
    Will it be achievable for the following services?:

    jabberd2 (by just looking at its config file, it
    definitely supports ldap, not sure with kerberos)

    Nagios server monitoring(I've heard some discussions
    regarding its ldap support, not sure with kerberos)

    rt3 TTS(also read some ldap support, not sure with
    kerberos)

    email (qmail or postfix) I just bumped into a document
    saying postfix supports sasl/gssapi, and qmail has a
    qmail-ldap version but not sure with qmail-kerberos.

    ssh (I saw its sshd_config and it has an option for
    kerberos authentication)

    Unix login (I'm also quite sure it supports being
    kerberized)

    radius wifi login( ldap support, also not sure with
    kerberos)

    ftp (although kerberos provides kerberized ftpd, we
    are currently using ProFTP, no idea if it supports
    kerberos authentication)

    samba( we are using snap server. Its an appliance
    which if it doesn't support kerberos, there's no way
    to tweak it, I guess.)

    web apps( I've read some docs regarding apache modules
    for kerberos, some patches for some web browser to
    support kerberos authentication and also some rfcs
    which discusses adding kerberos mech to the SSL/TLS
    protocol.

    openldap directory( it definitely supports kerberos)

    Summary of apps that I'm SURE have kerberos support:
    postfix
    ssh
    unix logins
    ldap

    Summary of apps that I'm NOT SURE have kerberos
    support:

    jabberd2
    webapps
    samba(Snap server)
    radius
    rt
    nagios

    Our bosses rely on best practices most of the time
    such as using the most widely used email server, ftp,
    etc. If only I can convince them of the ease of having a
    rock-solid single sign-on environment kerberos has to
    offer, which I think I can, I'm sure it would be easy
    to convince them to use other software alternatives if
    they support kerberos rather than those popular ones
    which lack it.

    My huge problem is, will it be achievable for those
    services I have mentioned above? IMO, I don't see any
    sense on kerberizing some of the services while others
    are still authenticating through ldap, do you?

    What do you think?


    Thanks!
    -jay











