[30937] in Kerberos
Re: Question on renewable lifetime
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Mar 27 12:53:34 2009
From: Greg Hudson <ghudson@MIT.EDU>
To: miguel.sanders@arcelormittal.com
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206ABC0E7@GEN-MXB-V04.msad.arcelor.net>
Date: Fri, 27 Mar 2009 12:52:05 -0400
Message-Id: <1238172725.6246.293.camel@ray>
Mime-Version: 1.0
Cc: kerberos@MIT.EDU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU
I would personally stick with using a supplied keytab.
If you do switch to renewing tickets, be aware that renewal has to
happen while the old tickets are still valid. If your crontab ever
misses a renewal, it will break until you kinit again by hand.
The theoretical advantage of renewal over a known password is that
renewable tickets can be blacklisted if stolen. But blacklisting is not
implemented in the MIT KDC, so it's hard to realize this advantage.
On Thu, 2009-03-26 at 17:53 +0100, miguel.sanders@arcelormittal.com
wrote:
> I have a background process which requires a service principal to
> work correctly.
> Currently, I have a cron job which does a kinit (with the keytab
> supplied) for that service principal.
> Wouldn't it be better to renew the ticket instead of doing the above?
> As a result, I would have to set the renewable lifetime for that service
> principal to unlimited.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
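The renew-first, fall-back-to-keytab approach that the reply warns about (renewal only works while the old ticket is still valid, so a missed cron run otherwise leaves things broken until someone runs kinit by hand), as an added example that is not part of the original thread and not code from MIT krb5. It assumes MIT Kerberos kinit and klist on PATH; the principal name, keytab path, cache path and renewable lifetime are placeholders, not values from the thread.

```sh
#!/bin/sh
# refresh-ticket.sh: keep a service principal's TGT fresh from cron.
# Added example, not code from the original thread or from MIT krb5.
# Assumes MIT Kerberos kinit/klist; the principal, keytab, cache and
# renewable lifetime below are placeholders, not values from the thread.

PRINCIPAL="${PRINCIPAL:-svc/host.example.com@EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
CCACHE="${KRB5CCNAME:-/tmp/krb5cc_svc}"
RENEW_LIFE="${RENEW_LIFE:-7d}"   # capped by the principal's max renewable life on the KDC

# klist -s is silent and exits 0 only if the cache holds an unexpired TGT.
ticket_valid() {
    klist -s -c "$CCACHE"
}

# Renewal (kinit -R) only works while the current TGT is still valid and
# its renewable lifetime is not exhausted; otherwise kinit -R fails.
renew_ticket() {
    kinit -R -c "$CCACHE"
}

# Fresh authentication from the keytab; ask for a renewable ticket so the
# next run can renew instead of re-authenticating.
fresh_ticket() {
    kinit -k -t "$KEYTAB" -r "$RENEW_LIFE" -c "$CCACHE" "$PRINCIPAL"
}

# Try to renew first; if the ticket has already expired (a missed cron run)
# or cannot be renewed, fall back to the keytab instead of staying broken.
# Prints what it did and returns 0 on success, 1 if both paths failed.
refresh_ticket() {
    if ticket_valid && renew_ticket; then
        echo renewed
        return 0
    fi
    if fresh_ticket; then
        echo reacquired
        return 0
    fi
    echo "could not obtain a ticket for $PRINCIPAL" >&2
    return 1
}

# Cron entry, e.g.:  */30 * * * *  /usr/local/sbin/refresh-ticket.sh run
if [ "${1:-}" = "run" ]; then
    refresh_ticket
fi
```

Schedule the job well inside the ticket lifetime (a 30-minute interval against a 10-hour ticket, for instance) so that a single missed run still lands on a valid ticket. Note that the keytab has to remain on the host for the fallback, so this only removes the single point of failure; it does not gain the theoretical advantage of having no long-term key on the machine.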