renewable in krb5.conf

Jeffrey Altman jaltman at secure-endpoints.com
Thu Mar 15 11:44:36 CET 2018


On 3/15/2018 4:57 AM, Andreas Haupt wrote:
> Hi Harald,
> 
> On Thu, 2018-03-15 at 09:30 +0100, Harald Barth wrote:
>> Is there really no way to make kinit have "renewable" as default (like
>> "forwardable" in [libdefaults] in /etc/krb5.conf)?
>>
>> If no, is there any good reason for it?
> 
> We have:
> 
> [libdefaults]
> 	renew_lifetime = 30d




You also need to specify

   renewable = true

if you want all tickets to be requested as renewable. renew_lifetime
simply sets the default renew lifetime to request.

As far as I am concerned the client should always request the maximum
supported "lifetime" and "renew_lifetime" in order to permit the KDC
settings to take precedence.

Unfortunately, KDC implementation choices mean that there is no
well-defined value for maximum lifetime and renew_lifetime. 180 days
appears to be safe enough.
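
The point made in this message, as an added example that is not part of the original post: a small Python check that reads the top level of [libdefaults] from a krb5.conf and reports when renew_lifetime is set without renewable = true. The function names, the constructed sample configs and the accepted boolean spellings (true/yes) are assumptions made for this example.

```python
import re

# Assumption: the spellings treated as "true" here; adjust to your Kerberos library.
TRUE_VALUES = {"true", "yes"}

# Constructed samples: the config quoted in the thread, and the same with the fix.
BEFORE = "[libdefaults]\n\trenew_lifetime = 30d\n"
AFTER = BEFORE + "\trenewable = true\n"


def libdefaults(text):
    """Return the top-level key/value pairs of the [libdefaults] section."""
    section, depth, found = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:                # new [section]
            section = header.group(1).strip()
            continue
        if line.endswith("{"):                   # nested block opens
            depth += 1
            continue
        if line.startswith("}"):                 # nested block closes
            depth = max(depth - 1, 0)
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found


def audit_renewable(text):
    """Return findings about the renewable-ticket defaults in a krb5.conf."""
    conf = libdefaults(text)
    renewable = conf.get("renewable", "").lower() in TRUE_VALUES
    findings = []
    if "renew_lifetime" in conf and not renewable:
        findings.append("renew_lifetime is set but renewable is not true: "
                        "tickets are not requested as renewable by default")
    if renewable and "renew_lifetime" not in conf:
        findings.append("renewable is true but no default renew_lifetime is configured")
    return findings


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_renewable(sample) or "ok")
```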


