Lifetime of Kerberos tickets


Problem description

I have started with configuring kerberos.

Can anyone explain the ticket lifetime and renew lifetime we set in the krb5.conf file?

ticket_lifetime = 2d  
renew_lifetime = 7d

  1. After 2 days, will the client get a new renewed ticket?
  2. After 7 days, do I need to create the keytab again and send it to the client machine?

Recommended answer

A Kerberos ticket has two lifetimes: a ticket lifetime and a renewable lifetime. After the end of the ticket lifetime, the ticket can no longer be used. However, if the renewable lifetime is longer than the ticket lifetime, anyone holding the ticket can, at any point before either lifetime expires, present the ticket to the KDC and ask for a new ticket. That new ticket will generally have a fresh ticket lifetime dating from the current time, although constrained by the renewable ticket lifetime.

That means you have to renew a ticket before it expires. You can't renew a ticket after it expires. But renewing a ticket doesn't require re-entering credentials, like a password or the key from the keytab. It can therefore be done quietly on the user's behalf by a program. (There are, for example, some system background utilities for Windows, Linux, and Mac OS X that watch the user's Kerberos tickets and renew them as needed up to the renewable lifetime.)

After the renewable lifetime is exhausted, or if one doesn't renew the ticket before the ticket lifetime expires, you have to re-enter credentials or use the key from a keytab.

Security-wise, the advantage of renewable tickets over tickets that just have a long lifetime is that the KDC can decline the renew request (if, for example, it had been discovered that the account was compromised and the renewable ticket may be in the hands of an attacker).

Renewable lifetimes don't have anything to do with keytabs. A keytab is good until you change the key for the principal, potentially forever.
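The renewal rules laid out in the answer above (a fresh ticket lifetime on each renewal, clamped to the renewable lifetime; no renewal once the ticket has expired; the KDC free to refuse a renewal for a compromised account), as an added example that is not part of the original post and is not MIT Kerberos code. It is a small Python model: the `KDC`, `Ticket` and `run_renewer` names, the principal `alice@EXAMPLE.COM` and the start time `T0` are assumptions for illustration, and `parse_duration` covers only the unit-suffixed subset of krb5.conf time syntax (`2d`, `10h`, `1d12h`, or a bare number of seconds). It runs the `ticket_lifetime = 2d` / `renew_lifetime = 7d` values from the question through a daily renewer, a renewer that sleeps longer than the ticket lifetime, and a KDC-side revocation.

```python
"""Model of how a KDC applies ticket_lifetime vs renew_lifetime (added example, not MIT krb5 code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([dhms])")


def parse_duration(text: str) -> timedelta:
    """Parse the unit-suffixed subset of krb5.conf durations: '2d', '10h', '1d12h30m', or bare seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return timedelta(seconds=int(text))
    total, pos = 0, 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:                      # reject garbage between tokens
            raise ValueError(f"bad duration: {text!r}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos != len(text) or total == 0:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=total)


@dataclass
class Ticket:
    principal: str
    authtime: datetime    # when password/keytab credentials were last presented
    endtime: datetime     # end of the ticket lifetime: unusable after this
    renew_till: datetime  # end of the renewable lifetime: no renewal past this

    def is_valid(self, now: datetime) -> bool:
        return now < self.endtime


class KDC:
    """Hypothetical KDC honouring ticket_lifetime / renew_lifetime plus a revocation list."""

    def __init__(self, ticket_lifetime: str, renew_lifetime: str):
        self.ticket_lifetime = parse_duration(ticket_lifetime)
        self.renew_lifetime = parse_duration(renew_lifetime)
        self.revoked = set()   # principals whose renewals the KDC should refuse

    def issue(self, principal: str, now: datetime) -> Ticket:
        """Initial authentication: the only step that needs the password or keytab key."""
        return Ticket(principal, now, now + self.ticket_lifetime, now + self.renew_lifetime)

    def renew(self, ticket: Ticket, now: datetime) -> Ticket:
        """Renewal: no credentials needed, but only while the old ticket is still valid."""
        if not ticket.is_valid(now):
            raise PermissionError("ticket expired; re-authenticate with password or keytab")
        if now >= ticket.renew_till:
            raise PermissionError("renewable lifetime exhausted; re-authenticate")
        if ticket.principal in self.revoked:
            raise PermissionError("renewal declined by KDC (principal flagged as compromised)")
        # Fresh lifetime dating from now, but never past the original renew_till.
        new_end = min(now + self.ticket_lifetime, ticket.renew_till)
        return Ticket(ticket.principal, ticket.authtime, new_end, ticket.renew_till)


def run_renewer(kdc: KDC, ticket: Ticket, interval: timedelta):
    """Simulate a background renewer that wakes every `interval` and renews until the KDC refuses.
    Returns (last_ticket, successful_renewals, reason_for_stopping)."""
    now, count = ticket.authtime, 0
    while True:
        now += interval
        try:
            ticket = kdc.renew(ticket, now)
            count += 1
        except PermissionError as exc:
            return ticket, count, str(exc)


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed start time for the walkthrough


if __name__ == "__main__":
    kdc = KDC(ticket_lifetime="2d", renew_lifetime="7d")   # the krb5.conf values from the question
    tgt = kdc.issue("alice@EXAMPLE.COM", T0)
    print("issued: valid until", tgt.endtime, "renewable until", tgt.renew_till)

    # A renewer that runs daily keeps the ticket alive for the full 7 days, then must re-authenticate.
    last, n, why = run_renewer(kdc, tgt, parse_duration("1d"))
    print(f"daily renewer: {n} renewals, last endtime {last.endtime}, stopped because: {why}")

    # A renewer that sleeps longer than ticket_lifetime never gets a chance to renew.
    _, n, why = run_renewer(kdc, tgt, parse_duration("3d"))
    print(f"every-3-days renewer: {n} renewals, stopped because: {why}")

    # Compromise response: the KDC refuses renewal even though both lifetimes are unexpired.
    kdc.revoked.add("alice@EXAMPLE.COM")
    try:
        kdc.renew(tgt, T0 + parse_duration("1h"))
    except PermissionError as exc:
        print("after revocation:", exc)
```

With the 2d/7d settings the daily renewer succeeds six times and the last renewal is clamped to the 7-day mark, after which only a fresh `kinit` (password or keytab) helps; the renewer that wakes every 3 days finds an already-expired ticket and never renews, so a renewer must run more often than `ticket_lifetime`. On a real MIT Kerberos client the same steps are `kinit -r 7d` to request a renewable ticket, `klist` to see the "renew until" time, and `kinit -R` to renew; note that the values in krb5.conf are only requests, and the KDC caps them by the principal's and realm's maximum ticket and renewable lifetimes.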
