Kerberos key Lifetime


Question

I have an HTTP service running on my domain. But I have a few doubts regarding how the lifetime for my HTTP service is decided. How long can a client be able to use my HTTP service?

Answer

A Kerberos ticket has a lifetime (e.g. 10 hours) and a renewable lifetime (e.g. 7 days). As long as the ticket is still valid and is still renewable, you can request a "free" renewal (no password required), and the lifetime counter is reset (e.g. 10h to go, again).

When creating the ticket, each "lifetime" is set as the MIN() of 3 values:

  • the max duration set in the KDC server config (check the MIT documentation under max_life and max_renewable_life)
  • the standard duration in the client config, typically in /etc/krb5.conf (check the MIT documentation under ticket_lifetime and renew_lifetime)
  • the explicit duration requested by the client, if any (for instance the kinit command has -l and -r options)

Bottom line: if your KDC does not serve renewable tickets because max_renewable_life = 0, then clients will have to get a new ticket every max_life (or less, if their local ticket_lifetime is smaller).

PS: if the ticket is stored in the default cache, then you can use klist to check the end-of-(renewable)-life time.
PPS: I remember some complaints about the Java API (JAAS) not allowing apps to request renewable Kerberos tickets... Check if it's still the case.
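The MIN() rule and the max_renewable_life = 0 case from the answer above, as an added worked example that is not part of the original answer. The duration parser is a deliberately simplified subset of what MIT krb5 accepts in krb5.conf and kdc.conf, the configuration values are constructed for the example, and treating a renewable window that does not outlast the ticket as "not renewable" is a modelling choice made here, not something the answer states.

```python
import math
import re
from dataclasses import dataclass
from typing import Optional

# Seconds per unit for the "NdNhNmNs" spelling of krb5 durations.
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)\s*([dhms])")


def parse_duration(text: str) -> int:
    """Parse a krb5.conf-style duration into seconds.

    Simplified for this example: accepts bare seconds ("36000"), unit suffixes
    ("10h", "7d", "1d 2h 30m") and clock form ("10:00", "10:00:00").
    MIT's getdate() accepts more spellings than this.
    """
    s = text.strip().lower()
    if s.isdigit():
        return int(s)
    if ":" in s:
        parts = [int(p) for p in s.split(":")]
        if len(parts) == 2:
            return parts[0] * 3600 + parts[1] * 60
        if len(parts) == 3:
            return parts[0] * 3600 + parts[1] * 60 + parts[2]
        raise ValueError(f"unrecognised duration: {text!r}")
    tokens = _TOKEN.findall(s)
    if not tokens or _TOKEN.sub("", s).strip():
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in tokens)


@dataclass(frozen=True)
class TicketLifetimes:
    lifetime: int        # seconds the ticket is valid before it must be renewed or replaced
    renewable_life: int  # seconds from issue until renewal stops working; 0 if not renewable

    @property
    def renewable(self) -> bool:
        return self.renewable_life > 0


def effective_lifetimes(kdc_max_life: str, kdc_max_renewable_life: str,
                        client_ticket_lifetime: str, client_renew_lifetime: str,
                        requested_lifetime: Optional[str] = None,
                        requested_renew_lifetime: Optional[str] = None) -> TicketLifetimes:
    """Apply the MIN() rule to the ticket lifetime and to the renewable lifetime.

    KDC max_life / max_renewable_life, client ticket_lifetime / renew_lifetime,
    and an optional explicit request (kinit -l / -r) each cap the result.
    """
    life = [parse_duration(kdc_max_life), parse_duration(client_ticket_lifetime)]
    if requested_lifetime is not None:
        life.append(parse_duration(requested_lifetime))
    lifetime = min(life)

    renew = [parse_duration(kdc_max_renewable_life), parse_duration(client_renew_lifetime)]
    if requested_renew_lifetime is not None:
        renew.append(parse_duration(requested_renew_lifetime))
    renewable_life = min(renew)

    # Modelling choice for this example (assumption): a renewable window that does not
    # outlast the ticket itself buys nothing, because the ticket expires first, so the
    # result is reported as non-renewable. max_renewable_life = 0 lands here too.
    if renewable_life <= lifetime:
        renewable_life = 0
    return TicketLifetimes(lifetime, renewable_life)


def fresh_tickets_needed(session_seconds: int, t: TicketLifetimes) -> int:
    """Number of brand-new tickets (credentials required, not a free renewal)
    a client needs to stay authenticated for session_seconds."""
    window = t.renewable_life if t.renewable else t.lifetime
    return math.ceil(session_seconds / window)


def renewals_per_window(t: TicketLifetimes) -> int:
    """Free renewals available before a new ticket becomes unavoidable.
    Each renewal extends the end time by one lifetime, capped at the renewable end."""
    if not t.renewable:
        return 0
    return math.ceil(t.renewable_life / t.lifetime) - 1


if __name__ == "__main__":
    # Constructed settings: KDC with max_life 10h / max_renewable_life 7d,
    # client krb5.conf with ticket_lifetime 24h / renew_lifetime 7d, nothing requested.
    t = effective_lifetimes("10h", "7d", "24h", "7d")
    print(t, "fresh tickets for 30 days:", fresh_tickets_needed(30 * 86400, t),
          "renewals per window:", renewals_per_window(t))
    # Same client against a KDC with max_renewable_life = 0: a new ticket every max_life.
    t0 = effective_lifetimes("10h", "0", "24h", "7d")
    print(t0, "fresh tickets for 30 days:", fresh_tickets_needed(30 * 86400, t0))
```

With the constructed settings the client gets a 10-hour ticket renewable for 7 days (the KDC's 10h beats the client's 24h), so a month of continuous use costs 5 fresh tickets and up to 16 free renewals per ticket. Against a KDC with max_renewable_life = 0 the same client needs 72 fresh tickets for the same month, which is the "bottom line" from the answer. To compare against a real cache, run `klist` and look at the "renew until" column: it is absent when the ticket is not renewable.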
