On Mon, Mar 02, 2009 at 09:02:59PM -0500, Jason Edgecombe wrote:
> Nicolas Williams wrote:
> >I have seen sites use on the order of months for the renewable ticket
> >lifetime, but still hours for normal ticket lifetime. If you already
> >use seven days for renew life you might as well double it -- whatever
> >your threat model is, if you can accept seven days then chances are you
> >can accept fourteen.
> >
> Doubling it wouldn't really help. It would probably need to be on the
> order of a month. If I were to change the renewable lifetime, I need to
> change all principals, the client krb5.conf and the server kdc.conf. Is
> that correct?
Hmmm, not sure. The client ought to ask for infinity, but I don't think
that's the default, sadly.

The kdc.conf parameters in question are best not used -- you can use
kadmin policies instead.

Also, IIRC the TGS principal's renew life puts a bound on all, so
generally you might want to set principals' renewable ticket life to be
very long, and use the TGS principal as a big hammer.

Nico
--
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
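The bounding that Nico describes, worked through as an added example (not code from the thread or from MIT krb5): the KDC grants the smallest of the client's requested renew_lifetime, the client principal's maxrenewlife, the krbtgt/REALM principal's maxrenewlife and the realm max_renewable_life from kdc.conf. The duration parser and the scenario values are constructed for the example and only cover the common krb5 duration spellings.

```python
import re

# Renewable-ticket lifetime arithmetic as the MIT KDC applies it when it issues
# a TGT (added example, not MIT code). Every TGT has krbtgt/REALM as its service
# principal, so that one entry caps every principal in the realm: raising the
# client principal and krb5.conf alone changes nothing until krbtgt (and the
# kdc.conf realm limit, if set) are raised too.

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_DELTAT = re.compile(
    r"(\d+)\s*(d(?:ays?)?|h(?:ours?)?|m(?:in(?:utes?)?)?|s(?:ec(?:onds?)?)?)")


def parse_deltat(text):
    """Parse a krb5-style duration into seconds.

    Assumption: this mirrors the common forms of krb5_string_to_deltat, not its
    full grammar: a bare seconds count ("604800"), h:m[:s] ("168:00") and unit
    suffixes ("7d", "1d12h", "30 days").
    """
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if ":" in text:
        h, m, *rest = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + (rest[0] if rest else 0)
    matches = _DELTAT.findall(text)
    # Reject trailing junk: the matched pieces must rebuild the whole string.
    if not matches or "".join(n + u for n, u in matches) != re.sub(r"\s+", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u[0]] for n, u in matches)


def granted_renewable_life(renew_lifetime, client_maxrenewlife,
                           krbtgt_maxrenewlife, realm_max_renewable_life):
    """Seconds of renewable life the KDC grants for a TGT; 0 means not renewable."""
    requested = parse_deltat(renew_lifetime) if renew_lifetime else 0
    if requested <= 0:
        return 0  # no renew_lifetime in krb5.conf: kinit asks for no renewable ticket
    return min(requested,
               parse_deltat(client_maxrenewlife),
               parse_deltat(krbtgt_maxrenewlife),
               parse_deltat(realm_max_renewable_life))


if __name__ == "__main__":
    # Constructed scenario: everything at 7 days, then only the client side
    # raised to a month while krbtgt and kdc.conf stay at 7 days, then all raised.
    print(granted_renewable_life("7d", "7d", "7d", "7d") // 86400)      # 7
    print(granted_renewable_life("30d", "30d", "7d", "7d") // 86400)    # still 7
    print(granted_renewable_life("30d", "30d", "30d", "30d") // 86400)  # 30
```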