On Wed, Jan 15, 2014 at 7:51 PM, Russ Allbery <ea...@eyrie.org> wrote: > I think this would be more straightforward, would prevent the above > issues, and would mean that I wouldn't have to merge various patches > people have sent me to work around this or configure this in other ways. > The only drawback I can think of is that it may mean somewhat more > Kerberos KDC traffic, since I suspect a lot of people have set -K values > to be fairly short, but the minimum time is one minute anyway. An > authentication every minute isn't a huge amount, and people can adjust > their -K arguments after this release. > > Does anyone think this is a bad idea? Am I missing any problem with this?
For what it's worth, I checked what we're using at work to authenticate our Apache systems, and it's "-K 30", so I don't anticipate that such a change would noticeably impact us. - Ken ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos