On Fri, 2014-06-13 at 17:21 +0530, Manish Gupta wrote:
> The Kerberos implementation on my platform takes care of secure storage of
> the Kerberos credential cache. It is protected from any unauthorized access.
>
> In this case, is there any harm in using a long-term TGT, like a TGT valid for a
> month?
>
> I cannot understand how it can be exploited if the TGT is long-term.
There's at least one case you're not thinking of. That case is when *your own* access is not authorized: your account was disabled for whatever reason. Your tickets will continue to work in that case until they expire.

A practical application of this would be a guest account, where the user continues to have access over e.g. wifi after their account is disabled, and as long as their current TGT is valid they continue to be able to use it. (In fact, I believe there is currently a bit of a hole here.)

-- 
brandon s allbery kf8nh
sine nomine associates
[email protected] [email protected]
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
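The failure mode described in the reply above, as an added example that is not part of the original thread and is not code from MIT Kerberos or any other implementation: a toy Python model in which the KDC consults its account database only when it issues a TGT, while a Kerberized service checks nothing but the validity window of the ticket it is handed. The principal name, realm, lifetimes and timeline are constructed for illustration, and the model deliberately leaves out the TGS exchange, renewal and ticket encryption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Principal:
    """One entry in the KDC database (constructed sample data)."""
    name: str
    enabled: bool = True


@dataclass(frozen=True)
class Ticket:
    """Just the ticket fields that matter here: who it is for and when it is valid."""
    client: str
    service: str
    starttime: datetime
    endtime: datetime


class ToyKDC:
    """Authentication Service only (hypothetical model).

    The account is checked exactly once, when the TGT is issued. After that the
    ticket carries its own validity window and the database is not consulted
    again by whoever receives the ticket.
    """

    def __init__(self, principals, tgt_lifetime: timedelta):
        self.principals = {p.name: p for p in principals}
        self.tgt_lifetime = tgt_lifetime

    def as_exchange(self, client: str, now: datetime) -> Ticket:
        principal = self.principals[client]
        if not principal.enabled:
            # The only point in this model where a disabled account is noticed.
            raise PermissionError("KDC_ERR_CLIENT_REVOKED")
        return Ticket(client, "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                      now, now + self.tgt_lifetime)

    def disable(self, client: str) -> None:
        """Administrator disables the account; existing tickets are untouched."""
        self.principals[client].enabled = False


def service_accepts(ticket: Ticket, now: datetime) -> bool:
    """A service validates the ticket in front of it, not the account behind it."""
    return ticket.starttime <= now < ticket.endtime


def access_after_disable(tgt_lifetime_hours: float, access_after_hours: float):
    """Issue a TGT at t0, disable the account right afterwards, then try to use
    the old ticket and to log in afresh at t0 + access_after_hours.

    Returns (old_ticket_still_works, fresh_login_works).
    """
    t0 = datetime(2014, 6, 13, 12, 0, tzinfo=timezone.utc)  # constructed timeline
    kdc = ToyKDC([Principal("guest")], timedelta(hours=tgt_lifetime_hours))
    tgt = kdc.as_exchange("guest", t0)
    kdc.disable("guest")

    later = t0 + timedelta(hours=access_after_hours)
    old_ticket_still_works = service_accepts(tgt, later)
    try:
        kdc.as_exchange("guest", later)
        fresh_login_works = True
    except PermissionError:
        fresh_login_works = False
    return old_ticket_still_works, fresh_login_works


if __name__ == "__main__":
    # Month-long TGT: two hours after being disabled, the guest still gets in.
    print("30-day TGT, access at +2h :", access_after_disable(30 * 24, 2))
    # Ten-hour TGT: by hour eleven the ticket has expired and a new login is refused.
    print("10-hour TGT, access at +11h:", access_after_disable(10, 11))
```

In this model the ticket lifetime is the only lever: a disabled account keeps working for exactly as long as the TGT it already holds. In a real deployment the same reasoning is why short lifetimes combined with renewable tickets are preferred, since a renewal has to go back to the KDC, which can refuse a principal that has been disabled in the meantime.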
