renewable in krb5.conf


renewable in krb5.conf

Harald Barth-2

Is there really no way to make kinit have "renewable" as default (like
"forwardable" in [libdefaults] in /etc/krb5.conf)?

If no, is there any good reason for it?

Harald.
Re: renewable in krb5.conf

Andreas Haupt-2
Hi Harald,

On Thu, 2018-03-15 at 09:30 +0100, Harald Barth wrote:
> Is there really no way to make kinit have "renewable" as default (like
> "forwardable" in [libdefaults] in /etc/krb5.conf)?
>
> If no, is there any good reason for it?

We have:

[libdefaults]
        renew_lifetime = 30d

in krb5.conf and tickets are renewable for 30 days by default here. Doesn't
that work for you?

Cheers,
Andreas
--
| Andreas Haupt            | E-Mail: [hidden email]
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216



Re: renewable in krb5.conf

Harald Barth-2

> [libdefaults]
> renew_lifetime = 30d
>
> in krb5.conf and tickets are renewable for 30 days by default here. Doesn't
> that work for you?

That works, but I don't think it enables me to say: "I want renewable
and just give me the default from the KDC" like with the --renewable
command line flag. Maybe I could set renew_lifetime = 1y and always
get max (as 1y is capped by the KDC), but is that the same thing (is
the default given by the KDC == maximum possible by the KDC)?

Harald.


>
> Cheers,
> Andreas
> --
> | Andreas Haupt            | E-Mail: [hidden email]
> |  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
> |  Platanenallee 6         | Phone:  +49/33762/7-7359
> |  D-15738 Zeuthen         | Fax:    +49/33762/7-7216
>
>
Re: renewable in krb5.conf

Jeffrey Altman-2
On 3/15/2018 4:57 AM, Andreas Haupt wrote:

> Hi Harald,
>
> On Thu, 2018-03-15 at 09:30 +0100, Harald Barth wrote:
>> Is there really no way to make kinit have "renewable" as default (like
>> "forwardable" in [libdefaults] in /etc/krb5.conf)?
>>
>> If no, is there any good reason for it?
>
> We have:
>
> [libdefaults]
> renew_lifetime = 30d



You also need to specify

   renewable = true

if you want all tickets to be requested as renewable. renew_lifetime
simply sets the default renew lifetime to request.

As far as I am concerned the client should always request the maximum
supported "lifetime" and "renew_lifetime" in order to permit the KDC
settings to take precedence.

Unfortunately, KDC implementation choices mean that there is no well
defined value for maximum lifetime and renew_lifetime.  180 days appears
to be safe enough.




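To make the two settings discussed above concrete, here is an added example (not code from MIT krb5 or Heimdal, and not posted by anyone in this thread) that reads the [libdefaults] relations from a krb5.conf, parses the durations in MIT krb5's documented duration syntax (h:m[:s], NdNhNmNs, or a bare number of seconds), and reports what a plain "kinit" would ask for. It follows Greg Hudson's reading later in the thread: the renewable KDC option is requested exactly when the renew lifetime is non-zero, and a bare "renewable = true" line is not consumed by either library. The sample configuration is constructed for the example; anything outside the documented duration forms, such as the "1y" mentioned above, is rejected by this parser, and how the real libraries treat such a value is not checked here.

```python
"""Report the ticket-lifetime request a kinit would build from krb5.conf.

Added example for this thread, not code from MIT krb5 or Heimdal.  The
duration syntax is MIT krb5's documented 'duration' type; the decision of
which keys actually influence the request follows the posts in the thread
(renewable requested iff renew_lifetime is non-zero; 'renewable' key ignored).
"""
import re

# Constructed sample krb5.conf, not a real site's configuration.  It combines
# Andreas's renew_lifetime = 30d with the 'renewable = true' line from Jeff.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    forwardable = true
    renewable = true
    renew_lifetime = 30d
    ticket_lifetime = 10:00

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""


def parse_duration(text):
    """Convert an MIT krb5 duration string to seconds.

    Accepts 'h:m', 'h:m:s', 'NdNhNmNs' (any subset of units, in that order)
    or a bare integer number of seconds.  Other forms, e.g. '1y', raise
    ValueError: the documented format has no year unit."""
    text = text.strip()
    if re.fullmatch(r"\d+", text):
        return int(text)
    m = re.fullmatch(r"(\d+):(\d+)(?::(\d+))?", text)
    if m:
        h, mi, s = (int(x or 0) for x in m.groups())
        return h * 3600 + mi * 60 + s
    m = re.fullmatch(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if m and text:
        d, h, mi, s = (int(x or 0) for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    raise ValueError("not a krb5 duration: %r" % text)


def parse_libdefaults(conf_text):
    """Return the flat key/value relations of [libdefaults] as a dict.

    Minimal profile-file reader: '[name]' opens a section, 'key = value' is a
    relation, lines starting with '#' or ';' are comments, and nested
    '{ ... }' groups (as used in [realms]) are skipped."""
    section, depth, out = None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key.lower()] = value
    return out


def _is_true(value):
    return value.strip().lower() in ("true", "yes", "on", "1", "t", "y")


def planned_request(libdefaults):
    """Describe the AS-REQ lifetime fields a flag-less kinit would build.

    ticket_lifetime defaults to 1 day and renew_lifetime to 0, as in MIT's
    documentation.  renewable is requested only when renew_lifetime is
    non-zero; a 'renewable' relation is reported as present but unused."""
    ticket = parse_duration(libdefaults.get("ticket_lifetime", "1d"))
    renew = parse_duration(libdefaults.get("renew_lifetime", "0"))
    return {
        "ticket_lifetime": ticket,
        "renew_lifetime": renew,
        "forwardable": _is_true(libdefaults.get("forwardable", "false")),
        "renewable_requested": renew > 0,
        "renewable_key_present_but_unused": "renewable" in libdefaults,
    }


if __name__ == "__main__":
    for k, v in planned_request(parse_libdefaults(SAMPLE_KRB5_CONF)).items():
        print("%-34s %s" % (k, v))
```

Running it on the sample prints a 10 hour ticket lifetime, a 30 day renew lifetime with renewable requested, and flags the "renewable" relation as present but unused; dropping renew_lifetime from the sample turns renewable_requested off even though "renewable = true" is still there.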
Re: renewable in krb5.conf

Harald Barth-2

> You also need to specify
>
>    renewable = true

I think this only makes a difference for the MIT library. My tests
suggest that. Correct?

Harald.


Re: renewable in krb5.conf

Greg Hudson
On 03/15/2018 08:02 AM, Harald Barth wrote:
>> You also need to specify
>>
>>    renewable = true
>
> I think this only makes a difference for the MIT library. My tests
> suggest that. Correct?

From a look at the Heimdal and MIT krb5 code, it doesn't appear to me
that either library does anything with a "renewable" krb5.conf variable.
Both libraries appear to set the renewable KDC option when renew_till
is non-zero.

> "I want renewable
> and just give me the default from the KDC" like with the --renewable
> command line flag.

This option doesn't appear to really request the KDC maximum; it sets a
renewable lifetime of six months (kuser/kinit.c:556).

Jeff Altman wrote:
> As far as I am concerned the client should always request the maximum
> supported "lifetime" and "renew_lifetime" in order to permit the KDC
> settings to take precedence.
>
> Unfortunately, KDC implementation choices mean that there is no well
> defined value for maximum lifetime and renew_lifetime.  180 days appears
> to be safe enough.

[Mostly out of curiosity:]

From a protocol perspective, "till" isn't optional in the ASN.1
encoding, but sending 19700101000000Z (the encoding of POSIX timestamp
0) requests the KDC maximum.  "rtime" is optional, but RFC 4120 states
that it will be set when the renewable option is requested, and there is
no defined value for requesting the KDC maximum.

MIT krb5's KDC appears to respect an rtime of 19700101000000Z as being
the KDC maximum (going back to 1.0).  Heimdal's KDC appears to behave
similarly (although if the rtime field is omitted from the KDC-REQ-BODY
encoding, Heimdal will ignore the renewable option).  I don't have any
visibility into the Windows KDC and [MS-KILE] doesn't say anything
specific, so perhaps there lies the KDC implementation choice Jeff
refers to.

From a client perspective, both libraries appear to make it difficult to
set a request till or rtime of 19700101000000Z, so changes would be
needed to make it possible to configure clients to behave as Jeff
suggests.  Of course you can just request a very long lifetime and
renewable lifetime.
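The till/rtime discussion above is easier to follow with the encoding in front of you, so here is an added example (not MIT or Heimdal code, and not from any poster) that encodes KerberosTime as used in the KDC-REQ-BODY, builds the till/rtime/renewable fields a client would send, and runs them through a deliberately simplified model of a KDC that, as Greg describes for the MIT KDC, treats 19700101000000Z (POSIX time 0) in till or rtime as "the KDC maximum" and otherwise clamps to its configured maxima. The KDC side is a model for illustration: the rule that a renewable option without an rtime is ignored mirrors Greg's description of Heimdal, and the clamping to max_life/max_renewable_life is the behaviour the thread relies on, not a transcription of either KDC's source. The timestamps and KDC limits are constructed for the example.

```python
"""Model the till/rtime request fields and how a KDC caps them.

Added example for this thread, not MIT or Heimdal code.  KerberosTime is the
15-character GeneralizedTime form 'YYYYMMDDhhmmssZ'.  kdc_issue() is a
simplified model: POSIX time 0 (19700101000000Z) in till/rtime means 'give
me the KDC maximum', anything else is clamped to the KDC's maxima.
"""
import calendar
import time

KDC_MAXIMUM = 0  # POSIX timestamp 0, which encodes as 19700101000000Z


def encode_kerberos_time(posix):
    """Encode a POSIX timestamp as KerberosTime (UTC, second precision)."""
    return time.strftime("%Y%m%d%H%M%SZ", time.gmtime(posix))


def decode_kerberos_time(text):
    """Decode KerberosTime back to a POSIX timestamp."""
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError("not a KerberosTime: %r" % text)
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%SZ"))


def build_req_body(now, lifetime, renew_lifetime, ask_kdc_max=False):
    """Return the till, rtime and renewable fields of a KDC-REQ-BODY.

    till is mandatory in the ASN.1; rtime is present only when the renewable
    option is requested (RFC 4120), which both client libraries tie to a
    non-zero renew lifetime.  ask_kdc_max sends the epoch-0 sentinel in
    both fields, the encoding the thread identifies as 'KDC maximum'."""
    if ask_kdc_max:
        till, rtime, renewable = KDC_MAXIMUM, KDC_MAXIMUM, True
    else:
        till = now + lifetime
        renewable = renew_lifetime > 0
        rtime = now + renew_lifetime if renewable else None
    return {
        "till": encode_kerberos_time(till),
        "rtime": encode_kerberos_time(rtime) if rtime is not None else None,
        "renewable": renewable,
    }


def kdc_issue(body, now, max_life, max_renewable_life):
    """Simplified KDC: return the ticket's endtime and renew_till.

    Model, not real KDC code.  The sentinel requests the maximum; other
    values are clamped to now + max.  A renewable option without an rtime is
    ignored (as described for Heimdal), and a renew_till that does not reach
    past endtime yields a non-renewable ticket."""
    till = decode_kerberos_time(body["till"])
    endtime = now + max_life if till == KDC_MAXIMUM else min(till, now + max_life)
    if not body["renewable"] or body["rtime"] is None:
        return {"endtime": endtime, "renew_till": None}
    rtime = decode_kerberos_time(body["rtime"])
    renew_till = (now + max_renewable_life if rtime == KDC_MAXIMUM
                  else min(rtime, now + max_renewable_life))
    if renew_till <= endtime:
        return {"endtime": endtime, "renew_till": None}
    return {"endtime": endtime, "renew_till": renew_till}


def compare_requests(now, max_life, max_renewable_life, requested_renew):
    """Does asking for requested_renew seconds match asking for the maximum?

    Returns (long_request_result, sentinel_result, same)."""
    long_req = kdc_issue(build_req_body(now, max_life, requested_renew),
                         now, max_life, max_renewable_life)
    sentinel = kdc_issue(build_req_body(now, 0, 0, ask_kdc_max=True),
                         now, max_life, max_renewable_life)
    return long_req, sentinel, long_req == sentinel


if __name__ == "__main__":
    # Constructed values: a Thursday in March 2018, a 10h/7d KDC.
    NOW, MAX_LIFE, MAX_RENEW = 1521100000, 10 * 3600, 7 * 86400
    print(build_req_body(NOW, 0, 0, ask_kdc_max=True))
    for asked in (3600, 7 * 86400, 30 * 86400, 180 * 86400):
        long_req, sentinel, same = compare_requests(NOW, MAX_LIFE, MAX_RENEW, asked)
        print("renew_lifetime %8ds -> renew_till %s, same as KDC max: %s"
              % (asked, long_req["renew_till"], same))
```

In this model a 30 or 180 day renew_lifetime and the epoch-0 sentinel come out identical because both are capped to the KDC's 7 day maximum, which is Harald's "request something longer than the cap" idea; a renew_lifetime below the KDC maximum gets exactly what it asked for, and one that does not outlast the ticket itself produces a non-renewable ticket. Whether a particular KDC honours the sentinel in rtime is exactly the implementation question Greg raises for Windows, so treat that branch as MIT/Heimdal behaviour only.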