[Freeipa-users] How to change kerberos key lifetime?

David Kupka dkupka at redhat.com
Thu Feb 16 13:48:30 UTC 2017


On Thu, Feb 16, 2017 at 07:54:47AM -0500, William Muriithi wrote:
> Morning David,
> 
> Thank you very much for your help.
> 
> > first you're mentioning "key expiry" but if I understand correctly you're
> > interested in "ticket lifetime".
> Yes, want to increase ticket lifetime.
> >
> > As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> > 1) maxlife for the user principal
> > 2) maxlife for the service [principal]
> > 3) max_life in the kdc.conf
> > 4) requested lifetime in the ticket request
> >
> > You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> > [libdefaults] in /etc/krb5.conf on client).
> >
> > To increase 2) you need to change maxlife for krbtgt service. There're two ways
> > this can be done:
> > a) modifying krbMaxTicketLife attribute in
> > krbPrincipalName=krbtgt/EXAMPLE.ORG@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> > b) using kadmin.local:
> > # kadmin.local
> > Authenticating as principal admin/admin@EXAMPLE.ORG
> > : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> > Principal "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" modified.
> > : exit
> 
> Will try 2 b and see how it goes
> 
> >
> > To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
> > and restart krb5kdc service.
> >
> 
> okay, wasn't actually aware of this.  Will look at it
> 
> > But generally I don't think it's a good idea to have such long tickets. Would
> > it make sense in your use case to deploy SSSD on user systems to handle
> > Kerberos tickets for them?
> >
> I am actually using SSSD on all the systems, even the desktops.  I
> agree the changes above aren't ideal and would prefer to get SSSD
> working well.  I would like to avoid this error showing up around
> every 12 hours.
> 
> antimony:  Could not chdir to home directory /home/william: Key has expired
> 
> 
> Regards,
> William

Hello William!

The fact that your desktops are using SSSD changes the situation dramatically.

SSSD (with the ipa or krb5 provider) obtains a ticket for the user when they
log in, and can be configured to renew the ticket for the user until the
ticket's renewable lifetime expires.

Given this, you can keep the ticket lifetime reasonably short (~1 day), set the
renewable lifetime to a longer period (~2 weeks), and maintain a reasonable
security level without a negative impact on users' daily work.

Look for the krb5_renew_interval, krb5_lifetime and krb5_renewable_lifetime
options in the sssd-krb5 man page.

-- 
David Kupka
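The "minimum of four values" rule above is the part people trip over: raising the krbtpolicy alone does nothing while krbtgt's maxlife or kdc.conf's max_life still says one day. The script below is an added example, not code from the thread, FreeIPA or SSSD. It parses krb5-style durations (a simplified re-implementation of the syntax, not the library's own parser: plain seconds, NdNhNmNs with word units such as "10day", and [N-]HH:MM[:SS]), reports which of the four settings is capping the ticket, prints the change that raises it, and sanity-checks an SSSD renewal configuration. The realm EXAMPLE.ORG is taken from the thread; all durations in the demo are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or SSSD): find the setting that
# actually caps the Kerberos ticket lifetime and check an SSSD renewal setup.

# parse_duration DURATION -> seconds on stdout, exit 1 on a form it cannot read.
# Simplified re-implementation of krb5's duration syntax, not the real parser:
# plain seconds, NdNhNmNs (word units like "10day"/"2hours" allowed), [N-]HH:MM[:SS].
parse_duration() {
    printf '%s\n' "$1" | awk '
    {
        s = tolower($0); gsub(/ /, "", s); total = 0
        if (s ~ /^[0-9]+$/) { print s; exit }
        if (s ~ /^([0-9]+-)?[0-9]+:[0-9]+(:[0-9]+)?$/) {
            if (s ~ /-/) { split(s, p, "-"); total += p[1] * 86400; s = p[2] }
            n = split(s, t, ":")
            total += t[1] * 3600 + t[2] * 60 + (n == 3 ? t[3] : 0)
            print total; exit
        }
        while (match(s, /^[0-9]+[a-z]+/)) {
            tok = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
            n = tok; sub(/[a-z]+$/, "", n)
            u = tok; sub(/^[0-9]+/, "", u)
            if      (u ~ /^d(ays?)?$/)       total += n * 86400
            else if (u ~ /^h(ours?)?$/)      total += n * 3600
            else if (u ~ /^m(in(ute)?s?)?$/) total += n * 60
            else if (u ~ /^s(ec(ond)?s?)?$/) total += n
            else { print "bad unit: " u > "/dev/stderr"; exit 1 }
        }
        if (s != "") { print "cannot parse: " s > "/dev/stderr"; exit 1 }
        print total
    }'
}

# effective_lifetime USER_MAXLIFE KRBTGT_MAXLIFE KDC_MAX_LIFE REQUESTED
# -> "<seconds> <limiting setting[,setting...]>". The ticket you get is the
# minimum of the four, so raising any of the others changes nothing.
effective_lifetime() {
    best=""; who=""
    for pair in "user-policy:$1" "krbtgt-maxlife:$2" "kdc.conf-max_life:$3" "client-request:$4"; do
        name=${pair%%:*}; val=${pair#*:}
        secs=$(parse_duration "$val") || return 1
        if [ -z "$best" ] || [ "$secs" -lt "$best" ]; then
            best=$secs; who=$name
        elif [ "$secs" -eq "$best" ]; then
            who="$who,$name"
        fi
    done
    printf '%s %s\n' "$best" "$who"
}

# suggest_fix SETTING TARGET REALM -> the change that raises SETTING to TARGET.
# ipa krbtpolicy-mod takes seconds; kadmin.local and kdc.conf take duration strings.
suggest_fix() {
    case "$1" in
        user-policy)       printf 'ipa krbtpolicy-mod --maxlife=%s\n' "$(parse_duration "$2")" ;;
        krbtgt-maxlife)    printf 'kadmin.local -q "modprinc -maxlife %s krbtgt/%s@%s"\n' "$2" "$3" "$3" ;;
        kdc.conf-max_life) printf 'max_life = %s in the %s subsection of [realms] in /var/kerberos/krb5kdc/kdc.conf, then restart krb5kdc\n' "$2" "$3" ;;
        client-request)    printf 'ticket_lifetime = %s in [libdefaults] of /etc/krb5.conf on the client\n' "$2" ;;
        *) return 1 ;;
    esac
}

# sssd_renew_plan LIFETIME RENEWABLE INTERVAL -> [domain/...] lines for sssd.conf,
# exit 1 if they cannot work. sssd-krb5(5): the TGT is renewed once about half
# its lifetime has elapsed, and SSSD only looks every krb5_renew_interval, so the
# interval must fit inside that remaining half; a renewable lifetime no longer
# than the lifetime leaves nothing to renew.
sssd_renew_plan() {
    life=$(parse_duration "$1") || return 1
    renew=$(parse_duration "$2") || return 1
    every=$(parse_duration "$3") || return 1
    [ "$renew" -gt "$life" ] || { echo "renewable lifetime must exceed lifetime" >&2; return 1; }
    [ "$every" -lt $((life / 2)) ] || { echo "renew interval too long for lifetime" >&2; return 1; }
    printf 'krb5_lifetime = %s\nkrb5_renewable_lifetime = %s\nkrb5_renew_interval = %s\n' "$1" "$2" "$every"
}

# Constructed scenario matching the thread: krbtpolicy raised to 10 days and
# ticket_lifetime requested on the client, but krbtgt and kdc.conf still say 1 day.
REALM=EXAMPLE.ORG
result=$(effective_lifetime 864000 1d 24h 10d)
echo "effective: $result"                      # 86400 krbtgt-maxlife,kdc.conf-max_life
for s in $(echo "$result" | cut -d' ' -f2 | tr ',' ' '); do
    suggest_fix "$s" 10d "$REALM"
done
# The alternative David recommends: short tickets, long renewable window.
sssd_renew_plan 1d 14d 1h
```

The same minimum rule applies to the renewable lifetime: the value SSSD can renew up to is capped by the krbtpolicy maxrenew, the krbtgt maxrenewlife and max_renewable_life in kdc.conf, so check those three before expecting a two-week renewal window. Run `klist -f` after login; a TGT without the `R` flag will not be renewed no matter what sssd.conf says.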