[Freeipa-users] How to change kerberos key lifetime?

William Muriithi william.muriithi at gmail.com
Thu Feb 16 23:05:48 UTC 2017


David


>
> The fact that your desktops are using SSSD changes the situation dramatically.
>
> SSSD (with ipa or krb5 provider) obtains a ticket for the user when he is
> logging in, and can be configured to renew the ticket for the user until the
> ticket renew life time expires.
>
> Given this you can keep the ticket life time reasonably short (~1 day), set the
> ticket renewable life time to a longer period (~2 weeks) and maintain a
> reasonable security level without negative impact on the user's daily work.
>
> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> in sssd-krb5 man page.
>
Thanks a lot. I did actually end up using this. Will wait for a
couple of days and see if the situation is better and
update you.

Curious though, why isn't the renewal interval set up by default? Is there
a negative consequence of having SSSD renewing tickets by default? I
can't think of any and hence am a bit lost on explaining the default
setup.
Regards,
William
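
Added example, not part of the original thread: a small Python check that reads the `[domain/...]` sections of an sssd.conf and flags settings under which SSSD will not keep tickets renewed, using the three options named in the quoted reply. The sample file, the domain names and the `1h` interval are constructed assumptions; the ~1 day and ~2 week values follow the reply.

```python
import configparser
import re

# Constructed sample sssd.conf; domain names and values are assumptions.
SAMPLE_CONF = """
[domain/example.test]
id_provider = ipa
krb5_lifetime = 1d
krb5_renewable_lifetime = 14d
krb5_renew_interval = 1h

[domain/legacy.test]
id_provider = ipa
krb5_lifetime = 14d
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Integer plus optional unit s/m/h/d (no unit means seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def audit(conf_text):
    """Return {domain section: [findings]} for the ticket lifetime options."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        opts, findings = cp[name], []
        interval = to_seconds(opts.get("krb5_renew_interval", "0"))
        life = opts.get("krb5_lifetime")
        renewable = opts.get("krb5_renewable_lifetime")
        if interval == 0:
            findings.append("renewal disabled: krb5_renew_interval unset or 0")
        if renewable is None:
            findings.append("krb5_renewable_lifetime unset: ticket not requested as renewable")
        elif life and to_seconds(renewable) <= to_seconds(life):
            findings.append("renewable lifetime does not exceed ticket lifetime")
        if life and interval and interval >= to_seconds(life):
            findings.append("renew check interval is not shorter than ticket lifetime")
        report[name] = findings
    return report

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_CONF).items():
        print(domain, findings or "ok")
```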
