[Freeipa-users] How to change kerberos key lifetime?
David Kupka
dkupka at redhat.com
Fri Feb 17 06:49:41 UTC 2017
On Thu, Feb 16, 2017 at 06:05:48PM -0500, William Muriithi wrote:
> David
>
>
> >
> > The fact that your desktops are using SSSD changes the situation dramatically.
> >
> > SSSD (with ipa or krb5 provider) obtains a ticket for the user when he is
> > logging in. It can also be configured to renew the ticket for the user until
> > the ticket's renewable lifetime expires.
> >
> > Given this, you can keep the ticket lifetime reasonably short (~1 day), set the
> > ticket renewable lifetime to a longer period (~2 weeks) and maintain a reasonable
> > security level without negative impact on the user's daily work.
> >
> > Look for the krb5_renew_interval, krb5_lifetime and krb5_renewable_lifetime
> > options in the sssd-krb5 man page.
> >
> Thanks a lot. I did actually end up using this. Will wait for a
> couple of days and see if the situation is better and
> update you.
>
> Curious though, why isn't the renewal interval set up by default? Is there
> a negative consequence of having SSSD renewing tickets by default? I
> can't think of any and hence am a bit lost on explaining the default
> setup.
>
> --
> Regards,
> William
Honestly, I don't know why krb5_renew_interval isn't set by default.
My wild guess would be that in a typical SSSD deployment the user logs in at the
beginning of the work day, SSSD gets a ticket that lasts for a day for him and he
logs out at the end of the workday (after 8~10 hours). So there's no need to
refresh it.
But feel free to open a ticket for SSSD [1] and describe your use case. I don't
know SSSD that well and maybe there's no reason against setting it by default.
[1] https://fedorahosted.org/sssd/newticket
--
David Kupka
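
Added example, not part of the original thread and not SSSD's own tooling: a Python check that reads an sssd.conf and flags domains where the three sssd-krb5 options named above are missing or inconsistent with each other. The sample file, the domain names and the one-day `max_lifetime` threshold are assumptions; the defaults and the half-lifetime renewal rule follow the sssd-krb5 man page.

```python
import configparser
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Constructed sample sssd.conf; domain names are placeholders.
SAMPLE = """
[sssd]
domains = renewing.example.test, default.example.test

[domain/renewing.example.test]
krb5_lifetime = 1d
krb5_renewable_lifetime = 14d
krb5_renew_interval = 1h

[domain/default.example.test]
krb5_lifetime = 7d
"""

def to_seconds(value):
    """sssd-krb5 duration: integer plus optional s/m/h/d unit (seconds if omitted)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", (value or "").strip())
    return int(m.group(1)) * UNITS[m.group(2) or "s"] if m else None

def audit(conf_text, max_lifetime=86400):
    """Map each [domain/...] section to findings; max_lifetime (~1 day) is assumed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue  # [sssd], [pam], ... carry no Kerberos ticket options
        life, renewable, interval = (to_seconds(cp[name].get(k)) for k in (
            "krb5_lifetime", "krb5_renewable_lifetime", "krb5_renew_interval"))
        found = []
        # Renewal needs a non-zero check interval and a renewable TGT.
        if not interval:
            found.append("krb5_renew_interval unset or 0: automatic renewal is off")
        if renewable is None:
            found.append("krb5_renewable_lifetime unset: TGT is not renewable")
        elif life and renewable <= life:
            found.append("renewable lifetime does not exceed ticket lifetime")
        if life and life > max_lifetime:
            found.append("krb5_lifetime is longer than max_lifetime")
        # SSSD renews at a check once about half the lifetime has passed.
        if life and interval and 2 * interval >= life:
            found.append("renew interval too long: ticket can expire between checks")
        report[name] = found
    return report
```

Calling `audit(open("/etc/sssd/sssd.conf").read())` as root applies the same checks to a live configuration.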