36

I have started with configuring kerberos.

Can anyone explain the ticket lifetime and renew lifetime we set in the krb5.conf file?

ticket_lifetime = 2d  
renew_lifetime = 7d

Is it like:

  1. After 2 days will the client get a new renewed ticket?
  2. After 7 days do I need to create the keytabs again and send them to the client machines?
CharlesB
saiyan

2 Answers

64

A Kerberos ticket has two lifetimes: a ticket lifetime and a renewable lifetime. After the end of the ticket lifetime, the ticket can no longer be used. However, if the renewable lifetime is longer than the ticket lifetime, anyone holding the ticket can, at any point before either lifetime expires, present the ticket to the KDC and ask for a new ticket. That new ticket will generally have a fresh ticket lifetime dating from the current time, although constrained by the renewable ticket lifetime.

That means you have to renew a ticket before it expires. You can't renew a ticket after it expires. But renewing a ticket doesn't require re-entering credentials, like a password or the key from the keytab. It can therefore be done quietly on the user's behalf by a program. (There are, for example, some system background utilities for Windows, Linux, and Mac OS X that watch the user's Kerberos tickets and renew them as needed up to the renewable lifetime.)

After the renewable lifetime is exhausted, or if one doesn't renew the ticket before the ticket lifetime expires, you have to re-enter credentials or use the key from a keytab.

Security-wise, the advantage of renewable tickets over tickets that just have a long lifetime is that the KDC can decline the renew request (if, for example, it had been discovered that the account was compromised and the renewable ticket may be in the hands of an attacker).

Renewable lifetimes don't have anything to do with keytabs. A keytab is good until you change the key for the principal, potentially forever.

rra
  • I wanted to test these values (renew_lifetime, ticket_lifetime). I did a kinit from my host, $kinit /@ -kt, and I get a valid ticket in my ticket cache. Then after the renew_lifetime expiration, I can do the kinit again, and I am able to get the tickets in the ticket cache. This seems a little confusing. The MIT Kerberos documentation says a ticket is not renewable once the renew_lifetime duration is over. – amitmula Nov 29 '16 at 08:06
  • When you do a kinit from a keytab, you are not renewing your ticket. You are getting a brand new ticket, authenticating with the long-term key in the keytab. As mentioned above, keytabs do not expire. They're equivalent to the password for the Kerberos principal. To test the values, use klist (which will show renew lifetime) and kinit -R (to renew a ticket). – rra Jan 16 '17 at 01:47
  • This is not true for my use case regarding this clause: "However, if the renewable lifetime is longer than the ticket lifetime, anyone holding the ticket can, at any point before either lifetime expires". Per my test, it has to be at least 2 mins before the expiration in my case, otherwise "kinit -R" will throw "init: Ticket expired while renewing credentials" – Keith Jan 19 '18 at 09:56
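To make the two lifetimes from the accepted answer concrete, here is an added Python example (not code from the answer, the asker, or MIT Kerberos) that parses a constructed `klist` listing and models when `kinit -R` can succeed and what expiry the renewed ticket gets. It assumes klist's default MIT date format and the 2d/7d values from the question.

```python
"""Model the two Kerberos lifetimes described in the answer above.

Assumed (not from the post): klist output in MIT's default date format,
and the ticket_lifetime = 2d / renew_lifetime = 7d values from the question.
"""
import re
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(days=2)   # ticket_lifetime = 2d
FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample `klist` output for a renewable TGT (not a real cache):
# expires = valid starting + 2d, renew until = valid starting + 7d.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
11/29/2016 08:06:00  12/01/2016 08:06:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 12/06/2016 08:06:00
"""
TGT_RE = re.compile(
    r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/\S+\n\s*renew until (\S+ \S+)", re.M)

def at(s):
    """Parse a timestamp written in klist's format."""
    return datetime.strptime(s, FMT)

def parse_tgt(klist_text):
    """Return (valid_from, expires, renew_until) of the krbtgt entry."""
    m = TGT_RE.search(klist_text)
    if not m:
        raise ValueError("no renewable krbtgt ticket in klist output")
    return tuple(at(s) for s in m.groups())

def renew(ticket, now):
    """What `kinit -R` does at time `now`: allowed only while the ticket is
    still valid and the renewable lifetime has not run out; the renewed
    ticket gets a fresh ticket_lifetime, capped at the original renew-until."""
    _, expires, renew_until = ticket
    if now >= expires:
        raise RuntimeError("Ticket expired while renewing credentials")
    if now >= renew_until:
        raise RuntimeError("renewable lifetime exhausted; a new kinit is needed")
    return (now, min(now + TICKET_LIFETIME, renew_until), renew_until)

def needs_renewal(ticket, now, margin=timedelta(minutes=10)):
    """Watchdog rule: renew once less than `margin` of lifetime is left,
    but only while a renewal can still succeed."""
    _, expires, renew_until = ticket
    return now < expires and now < renew_until and expires - now <= margin
```

Once the renew-until time is reached, `renew` refuses just as the KDC would, and the only way forward is a fresh `kinit` with the password or keytab.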
1

There are two parts to this. One is the ticket max life, which is by default 1 day as set in the /etc/krb5.conf file. Now when we create any principal, its ticket maxlife is the same as the krb5.conf ticket_lifetime. If we want to change the ticket lifetime for the user, then give the command modprinc -maxlife "10 hrs" username.

Finally, while generating the ticket we can set the life of that ticket: give the ticket life with kinit.

So there are three lifetimes:

  • kerberos ticket lifetime
  • principal max ticket lifetime, which will be less than or equal to the kerberos lifetime.
  • kinit lifetime, which is less than or equal to the principal ticket lifetime.
Avinav Mishra