Updated: 2022-06-27 00:20:05
A Kerberos ticket has a lifetime (e.g. 10 hours) and a renewable lifetime (e.g. 7 days). As long as the ticket is still valid and is still renewable, you can request a "free" renewal (no password required), and the lifetime counter is reset (e.g. 10h to go, again).
When creating the ticket, each "lifetime" is set as the MIN() of 3 values:
/etc/krb5.conf (check the MIT documentation under ticket_lifetime and renew_lifetime)
kinit command has -l and -r options)
Bottom line: if your KDC does not serve renewable tickets because max_renewable_life = 0 then clients will have to get a new ticket every max_life (or less, if their local ticket_lifetime is smaller).
PS: if the ticket is stored in the default cache then you can use klist to check the end-of-(renewable)-life time.
PPS: I remember some complaints about Java API (JAAS) not allowing apps to request renewable Kerberos tickets... Check if it's still the case.
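
As an added illustration (not part of the original answer), this Python example reads klist output and works out whether the ticket can still be renewed without a password and when the renewed ticket would end. The sample output, the principal alice@EXAMPLE.COM, the date layout and the function names are assumptions made for the example.

```python
import re
from datetime import datetime

FMT = "%m/%d/%Y %H:%M:%S"  # assumed date layout; klist output varies with locale
STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+krbtgt/\S+")
RENEW = re.compile(rf"^\s+renew until ({STAMP})")

# Constructed sample of MIT klist output (hypothetical principal and realm).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/27/2022 00:20:05  06/27/2022 10:20:05  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 07/04/2022 00:20:05
"""


def parse_tgt(text):
    """Return (start, end, renew_until or None) for the krbtgt entry."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TICKET.match(line)
        if not m:
            continue
        start, end = (datetime.strptime(g, FMT) for g in m.group(1, 2))
        # A renewable ticket carries an indented "renew until" line below it.
        nxt = RENEW.match(lines[i + 1]) if i + 1 < len(lines) else None
        renew = datetime.strptime(nxt.group(1), FMT) if nxt else None
        return start, end, renew
    raise ValueError("no krbtgt entry in klist output")


def next_step(text, now):
    """Return (action, time): what the client can do at `now`."""
    start, end, renew_until = parse_tgt(text)
    if now >= end:
        return "reauthenticate", None  # an expired ticket cannot be renewed
    if renew_until is None or now >= renew_until:
        # Valid but not renewable: a new ticket is needed once it expires.
        return "reauthenticate-at-expiry", end
    # Renewal (kinit -R) restarts the lifetime counter, capped at renew_until.
    return "renew", min(now + (end - start), renew_until)


if __name__ == "__main__":
    print(next_step(SAMPLE, datetime(2022, 6, 27, 5, 0, 0)))
```

The third case in next_step is the one the answer calls a "free" renewal; the other two are what clients face when the KDC serves no renewable tickets.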