[OpenAFS] token lifetime

Brian Sebby sebby@anl.gov
Fri, 6 Jul 2012 14:56:53 -0500

The lifetime of a Kerberos ticket is a security measure to prevent someone
from being able to use your credentials if they can crack your ticket/token.
AFS still uses DES for its tokens, which is incredibly easy to crack these
days.  The limited lifetime is part of what prevents this from being an 
incredibly large security issue.  If you have lifetimes that long, with DES,
you might as well just run your servers with -noauth to turn off all 
authentication.  (Please please please do not actually do this.)

If you want long-lived tickets, look into using kinit -r, k5start, or any
of the other tools for extending the lifetime of a ticket/token.


On Fri, Jul 06, 2012 at 06:44:46PM +1000, Jayen Ashar wrote:
> On Fri, Jul 6, 2012 at 6:08 PM, Jeffrey Altman
> <jaltman@secure-endpoints.com> wrote:
> > The code in question is tkt_DecodeTicket5() in src/rxkad/ticket5.c and
> > tkt_CheckTimes() in src/rxkad/ticket.c.    If the 'end' value is not
> > exactly NEVERDATE (0xFFFFFFFF) and ('end' - 'start' is greater than
> > 30 days, the token will be rejected.
> Can I do anything (without changing code) to make the end 0xFFFFFFFF?
> As far as I can set, the end is only 0x7FFFFFFF.  If not, is it
> reasonable to change the 'end' - 'start' to 180 days?
> Thanks,
> Jayen
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

Brian Sebby  (sebby@anl.gov)  |  Infrastructure and Operation Services
Phone: +1 630.252.9935        |  Computing and Information Systems
Fax:   +1 630.252.4601        |  Argonne National Laboratory