rxgk token expiry (was Re: [AFS3-std] Re: afs3-rxgk-updates for 03)

Benjamin Kaduk kaduk@MIT.EDU
Wed, 31 Oct 2012 20:15:07 -0400 (EDT)
On Mon, 29 Oct 2012, Jeffrey Hutzelman wrote:

> On Mon, 2012-10-29 at 16:57 -0500, Andrew Deason wrote:
>
>>> commit 13a2d01b722969da997f1878ad176991fb0ffabc
>>> Author: Ben Kaduk <kaduk@mit.edu>
>>> Date:   Wed Oct 24 23:26:49 2012 -0400
>>>
>>>     Clarify token expiry
>>
>> For krb5-based tokens, does this have any relevance for renewable
>> tickets? That is, if our expiration time is in 10 hours, but we are
>> renewable for 7 days, we want this field to specify the 'expiration
>> time' in 7 days from now, not 10 hours, correct? Or does that just
>> result in an entirely new connection because the token is effectively
>> entirely new? (I feel like this is obvious, but after reading this text
>> for a while I tend to get confused easily... :)
>
> No, the token has to expire in 10 hours, when the ticket does.  The
> renewable lifetime of a ticket only tells you for how long the KDC will
> let you get a new ticket by presenting the old one to the TGS.

I agree with jhutz; we must use the ticket that we have, not the ticket 
that we could have.

-Ben