[OpenAFS] Is infinite ticket lifetime possible?

Russ Allbery rra@stanford.edu
Thu, 05 May 2005 08:57:50 -0700


Chris Crowther <chris@jm-crowther.co.uk> writes:
> Alvin Chan wrote:

>> From the document, the maximum ticket lifetime for authentication is
>> 720 hours. But what if I want the ticket to never expire? Is it possible
>> to do this?

> As far as I'm aware: no; for the simple reason that you shouldn't be
> doing it.  If something needs to have permissions for extended amounts
> of time the chances are it's a server or dedicated host of some variety;
> you should be using a machine ACL instead.

I would not recommend using machine ACLs.  The permission they grant is a
bit broad (anything on the machine, rather than a particular user plus
root), and they have some interesting quirks in how the file server
notices new ones.

Rather, I would recommend using a keytab (or srvtab if you're using K4)
combined with something like:

    <http://www.eyrie.org/~eagle/software/kstart/>

or one of the several other programs that does similar things to maintain
a ticket cache and token for your program.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
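
Added example, not part of the original message or of the kstart distribution: a shell wrapper for the keytab-plus-kstart approach recommended above, which refuses a keytab that other local users could read before handing it to k5start. The keytab path, cache path and function names are assumptions, and the k5start options are those of current kstart releases.

```shell
#!/bin/sh
# Added example: keep a Kerberos ticket cache and AFS token alive for a
# long-running job from a keytab, using k5start from the kstart package.
# KEYTAB and CCACHE are assumed placeholder paths; override via environment.

KEYTAB=${KEYTAB:-/etc/myjob.keytab}
CCACHE=${CCACHE:-/tmp/krb5cc_myjob}

# A keytab holds a long-term key, so anyone who can read it can obtain
# tickets as that principal indefinitely. Accept only a regular file
# (not a symlink) with no group or other permission bits set.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Run "$@" under k5start so the job always has a fresh ticket and token:
#   -f  keytab to authenticate from
#   -U  take the principal name from the keytab
#   -k  ticket cache to maintain
#   -t  also obtain an AFS token (k5start runs aklog)
#   -K  wake up every N minutes and re-authenticate before expiry
run_with_tickets() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing $KEYTAB: missing, a symlink, or group/other-accessible" >&2
        return 1
    }
    k5start -f "$KEYTAB" -U -k "$CCACHE" -t -K 60 -- "$@"
}

# Usage (hypothetical job path):
#   run_with_tickets /usr/local/bin/myjob --some-option
```

The tickets themselves keep their normal, finite lifetime; the long-lived secret is the keytab, which is why the wrapper checks its permissions before every start.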