[OpenAFS] Is infinite ticket lifetime possible?
Russ Allbery
rra@stanford.edu
Thu, 05 May 2005 08:57:50 -0700

Chris Crowther <chris@jm-crowther.co.uk> writes:
> Alvin Chan wrote:
>> From the document, the maximum ticket lifetime for authentication is
>> 720 hours. But what if I want the ticket to never expire? Is it possible
>> to do this?
> As far as I'm aware: no; for the simple reason that you shouldn't be
> doing it. If something needs to have permissions for extended amounts
> of time the chances are it's a server or dedicated host of some variety;
> you should be using a machine ACL instead.

I would not recommend using machine ACLs. The permission they grant is a
bit broad (anything on the machine, rather than a particular user plus
root), and they have some interesting quirks in how the file server
notices new ones.

Rather, I would recommend using a keytab (or srvtab if you're using K4)
combined with something like:

<http://www.eyrie.org/~eagle/software/kstart/>

or one of the several other programs that does similar things to maintain
a ticket cache and token for your program.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>