[OpenAFS] Re: pam-afs-session 1.0 released

Russ Allbery rra@stanford.edu
Fri, 15 Dec 2006 12:20:12 -0800


Adam Megacz <megacz@cs.berkeley.edu> writes:
> Russ Allbery <rra@stanford.edu> writes:

>> Huh, interesting.  I assume that the usage scenario here is that
>> basically you want permanent AFS tokens for a user that you can still
>> invalidate if you need to?

> Oh, I hadn't thought of the invalidation aspect.  Is there some easy way
> to do this without that capability that I'm missing?

Sure, increase the ticket lifetime to something incredibly high.  I'm not
sure what the maximum ticket lifetime is, but I know it's at least several
weeks and I think more than that.

The problem with just increasing the ticket lifetime is that you can't do
anything about those issued tickets once they're out there until they
expire.  The advantage of forcing either a reauthentication or a renewal
is that then you can deactivate the account and have that take effect
within a reasonable amount of time.

Another possibility would be to use a regular ticket lifetime but increase
the maximum renewable lifetime to something like a year, and then just
background a krenew process for users when they log in.  Although you'd
still have the problem of getting rid of it when they log out properly
unless it was the parent of the shell.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
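A small model of the trade-off discussed above, added here as an illustration and not part of the thread or of pam-afs-session: it compares when a disabled account actually loses access under a single very long-lived ticket versus an ordinary lifetime plus a long renewable lifetime with krenew in the background. All timestamps, lifetimes and the renewal interval are constructed values; the KDC behaviour assumed is that a renewal request for a disabled principal is refused while an already-issued ticket stays valid until it expires.

```python
from datetime import datetime, timedelta

# Constructed scenario; the thread gives no concrete values.
LOGIN = datetime(2006, 12, 15, 9, 0)
DEACTIVATED = datetime(2006, 12, 16, 14, 0)   # admin disables the principal


def long_lived_ticket_ends(login, lifetime):
    """Option 1: one non-renewable ticket with a huge lifetime.
    The KDC is never consulted again, so disabling the account
    changes nothing until the ticket expires on its own."""
    return login + lifetime


def renewed_ticket_ends(login, lifetime, renew_life, deactivated, interval):
    """Option 2: ordinary ticket lifetime, long renewable lifetime, and a
    background krenew.  Model assumption: krenew asks the KDC for a renewal
    every `interval`; a renewal after `deactivated` is refused, so access
    ends when the last successfully renewed ticket expires, and never later
    than the renewable lifetime allows."""
    renew_until = login + renew_life
    expires = min(login + lifetime, renew_until)
    t = login
    while True:
        t += interval
        if t >= expires:
            break          # ticket lapsed before krenew got to it
        if t >= deactivated:
            break          # KDC refuses: principal is disabled
        expires = min(t + lifetime, renew_until)
    return expires


def revocation_latency(ends, deactivated):
    """How long after deactivation the user keeps valid credentials."""
    return max(ends - deactivated, timedelta(0))


if __name__ == "__main__":
    e1 = long_lived_ticket_ends(LOGIN, timedelta(days=90))
    e2 = renewed_ticket_ends(LOGIN, timedelta(hours=10), timedelta(days=365),
                             DEACTIVATED, timedelta(hours=1))
    print("long-lived ticket: access until", e1,
          "latency", revocation_latency(e1, DEACTIVATED))
    print("krenew, 10h lifetime: access until", e2,
          "latency", revocation_latency(e2, DEACTIVATED))
```

With renewal, the worst-case window after deactivation is bounded by the ordinary ticket lifetime, which is the point made above; the model also shows that a krenew interval longer than the ticket lifetime lets the ticket lapse.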