Re[2]: [OpenAFS] token lifetime
Esther Filderman
mizmoose@gmail.com
Thu, 29 Jun 2006 12:44:06 -0400
On 6/29/06, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> >I am not using kerberos (yet), so I have to set it with kas.
> >Can it be set to never expire ? or is the maximum lifetime 720 hours ?
>
> Just as a note ... if you set your tickets to never expire (which I don't
> think is possible with the current code), you're just asking to be 0wned.
> Just my $0.02.
>
What he said.

You set things in ka with "kas setfields" [or just type "kas", hit
return, and use it interactively, similarly to kadmin].

Using KAS means you're using K4, which is very insecure. Using an
insecure authentication mechanism with long-lasting tickets is a good
way to get your whole cell compromised.

I think you'll find few people here are going to give you advice on
how to set yourself up for a disaster.