[OpenAFS] OpenAFS + Kerb5: lifetimes

Derrick J Brashear shadow@dementia.org
Thu, 12 Jul 2007 19:51:55 -0400 (EDT)


sure, but ignore the config files and give kinit a lifetime switch

On Thu, 12 Jul 2007, Jeff Blaine wrote:

> This is MIT Kerberos as shipped with RHELv4.
>
> ticket_lifetime = 2d in [libdefaults] of krb5.conf buys
> me nothing.  ticket_lifetime is not a documented option
> for [libdefaults] according to the official MIT docs.
>
> ticket_lifetime=2d as an option to pam_krb5RA.so buys
> me nothing.
>
> Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): none: pam_sm_authenticate: entry (0x1)
> Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: attempting authentication as jblaine@RCF.MITRE.ORG
> Jul 12 17:24:10 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: pam_sm_authenticate: exit (success)
> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4367]: Accepted keyboard-interactive/pam for jblaine from ::ffff:129.83.10.14 port 60577 ssh2
> Jul 12 17:24:10 rcf-kerbtest-linux sshd(pam_unix)[4370]: session opened for user jblaine by (uid=0)
> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: no context found, creating one
> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: found initial ticket cache at /tmp/krb5cc_pam_MB3OqY
> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: initializing ticket cache FILE:/tmp/krb5cc_26560_HBBo23
> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: exit (success)
> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): pam_sm_open_session: entry (0x0)
> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): running /usr/afsws/bin/aklog as UID 26560
> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): pam_sm_open_session: exit (success)
> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: entry (0x8)
> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: exit (success)
>
> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_26560_zdQIVJ
> Default principal: jblaine@RCF.MITRE.ORG
>
> Valid starting     Expires            Service principal
> 07/12/07 17:25:36  07/13/07 17:25:36  krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
>        renew until 07/12/07 17:25:36
> 07/12/07 17:25:36  07/13/07 17:25:36  afs@RCF.MITRE.ORG
>        renew until 07/12/07 17:25:36
>
>
> Kerberos 4 ticket cache: /tmp/tkt26560
> klist: You have no tickets cached
> ~:rcf-kerbtest-linux> tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 26560) tokens for afs@rcf.mitre.org [Expires Jul 13 17:25]
>   --End of list--
> ~:rcf-kerbtest-linux>
>
> Derrick J Brashear wrote:
>> kinit -l7d ?
>> 
>> On Thu, 12 Jul 2007, Jeff Blaine wrote:
>> 
>>> I spoke way too soon.
>>> 
>>> One of them was off.
>>> 
>>> They're all three set to "2 days" now as a test and I still only
>>> get tickets and tokens for 24hrs.
>>> 
>>> Jeffrey Altman wrote:
>>>> Jeff Blaine wrote:
>>>>> I'm using OpenAFS 1.4.3, pam_afs_session, and pam_krb5 from
>>>>> Russ Allbery.  Can anyone shed light on why my tickets and
>>>>> tokens have only a 24hr lifetime?
>>>>> 
>>>>> kadmin.local:  getprinc jblaine
>>>>> Principal: jblaine@RCF.MITRE.ORG
>>>>> Expiration date: [never]
>>>>> Last password change: Mon Apr 23 14:50:16 EDT 2007
>>>>> Password expiration date: [none]
>>>>> Maximum ticket life: 7 days 00:00:00
>>>>> Maximum renewable life: 0 days 00:00:00
>>>>> Last modified: Tue May 01 14:32:01 EDT 2007 (root/admin@RCF.MITRE.ORG)
>>>>> Last successful authentication: [never]
>>>>> Last failed authentication: [never]
>>>>> Failed password attempts: 0
>>>>> Number of keys: 2
>>>>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>>>>> Key: vno 1, DES cbc mode with CRC-32, no salt
>>>>> Attributes:
>>>>> Policy: [none]
>>>>> kadmin.local:
>>>> 
>>>> What are the maximum ticket lifetimes for your
>>>> krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG and afs[/cell]@RCF@MITRE.ORG
>>>> principals?
>>>>
>>>> The maximum lifetime is the minimum of the user, tgt and service principals.
>>>> 
>>>> Jeffrey Altman
>>> _______________________________________________
>>> OpenAFS-info mailing list
>>> OpenAFS-info@openafs.org
>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>> 
>> 
>
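
The rule quoted in the thread above (the maximum lifetime is the minimum of the user, tgt and service principals) as an added Python example that is not part of the original thread: it parses `getprinc` output in the format shown and reports which entry is the limiting one. The krbtgt and afs lifetimes in the sample data, the function names, and treating the lifetime requested with `kinit -l` as one more cap are assumptions made for illustration.

```python
import re

# Matches the "Maximum ticket life" line of kadmin getprinc output,
# e.g. "Maximum ticket life: 7 days 00:00:00".
_LIFE_RE = re.compile(
    r"^Maximum ticket life:\s*(\d+) days? (\d+):(\d{2}):(\d{2})\s*$", re.M)
_PRINC_RE = re.compile(r"^Principal:\s*(\S+)\s*$", re.M)


def parse_getprinc(text):
    """Return (principal, maximum ticket life in seconds) from getprinc output."""
    princ = _PRINC_RE.search(text)
    life = _LIFE_RE.search(text)
    if not princ or not life:
        raise ValueError("missing Principal or Maximum ticket life line")
    days, hours, minutes, seconds = (int(g) for g in life.groups())
    return princ.group(1), days * 86400 + hours * 3600 + minutes * 60 + seconds


def effective_lifetime(getprinc_outputs, requested=None):
    """Smallest cap wins; returns (seconds, name of the limiting entry)."""
    caps = [parse_getprinc(t) for t in getprinc_outputs]
    if requested is not None:
        # Hypothetical extra cap: the lifetime asked for on the client side.
        caps.append(("requested lifetime", requested))
    name, secs = min(caps, key=lambda c: c[1])
    return secs, name


# The user principal's value is taken from the thread. The krbtgt and afs
# values are constructed for illustration and do NOT come from the thread.
USER = ("Principal: jblaine@RCF.MITRE.ORG\n"
        "Maximum ticket life: 7 days 00:00:00\n")
TGT = ("Principal: krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG\n"
       "Maximum ticket life: 1 day 00:00:00\n")
AFS = ("Principal: afs@RCF.MITRE.ORG\n"
       "Maximum ticket life: 2 days 00:00:00\n")

if __name__ == "__main__":
    secs, limiter = effective_lifetime([USER, TGT, AFS], requested=7 * 86400)
    print(f"{secs // 3600}h, limited by {limiter}")
```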