On Jan 19, 2006, at 11:59 AM, Luke Howard wrote:

> What are the current thoughts on automatically renewing Kerberos credentials for long-lived sessions, particularly with respect to NFSv4 (where the user experience could be adversely affected)?

Kerberos.app on Mac OS X has auto-renewed tickets for a while now. It waits until the tickets are more than 1/2 expired and then tries to renew them. If the machine is off the network, it halves the time left and sets a timer to try again at that time (with a minimum time between tries to avoid going crazy just before the tickets expire). It also detects wake from sleep, and if the tickets are more than 1/2 expired on wake it will try immediately. This algorithm works well on laptops using Kerberos as well as desktops.

Rather than forcing users to add Kerberos.app to their login items, we have considered creating an auto-renewer which is launched automatically for the user whenever they get tickets. Due to upcoming architectural changes in the CCacheServer which would influence how such an auto-renewer would get launched, we've tabled this work for now.

Since this gets brought up every time we discuss auto-renewal on the Mac, I'm going to preemptively point out that even if you have an in-memory storage daemon like the CCacheServer, you don't want to use it for auto-renewal for the following reasons:

1) An auto-renewal mechanism tied to a specific ccache type won't work for other types of caches.

2) An in-memory credentials storage daemon is both a single point of failure for Kerberos and also a good target for attacks. Thus it should be lightweight and easy to inspect for bugs. Linking the Kerberos libraries into such a daemon will make your QA process much more horrible.

3) Vendors may wish to integrate the credentials storage daemon into a similar existing daemon already on their OS (e.g. Apple's SecurityServer). Having a complicated credentials renewal component in the daemon would make this much more difficult.

> Another issue is what to do when a TGT is no longer renewable. At first, we thought one might wish to store one's long-term Kerberos key at logon, so it would be possible to reacquire a TGT after the renewable lifetime was up.

(*) Windows does this I think. In fact I seem to recall that for at least some versions of Windows it doesn't even bother trying to renew the tickets and just always uses the stored key.

We have an open feature request for Kerberos for Macintosh to allow the user to store their Kerberos password in the Keychain. Since this is already where pkinit certs go, we will probably end up adding support for it. As is typical on the Mac, the "Remember in Keychain" checkbox will not be checked by default. And we will almost certainly add some config file way to turn off the support entirely for sites with more stringent security policies.

HTH,
--lxs

Alexandra Ellwood <[EMAIL PROTECTED]>
MIT Kerberos Development Team <http://mit.edu/lxs/www>

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
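A constructed simulation of the renewal schedule the message describes (wait until half expired, halve the remaining time on failure with a floor between tries, try immediately on wake if past the midpoint). This is added here and is not code from the thread or from Kerberos.app; the ticket lifetimes, the 60-second minimum retry interval and the on_network callback are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List

MIN_RETRY = 60  # assumed floor between attempts, in seconds


@dataclass(frozen=True)
class Ticket:
    start: int  # issue time, seconds since epoch (constructed values in tests)
    end: int    # expiry time

    def half_expired(self, now: int) -> bool:
        # "more than 1/2 expired": at or past the midpoint of the lifetime
        return now >= self.start + (self.end - self.start) // 2


def first_attempt(ticket: Ticket, now: int) -> int:
    """Schedule the first try at the ticket midpoint; if already past it, try now."""
    midpoint = ticket.start + (ticket.end - ticket.start) // 2
    return max(now, midpoint)


def retry_delay(ticket: Ticket, now: int) -> int:
    """Off network: halve the time left, but never retry sooner than MIN_RETRY.

    The floor keeps the renewer from spinning as the ticket nears expiry.
    """
    remaining = ticket.end - now
    return max(remaining // 2, MIN_RETRY)


def simulate(ticket: Ticket, now: int, on_network: Callable[[int], bool]) -> List[int]:
    """Return the attempt times until a renewal succeeds or the ticket expires.

    on_network(t) stands in for the renewal RPC: True means the KDC was reachable.
    """
    attempts: List[int] = []
    t = first_attempt(ticket, now)
    while t < ticket.end:
        attempts.append(t)
        if on_network(t):
            return attempts  # renewed; a real renewer would reschedule from here
        t += retry_delay(ticket, t)
    return attempts  # expired without a successful renewal


def on_wake(ticket: Ticket, now: int) -> bool:
    """Wake from sleep: attempt immediately only if more than half expired."""
    return ticket.half_expired(now)
```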
