Hello all, I'm considering a mildly backwards-incompatible change to k5start and wanted to ask here, since this is probably the best forum I have for reaching k5start users.
Currently, when one runs k5start as a daemon with the -K option, the argument to -K controls how frequently k5start will wake up and check whether its ticket is expiring. However, it won't always renew the ticket when it wakes up. It will only do so if the ticket will expire before or within two minutes of the next time it wakes up. This poses a couple of problems:

* It's difficult, using this approach, to guarantee a minimum ticket lifetime at any time. In other words, if you want the cache renewed such that the ticket will always be valid for at least an hour at any given time, it's complex to construct the right lifetime and wakeup time to do this.

* When using k5start in conjunction with AFS and the -t flag, new tokens will be acquired only when new tickets are acquired. This means that, if the AFS tokens might go away before the tickets for some reason (such as if the AFS principal has a maximum ticket lifetime shorter than the krbtgt principal), it may be difficult to maintain AFS tokens.

It's also sort of weird and complex, and people struggle to understand it.

I'm therefore considering changing the next release to always acquire fresh tickets each time k5start wakes up. So if you run k5start -K 10, then k5start will wake up every ten minutes and acquire new tickets unconditionally, regardless of whether the current tickets are about to expire. I would make a similar change to krenew -K at the same time.

I think this would be more straightforward, would prevent the above issues, and would mean that I wouldn't have to merge various patches people have sent me to work around this or configure this in other ways. The only drawback I can think of is that it may mean somewhat more Kerberos KDC traffic, since I suspect a lot of people have set -K values to be fairly short, but the minimum time is one minute anyway. An authentication every minute isn't a huge amount, and people can adjust their -K arguments after this release.
Does anyone think this is a bad idea? Am I missing any problem with this?

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
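To make the difference between the two -K policies concrete, here is a small added model (example code written for this page, not part of the post or of k5start) that simulates wakeups in whole minutes under the current rule (renew only if the ticket expires before or within two minutes of the next wakeup) and the proposed rule (renew at every wakeup). The ticket, token and -K values are constructed; SLACK_MIN is the two-minute margin the post describes.

```python
# Added example, not code from the post or from k5start itself: a model of the
# two -K renewal policies Russ describes, in whole minutes. All numbers are
# constructed; SLACK_MIN is the two-minute margin mentioned in the post.
SLACK_MIN = 2


def renewal_times(ticket_life, wake_every, horizon, always_renew):
    """Return the wakeup times (minutes) at which a new ticket is acquired.

    Current policy: renew at a wakeup only if the ticket would expire before
    or within two minutes of the *next* wakeup.  Proposed policy: renew at
    every wakeup, unconditionally.
    """
    expires_at = ticket_life          # first ticket acquired at t = 0
    renewals = []
    t = wake_every
    while t <= horizon:
        if always_renew or expires_at <= t + wake_every + SLACK_MIN:
            expires_at = t + ticket_life
            renewals.append(t)
        t += wake_every
    return renewals


def min_remaining_lifetime(ticket_life, wake_every, horizon, always_renew):
    """Worst-case remaining ticket validity seen at any instant up to horizon."""
    expires_at = ticket_life
    worst = ticket_life
    t = wake_every
    while t <= horizon:
        # Just before the wakeup decision the current ticket is at its oldest.
        worst = min(worst, expires_at - t)
        if always_renew or expires_at <= t + wake_every + SLACK_MIN:
            expires_at = t + ticket_life
        t += wake_every
    return worst


def afs_tokens_lapse(token_life, ticket_life, wake_every, horizon, always_renew):
    """With -t, tokens are refreshed only alongside tickets, so they lapse
    whenever the gap between two ticket acquisitions exceeds the token life."""
    times = [0] + renewal_times(ticket_life, wake_every, horizon, always_renew)
    return any(b - a > token_life for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    # 10-hour tickets, -K 45, 5-hour AFS tokens, a 2000-minute window.
    for proposed in (False, True):
        print("proposed" if proposed else "current",
              min_remaining_lifetime(600, 45, 2000, proposed),
              afs_tokens_lapse(300, 600, 45, 2000, proposed))
```

With these inputs the current policy lets a 10-hour ticket run down to 15 minutes of validity and lets 5-hour AFS tokens lapse between renewals, while the proposed policy keeps at least 555 minutes of validity and refreshes tokens every 45 minutes.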
