Re: Put a limit to ticket life span.

From: Russ Allbery
Subject: Re: Put a limit to ticket life span.
Date: Sat, 27 Oct 2012 18:50:43 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

Mats Erik Andersson <address@hidden> writes:

> The patch in this thread intended to address this, and the matter still
> is bound by the administrator's decision. Perhaps the factor five should
> be replaced by ten as breaking point, but it was chosen as a possible
> mode of detecting an excessive time limit. I do not know for sure. Let me
> add that another idea for a solution was stated in [1], but it never
> caught any attention.

Oh, I see.

I'm actually surprised that *all* Kerberos clients don't send an empty
ticket lifetime by default.  That seems like a sensible thing to do, since
then the client gets whatever the server default is.

> Luckily, collecting my thoughts for this answer, I have found a third
> way of attack, which seems to be what you are looking for. It copes in
> the desired way with the Solaris clients, and leaves all others
> untouched.

Yes, this looks right and like what I would expect (assuming that
ticketlife is the server configuration for the maximum ticket life).

Russ Allbery (address@hidden)
