Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Lifetime of Kerberos tickets

Tags:

kerberos

I have started with configuring kerberos.

Can anyone explain the ticket lifetime and renew lifetime we set in the krb5.conf file.

ticket_lifetime = 2d  
renew_lifetime = 7d

Is it like

  1. After 2 days client will get the new renewed ticket ?
  2. After 7 days do i need to create the key tabs again and send to client machines?
like image 464
saiyan Avatar asked Feb 04 '13 07:02

saiyan

People also ask

What is Kerberos ticket lifetime?

Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT which is then used to request Service Tickets to resources.

How do I check my Kerberos lifetime ticket?

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. If the value for "Maximum lifetime for user ticket" is 0 or greater than 10 hours, this is a finding.

How long are Kerberos tickets in default?

By default, all Kerberos Tickets have a 10 hour lifetime before they expire, and a maximum renewal period of 1 week. If you want to renew your ticket, you must do so before it expires. If you wait until after the 10 hours is up, then it is too late, and you must get a new one.

What is ticket lifetime?

Any time a principal obtains a ticket, including a ticket–granting ticket (TGT), the ticket's lifetime is set as the smallest of the following lifetime values: The lifetime value that is specified by the -l option of kinit , if kinit is used to get the ticket.

2 Answers

A Kerberos ticket has two lifetimes: a ticket lifetime and a renewable lifetime. After the end of the ticket lifetime, the ticket can no longer be used. However, if the renewable lifetime is longer than the ticket lifetime, anyone holding the ticket can, at any point before either lifetime expires, present the ticket to the KDC and ask for a new ticket. That new ticket will generally have a fresh ticket lifetime dating from the current time, although constrained by the renewable ticket lifetime.

That means you have to renew a ticket before it expires. You can't renew a ticket after it expires. But renewing a ticket doesn't require re-entering credentials, like a password or the key from the keytab. It can therefore be done quietly on the user's behalf by a program. (There are, for example, some system background utilities for Windows, Linux, and Mac OS X that watch the user's Kerberos tickets and renew them as needed up to the renewable lifetime.)

After the renewable lifetime is exhausted, or if one doesn't renew the ticket before the ticket lifetime expires, you have to re-enter credentials or use the key from a keytab.

Security-wise, the advantage of renewable tickets over tickets that just have a long lifetime is that the KDC can decline the renew request (if, for example, it had been discovered that the account was compromised and the renewable ticket may be in the hands of an attacker).

Renewable lifetimes don't have anything to do with keytabs. A keytab is good until you change the key for the principal, potentially forever.

like image 171
rra Avatar answered Oct 01 '22 09:10

rra

There are two part of this one is ticket max life which is by default 1 day as det in /etc/krb5.conf file. Now when we create any principal its ticket maxlife is same as that of the krb5.conf ticket_lifetime. If we can to change the ticket life time for the user then give the command modprinc -maxlife "10 hrs" username.

Finally while generating the ticket we can set the life of that ticket. give the ticket life with kinit.

So there are three life.

  • kerberos ticket life time
  • principal max ticket life time which will be less than or equal to kerberos life time.
  • kinit life time which is less that or equal to principal ticket life time.
like image 1
Avinav Mishra Avatar answered Oct 03 '22 09:10

Avinav Mishra
Sign in to Comment

Related questions

HttpClient set credentials for Kerberos authentication
Kerberos - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
How to transform NTLM credentials to Kerberos token in Node.js
How to validate a Kerberos ticket against a server in Java?
Kerberos authentication with python
"GSSException Defective token detected" - when trying to Authenticate to Tomcat running on Windows using Kerberos
Enable detailed logging for kerberos in java
npm install mongoose causes gyp and kerberos errors (gssapi/gssapi.h file not found)
Java and Kerberos authentication krb5.conf versus System.setProperty
Kerberos authentication in Node.js https.get or https.request
How to test if a kinit is needed?
Is there a way in Java or a command-line util to obtain a Kerberos ticket for a service using the native SSPI API?
mongodb kerberos peer dependency
How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header
Should I call ugi.checkTGTAndReloginFromKeytab() before every action on hadoop?
Getting IIS to impersonate the windows user to SQL server in an intranet environment
What is a keytab exactly?
"Defective token detected" error (NTLM not Kerberos) with Kerberos/Spring Security/IE/Active Directory
How to connect with Java into Active Directory
IIS Returning Old User Names to my application

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!