[torquedev] renewing credentials
Sergio.Gelato at astro.su.se
Thu Mar 8 12:42:48 MST 2007
* Chris Samuel [2007-03-08 14:21:39 +1100]:
> On Thu, 8 Mar 2007, Garrick Staples wrote:
> > Can pbs_server simply ensure that the ticket's lifetime is long enough
> > before the job executes?
> The problem there (and I'm speaking as someone who has never used Kerberos) is
> that you are then limited to the maximum lifetime of a Kerberos ticket
> defined by your Kerberos admin, which I think defaults to 7 days in many
> common Kerberos implementations.
7 days is an awfully long ticket lifetime. I give my users a default of
10 hours (which gets most of them through the working day) and a limit
of 24 hours.
For security, I don't think it's healthy to have lifetimes much longer
than that. Certainly not for AFS, which unfortunately still uses
single-DES. (How long does it now take to brute-force a single-DES key?)
Consider also what happens when a ticket cache falls into the wrong
hands or a password is compromised, and how long it takes to effectively
revoke access in those cases.
On the other hand, it's OK for the *renewable* lifetime to be weeks or
> So for the people like we have, who occasionally run 3 month jobs, that would
> be an issue (if we ran Kerberos, which we don't).
Precisely. That's why there is no alternative to renewing the tickets.
More information about the torquedev