[torquedev] renewing credentials

Sergio Gelato Sergio.Gelato at astro.su.se
Thu Mar 8 12:42:48 MST 2007


* Chris Samuel [2007-03-08 14:21:39 +1100]:
> On Thu, 8 Mar 2007, Garrick Staples wrote:
> 
> > Can pbs_server simply ensure that the ticket's lifetime is long enough
> > before the job executes?

No.

> The problem there (and I'm speaking as someone who has never used Kerberos) is 
> that you are then limited to the maximum lifetime of a Kerberos ticket 
> defined by your Kerberos admin, which I think defaults to 7 days in many 
> common Kerberos implementations.

7 days is an awfully long ticket lifetime. I give my users a default of
10 hours (which gets most of them through the working day) and a limit 
of 24 hours.

For security, I don't think it's healthy to have lifetimes much longer
than that. Certainly not for AFS, which unfortunately still uses
single-DES. (How long does it now take to brute-force a single-DES key?)
Consider also what happens when a ticket cache falls into the wrong
hands or a password is compromised, and how long it takes to effectively
revoke access in those cases.

On the other hand, it's OK for the *renewable* lifetime to be weeks or
months.

> So for the people like we have, who occasionally run 3 month jobs, that would 
> be an issue (if we ran Kerberos, which we don't).

Precisely. That's why there is no alternative to renewing the tickets.
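A job-side renewal check along the lines argued for above, as an added example that is not from the torquedev thread: it reads the ticket cache, renews with `kinit -R` while the ticket is still inside its renewable lifetime, and reports when only a fresh `kinit` will do. It assumes MIT-style `klist` output with mm/dd/yyyy timestamps; the sample listing and the one-hour margin are constructed.

```python
# Added example (not from the torquedev thread): keep a Kerberos TGT alive across
# a long batch job.  Assumes MIT-style `klist` output and `kinit -R` for renewal.
import re
import subprocess
from datetime import datetime, timedelta

_FMT = "%m/%d/%Y %H:%M:%S"
_TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
# TGT line followed by its indented "renew until" line (assumed layout).
_TGT_RE = re.compile(_TS + r"\s+" + _TS + r"\s+krbtgt/\S+\s+renew until " + _TS)

# Constructed sample cache listing: 10-hour ticket, renewable for 4 weeks.
SAMPLE_KLIST = """\
Valid starting       Expires              Service principal
03/08/2007 08:00:00  03/08/2007 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/05/2007 08:00:00
"""

def parse_tgt(klist_output):
    """Return (expires, renew_until) of the cached TGT, or None if absent."""
    m = _TGT_RE.search(klist_output)
    if not m:
        return None
    return datetime.strptime(m.group(2), _FMT), datetime.strptime(m.group(3), _FMT)

def renewal_action(now, expires, renew_until, margin=timedelta(hours=1)):
    """Return 'ok', 'renew' (kinit -R will extend it) or 'reauth' (fresh kinit needed)."""
    if now >= expires:
        return "reauth"
    if expires - now > margin:
        return "ok"
    # A renewed ticket never outlives renew_until, so renewing for less than `margin` is useless.
    return "renew" if renew_until - now > margin else "reauth"

def plan_for(klist_output, now_str, margin_hours=1):
    """Decision from raw klist text and a 'now' in the same timestamp format."""
    tgt = parse_tgt(klist_output)
    if tgt is None:
        return "reauth"
    now = datetime.strptime(now_str, _FMT)
    return renewal_action(now, *tgt, margin=timedelta(hours=margin_hours))

def keep_alive_once(margin_hours=1):
    """One wrapper pass: read the real cache with klist, run kinit -R if needed."""
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    action = plan_for(out, datetime.now().strftime(_FMT), margin_hours)
    if action == "renew":
        subprocess.run(["kinit", "-R"], check=True)
    return action
```

Run `keep_alive_once()` periodically from the job wrapper; a 'reauth' result means the renewable lifetime is used up and the job must obtain new credentials (keytab or password) rather than keep renewing.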

