Re: Put a limit to ticket life span.
From: Russ Allbery
Subject: Re: Put a limit to ticket life span.
Date: Sat, 27 Oct 2012 18:50:43 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

Mats Erik Andersson <address@hidden> writes:

> The patch in this thread intended to address this, and the matter still
> is bound by the administrator's decision. Perhaps the factor five should
> be replaced by ten as breaking point, but it was chosen as a possible
> mode of detecting an excessive time limit. I do not know for sure. Let me
> add that another idea for a solution was stated in [1], but it never
> caught any attention.

Oh, I see.

I'm actually surprised that *all* Kerberos clients don't send an empty
ticket lifetime by default. That seems like a sensible thing to do, since
then the client gets whatever the server default is.

> Luckily, collecting my thoughts for this answer, I have found a third
> way of attack, which seems to be what you are looking for. It copes in
> the desired way with the Solaris clients, and leaves all others
> untouched.

Yes, this looks right and like what I would expect (assuming that
ticketlife is the server configuration for the maximum ticket life).

--
Russ Allbery (address@hidden) <http://www.eyrie.org/~eagle/>