<p>A Kerberos ticket has two lifetimes: a ticket lifetime and a renewable lifetime. After the end of the ticket lifetime, the ticket can no longer be used. However, if the renewable lifetime is longer than the ticket lifetime, anyone holding the ticket can, at any point before <em>either</em> lifetime expires, present the ticket to the KDC and ask for a new ticket. That new ticket will generally have a fresh ticket lifetime dating from the current time, although constrained by the renewable ticket lifetime.</p>
<p>That means you have to renew a ticket before it expires. You can't renew a ticket after it expires. But renewing a ticket doesn't require re-entering credentials, like a password or the key from the keytab. It can therefore be done quietly on the user's behalf by a program. (There are, for example, some system background utilities for Windows, Linux, and Mac OS X that watch the user's Kerberos tickets and renew them as needed up to the renewable lifetime.)</p>
<p>After the renewable lifetime is exhausted, or if one doesn't renew the ticket before the ticket lifetime expires, you have to re-enter credentials or use the key from a keytab.</p>
<p>Security-wise, the advantage of renewable tickets over tickets that just have a long lifetime is that the KDC can decline the renew request (if, for example, it had been discovered that the account was compromised and the renewable ticket may be in the hands of an attacker).</p>
<p>Renewable lifetimes don't have anything to do with keytabs. A keytab is good until you change the key for the principal, potentially forever.</p>
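<p>The following is an added illustration, not code from the answer above or from any Kerberos implementation: a small Python model of the two lifetimes as a KDC sees them (the ticket's <code>endtime</code> and <code>renew_till</code> fields of RFC 4120), plus the loop a background renewer would run against it. The names <code>Ticket</code>, <code>KDC</code>, <code>keep_fresh</code> and <code>simulate</code>, the 10-hour / 7-day policy and the principal names are hypothetical. It walks a ticket through the whole renewable period and shows the four outcomes the text describes: a normal renewal with a fresh lifetime, the last renewal clamped at the renewable limit, the point where re-authentication becomes unavoidable, and the KDC declining a renewal for a principal flagged as compromised.</p>

```python
# Added example, not part of the original answer. Models RFC 4120's
# endtime / renew-till semantics; all names and policy values are hypothetical.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time


@dataclass(frozen=True)
class Ticket:
    principal: str
    starttime: datetime
    endtime: datetime     # end of the ticket lifetime: unusable after this
    renew_till: datetime  # end of the renewable lifetime: never extended

    @property
    def renewable(self) -> bool:
        # MIT clears the RENEWABLE flag when renew_till does not exceed endtime
        return self.renew_till > self.endtime


class KDC:
    """Hypothetical KDC enforcing the renewal rules described in the answer."""

    def __init__(self, max_life: timedelta, max_renewable_life: timedelta):
        self.max_life = max_life
        self.max_renewable_life = max_renewable_life
        self.disabled: set[str] = set()  # principals flagged as compromised

    def issue(self, principal: str, now: datetime,
              life: timedelta, renewable_life: timedelta) -> Ticket:
        """Initial ticket: the only step that needs a password or keytab key."""
        life = min(life, self.max_life)
        renewable_life = min(renewable_life, self.max_renewable_life)
        return Ticket(principal, now, now + life,
                      max(now + renewable_life, now + life))

    def renew(self, ticket: Ticket, now: datetime) -> Ticket:
        """Renewal: presents the unexpired ticket only, no credentials.
        The KDC may still decline, e.g. after the account was disabled."""
        if ticket.principal in self.disabled:
            raise PermissionError("KDC declined renewal: principal disabled")
        if now >= ticket.endtime:
            if ticket.endtime >= ticket.renew_till:
                raise ValueError("renewable lifetime exhausted")
            raise ValueError("ticket lifetime expired before renewal")
        if not ticket.renewable:
            raise ValueError("ticket is not renewable")
        # Fresh ticket lifetime from now, but never past the original renew_till.
        new_end = min(now + self.max_life, ticket.renew_till)
        return replace(ticket, starttime=now, endtime=new_end)


def keep_fresh(kdc: KDC, ticket: Ticket, now: datetime,
               margin: timedelta = 5 * timedelta(minutes=1)) -> tuple[Ticket, str]:
    """One tick of a background renewer: renew shortly before endtime and
    report when a human (or a keytab) has to re-authenticate instead."""
    if now + margin < ticket.endtime:
        return ticket, "fresh"
    try:
        return kdc.renew(ticket, now), "renewed"
    except (PermissionError, ValueError) as exc:
        return ticket, f"reauth needed: {exc}"


def _hours(delta: timedelta) -> int:
    return int(delta.total_seconds() // 3600)


def simulate(tick: timedelta = 9 * HOUR, margin: timedelta = HOUR) -> list[tuple[int, str, int]]:
    """Run a 10h / 7d ticket through a renewer that wakes every `tick`.
    Returns (hours since T0, status, ticket endtime in hours since T0)."""
    kdc = KDC(max_life=10 * HOUR, max_renewable_life=7 * DAY)
    ticket = kdc.issue("alice@EXAMPLE.COM", T0, 10 * HOUR, 7 * DAY)
    events, now = [], T0
    while True:
        now += tick
        ticket, status = keep_fresh(kdc, ticket, now, margin)
        events.append((_hours(now - T0), status, _hours(ticket.endtime - T0)))
        if status.startswith("reauth"):
            return events


if __name__ == "__main__":
    for offset_h, status, end_h in simulate():
        print(f"t+{offset_h:3d}h: {status:<42} endtime=t+{end_h}h")
```

<p>Each renewal pushes <code>endtime</code> out by another ticket lifetime, the last one is cut off at <code>renew_till</code>, and the tick after that reports that re-authentication is needed; flagging a principal in <code>kdc.disabled</code> makes the very next renewal fail even though the ticket itself is still valid. With MIT Kerberos the equivalent real-world commands are <code>kinit -l 10h -r 7d</code> to request both lifetimes, <code>klist</code> (which prints a "renew until" column for renewable tickets) to inspect them, and <code>kinit -R</code> to renew; tools such as k5start automate the renewal loop.</p>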