[Kerberos] deeply understand the Kerberos ticket life cycle
2022-07-06 11:32:00 【kiraraLou】
The ticket lifetime is the smallest of these five settings:
- max_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
- the maximum ticket life of the built-in principal krbtgt (shown by the getprinc command in kadmin)
- the maximum ticket life of your own principal (shown by the getprinc command in kadmin)
- ticket_lifetime in /etc/krb5.conf on the Kerberos client
- the time given to kinit with the -l option

The ticket renew lifetime is the smallest of these five settings:
- max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
- the maximum renewable life of the built-in principal krbtgt (shown by the getprinc command in kadmin)
- the maximum renewable life of your own principal (shown by the getprinc command in kadmin)
- renew_lifetime in /etc/krb5.conf on the Kerberos client
- the time given to kinit with the -r option
View the current ticket on the server:

[root@host ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <principal>@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T14:01:44  2019-11-28T14:01:44  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 2019-12-04T14:01:44

- Valid starting: the time of authentication, i.e. the time kinit was run: 2019-11-27T14:01:44
- Expires: the expiry time, 2019-11-28T14:01:44; this is the end of the ticket's current life cycle
- renew until: at the end of each life cycle the ticket is renewed once to obtain a new ticket, until 2019-12-04T14:01:44; Expires changes after every renewal
You can also renew manually with kinit -R. After a manual renewal, Valid starting and Expires change while renew until stays the same:

[root@host ~]# kinit -R
[root@host ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <principal>@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T15:08:45  2019-11-28T15:08:45  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 2019-12-04T14:01:44
So renew until is what determines the final expiry time of the ticket. How is renew until decided? It is determined by the following parameters:

a: max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server; this sets the upper limit
b: renew_lifetime in /etc/krb5.conf on the Kerberos client
c: the maximum renewable life of krbtgt (view it with getprinc)
d: the maximum renewable life of the principal (view it with getprinc in kadmin)
e: the value passed to kinit -r, e.g. kinit -r 15days

a is the upper limit for c, c is the upper limit for d, and d is the upper limit for b and e, i.e.:
b,e < d < c < a
Verification

Edit /var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  database_name = /var/kerberos/principal
  max_life = 25h
  max_renewable_life = 90d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Restart the KDC:

systemctl restart krb5kdc
For the test we set max_renewable_life in the KDC to the smallest value, 90 days, and the other three to 100 days, 110 days and 120 days.

Set the maximum renewable life of krbtgt to 100 days:

kadmin.local: modprinc -maxlife 1days -maxrenewlife 100days +allow_renewable krbtgt/HADOOP.COM
Principal "krbtgt/HADOOP.COM@HADOOP.COM" modified.

Set the maximum renewable life of bigdata to 110 days:

kadmin.local: modprinc -maxlife 1days -maxrenewlife 110days +allow_renewable bigdata

Set renew_lifetime in the client's krb5.conf to 120 days:

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 120d
 forwardable = true
 rdns = false
 default_realm = HADOOP.COM
Verification:

[root@host ~]# kinit bigdata
Password for bigdata@HADOOP.COM:
[root@host ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T15:55:54  2019-11-28T15:55:54  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 2020-02-25T15:55:54

Here renew until is 2020-02-25T15:55:54, and 2020-02-25T15:55:54 - 2019-11-27T15:55:54 = 90 days, the KDC's max_renewable_life.
Set the maximum renewable life of krbtgt to 80 days:

kadmin.local: modprinc -maxlife 1days -maxrenewlife 80days +allow_renewable krbtgt/HADOOP.COM
Principal "krbtgt/HADOOP.COM@HADOOP.COM" modified.

Run kinit again:

[root@host ~]# kinit bigdata
Password for bigdata@HADOOP.COM:
[root@host ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:00:05  2019-11-28T16:00:05  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 2020-02-15T16:00:05

Here renew until is 2020-02-15T16:00:05, and 2020-02-15T16:00:05 - 2019-11-27T16:00:05 = 80 days, the krbtgt limit.
Set the maximum renewable life of bigdata to 70 days:

kadmin.local: modprinc -maxlife 1days -maxrenewlife 70days +allow_renewable bigdata
Principal "bigdata@HADOOP.COM" modified.

Run kinit again:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:03:40  2019-11-28T16:03:40  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 2020-02-05T16:03:40

Here renew until is 2020-02-05T16:03:40, and 2020-02-05T16:03:40 - 2019-11-27T16:03:40 = 70 days, the principal's limit.
Set renew_lifetime in the client's krb5.conf to 60 days:

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 60d
 forwardable = true
 rdns = false
 default_realm = HADOOP.COM

Run kinit:

[root@host ~]# kinit bigdata
Password for bigdata@HADOOP.COM:
[root@host ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:08:21  2019-11-28T16:08:21  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 2020-01-26T16:08:21

2020-01-26T16:08:21 - 2019-11-27T16:08:21 = 60 days, the client's renew_lifetime.
Now request a renewable lifetime of 80 days by hand with kinit -r:

[root@host ~]# kinit -r 80days
Password for bigdata@HADOOP.COM:
[root@host ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:09:41  2019-11-28T16:09:41  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 2020-02-05T16:09:41

2020-02-05T16:09:41 - 2019-11-27T16:09:41 = 70 days: the -r value replaces the 60-day default from krb5.conf, but the result is still capped by the principal's 70-day maximum renewable life.
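As an added example (not code from the original post), the following Python script checks the rule the post describes and its verification runs: it parses the duration syntax used in kdc.conf, krb5.conf, kadmin modprinc and kinit, computes the effective renewable life as the smallest of the caps listed above (with a kinit -r value replacing the krb5.conf renew_lifetime default, as the last run shows), and computes renew until minus Valid starting from klist output the way the post does by hand. The klist text is a constructed sample modelled on the final run.

```python
import re
from datetime import datetime, timedelta

# Kerberos duration syntax as written in kdc.conf, krb5.conf, kadmin modprinc and kinit -l/-r:
# one or more <number><unit> pairs, e.g. "25h", "90d", "80days", "1h30m".
_UNIT_SECONDS = {"d": 86400, "day": 86400, "days": 86400, "h": 3600, "hour": 3600, "hours": 3600,
                 "m": 60, "min": 60, "minute": 60, "minutes": 60,
                 "s": 1, "sec": 1, "second": 1, "seconds": 1}

def parse_duration(text):
    """Turn a Kerberos duration string into a timedelta; reject anything it does not fully match."""
    pairs = re.findall(r"(\d+)\s*([A-Za-z]+)", text)
    if (not pairs or "".join(n + u for n, u in pairs) != re.sub(r"\s+", "", text)
            or any(u.lower() not in _UNIT_SECONDS for _, u in pairs)):
        raise ValueError("unrecognised duration: %r" % text)
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u.lower()] for n, u in pairs))

def effective_renew_life(kdc_max_renewable_life, krbtgt_max_renewable_life,
                         principal_max_renewable_life, client_renew_lifetime, kinit_r=None):
    """Renewable life the TGT actually gets: the smallest of the caps the post lists.
    A kinit -r value replaces the krb5.conf renew_lifetime default, as the post's last run shows."""
    requested = kinit_r if kinit_r is not None else client_renew_lifetime
    return min(parse_duration(v) for v in (kdc_max_renewable_life, krbtgt_max_renewable_life,
                                           principal_max_renewable_life, requested))

_TS = "%Y-%m-%dT%H:%M:%S"  # timestamp format of the klist output shown in the post

def observed_renew_span(klist_output):
    """'renew until' minus 'Valid starting' for the krbtgt entry: the subtraction the post does by hand."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        if "krbtgt/" in line:
            start = datetime.strptime(line.split()[0], _TS)
            until = datetime.strptime(lines[i + 1].split()[-1], _TS)
            return until - start
    raise ValueError("no krbtgt ticket in klist output")

# Constructed sample klist output, modelled on the post's final run (kinit -r 80days, renew_lifetime = 60d).
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:09:41  2019-11-28T16:09:41  krbtgt/HADOOP.COM@HADOOP.COM
\trenew until 2020-02-05T16:09:41
"""

if __name__ == "__main__":
    # Caps from the final run: KDC 90d, krbtgt 80 days, bigdata 70 days, krb5.conf 60d, kinit -r 80days.
    expected = effective_renew_life("90d", "80days", "70days", "60d", kinit_r="80days")
    print(expected.days, observed_renew_span(KLIST_SAMPLE).days)  # 70 70
```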
Link to the original text: https://blog.csdn.net/woloqun/article/details/103277813/