当前位置:网站首页>[Kerberos] deeply understand the Kerberos ticket life cycle

[Kerberos] deeply understand the Kerberos ticket life cycle

2022-07-06 11:32:00 kiraraLou

ticket lifetime Depends on 5 Minimum value in item settings :

  • Kerberos server On /var/kerberos/krb5kdc/kdc.conf in max_life
  • built-in principal krbtgt Of maximum ticket life, Can be found in kadmin Command line getprinc Command view
  • principal Of maximum ticket life, Can be found in kadmin Command line getprinc Command view
  • Kerberos client On /etc/krb5.conf Of ticket_lifetime
  • kinit -l The time specified after the parameter

ticket renew lifetime Depends on 5 Minimum value in item settings :

  • Kerberos server On /var/kerberos/krb5kdc/kdc.conf in max_renewable_life
  • built-in principal krbtgt Of maximum renewable life, Can be found in kadmin Command line getprinc Command view
  • Yours principal Of maximum renewable life, Can be found in kadmin Command line getprinc Command view
  • Kerberos client On /etc/krb5.conf Of renew_lifetime
  • kinit -r The time specified after the parameter

View the current server ticket

[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T14:01:44  2019-11-28T14:01:44  krbtgt/[email protected]
	renew until 2019-12-04T14:01:44
  • Valid starting: Time of certification , Which is execution kinit Time for :2019-11-27T14:01:44
    Expires: Failure time 2019-11-28T14:01:44, This time is the expiration time of the current life cycle of the bill
  • renew until: After a life cycle of bills , Will automatically refresh once to get a new ticket , until 2019-12-04T14:01:44, After each refresh Expires Will change ;

Of course, you can also refresh manually

kinit -R

If you refresh manually ,valid starting and Expires Will change ,renew until unchanged

[[email protected] ~]# kinit -R
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T15:08:45  2019-11-28T15:08:45  krbtgt/[email protected]
	renew until 2019-12-04T14:01:44

In fact, we can see that renew until Determines the final expiration time of the bill ;renew until How it was decided ?
renew until Determined by the following parameters

a:Kerberos server On /var/kerberos/krb5kdc/kdc.conf in max_renewable_life; Decided the upper limit 
b:Kerberos client On /etc/krb5.conf Of renew_lifetime
c:krbtgt Of maximum renewable life, Use getprinc Command view 
d:principal Of maximum renewable life, Can be found in kadmin Command line getprinc Command view 
e:kinit -r 15days

c Upper limit a
d The upper limit is c
b,e The upper limit is d

b,e<d<c<a

verification

vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
    
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  database_name = /var/kerberos/principal
  max_life = 25h
  max_renewable_life = 90d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

restart krb5kdc

systemctl restart krb5kdc

For testing purposes , We will kdc Medium renewable Set to minimum 90days, The others are set to 100days,110days,120days

modify krbtgt Of maximum renewable life by 100days

kadmin.local:  modprinc -maxlife 1days -maxrenewlife 100days +allow_renewable krbtgt/HADOOP.COM
Principal "krbtgt/[email protected]" modified.

modify bigdata Of maximum renewable life by 110days

modprinc -maxlife 1days -maxrenewlife 110days +allow_renewable bigdata

Modify the client krb5.conf renew_lifetime by 120days

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 120d
 forwardable = true
 rdns = false
 default_realm = HADOOP.COM

verification

[[email protected] ~]# kinit bigdata
Password for [email protected]:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T15:55:54  2019-11-28T15:55:54  krbtgt/[email protected]
	renew until 2020-02-25T15:55:54

here renew until 2020-02-25T15:55:54,Time(2020-02-25T15:55:54)-Time(2019-11-27T15:55:54)=90days
modify krbtgt Of maximum renewable life by 80days

kadmin.local:  modprinc -maxlife 1days -maxrenewlife 80days +allow_renewable krbtgt/HADOOP.COM
Principal "krbtgt/[email protected]" modified.

again kinit

[[email protected] ~]# kinit bigdata
Password for [email protected]:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T16:00:05  2019-11-28T16:00:05  krbtgt/[email protected]
	renew until 2020-02-15T16:00:05

here renew until 2020-02-15T16:00:05,Time(2020-02-15T16:00:05)-Time(2019-11-27T16:00:05)=80days

modify bigdata Of maximum renewable life by 70days

kadmin.local:  modprinc -maxlife 1days -maxrenewlife 70days +allow_renewable bigdata
Principal "[email protected]" modified.

again kinit

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T16:03:40  2019-11-28T16:03:40  krbtgt/[email protected]
	renew until 2020-02-05T16:03:40

here renew until 2020-02-05T16:03:40,Time(2020-02-05T16:03:40)-Time(2019-11-27T16:03:40)=70days

Modify the client krb5.conf,renew_lifetime by 60days

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 60d
 forwardable = true
 rdns = false
 default_realm = HADOOP.COM

kinit

[[email protected] ~]# kinit bigdata
Password for [email protected]:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T16:08:21  2019-11-28T16:08:21  krbtgt/[email protected]
	renew until 2020-01-26T16:08:21

Time(2020-01-26T16:08:21)-Time(2019-11-27T16:08:21)=60days

At this moment, if you manually refresh the settings renewable_lifetime by 80days

[[email protected] ~]# kinit -r 80days
Password for [email protected]:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-11-27T16:09:41  2019-11-28T16:09:41  krbtgt/[email protected]
	renew until 2020-02-05T16:09:41

Time(2020-02-05T16:09:41)-TIme(2019-11-27T16:09:41)=70days

Link to the original text :https://blog.csdn.net/woloqun/article/details/103277813/

原网站

版权声明
本文为[kiraraLou]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/187/202207060913061218.html