[Kerberos] deeply understand the Kerberos ticket life cycle
2022-07-06 11:32:00 【kiraraLou】
The ticket lifetime is the minimum of the following five settings:
- max_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
- the maximum ticket life of the built-in principal krbtgt, shown by the getprinc command in kadmin
- the maximum ticket life of the principal itself, shown by the getprinc command in kadmin
- ticket_lifetime in /etc/krb5.conf on the Kerberos client
- the time given after the kinit -l parameter
The ticket renew lifetime is the minimum of the following five settings:
- max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
- the maximum renewable life of the built-in principal krbtgt, shown by the getprinc command in kadmin
- the maximum renewable life of your own principal, shown by the getprinc command in kadmin
- renew_lifetime in /etc/krb5.conf on the Kerberos client
- the time given after the kinit -r parameter
View the ticket currently held on the server:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting       Expires              Service principal
2019-11-27T14:01:44  2019-11-28T14:01:44  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2019-12-04T14:01:44
- Valid starting: the authentication time, i.e. the time kinit was run: 2019-11-27T14:01:44
- Expires: the expiry time, 2019-11-28T14:01:44; this is the end of the ticket's current lifetime
- renew until: after each lifetime ends, the ticket is renewed automatically and a new ticket is obtained, until 2019-12-04T14:01:44; Expires changes after every renewal
You can of course also renew manually:
kinit -R
After a manual renewal, Valid starting and Expires change, while renew until stays the same:
[[email protected] ~]# kinit -R
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting       Expires              Service principal
2019-11-27T15:08:45  2019-11-28T15:08:45  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2019-12-04T14:01:44
So renew until is what determines the final expiry time of the ticket. How is renew until itself decided?
renew until is determined by the following parameters:
a: max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server; this sets the overall upper limit
b: renew_lifetime in /etc/krb5.conf on the Kerberos client
c: the maximum renewable life of krbtgt, shown by the getprinc command
d: the maximum renewable life of the principal, shown by the getprinc command in kadmin
e: kinit -r 15days
c is bounded by a
d is bounded by c
b and e are bounded by d
b,e<d<c<a
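As an added illustration, not code from the original post, here is a small Python model of the two rules described above: the minimum-of-five rule for the ticket lifetime and the renewable lifetime, and the behaviour of kinit -R (Valid starting and Expires move, renew until does not). It replays the renew until dates from the verification runs later on this page. All function and class names are my own; the model assumes that a value passed as kinit -r or kinit -l replaces the client's renew_lifetime or ticket_lifetime and is then capped by the KDC and principal limits, which is what the final kinit -r 80days run on this page shows.

```python
"""Toy model of the Kerberos ticket-lifetime rules discussed on this page.
All names here (parse_duration, effective_*, Ticket, issue_ticket, renew,
page_*) are invented for the example; the dates are the page's klist output."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_LONG_UNITS = {"second": "s", "minute": "m", "hour": "h", "day": "d"}


def parse_duration(text: str) -> timedelta:
    """Parse the duration spellings used on this page: '25h', '90d', '1days',
    '80days', '15days' (also '24 hours' style). Anything else is rejected."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    if len(unit) > 1:
        unit = _LONG_UNITS.get(unit.rstrip("s"), unit)
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown time unit in {text!r}")
    return timedelta(seconds=count * _UNIT_SECONDS[unit])


def _minimum(kdc, krbtgt, principal, client, kinit_flag) -> timedelta:
    # A value given on the kinit command line (-l / -r) replaces the client's
    # krb5.conf default; the KDC and the two principals' limits still cap it.
    requested = client if kinit_flag is None else kinit_flag
    return min(parse_duration(v) for v in (kdc, krbtgt, principal, requested))


def effective_ticket_life(kdc_max_life, krbtgt_maxlife, principal_maxlife,
                          client_ticket_lifetime, kinit_l=None) -> timedelta:
    """Ticket lifetime: the minimum of the five settings listed on the page."""
    return _minimum(kdc_max_life, krbtgt_maxlife, principal_maxlife,
                    client_ticket_lifetime, kinit_l)


def effective_renewable_life(kdc_max_renewable_life, krbtgt_maxrenewlife,
                             principal_maxrenewlife, client_renew_lifetime,
                             kinit_r=None) -> timedelta:
    """Renewable lifetime ('renew until' minus 'Valid starting'): same rule."""
    return _minimum(kdc_max_renewable_life, krbtgt_maxrenewlife,
                    principal_maxrenewlife, client_renew_lifetime, kinit_r)


@dataclass(frozen=True)
class Ticket:
    valid_starting: datetime
    expires: datetime
    renew_until: datetime


def issue_ticket(now: datetime, ticket_life: timedelta,
                 renewable_life: timedelta) -> Ticket:
    """What kinit produces: Expires and renew until are both measured from now."""
    return Ticket(now, now + ticket_life, now + renewable_life)


def renew(ticket: Ticket, now: datetime) -> Ticket:
    """What kinit -R produces: Valid starting and Expires move, renew until does
    not. An expired ticket, or one whose renewable window is over, cannot be
    renewed; the user has to authenticate again with kinit."""
    if now > ticket.expires:
        raise RuntimeError("ticket has expired; kinit -R is refused")
    if now >= ticket.renew_until:
        raise RuntimeError("renewable lifetime exhausted; kinit -R is refused")
    life = ticket.expires - ticket.valid_starting
    # The renewed ticket never outlives the original renew-until time.
    return Ticket(now, min(now + life, ticket.renew_until), ticket.renew_until)


def page_experiment() -> list:
    """Replay the page's kinit runs: the 'renew until' date for each setting of
    (KDC max_renewable_life, krbtgt, bigdata, client renew_lifetime, kinit -r)."""
    start = datetime(2019, 11, 27, 15, 55, 54)  # Valid starting (constructed)
    runs = [
        ("90d", "100days", "110days", "120d", None),      # capped by the KDC: 90d
        ("90d", "80days", "110days", "120d", None),       # capped by krbtgt: 80d
        ("90d", "80days", "70days", "120d", None),        # capped by bigdata: 70d
        ("90d", "80days", "70days", "60d", None),         # capped by the client: 60d
        ("90d", "80days", "70days", "60d", "80days"),     # kinit -r 80days: still 70d
    ]
    return [(start + effective_renewable_life(*r)).date().isoformat() for r in runs]


def page_renew_example() -> dict:
    """Replay the page's kinit -R: a 24h ticket renewable for 7 days, renewed
    about an hour after it was obtained, then a renewal attempted after expiry."""
    first = issue_ticket(datetime(2019, 11, 27, 14, 1, 44),
                         timedelta(hours=24), timedelta(days=7))
    renewed = renew(first, datetime(2019, 11, 27, 15, 8, 45))
    try:
        renew(first, datetime(2019, 11, 29, 0, 0, 0))  # a day after Expires
        late_renewal = "allowed"
    except RuntimeError:
        late_renewal = "refused"
    return {"expires": renewed.expires.isoformat(),
            "renew_until": renewed.renew_until.isoformat(),
            "renewal_after_expiry": late_renewal}


if __name__ == "__main__":
    print(page_experiment())
    print(page_renew_example())
```

Running the block prints the five renew until dates (2020-02-25, 2020-02-15, 2020-02-05, 2020-01-26, 2020-02-05) and the renewed ticket from the first klist example (Expires 2019-11-28T15:08:45, renew until unchanged at 2019-12-04T14:01:44). The refusal branch in renew() is the operational point worth remembering: renewal only works while the current ticket is still valid, so a long renew_lifetime does not help a job whose ticket was allowed to expire.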
Verification
vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HADOOP.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
database_name = /var/kerberos/principal
max_life = 25h
max_renewable_life = 90d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Restart krb5kdc:
systemctl restart krb5kdc
For the test, we set the KDC's renewable life to the smallest value, 90 days, and the others to 100 days, 110 days and 120 days.
Set the maximum renewable life of krbtgt to 100 days:
kadmin.local: modprinc -maxlife 1days -maxrenewlife 100days +allow_renewable krbtgt/HADOOP.COM
Principal "krbtgt/HADOOP.COM@HADOOP.COM" modified.
Set the maximum renewable life of bigdata to 110 days:
modprinc -maxlife 1days -maxrenewlife 110days +allow_renewable bigdata
Set renew_lifetime in the client's krb5.conf to 120 days:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 120d
forwardable = true
rdns = false
default_realm = HADOOP.COM
Verification
[[email protected] ~]# kinit bigdata
Password for bigdata@HADOOP.COM:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T15:55:54  2019-11-28T15:55:54  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-02-25T15:55:54
Here renew until is 2020-02-25T15:55:54, and Time(2020-02-25T15:55:54) - Time(2019-11-27T15:55:54) = 90 days, the KDC's max_renewable_life.
Set the maximum renewable life of krbtgt to 80 days:
kadmin.local: modprinc -maxlife 1days -maxrenewlife 80days +allow_renewable krbtgt/HADOOP.COM
Principal "krbtgt/HADOOP.COM@HADOOP.COM" modified.
Run kinit again:
[[email protected] ~]# kinit bigdata
Password for bigdata@HADOOP.COM:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:00:05  2019-11-28T16:00:05  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-02-15T16:00:05
Here renew until is 2020-02-15T16:00:05, and Time(2020-02-15T16:00:05) - Time(2019-11-27T16:00:05) = 80 days, the krbtgt limit.
Set the maximum renewable life of bigdata to 70 days:
kadmin.local: modprinc -maxlife 1days -maxrenewlife 70days +allow_renewable bigdata
Principal "bigdata@HADOOP.COM" modified.
Run kinit again:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:03:40  2019-11-28T16:03:40  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-02-05T16:03:40
Here renew until is 2020-02-05T16:03:40, and Time(2020-02-05T16:03:40) - Time(2019-11-27T16:03:40) = 70 days, the bigdata principal's limit.
Set renew_lifetime in the client's krb5.conf to 60 days:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 60d
forwardable = true
rdns = false
default_realm = HADOOP.COM
Run kinit:
[[email protected] ~]# kinit bigdata
Password for bigdata@HADOOP.COM:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:08:21  2019-11-28T16:08:21  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-01-26T16:08:21
Time(2020-01-26T16:08:21) - Time(2019-11-27T16:08:21) = 60 days, the client's renew_lifetime.
Now, if you request a renewable lifetime of 80 days manually with kinit -r:
[[email protected] ~]# kinit -r 80days
Password for bigdata@HADOOP.COM:
[[email protected] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bigdata@HADOOP.COM
Valid starting       Expires              Service principal
2019-11-27T16:09:41  2019-11-28T16:09:41  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 2020-02-05T16:09:41
Time(2020-02-05T16:09:41) - Time(2019-11-27T16:09:41) = 70 days: the 80 days requested with kinit -r override the client's renew_lifetime of 60 days but are still capped by the bigdata principal's maximum renewable life of 70 days.
Link to the original text :https://blog.csdn.net/woloqun/article/details/103277813/