How to define ticket lifetime and renewable time

Define ticket lifetime and renewable time when using MIT Kerberos.

Inspect initial configuration

Inspect initial Kerberos KDC configuration.

$ sudo cat /etc/krb5kdc/kdc.conf 
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    OCTOCAT.LAB = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

This configuration sets the maximum ticket lifetime to 10 hours and allows a ticket to be renewed for up to 7 days.

Inspect Kerberos configuration.

$ cat /etc/krb5.conf 
[libdefaults]
        default_realm = OCTOCAT.LAB
        default_ccache_name = KEYRING:persistent:%{uid}

        forwardable = true

[realms]
        OCTOCAT.LAB = {
                kdc = kerberos.octocat.lab
                admin_server = kerberos.octocat.lab
                default_domain = octocat.lab
        }

[domain_realm]
        octocat.lab = OCTOCAT.LAB
        .octocat.lab = OCTOCAT.LAB 

It does not define default values for the ticket lifetime and the renewable lifetime.

With these settings, the ticket lifetime will be 10 hours and the ticket can be renewed for up to one day.

$ kinit
Password for milosz@OCTOCAT.LAB: ************
$ klist 
Ticket cache: KEYRING:persistent:1000:1000
Default principal: milosz@OCTOCAT.LAB

Valid starting     Expires            Service principal
11/12/21 01:48:18  11/12/21 11:48:18  krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
        renew until 11/13/21 01:48:16
$ kdestroy 

Update configuration

I will update the configuration to set the ticket lifetime to 1 day and the maximum renewable lifetime to 7 days.

First, increase the maximum ticket lifetime in the KDC configuration.

$ sudo cat /etc/krb5kdc/kdc.conf 
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    OCTOCAT.LAB = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 1d 0h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

Restart the KDC server to apply the new configuration.

$ sudo systemctl restart krb5-kdc.service 

Update the Kerberos client configuration to set default values for the ticket lifetime and the renewable lifetime.

$ cat /etc/krb5.conf 
[libdefaults]
        default_realm = OCTOCAT.LAB
        default_ccache_name = KEYRING:persistent:%{uid}

        ticket_lifetime = 1d
        renew_lifetime = 7d

[realms]
        OCTOCAT.LAB = {
                kdc = kerberos.octocat.lab
                admin_server = kerberos.octocat.lab
                default_domain = octocat.lab
        }

[domain_realm]
        octocat.lab = OCTOCAT.LAB
        .octocat.lab = OCTOCAT.LAB 

Start the Kerberos database administration utility.

$ sudo kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@OCTOCAT.LAB: ************

Inspect the principal settings, in particular the maximum ticket life and maximum renewable life values.

kadmin:  get_principal milosz
Principal: milosz@OCTOCAT.LAB
Expiration date: [never]
Last password change: Tue Nov 09 01:55:53 CET 2021
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 09 01:55:53 CET 2021 (root/admin@OCTOCAT.LAB)
Last successful authentication: Fri Nov 12 01:42:44 CET 2021
Last failed authentication: Fri Nov 12 01:42:40 CET 2021
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Update these values for each user principal that should receive longer tickets.

kadmin:  modify_principal -maxlife 1d -maxrenewlife 7d milosz
Principal "milosz@OCTOCAT.LAB" modified.

You will also be limited by the ticket-granting service principal, as a ticket cannot exceed the maximum values set on krbtgt/OCTOCAT.LAB@OCTOCAT.LAB.

kadmin:  get_principal krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
Principal: krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
Expiration date: [never]
Last password change: [never]
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Nov 07 01:50:56 CET 2021 (db_creation@OCTOCAT.LAB)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH LOCKDOWN_KEYS
Policy: [none]

Update the krbtgt/OCTOCAT.LAB@OCTOCAT.LAB principal.

kadmin:  modify_principal -maxlife 1d -maxrenewlife 7d krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
Principal "krbtgt/OCTOCAT.LAB@OCTOCAT.LAB" modified.

Now obtain and cache a Kerberos ticket-granting ticket to verify the new limits.

$ kinit 
Password for milosz@OCTOCAT.LAB: ************
$ klist 
Ticket cache: KEYRING:persistent:1000:1000
Default principal: milosz@OCTOCAT.LAB

Valid starting     Expires            Service principal
11/12/21 02:53:08  11/13/21 02:53:07  krbtgt/OCTOCAT.LAB@OCTOCAT.LAB
        renew until 11/19/21 02:53:07
$ kdestroy
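As an added example (not code from the post), the following Python script models the clamping rule the steps above work around: the KDC grants the smallest of the requested lifetime, the realm's max_life, the user principal's maxlife and the krbtgt principal's maxlife, which is why changing kdc.conf and krb5.conf alone leaves the ticket at 10 hours until both principals are modified as well. The duration parser and the Limits class are my own constructions; the values used are the ones from this post.

```python
import re
from dataclasses import dataclass

# Added example, not the post's own code. It models the rule the post relies on:
# the KDC clamps a ticket's lifetime to the smallest of the requested value, the
# realm's max_life in kdc.conf, the client principal's maxlife and the krbtgt
# principal's maxlife; the renewable lifetime is clamped the same way.

_UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text: str) -> int:
    """Parse an MIT krb5 duration ("10h 0m 0s", "7d", "1:30:00", "36000") to seconds."""
    text = text.strip()
    if re.fullmatch(r"\d+", text):          # plain seconds
        return int(text)
    m = re.fullmatch(r"(\d+):(\d{1,2})(?::(\d{1,2}))?", text)
    if m:                                    # h:m[:s]
        h, mi, s = (int(x or 0) for x in m.groups())
        return h * 3600 + mi * 60 + s
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != re.sub(r"\s+", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNIT[u] for n, u in parts)

@dataclass
class Limits:
    requested: int  # ticket_lifetime / renew_lifetime in krb5.conf, or kinit -l / -r
    kdc: int        # max_life / max_renewable_life under [realms] in kdc.conf
    client: int     # user principal's maxlife / maxrenewlife (kadmin get_principal)
    service: int    # krbtgt principal's maxlife / maxrenewlife

def effective_lifetime(lim: Limits) -> int:
    """Ticket lifetime in seconds: the KDC grants the smallest of the four limits."""
    return min(lim.requested, lim.kdc, lim.client, lim.service)

def effective_renewable(life: Limits, renew: Limits) -> int:
    """Renewable lifetime in seconds, or 0 when the ticket will not be renewable."""
    renew_until = min(renew.requested, renew.kdc, renew.client, renew.service)
    return renew_until if renew_until > effective_lifetime(life) else 0

if __name__ == "__main__":
    d = parse_duration
    # Only kdc.conf and krb5.conf raised to 1d, principals still at 10h: still 10 hours.
    partial = Limits(d("1d"), d("1d 0h 0m 0s"), d("10h"), d("10h"))
    print(effective_lifetime(partial) // 3600, "hours")
    # After modify_principal on the user and krbtgt principals: 24 hours.
    full = Limits(d("1d"), d("1d 0h 0m 0s"), d("1d"), d("1d"))
    print(effective_lifetime(full) // 3600, "hours")
```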